Gino Eising
Nerd by Nature
Dec 10, 2023 5 min read

MikroTik is a real router: automated backups and routing streaming traffic properly


December 2023 — on why your home router deserves the same attention as everything else in your stack

Most home routers are appliances. You plug them in, log into a web UI once to set a password, and forget they exist until they stop working. The firmware update prompt appears. You dismiss it. Repeat for several years until the device dies.

MikroTik routers run RouterOS — a real operating system with a scripting language, a full CLI, and enough capability to do things most enterprise routers do. The learning curve is steeper than a consumer router. The payoff is complete control over your network, without subscription fees and without cloud dependencies.

Two things I automated that I want to walk through: configuration backups, and routing streaming service traffic correctly when you need different paths for different content.


Automated configuration backup

A router configuration is critical infrastructure. If the device dies unexpectedly, being able to restore the full config to a replacement unit in minutes rather than hours (of re-entering settings from memory) matters.

RouterOS has built-in backup capabilities. What it doesn’t do out of the box is automatically move those backups somewhere safe. Here’s the scheduler + script I use to push weekly backups to my NAS via SFTP:

/system scheduler
add interval=1w \
    name=backup-to-storage1 \
    on-event=backup-to-storage1 \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2023-11-27 \
    start-time=21:00:00

/system script
add name=backup-to-storage1 \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="
:local routerName [/system identity get name]
# Date format depends on RouterOS version: 7.10 and later return 2023-12-10,
# older versions return dec/10/2023, whose slashes are a problem in a file name
:local currentDate [/system clock get date]
:local sshServer \"storage1.lan\"
:local sshUser \"ubuntu\"
# Base name without extension: backup save appends .backup, export appends .rsc
:local baseName ($routerName . \"-\" . $currentDate)
:local path \"/mnt/md0/home/backup/mikrotik/\"

# Create the binary backup (<baseName>.backup)
/system backup save name=$baseName

# Export a plaintext config (<baseName>.rsc; human-readable, git-diffable)
/export compact file=$baseName

# Transfer both files via SFTP to the NAS
:foreach ext in={\".backup\";\".rsc\"} do={
    /tool fetch upload=yes \
        url=(\"sftp://\" . $sshServer . $path . $baseName . $ext) \
        user=$sshUser \
        src-path=($baseName . $ext)
}
"

Once a week from the start date (Monday, 27 November 2023) at 21:00, this script:

  1. Creates a binary .backup file (full restoration)
  2. Exports a compact plaintext config (human-readable, useful for understanding what changed)
  3. Pushes both to storage1.lan over SFTP

The NAS keeps rolling backups. If I need to restore or compare configs across time, it’s all there. The script uses SFTP with key-based auth: no passwords stored on the router.

Two caveats are worth stating. The binary .backup holds every secret on the device (user credentials, wireless keys, VPN secrets), and the plaintext export may include sensitive values as well depending on RouterOS version and export flags, so the NAS directory needs the same access control as a credential store. And the policy list on both the scheduler and the script grants everything, including reboot, password, sniff and romon, none of which a backup script needs; trim it to what the script actually uses and run it once by hand to confirm it still works with the reduced set.

I also keep only the last 5 backups locally on the router’s flash storage to avoid filling it up. A scheduled cleanup runs after the backup completes.


Routing streaming traffic correctly

Some streaming services — Netflix being the most common — have complex CDN architectures. Their IP ranges change frequently as they move content between providers. If you’re using policy routing (sending different traffic via different interfaces or VPNs), you need an accurate list of their IP ranges to route them correctly.

MikroTik supports address lists in its firewall, and a mangle rule matching such a list can set a routing mark that the routing tables then honour. The challenge is keeping the lists current.

I wrote a script to fetch the current Netflix CDN IP ranges and update a MikroTik address list automatically:

// netflix.go — fetches Netflix IP ranges from their published ASN data
// and outputs MikroTik /ip firewall address-list commands

package main

import (
    "bufio"
    "fmt"
    "net/http"
    "os"
    "strings"
)

The Go tool fetches the IP ranges, aggregates them (combining overlapping CIDRs to reduce the number of firewall rules), and outputs RouterOS commands that can be applied directly:

# Generated output (applied to router)
/ip firewall address-list remove [find list=netflix]
/ip firewall address-list add list=netflix address=192.173.64.0/18
/ip firewall address-list add list=netflix address=198.38.96.0/19
# ... (several dozen entries)
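The aggregation-and-emit step in Go, as an added example rather than the post's own netflix.go (whose body is not reproduced here). It works on a constructed sample list embedded in the program instead of fetching anything; sampleRanges, parseCIDRs, aggregate and routerOSCommands are names chosen for this example. The part that matters from a security standpoint is that every emitted line is built only from a successfully parsed CIDR: the generated text is executed on the router, so an upstream list that has been tampered with or has changed format must fail closed instead of becoming a command.

```go
// Added example, not the author's netflix.go: aggregate a CIDR list and emit
// RouterOS address-list commands. For real use, pass resp.Body from http.Get.
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/netip"
	"sort"
	"strings"
)

// Constructed sample, not real Netflix ranges: two halves that merge, a covered
// prefix, a duplicate, a junk line that must never reach the router, one IPv6.
const sampleRanges = `192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.64/26
203.0.113.0/24
203.0.113.0/24
not-an-address;/system reboot
2001:db8::/32
`

// parseCIDRs returns IPv4 prefixes masked to their network address, plus the
// rejected lines. Strict parsing is the security boundary: the output of this
// program is executed on the router, so only a parsed CIDR may reach a command.
func parseCIDRs(r io.Reader) (prefixes []netip.Prefix, rejected []string) {
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		if p, err := netip.ParsePrefix(line); err == nil && p.Addr().Is4() {
			prefixes = append(prefixes, p.Masked())
		} else {
			rejected = append(rejected, line) // IPv6 belongs in /ipv6 firewall address-list
		}
	}
	return prefixes, rejected
}

// canMerge reports whether a and b are the lower and upper halves of one parent.
func canMerge(a, b netip.Prefix) bool {
	if a.Bits() == 0 || a.Bits() != b.Bits() {
		return false
	}
	parent := netip.PrefixFrom(a.Addr(), a.Bits()-1).Masked()
	return parent.Addr() == a.Addr() && parent.Contains(b.Addr())
}

// aggregate drops duplicates and covered prefixes, then merges adjacent sibling
// halves into their parent until nothing more merges.
func aggregate(in []netip.Prefix) []netip.Prefix {
	ps := append([]netip.Prefix(nil), in...)
	sort.Slice(ps, func(i, j int) bool { // by address, then larger block first
		a, b := ps[i], ps[j]
		return a.Addr().Less(b.Addr()) || (a.Addr() == b.Addr() && a.Bits() < b.Bits())
	})
	var kept []netip.Prefix
	for _, p := range ps {
		if n := len(kept); n == 0 || !kept[n-1].Contains(p.Addr()) {
			kept = append(kept, p)
		}
	}
	for merged := true; merged; {
		merged = false
		var out []netip.Prefix
		for i := 0; i < len(kept); i++ {
			if i+1 < len(kept) && canMerge(kept[i], kept[i+1]) {
				out = append(out, netip.PrefixFrom(kept[i].Addr(), kept[i].Bits()-1))
				i, merged = i+1, true
			} else {
				out = append(out, kept[i])
			}
		}
		kept = out
	}
	return kept
}

// routerOSCommands emits the flush-and-refill sequence for one address list.
func routerOSCommands(list string, ps []netip.Prefix) []string {
	cmds := []string{"/ip firewall address-list remove [find list=" + list + "]"}
	for _, p := range ps {
		cmds = append(cmds, fmt.Sprintf("/ip firewall address-list add list=%s address=%s", list, p))
	}
	return cmds
}

func main() {
	prefixes, rejected := parseCIDRs(strings.NewReader(sampleRanges))
	fmt.Printf("# %d input line(s) rejected as non-IPv4-CIDR\n", len(rejected))
	for _, c := range routerOSCommands("netflix", aggregate(prefixes)) {
		fmt.Println(c)
	}
}
```

The flush-and-refill pattern mirrors the generated output above and inherits its one weakness: between the remove and the last add the list is empty, so marked traffic briefly follows the default path. Running the update at a quiet hour, as a weekly cron job can, keeps that window harmless. IPv6 prefixes are rejected here because they belong in /ipv6 firewall address-list, a separate tree.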

The shell wrapper get-netflix.sh runs this and pipes the output to the router via SSH. I run it weekly from a cron job. Because that cron job executes whatever the generator prints as RouterOS commands, the generator must emit only validated CIDRs, and the SSH identity it uses should be a dedicated RouterOS user with key-based login in a group limited to the ssh, read and write policies, not the admin account.

On the router side, a mangle rule puts a routing mark on traffic destined for the netflix address list, and a route in the table for that mark sends it out the interface I want it to use. The traffic follows the right path without manual intervention as the CDN topology shifts.
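The router-side configuration, as an added example and not the author's own. It uses RouterOS 7 syntax and assumes placeholders that are not in the post: a LAN of 192.168.88.0/24, a second uplink on ether2 with gateway 198.51.100.1, and a primary gateway of 203.0.113.1.

```routeros
# Added example, not the author's config. Assumed: LAN 192.168.88.0/24,
# second uplink ether2 via 198.51.100.1, primary gateway 203.0.113.1.

# A dedicated routing table for the streaming path (RouterOS 7).
/routing table
add name=via-isp2 fib

# Mark routing in prerouting, before the routing decision, for LAN traffic
# whose destination is in the generated list. Routing rules cannot match an
# address list; mangle can.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.0/24 dst-address-list=netflix \
    action=mark-routing new-routing-mark=via-isp2 passthrough=no \
    comment="netflix via ISP2"

# Default route for the marked table, plus an explicit fallback to the
# primary uplink so streaming keeps working when ISP2 is down.
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=via-isp2 \
    check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=via-isp2 distance=2

# Source NAT for traffic leaving the second uplink.
/ip firewall nat
add chain=srcnat out-interface=ether2 action=masquerade

# Checks: the mangle counters should climb while a stream plays, and the
# marked table should show the ISP2 route as active.
/ip firewall mangle print stats where comment="netflix via ISP2"
/ip route print where routing-table=via-isp2
```

The mark is applied per packet, so during the short window in which the generator has flushed the list and not yet refilled it, packets simply fall back to the main table; nothing breaks, the stream just takes the default path for a moment.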


Why bother?

The legitimate version of policy routing is straightforward: you have two ISP connections (fiber + mobile backup, or two different ISPs for redundancy), and you want to ensure streaming traffic goes via the connection with better latency or no data cap. MikroTik handles this natively; consumer routers mostly don’t.

The backup automation is simply good practice. Routers fail. Power surges happen. Having a weekly automated export sitting on the NAS means recovery is minutes, not hours.


The RouterOS scripting learning curve

RouterOS scripts look unusual if you’re coming from bash or Python. Variables are declared with :local (or :global) and read with $name. String concatenation uses a dot, as in ($a . $b). Commands are hierarchical paths (/system scheduler, /ip firewall address-list). Conditionals have their own syntax (:if (cond) do={ ... } else={ ... }).

Once you’re past the initial friction, it’s surprisingly capable. Scheduled scripts, SFTP transfers, HTTP fetches, string manipulation — all built in, no dependencies. The router is self-contained.

The CLI (ssh admin@192.168.1.1) is where most of the power is. The graphical tools (Winbox, the native client, and WebFig, the web UI) are good for initial setup and diagnostics. For automation, scripting is the right tool.


What I didn’t automate

Router firmware upgrades. I do those manually, after checking the RouterOS changelog, on a day when I can be around if something goes wrong. Automated firmware upgrades on your primary network gateway are the kind of risk that doesn’t need to exist. The 5 minutes of manual work is worth it.

Everything else — backups, address list updates, health checks — can and should run without me.