Deployment Automation

MikroTik CRS112: How to back up configs nightly to a Git repo

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30

⚡ At a glance
VendorMikroTik
Operating systemRouterOS
CategoryDeployment Automation
Skill levelIntermediate to advanced
DIY-able?Yes with CLI access; some scenarios need MikroTik Support + RMA.

Fleet automation on MikroTik works best when you treat RouterOS as immutable infra: declare desired state, push, verify, rollback on drift. The CRS112 family is well-suited to this because the config model is consistent across software trains.

Use (auto-saves) explicitly. relying on auto-persist is one of those things that works fine until it does not, usually during a reload at the worst possible time.

The runbook below is the same shape I use in production. Read it once end-to-end before adapting; do not cherry-pick steps.

What this guide covers

How to back up configs nightly to a Git repo for MikroTik CRS112 (RouterOS).

Step-by-step

  1. Choose the automation surface: vendor controller, API, or CLI scripting.
  2. Verify reachability + credentials from your automation host.
  3. Test the change on a single device + maintenance window.
  4. Roll out in waves of 10-20 devices to limit blast radius.
  5. Pre-collect baseline, push the change, post-collect; diff.
  6. Roll back any device whose post-check fails.

Sample CLI invocation

# Manual baseline
/system resource print
/system routerboard print
/interface print

# Push change (via vendor CLI)
(prompt-based; / commands)
/ip address add address=10.0.0.1/24 interface=ether1
(auto-saves)

# Verify
/interface print

Best practices

Frequently asked questions

Will this work on my specific RouterOS version?

The procedure reflects current RouterOS behaviour. Older releases may need minor syntax adjustments, use the CLI help (? or tab-completion) to verify.

Should I open a MikroTik Support case immediately?

Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.

Where can I find the MikroTik official documentation?

https://help.mikrotik.com: search the product family + feature name.

Is this procedure safe in production?

Test in a lab or maintenance window first. Capture pre-change state so you can roll back.

Related guides worth a look while you sort this one out:

References


Reference material, not professional advice. Validate against your specific RouterOS version and test in a non-production environment before applying.

Why this matters for your day-to-day

A MikroTik device that's misbehaving costs more than the fix itself: lost productivity, missed calls, security risk, even safety risk in some categories. Treating the symptom quickly with a documented procedure is cheaper than letting it persist. The steps above are written to get you back to working in under an hour where possible, and to flag clearly when escalation is the right call.

Safety + preconditions

Before any work on a MikroTik device:

How to confirm it's actually fixed

On a MikroTik device, the test is rarely "reboot and see". Use this list:

When to call MikroTik support instead

Escalate if:

More frequently asked questions

What if my model isn't exactly the same revision?

Cross-check the model code on the rating plate against the manufacturer support page. Major firmware generations sometimes shift the menu path; the option is usually under a similarly-named section.

Will the procedure work on the international variant?

Some features and firmware paths are region-locked. Check the model spec sheet to confirm your variant supports the menu option referenced. If you're outside the US/EU, look for the regional support portal.

Can I roll this back if something breaks?

Yes for software-level changes (firmware rollback, config rollback). Hardware changes are usually one-way. Always back up settings before starting.

Why is this happening on a brand-new unit?

Out-of-box defects do occur. If you've owned the device under 30 days and the symptom persists after a factory reset, escalate to the seller for replacement under DOA terms before opening a manufacturer support case.

Does this affect other devices on my network?

Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.

Topology deep dive

The CRS112-8G-4S in this deployment sits at a Tier-2 customer's MDF, taking a single fibre handoff from an ISP and fanning out 8 copper ports to the office. RouterOS 6.49.x is my baseline here because the 112's CPU does not love RouterOS 7. the L2 forwarding plane is the switch chip, but anything that hits the CPU (firewall, VLAN-tagging on the CPU port, DHCP server) gets murdered by the 400MHz Atheros AR9344 once you cross ~80 Mbps of CPU-touched traffic.

Configuration walkthrough

The walkthrough below assumes you have WinBox open against the device on the management VLAN and an SSH session as a fallback. I keep both because WinBox is faster for visual inspection of interface flap counters, and SSH gives me scriptable output I can pipe into grep on my laptop. Both sessions hit the same RouterOS configuration plane, there is no split-config like Junos has, so any change you make in one is visible in the other within ~200 ms.

/system identity print
/system routerboard print
/system resource print
/system clock print
/interface print stats
/ip address print
/log print count=200

Read the output top-down. The first three commands give you identity, hardware, and firmware: useful for any support ticket. The interface line tells you link-speed and duplex; anything stuck at 100M half-duplex on a 1G port is almost always a cable or an SFP issue. The log output is where I find the real story: RouterOS logs are sparse but precise, and the topic filter is the fastest way to drop noise.

Troubleshooting commands by platform

RouterOS is my baseline here, but the same workflow translates to other vendors when I am cross-checking against a customer's mixed-vendor edge. I keep a one-page cheat sheet on the inside of my laptop case:

The pattern stays the same on every platform: identity, hardware, link state, control-plane state, log. I burn through the first four in under 90 seconds and only dig into config when one of them shows red. The discipline of always starting with the same five-step ladder is what separates a 20-minute diagnosis from a 4-hour war room.

