Automating MikroTik with Ansible: A Step-by-Step Guide

Introduction

Network automation is rapidly transforming the way enterprise networks are managed. The repetitive manual tasks of configuring devices can lead to human error and inconsistencies across your infrastructure. Integrating MikroTik devices with Ansible is a game changer—enabling you to deploy configuration changes consistently, reduce downtime, and scale operations with ease.

This article is tailored for network engineers and systems administrators who want to learn how to automate MikroTik RouterOS with Ansible. We cover everything from basic setups to advanced automation strategies, complete with real-world configuration examples.

Understanding the Basics

What is MikroTik?

• MikroTik RouterOS: A Linux-based operating system that powers MikroTik devices. It’s known for its flexibility, cost-effectiveness, and robust feature set.
• Key Features: Includes routing, firewalling, VPN, and wireless management at a fraction of the cost of other vendors.

What is Ansible?

• Ansible: An agentless automation tool that uses simple YAML files (playbooks) to configure devices and orchestrate tasks across your infrastructure.
• Benefits: Idempotence, simplicity, and scalability make Ansible a preferred choice for network automation.

By combining the power of MikroTik with the flexibility of Ansible, you can achieve consistent and repeatable configurations across large-scale enterprise networks.

Prerequisites and Environment Setup

Technical Prerequisites

• Basic knowledge of Linux and networking fundamentals.
• Working MikroTik devices with RouterOS (either physical or virtual).
• Ansible installed on a control node (Linux server or workstation).

Installing and Configuring Ansible

Install Ansible using your package manager. For example, on Ubuntu:

sudo apt update
sudo apt install ansible

After installation, verify it with:

ansible --version

Preparing Your MikroTik Device

Ensure your MikroTik device is accessible via SSH or API:

• Update RouterOS to the latest firmware.
• Create an administrative account dedicated to automation (e.g., ansible with full privileges).
• Enable SSH and configure necessary firewall rules to permit management access.

Example MikroTik commands:

/user add name=ansible group=full password=YourStrongPassword
/ip address add address=10.15.30.53/24 interface=ether1 comment="Management"

Creating an Inventory and Ansible Playbooks

Building Your Ansible Inventory

Create a simple inventory file (inventory) with your MikroTik device details:

[mikrotik]
routeros-01 ansible_host=10.15.30.53

[mikrotik:vars]
ansible_user=ansible
ansible_connection=network_cli
ansible_network_os=routeros
ansible_ssh_pass=YourStrongPassword

Writing Your First Playbook

Below is a simple playbook (setup.yml) that configures the hostname on your MikroTik:

---
- name: Configure MikroTik Device
  hosts: mikrotik
  gather_facts: false
  tasks:
    - name: Set hostname
      routeros_command:
        commands:
          - /system identity set name="{{ inventory_hostname }}"

This playbook uses the routeros_command module to send raw RouterOS commands to your device.

Step-by-Step Automation Process

In this section, we’ll cover how to automate common MikroTik tasks using Ansible. Below, you’ll find detailed examples for configuring interfaces, setting up IP addresses, and applying firewall rules.

Configuring Interfaces and IP Addresses

Use a playbook to configure interfaces. For example, to add a management IP address:

- name: Configure management IP address
  routeros_command:
    commands:
      - /ip address add interface=ether1 address=10.15.30.53/24 comment="Management"

You can loop through multiple interfaces using with_items or loop if you manage a large network:

- name: Configure multiple interfaces
  routeros_command:
    commands:
      - /ip address add interface={{ item.iface }} address={{ item.address }} comment="{{ item.desc }}"
  loop:
    - { iface: "ether1", address: "10.15.30.53/24", desc: "Management" }
    - { iface: "vlan104", address: "10.100.104.253/24", desc: "To netsvr" }

Setting Up Firewall Rules

Stateful firewall rules on MikroTik can be automated as well. For instance, here’s how to create a basic logging rule:

- name: Configure logging firewall rule
  routeros_command:
    commands:
      - /system logging add action=memory topics=system,info prefix="{{ inventory_hostname }}"

Deploying and Testing Playbooks

After creating your playbooks, deploy them with the ansible-playbook command:

ansible-playbook -i inventory setup.yml

Always verify the changes by logging into your MikroTik device and reviewing the applied configuration:

/system identity print
/ip address print

Troubleshooting and Best Practices

Even with automation, you may occasionally run into issues. Below are some troubleshooting tips and best practices to ensure your playbooks run smoothly:

Debugging Your Playbooks

• Use the debug module: Add a task to print variable values or messages during playbook execution.

  - name: Debug variable
    debug:
      msg: "The management IP is {{ management_ip }}"

• Increase verbosity: Run playbooks with -vvv to get detailed output that can help pinpoint issues.
• Check connectivity: Use ansible -m ping all to ensure your devices are reachable.

Ensuring Idempotence

Idempotence means running the same playbook multiple times produces the same result. Since RouterOS commands can be non-idempotent, use conditional logic (like find with filters) to check configuration before applying changes:

- name: Remove existing IP configuration if present
  routeros_command:
    commands:
      - /ip address remove [find where address="10.15.30.53/24"]

This approach avoids creating duplicate configurations and ensures your playbooks remain predictable.

Security and Compliance

• Store sensitive variables (passwords, keys) in Ansible Vault to protect your credentials.
• Apply role-based access control to limit who can execute critical playbooks.
• Ensure your automation scripts use secure channels (SSH/HTTPS) when connecting to devices.

Conclusion and Next Steps

Automating MikroTik devices with Ansible can greatly enhance your network’s efficiency and reliability. This guide has walked you through the essential steps—from understanding the basics and setting up your environment to writing playbooks and troubleshooting issues.

Key Takeaways:

• Automation reduces human error and improves configuration consistency.
• Ansible’s agentless approach makes it an excellent tool for managing diverse network devices.
• Using loops, conditionals, and proper error handling can create idempotent, repeatable playbooks for MikroTik RouterOS.

As you become more comfortable with Ansible, consider expanding your playbooks to cover advanced tasks such as:

• Integrating with network inventory systems (e.g., NetBox) to automatically generate device variables.
• Automating backup and recovery processes for device configurations.
• Implementing continuous compliance checks to ensure network security.

Begin by testing small changes, then scale your automation gradually across your network. Remember to document your playbooks and share your success stories with the community!

Additional Resources

To further expand your network automation skills, check out the following resources:

• MikroTik Wiki – Official documentation for RouterOS commands and features.
• Ansible for Network Automation – Comprehensive documentation on using Ansible with network devices.
• Ansible Getting Started Guide – Learn the fundamentals of Ansible and how to write playbooks.
• YouTube Tutorials – Search for MikroTik and Ansible tutorials for practical demonstrations.
• Ansible Blog – Stay updated with the latest trends and best practices in automation.

Engage with the community on forums such as r/mikrotik to share ideas and ask questions.