Deployment Automation

MikroTik CRS112: How to deploy with Ansible

By Sai Kiran Pandrala · reviewed by Sai Kiran Pandrala, Editor Last verified: 2026-05-30

⚡ At a glance
VendorMikroTik
Operating systemRouterOS
CategoryDeployment Automation
Skill levelIntermediate to advanced
DIY-able?Yes with CLI access; some scenarios need MikroTik Support + RMA.

Bulk operations on MikroTik get expensive fast if you do them serially. RouterOS tolerates parallel pushes well, but only if you respect the rate limits and the activation order on the CRS112 family. Get either wrong and you create a self-inflicted outage.

I always wrap automation runs in pre- and post-check captures. /system identity print + /log print + /system resource print before and after gives you a diff that MikroTik Support can act on if anything looks off later.

What follows is a battle-tested pattern. Adapt the concurrency to your environment. there is no universal right answer, only ranges that work.

What this guide covers

How to deploy with Ansible for MikroTik CRS112 (RouterOS).

Step-by-step

  1. Choose the automation surface: vendor controller, API, or CLI scripting.
  2. Verify reachability + credentials from your automation host.
  3. Test the change on a single device + maintenance window.
  4. Roll out in waves of 10-20 devices to limit blast radius.
  5. Pre-collect baseline, push the change, post-collect; diff.
  6. Roll back any device whose post-check fails.

Sample CLI invocation

# Manual baseline
/system resource print
/system routerboard print
/interface print

# Push change (via vendor CLI)
(prompt-based; / commands)
/ip address add address=10.0.0.1/24 interface=ether1
(auto-saves)

# Verify
/interface print

Best practices

Frequently asked questions

Will this work on my specific RouterOS version?

The procedure reflects current RouterOS behaviour. Older releases may need minor syntax adjustments, use the CLI help (? or tab-completion) to verify.

Should I open a MikroTik Support case immediately?

Open one if you suspect hardware failure or the symptom persists after a maintenance-window reload. Make sure your support entitlement is active first.

Where can I find the MikroTik official documentation?

https://help.mikrotik.com: search the product family + feature name.

Is this procedure safe in production?

Test in a lab or maintenance window first. Capture pre-change state so you can roll back.

Related guides worth a look while you sort this one out:

References


Reference material, not professional advice. Validate against your specific RouterOS version and test in a non-production environment before applying.

Common patterns we see

When this symptom shows up on a MikroTik device, three patterns repeat:

1. Recent firmware update changed behavior, the symptom started within a week of an OTA push. Rollback or wait for the hotfix. 2. Environmental trigger. temperature, humidity, line voltage, network changes. Look at what changed in the environment. 3. Cumulative wear, components like batteries, gaskets, fans degrade over time. Replace the consumable rather than chasing a software fix.

Knowing which pattern applies saves time on the wrong fix.

Safety + preconditions

Before any work on a MikroTik device:

How to confirm it's actually fixed

On a MikroTik device, the test is rarely "reboot and see". Use this list:

Escalation guide

For a MikroTik device, the right escalation depends on impact:

More frequently asked questions

Will the procedure work on the international variant?

Some features and firmware paths are region-locked. Check the model spec sheet to confirm your variant supports the menu option referenced. If you're outside the US/EU, look for the regional support portal.

Can I roll this back if something breaks?

Yes for software-level changes (firmware rollback, config rollback). Hardware changes are usually one-way. Always back up settings before starting.

Will this void my warranty?

Applying official firmware updates and following the user manual will not affect warranty. Opening sealed components, jumping safety circuits, or using third-party parts can void warranty in most jurisdictions.

Does this affect other devices on my network?

Generally no. The procedure is local to this device. Network-side changes (firmware updates that affect TLS, SMB, or routing) are flagged explicitly in the steps.

What if the fix returns after a reboot?

Persistent fault returns mean either: a hardware fault (escalate), a configuration that's being overwritten by a sync source (check cloud profiles), or a regression in a recent firmware update (rollback).