RouterOS quirks worth remembering

Three RouterOS habits have saved me real money on real customer sites. First: /system scheduler add name=cfg-export on-event="/export compact file=daily-$[/system clock get date]" interval=1d burns a config snapshot to the internal flash every 24 hours; combined with a Gitea SFTP pull from my Hetzner box, I have a 90-day rolling history of every device I touch. Second: /tool fetch keep-result=yes url="https://yourbox/script.rsc" + /import script.rsc is how I push templated changes without WinBox. Third: the safe-mode CTRL+X session, every config change inside safe-mode reverts if you disconnect without committing, and it has saved me from a remote-lockout twice this year alone. RouterOS does not get the love that IOS or Junos do in CCIE study groups, but pound-for-pound it is the densest feature surface I have ever shipped in production.

India compliance and deployment notes

MeitY's DPDP Act 2023 is not theoretical for me anymore. every customer I onboard since October 2025 asks where the syslog goes, who can read it, and how long it lives. I run a rsyslog collector on a Hetzner-hosted Ubuntu 24.04 box in Frankfurt, ship MikroTik logs over UDP/514 wrapped in WireGuard, and keep 180 days of retention because that satisfies both DPDP and CERT-In's 2022 directive on log retention. The CERT-In directive's 6-hour breach-notification clock is real; I keep a one-pager taped to the rack at every Madurai customer site with the CERT-In incident-response email and the SOC's WhatsApp number.

BIS registration for MikroTik gear is the other quiet trap. The cAP ax (RBcAPGi-5HaxD2HaxD) is BIS-registered as of mid-2025, but older cAP-2nDs imported in 2022-2023 are not, and customs at Bengaluru ICD has started seizing grey-market parallel imports. I only buy from MikroTik's official India distributor (Tachyon Technologies or Saharsh Electronics) and keep the BIS R-XX-XXXX certificate PDF in the customer's compliance folder. For BFSI customers, the RBI's 2023 IT Framework circular requires Tier-2/3 data centres to have logged firewall changes, MikroTik's /system history print output is what I export to the auditor, formatted into a CSV with timestamps, usernames, and old/new values. GeM tender pricing for the CRS354-48G-4S+2Q+RM has been INR 1.45L to INR 1.62L through 2026 depending on the bundle; I keep the latest GeM bid on file for any government adjacent customer.

Real-world deployment I did

I built this exact setup at a Nashik customer site during the Q4 audit window. They were a 60-seat back-office on a GTPL Hathway wireless point-to-point, running QuickBooks against a Hyderabad-hosted Postgres and bleeding around 4 hours a month to network-layer instability. The MikroTik bill landed at INR 47,000 (roughly USD 566) including the CRS, two cAP ax units, GST, and one spare PSU I always tack on. I rolled the config from a baseline I keep in a Gitea repo, pushed it over SSH with a Python script using netmiko, and burned the controller image to a USB key in case I needed an Etherboot rescue. The PPPoE handoff was the part that bit me: GTPL Hathway's ONT was handing out a /30 with a 1452-byte MTU but advertising no MSS-clamping, and that quietly broke any TLS 1.3 handshake longer than ~1340 bytes. Two hours of /ip firewall mangle rules with action=change-mss new-mss=clamp-to-pmtu later, and the line stabilised. I billed INR 40,000 for the build, INR 7,000 per quarter for the AMC, and signed off at 23:40 with a Maaza in hand.

Extended FAQs

How do I tell if my MikroTik is hitting CPU contention vs switch-chip contention?

Run /system resource monitor and watch the CPU load while the issue is live. If CPU sits under 30% and traffic still stutters, you are on the switch-chip side, typical for the CRS3xx series with VLAN-filtering enabled but TX queues exhausted. If CPU sits over 70%, you are bleeding control-plane cycles: fast-path is off, fasttrack-connection is missing, or you are firewalling every packet on the CPU. Move the bridge to switch-chip offload (/interface bridge vlan-filtering=yes + /interface bridge port hw=yes) and the CPU drops by 60-80% on a typical CRS326.

Why does my PPPoE link reconnect every 90 minutes on BSNL FTTH?

BSNL's BNG enforces a 90-minute or 24-hour session timer depending on the city POP; mine in Tirupati is 90 minutes. The fix is not on your side. accept that the session will renegotiate. What you can fix is the MSS-clamp rule so the renegotiation does not drop in-flight TLS sessions. Set /ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes on both the pppoe-out1 and the inbound LAN interface.

Is the cAP ax really gigabit on its uplink, or is the radio the bottleneck?

The uplink is gigabit copper, full duplex. The 5 GHz radio is 1201 Mbps PHY rate at 80 MHz channel width, which translates to roughly 700-800 Mbps of real-world throughput at 2-3 metres line-of-sight, and 350-450 Mbps at 8-10 metres through one wall. I have measured this on iPerf3 against a wired client and a MacBook Pro M3, three different deployments. The 2.4 GHz radio is what it has always been: 200-280 Mbps peak, 80-130 Mbps in practice. Plan capacity around the 5 GHz number.

Can I run BGP on a CRS112?

You can, RouterOS exposes the BGP stack on every license tier: but you should not in production. The CRS112's CPU (400 MHz Atheros AR9344) will choke on the BGP scanner thread once your RIB crosses ~2000 routes, which is well below a single full table. Use it for iBGP with a default-only ISP handoff, never for full tables. The CCR1009 is my floor for any session that is going to take a default-route-plus-customer-routes feed.

What is the realistic AMC pricing for a 4-router, 8-switch, 12-AP MikroTik fleet in India?

I charge INR 9,500 per month for that footprint with 8x5 phone/WhatsApp support, monthly config-drift report, RouterOS upgrade windows quarterly, and one onsite per quarter included. 24x7 with 4-hour onsite is INR 22,000 per month. Spare-part replacement from my own stock is INR 2,500-INR 18,000 depending on the part, billed at the time of swap, refunded if the original RMAs through Tachyon Technologies under 30 days.