TerraformPilot

DevOps

Terraform for MikroTik RouterOS

Automate MikroTik RouterOS devices with Terraform: terraform-routeros provider, firewall rules, VPNs, BGP peers, and edge router fleets.

Luca Berton · 1 min read

MikroTik RouterOS runs millions of edge routers at WISPs, small ISPs, branch offices, and hotspot operators. The community terraform-routeros/routeros provider exposes the RouterOS REST API for declarative firewall, VPN, BGP, and DHCP configuration.

Provider

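terraform {
  required_providers {
    routeros = {
      source  = "terraform-routeros/routeros"
      version = "~> 1.50"
    }
  }
}

variable "router_ip" { type = string }
variable "username" { type = string }

# Marked sensitive so the value is redacted in plan and apply output.
variable "password" {
  type      = string
  sensitive = true
}

provider "routeros" {
  hosturl  = "https://${var.router_ip}" # REST API over TLS
  username = var.username
  password = var.password
}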

Firewall Rule

resource "routeros_ip_firewall_filter" "drop_inbound" {
  chain            = "input"
  action           = "drop"
  comment          = "drop unsolicited inbound"
  in_interface     = "ether1-wan"
  connection_state = "new"
}

BGP Peer

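resource "routeros_routing_bgp_connection" "transit" {
  name      = "transit-as12345"
  as        = "64512" # local ASN; placeholder from the private range, the article gives none
  templates = ["default"]

  # The provider models the local and remote settings as nested blocks.
  local {
    role = "ebgp"
  }
  remote {
    address = "192.0.2.1"
    as      = "12345"
  }
}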

DHCP Server on a Bridge

resource "routeros_ip_dhcp_server" "lan" {
  name       = "lan-dhcp"
  interface  = "bridge-lan"
  lease_time = "1d"
  # Reference the pool resource instead of a literal name so Terraform creates the pool first.
  address_pool = routeros_ip_pool.lan.name
}

resource "routeros_ip_pool" "lan" {
  name   = "lan-pool"
  ranges = "192.168.10.10-192.168.10.250"
}

Best Practices

  • Enable the REST API explicitly (/ip service set www-ssl disabled=no) and use a real certificate.
  • Use a service account in a limited group; never run Terraform as the admin user.
  • Run the CI plan in shadow mode: RouterOS doesn't have commit-confirmed, so mistakes take effect immediately.
  • Snapshot exports before each apply (/system backup save).
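
One way to back the plan-in-CI practice above with an automated gate, as an added example that is not from the original article: a Python check over the JSON plan (`terraform show -json`) that flags changes which would take effect immediately on the router. The set of critical types, the scoping attribute names and the sample plan are assumptions constructed for illustration.

```python
import json
import sys

# Types whose removal or replacement can cut filtering or routing (assumed list).
CRITICAL_TYPES = {"routeros_ip_firewall_filter", "routeros_routing_bgp_connection"}
# Attributes that scope a firewall rule to an interface or source (assumed names).
SCOPE_ATTRS = ("in_interface", "in_interface_list", "src_address")

def risky_changes(plan: dict) -> list:
    """Return findings for a plan in `terraform show -json` format."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("type") not in CRITICAL_TYPES or actions == ["no-op"]:
            continue
        addr = rc["address"]
        before, after = change.get("before") or {}, change.get("after") or {}
        if "delete" in actions:
            kind = "replace" if "create" in actions else "delete"
            findings.append(f"{addr}: {kind} takes effect immediately on the router")
        if rc["type"] == "routeros_ip_firewall_filter" and after:
            if before.get("action") == "drop" and after.get("action") != "drop":
                findings.append(f"{addr}: action drop -> {after.get('action')}")
            unscoped = not any(after.get(a) for a in SCOPE_ATTRS)
            if after.get("action") == "drop" and after.get("chain") == "input" and unscoped:
                findings.append(f"{addr}: unscoped input drop can lock out the REST API")
    return findings

# Constructed sample plan (trimmed to the fields the check reads).
SAMPLE_PLAN = {"resource_changes": [
    {"address": "routeros_ip_firewall_filter.drop_inbound",
     "type": "routeros_ip_firewall_filter",
     "change": {"actions": ["update"],
                "before": {"chain": "input", "action": "drop", "in_interface": "ether1-wan"},
                "after": {"chain": "input", "action": "drop", "in_interface": None}}},
    {"address": "routeros_routing_bgp_connection.transit",
     "type": "routeros_routing_bgp_connection",
     "change": {"actions": ["delete", "create"],
                "before": {"name": "transit-as12345"}, "after": {"name": "transit-as12345"}}},
    {"address": "routeros_ip_pool.lan", "type": "routeros_ip_pool",
     "change": {"actions": ["create"], "before": None, "after": {"name": "lan-pool"}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    found = risky_changes(plan)
    print("\n".join(found) or "no risky changes")
    sys.exit(1 if found and len(sys.argv) > 1 else 0)  # fail the job only on a real plan
```

In CI, save the plan with `terraform plan -out=tfplan`, convert it with `terraform show -json tfplan > plan.json`, and pass `plan.json` as the script's argument; a non-zero exit blocks the apply.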