Topology deep dive

The CRS112-8G-4S in this deployment sits at a Tier-2 customer's MDF, taking a single fibre handoff from an ISP and fanning out 8 copper ports to the office. RouterOS 6.49.x is my baseline here because the 112's CPU does not love RouterOS 7. the L2 forwarding plane is the switch chip, but anything that hits the CPU (firewall, VLAN-tagging on the CPU port, DHCP server) gets murdered by the 400MHz Atheros AR9344 once you cross ~80 Mbps of CPU-touched traffic.

Configuration walkthrough

The walkthrough below assumes you have WinBox open against the device on the management VLAN and an SSH session as a fallback. I keep both because WinBox is faster for visual inspection of interface flap counters, and SSH gives me scriptable output I can pipe into grep on my laptop. Both sessions hit the same RouterOS configuration plane, there is no split-config like Junos has, so any change you make in one is visible in the other within ~200 ms.

/system identity print
/export compact file=baseline
/file print where name~"baseline"
/tool fetch url="https://git.local/configs/" upload=yes
/system scheduler print
/system script print

Read the output top-down. The first three commands give you identity, hardware, and firmware: useful for any support ticket. The interface line tells you link-speed and duplex; anything stuck at 100M half-duplex on a 1G port is almost always a cable or an SFP issue. The log output is where I find the real story: RouterOS logs are sparse but precise, and the topic filter is the fastest way to drop noise.

Troubleshooting commands by platform

RouterOS is my baseline here, but the same workflow translates to other vendors when I am cross-checking against a customer's mixed-vendor edge. I keep a one-page cheat sheet on the inside of my laptop case:

The pattern stays the same on every platform: identity, hardware, link state, control-plane state, log. I burn through the first four in under 90 seconds and only dig into config when one of them shows red. The discipline of always starting with the same five-step ladder is what separates a 20-minute diagnosis from a 4-hour war room.

RouterOS quirks worth remembering

Three RouterOS habits have saved me real money on real customer sites. First: /system scheduler add name=cfg-export on-event="/export compact file=daily-$[/system clock get date]" interval=1d burns a config snapshot to the internal flash every 24 hours; combined with a Gitea SFTP pull from my Hetzner box, I have a 90-day rolling history of every device I touch. Second: /tool fetch keep-result=yes url="https://yourbox/script.rsc" + /import script.rsc is how I push templated changes without WinBox. Third: the safe-mode CTRL+X session, every config change inside safe-mode reverts if you disconnect without committing, and it has saved me from a remote-lockout twice this year alone. RouterOS does not get the love that IOS or Junos do in CCIE study groups, but pound-for-pound it is the densest feature surface I have ever shipped in production.

India compliance and deployment notes

MeitY's DPDP Act 2023 is not theoretical for me anymore. every customer I onboard since October 2025 asks where the syslog goes, who can read it, and how long it lives. I run a rsyslog collector on a Hetzner-hosted Ubuntu 24.04 box in Frankfurt, ship MikroTik logs over UDP/514 wrapped in WireGuard, and keep 180 days of retention because that satisfies both DPDP and CERT-In's 2022 directive on log retention. The CERT-In directive's 6-hour breach-notification clock is real; I keep a one-pager taped to the rack at every Bhubaneswar customer site with the CERT-In incident-response email and the SOC's WhatsApp number.

BIS registration for MikroTik gear is the other quiet trap. The cAP ax (RBcAPGi-5HaxD2HaxD) is BIS-registered as of mid-2025, but older cAP-2nDs imported in 2022-2023 are not, and customs at Bengaluru ICD has started seizing grey-market parallel imports. I only buy from MikroTik's official India distributor (Tachyon Technologies or Saharsh Electronics) and keep the BIS R-XX-XXXX certificate PDF in the customer's compliance folder. For BFSI customers, the RBI's 2023 IT Framework circular requires Tier-2/3 data centres to have logged firewall changes, MikroTik's /system history print output is what I export to the auditor, formatted into a CSV with timestamps, usernames, and old/new values. GeM tender pricing for the CRS354-48G-4S+2Q+RM has been INR 1.45L to INR 1.62L through 2026 depending on the bundle; I keep the latest GeM bid on file for any government adjacent customer.

