Mikrotik Api
Getting started with the RouterOS API
The traditional API has been included for quite some time. Starting with 6.43 the login procedure changed a bit. To keep things simple when using the Python RouterOS-api package, plaintext_login=True is required, which sends the password in the login request itself. This makes the need for an SSL cert more important. To use the 7.1 REST API an SSL cert is also required (it does not work over HTTP).
Getting a cert
We’re going to use a simple self-signed cert for this example. System -> Certificates: Add New. The following should get set:
- Name: “Self”
- Country: “US”
- State: “IN”
- Locality: “Indianapolis”
- Organization: “Contoso”
- Unit: “IT”
- Common Name: “router.contoso.com”
- Subject Alt. Name (SAN): IP; 192.0.2.1

Then click “Apply” and “OK”. Then click on the cert again, and this time hit “Sign”, then “Start”. It’ll think for a few moments, then should come back successful. At this point the cert is self-signed and ready for use. Obviously if you want a fully validated signed cert, you can do the Cert Signing Request (CSR) and all the proper exports, signing, and reuploading as required. If you’re feeling excitable, this can be done with Let’s Encrypt/ACME. Take a look at this thread. Maybe one of these days, I’ll get around to some testing and try to document…

Back to getting into those sweet secured APIs. IP -> Services. Click on API-SSL and change the certificate to be our newly created cert. “Apply” and “OK” again. Do the same thing in “www-ssl” if you want the REST API to work.
Now if you’re using Python, you can use the Python RouterOS-api package. For example, a simple dhcp-server lease lister:

```bash
pip install RouterOS-api
```

```python
import routeros_api

# Connect to the API-SSL service; plaintext_login=True is needed on RouterOS 6.43+.
con = routeros_api.RouterOsApiPool(
    'router.contoso.com',
    username='admin',
    password='badpassword1!',
    use_ssl=True,
    ssl_verify=False,  # self-signed cert, so certificate validation is skipped
    plaintext_login=True
)
api = con.get_api()

# Print every DHCP lease as one CSV line.
dhcp = api.get_resource('/ip/dhcp-server/lease').get()
for rec in dhcp:
    # Some fields can be absent on a lease, so default them to "".
    hostname = rec.get('host-name', '')
    last_seen = rec.get('last-seen', '')
    expires = rec.get('expires-after', '')
    print(f"{rec['address']},{rec['mac-address']},{hostname},{last_seen},{expires}")
con.disconnect()
```
And you’re in! Or if you wanna kick it in bash and use the REST API:
```bash
# -k skips certificate validation, needed here because the cert is self-signed
curl -k -u 'admin:badpassword1!' https://router.contoso.com/rest/system/resource
```
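
Both examples above skip certificate validation (`ssl_verify=False`, `-k`). The following is an added example, not code from the original post: a REST client using only the Python standard library that trusts the router's exported self-signed cert instead. The file name `router-self.crt` and the `ROUTER_PASSWORD` environment variable are assumptions; the address is the SAN IP set on the cert above.

```python
import base64
import json
import os
import ssl
import urllib.request

ROUTER = "192.0.2.1"         # the SAN IP from the cert created above
CA_FILE = "router-self.crt"  # hypothetical file name of the exported cert

def router_context(cafile=None):
    """TLS context that trusts only the router's exported cert."""
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx  # with no cafile nothing is trusted, so connections fail closed

def build_request(host, path, user, password):
    """GET request for a REST path with HTTP basic auth, always over https."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"https://{host}/rest/{path.strip('/')}")
    req.add_header("Authorization", f"Basic {token}")
    return req

def rest_get(host, path, user, password, cafile):
    """Fetch and decode one REST resource over verified TLS."""
    req = build_request(host, path, user, password)
    ctx = router_context(cafile)
    with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
        return json.load(resp)

def lease_row(rec):
    """CSV line for one lease; fields missing from the record become empty."""
    keys = ("address", "mac-address", "host-name", "last-seen", "expires-after")
    return ",".join(rec.get(k, "") for k in keys)

if __name__ == "__main__":
    password = os.environ.get("ROUTER_PASSWORD")  # assumed env var, keeps the password out of the script
    if password is None:
        print("set ROUTER_PASSWORD to query", ROUTER)
    else:
        for rec in rest_get(ROUTER, "ip/dhcp-server/lease", "admin", password, CA_FILE):
            print(lease_row(rec))
```

The address you connect to has to match an entry in the cert's SAN, which is why this uses 192.0.2.1.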
ToDo
- Screenshots for Certs
- Python using REST
- Verify Bash and Curl example