MikroTik Management
Reach, monitor, back up, and run controlled RouterOS actions on the MikroTik fleet you already run — including secure browser and WinBox access to routers behind NAT over WireGuard — then connect every router to the subscriber, plan, balance, and access state it serves.
Subscribers, devices, and access in one view
Manage the MikroTik fleet you already run
Most small and mid-sized ISPs and WISPs are MikroTik-first. The routers work — the problem is managing them at fleet scale: backups scattered across WinBox sessions, no record of who changed what, config drift after a late-night fix, and outages noticed only when customers call.
ISPAgents manages MikroTik RouterOS natively, through a validated connector path, so monitoring, backups, drift detection, and controlled config actions live in one place. It coexists with the routers and tools you already run — no rip-and-replace, and no faking backups through SNMP walks.
Native RouterOS, not a generic NMS
MikroTik management uses the RouterOS REST and API path directly, so it speaks the language the routers actually use: queues, PPPoE, hotspot, firewall, address lists, interfaces, and system resources. Actions are controlled — previewed and approved — rather than blanket automatic control of production routers.
Private Access: reach any router behind NAT
Most MikroTik routers sit behind NAT, CGNAT, or an LTE uplink, so reaching them usually means port forwards, a jump box, or a hand-maintained VPN. Private Access removes that. The router opens an outbound WireGuard tunnel to an ISPAgents access gateway, so you can reach it securely without exposing it to the public internet — no port forwarding, no public WinBox port, no static IP required.
From the browser, an operator gets a private session straight to RouterOS:
- WebSSH — a full RouterOS terminal in the browser.
- WebFig — the native RouterOS web interface, proxied privately.
- RouterOS REST — the API path for reads and controlled actions.
Prefer native tools? Private Access also brokers WinBox and SSH through a temporary, source-bound endpoint: your normal WinBox client connects to a short-lived port that maps over WireGuard to the router, then closes when the session ends.
Every session is built to be safe on production infrastructure:
- Private — the router's real address is never advertised, and the tunnel is always initiated outbound by the router itself.
- Time-bound and revocable — sessions run on a lease with a TTL and can be cut immediately.
- Tenant-scoped and audited — access is permission-gated per role, isolated per tenant, and recorded in the audit trail.
- Credential-safe — RouterOS credentials are resolved at access time and are never sent to the browser or written to logs.
The same private path powers automated RouterOS jobs — health probes, configuration backup and export, and neighbor and wireless discovery — so monitoring and backups keep working on routers you could never reach directly.
Private Access for MikroTik RouterOS is rolling out through controlled availability, on the same preview-approve-audit discipline as the rest of the platform.
What you can manage
| Capability | ISPAgents role |
|---|---|
| Monitoring & alerts | Track device status, interfaces, and resources; alert on outages, changes, and drift across the fleet. |
| Config backup & export | Native RouterOS export and backup on a schedule and on demand, with version history for fast restore. |
| Config drift | Detect and surface configuration drift after a change so a bad edit is caught and reversed with evidence. |
| Controlled config actions | Preview, approve, apply, and roll back changes to queues, PPPoE, hotspot, firewall, and address lists. |
| Fleet onboarding | Discover and onboard routers into the right tenant with strong serial and identity evidence. |
| Firmware & RouterOS updates | Plan and track RouterOS and firmware state across the fleet. |
| Private Access | WebSSH, WebFig, RouterOS REST, and native WinBox/SSH to a router behind NAT over WireGuard — no public exposure. |
Monitoring and alerts
RouterOS reads, SNMP, traps, and syslog converge into one tenant and device timeline instead of four disconnected dashboards. Operators see device status, interface and resource health, and recent events together, and get alerted when a router goes offline, a config changes, or drift appears — so issues surface before the phone rings.
Backups and drift detection
Configuration backup and export run natively through RouterOS on a schedule and on demand, with version history so any router can be restored quickly. After a controlled change, drift detection compares current state against the expected baseline and flags anything unexpected — turning a risky late-night edit into a reversible, audited action.
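A minimal sketch of the baseline comparison described above, added here as an illustration and not ISPAgents' own code: it normalizes two RouterOS `/export` texts so the timestamp header and line wrapping do not count as drift, then reports commands added or removed. The function names and the sample exports, including the rule accepting TCP 8291 (WinBox's default port), are constructed assumptions.

```python
import difflib

def normalize_export(text):
    """Reduce RouterOS /export text to ordered 'section :: command' entries."""
    entries, section, pending = [], "", ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):       # long lines are wrapped with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue                  # header comments carry the export timestamp
        if line.startswith("/"):      # menu path applies to the commands that follow
            section = line
            continue
        entries.append(f"{section} :: {line}")
    return entries

def detect_drift(baseline_text, current_text):
    """Return entries removed from and added to the baseline, order-aware."""
    base, cur = normalize_export(baseline_text), normalize_export(current_text)
    removed, added = [], []
    matcher = difflib.SequenceMatcher(a=base, b=cur, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed += base[i1:i2]
        if tag in ("replace", "insert"):
            added += cur[j1:j2]
    return {"removed": removed, "added": added}

# Constructed sample exports (not taken from a real router).
BASELINE = """# 2024-05-01 02:00:00 by RouterOS 7.14
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="mgmt over tunnel" \\
    in-interface=wg-mgmt
add action=drop chain=input in-interface=ether1
"""
CURRENT = """# 2024-05-02 23:41:07 by RouterOS 7.14
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="mgmt over tunnel" in-interface=wg-mgmt
add action=accept chain=input dst-port=8291 protocol=tcp
add action=drop chain=input in-interface=ether1
"""

if __name__ == "__main__":
    print(detect_drift(BASELINE, CURRENT))
```

Because the comparison is order-aware, a firewall rule moved above or below another shows up as a removal plus an addition of the same entry.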
Controlled config actions
Config changes touch production routers, so they move through the same controls the rest of the platform uses:
- Preview the exact RouterOS action before it runs — no blind bulk push.
- Back up the affected configuration so the change is reversible.
- Approve through permission-scoped roles where required.
- Apply, then keep audit evidence of what changed, who approved it, and when.
- Roll back from backup if drift or a fault appears.
Guarded config actions across the fleet are offered as controlled availability — enabled per workflow as evidence proves them safe — rather than handing blanket automatic control of every router on day one.
The real difference: management connected to the business
A standalone MikroTik RMM manages routers in isolation. ISPAgents manages the same routers, then connects each one to the subscriber, plan, balance, RADIUS session, and support timeline it serves. That changes what your team can do:
- Suspend, restore, or shape a subscriber through RADIUS CoA or a controlled RouterOS action — and prove exactly which router and policy changed service state.
- See whether a fault is the CPE, Wi-Fi, the access router, backhaul, or upstream before dispatching a technician.
- Map one identity per subscriber across MikroTik, RADIUS, and billing, instead of reconciling four tools by hand.
Coexist, then expand
Start by connecting MikroTik in read-only mode — pull device state, run backups, and validate inventory and identity mapping with nothing switched off. Turn on monitoring and alerts, then enable controlled config actions per workflow as you build confidence. Keep your existing RADIUS, billing, or CRM in place and let ISPAgents become the source of truth when the evidence is clean.
Pair MikroTik management with MikroTik ISP billing to connect payments to service state, see the underlying MikroTik integration for the connector detail, or add TR-069 / CWMP and SNMP to manage the rest of the CPE and edge a MikroTik-first network still depends on.