This page lists protocols and ports used by various MikroTik RouterOS services. It helps you to determine why your MikroTik router listens to certain ports, and what you need to block/allow in case you want to prevent or grant access to certain services. Please see the relevant sections of the Manual for more explanations.

The default services are:

telnetTelnet service
ftpFTP service
wwwWebfig HTTP service
sshSSH service
www-sslWebfig HTTPS service
apiAPI service
winboxResponsible for Winbox tool access, as well as Tik-App smartphone app and Dude probe
api-sslAPI over SSL service


Note that it is not possible to add new services, only existing service modifications are allowed.

Sub-menu: /ip service

address (IP address/netmask | IPv6/0..128; Default: )List of IP/IPv6 prefixes from which the service is accessible
certificate (name; Default: none)The name of the certificate used by a particular service. Applicable only for services that depend on certificates (www-ssl, api-ssl)
name (name; Default: none)Service name
port (integer: 1..65535; Default: )The port particular service listens on
tls-version (any | only-1.2; Default: any)Specifies which TLS versions to allow by a particular service
vrf (name; Default: main)Specify which VRF instance to use by a particular service


For example, allow API only from a specific IP/IPv6 address range

[admin@dzeltenais_burkaans] /ip service> set api address=,2001:db8:fade::/64
[admin@dzeltenais_burkaans] /ip service> print 
Flags: X - disabled, I - invalid 
 #   NAME     PORT  ADDRESS                                       CERTIFICATE  
 0   telnet   23   
 1   ftp      21   
 2   www      80   
 3   ssh      22   
 4 X www-ssl  443                                                 none         
 5   api      8728                                
 6   winbox   8291 

Protocols and ports

The table below shows the list of protocols and ports used by RouterOS.

20/tcpFTP data connection
21/tcpFTP control connection
22/tcpSecure Shell (SSH) remote login protocol
23/tcpTelnet protocol
67/udpBootstrap protocol or DHCP Server
68/udpBootstrap protocol or DHCP Client
80/tcpWorld Wide Web HTTP
123/udpNetwork Time Protocol (NTP)
161/udpSimple Network Management Protocol (SNMP)
179/tcpBorder Gateway Protocol (BGP)
443/tcpSecure Socket Layer (SSL) encrypted HTTP
500/udpInternet Key Exchange (IKE) protocol
RIP routing protocol
546/udpDHCPv6 Client message
547/udpDHCPv6 Server message
646/tcpLDP transport session
646/udpLDP hello protocol
1080/tcpSOCKS proxy protocol
1698/udp 1699/udpRSVP TE Tunnels
1701/udpLayer 2 Tunnel Protocol (L2TP)
1723/tcpPoint-To-Point Tunneling Protocol (PPTP)
Universal Plug and Play (uPnP)
1966/udpMME originator message traffic
1966/tcpMME gateway protocol
2000/tcpBandwidth test server
5350/udpNAT-PMP client
5351/udpNAT-PMP server
5678/udpMikrotik Neighbor Discovery Protocol
6343/tcpDefault OpenFlow port
8080/tcpHTTP Web Proxy
20561/udpMAC winbox
/2Multicast | IGMP
/4IPIP encapsulation
/41IPv6 (encapsulation)
/46RSVP TE tunnels
/47General Routing Encapsulation (GRE) - used for PPTP and EoIP tunnels
/50Encapsulating Security Payload for IPv4 (ESP)
/51Authentication Header for IPv4 (AH)
/89OSPF routing protocol
/103Multicast | PIM
  • No labels