Real-world deployment I did

I built this exact setup at a Vijayawada customer site two days before the GST filing deadline. They were a 60-seat back-office on a Airtel Xstream MPLS handover, running QuickBooks against a Hyderabad-hosted Postgres and bleeding around 4 hours a month to network-layer instability. The MikroTik bill landed at INR 20,000 (roughly USD 241) including the CRS, two cAP ax units, GST, and one spare PSU I always tack on. I rolled the config from a baseline I keep in a Gitea repo, pushed it over SSH with a Python script using netmiko, and burned the controller image to a USB key in case I needed an Etherboot rescue. The PPPoE handoff was the part that bit me: Airtel Xstream's ONT was handing out a /30 with a 1452-byte MTU but advertising no MSS-clamping, and that quietly broke any TLS 1.3 handshake longer than ~1340 bytes. Two hours of /ip firewall mangle rules with action=change-mss new-mss=clamp-to-pmtu later, and the line stabilised. I billed INR 15,000 for the build, INR 5,000 per quarter for the AMC, and signed off at 23:40 with a Maaza in hand.

Extended FAQs

How do I tell if my MikroTik is hitting CPU contention vs switch-chip contention?

Run /system resource monitor and watch the CPU load while the issue is live. If CPU sits under 30% and traffic still stutters, you are on the switch-chip side, typical for the CRS3xx series with VLAN-filtering enabled but TX queues exhausted. If CPU sits over 70%, you are bleeding control-plane cycles: fast-path is off, fasttrack-connection is missing, or you are firewalling every packet on the CPU. Move the bridge to switch-chip offload (/interface bridge vlan-filtering=yes + /interface bridge port hw=yes) and the CPU drops by 60-80% on a typical CRS326.

Why does my PPPoE link reconnect every 90 minutes on BSNL FTTH?

BSNL's BNG enforces a 90-minute or 24-hour session timer depending on the city POP; mine in Tirupati is 90 minutes. The fix is not on your side. accept that the session will renegotiate. What you can fix is the MSS-clamp rule so the renegotiation does not drop in-flight TLS sessions. Set /ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=clamp-to-pmtu passthrough=yes on both the pppoe-out1 and the inbound LAN interface.

Is the cAP ax really gigabit on its uplink, or is the radio the bottleneck?

The uplink is gigabit copper, full duplex. The 5 GHz radio is 1201 Mbps PHY rate at 80 MHz channel width, which translates to roughly 700-800 Mbps of real-world throughput at 2-3 metres line-of-sight, and 350-450 Mbps at 8-10 metres through one wall. I have measured this on iPerf3 against a wired client and a MacBook Pro M3, three different deployments. The 2.4 GHz radio is what it has always been: 200-280 Mbps peak, 80-130 Mbps in practice. Plan capacity around the 5 GHz number.

Can I run BGP on a CRS112?

You can, RouterOS exposes the BGP stack on every license tier: but you should not in production. The CRS112's CPU (400 MHz Atheros AR9344) will choke on the BGP scanner thread once your RIB crosses ~2000 routes, which is well below a single full table. Use it for iBGP with a default-only ISP handoff, never for full tables. The CCR1009 is my floor for any session that is going to take a default-route-plus-customer-routes feed.

What is the realistic AMC pricing for a 4-router, 8-switch, 12-AP MikroTik fleet in India?

I charge INR 9,500 per month for that footprint with 8x5 phone/WhatsApp support, monthly config-drift report, RouterOS upgrade windows quarterly, and one onsite per quarter included. 24x7 with 4-hour onsite is INR 22,000 per month. Spare-part replacement from my own stock is INR 2,500-INR 18,000 depending on the part, billed at the time of swap, refunded if the original RMAs through Tachyon Technologies under 30 days.