MikroDash
Real-time MikroTik RouterOS v7 dashboard. Streams live CPU, traffic, wireless clients, DHCP, WireGuard, firewall & geo connection data direct from the router API to your browser via Socket.IO. Self-hosted, Docker-ready
Install / Use
/learn @SecOps-7/MikroDashREADME
MikroDash
The Ultimate MikroTik RouterOS Dashboard.
Real-time MikroTik RouterOS v7 dashboard — streaming binary API, Socket.IO, Docker-ready.
MikroDash connects directly to the RouterOS API over a persistent binary TCP connection, streaming live data to the browser via Socket.IO. No page refreshes. No agents. Just plug in your router credentials and go.
Screenshots
Dashboard
Connections
Connections Map
Wireless Clients
Router Interfaces
DHCP Leases
VPN / WireGuard
Firewall
Routing
Bandwidth
Logs
Features
Dashboard
- Live traffic chart — per-interface RX/TX Mbps with configurable history window
- System card — CPU, RAM, Storage gauges with colour-coded thresholds (amber >75%, red >90%), board info, temperature, uptime chip
- RouterOS update indicator — shows installed vs available version side by side
- Network card — animated SVG topology diagram with live wired/wireless client counts, WAN IP, LAN subnets, and latency chart
- Connections card — total connection count sparkline, protocol breakdown bars (TCP/UDP/ICMP), top sources with hostname resolution, top destinations with geo-IP country flags and click-to-filter
- Top Talkers — top 5 devices by active traffic with RX/TX rates
- WireGuard card — active peers sorted by most recent handshake, limited to a configurable Top N (default 5)
- Multi-router switcher — monitor multiple MikroTik routers from one dashboard instance; switch between them via the dropdown in the page header with no restart or page refresh required
Pages
| Page | Description |
|---|---|
| Wireless | Signal Health and Band Split summary cards; clients grouped by interface with signal quality, band pill (2.4 / 5 / 6 GHz), IP, TX/RX rates, and sortable columns |
| Interfaces | Physical Ports card (RJ-45 port visualiser, colour-coded by state) and Interface Types card (count by type); all interfaces as compact tiles with status, IP, live rates, cumulative RX/TX totals, and per-card traffic trend sparkline |
| DHCP | Subnet utilisation card with per-network lease counts, pool sizes, and colour-coded progress bars; IP Utilisation gauge driven live from the lease stream; active lease table with hostname, IP, MAC, and status; sortable columns |
| VPN | Summary stats bar (Total / Connected / Idle / Throughput); all WireGuard peers as tiles sorted active-first, with colour-coded handshake age badge, live RX/TX rates, allowed IPs, and endpoint |
| Connections | World map with animated arcs to destination countries, per-country protocol breakdown, sparklines, top ports panel, and click-to-filter by country |
| Firewall | Rule Counts, Action Breakdown, and Total Hits summary cards; search bar; Top Hits, Filter, NAT, Mangle, and Raw rule tables with packet counts, byte totals, and live delta-pulse indicators |
| Bandwidth | Live per-connection bandwidth table with RX, TX, and Total Mbps; sortable columns; WAN traffic chart; ASN/Org colour-coded badges; interface and protocol filters |
| Routing | Route count summary by protocol with doughnut chart (total displayed in chart centre); static and dynamic route table (event-driven via /ip/route/listen); BGP peer table with state badges, prefix trend sparklines, and session flap detection (event-driven via /routing/bgp/session/listen) |
| Logs | Live router log stream with severity filter and text search |
| Settings | Persistent UI configuration — see below |
Notifications
- Bell icon in topbar opens an alert history panel showing the last 50 alerts with timestamps
- Browser push notifications (when permitted) for:
- Interface down / back up
- WireGuard peer disconnected / reconnected
- CPU exceeds 90% (1-minute cooldown)
- 100% ping loss to ping target
⚠️ Security Notice
MikroDash is designed to run on your local network only. It has no built-in HTTPS or role-based access control.
Do not expose MikroDash directly to the internet. Doing so would allow anyone to:
- View live data from your router (traffic, clients, connections, firewall rules, logs)
- Read your WAN IP, LAN topology, and connected device information
- Monitor your network activity in real time
If you need remote access, place MikroDash behind an authenticating reverse proxy (such as Nginx with Basic Auth, Authelia, or Cloudflare Access) or access it exclusively over a VPN.
Recommended local hardening:
- Set a dashboard username and password in the Settings page (HTTP Basic Auth)
- Run on a non-default port and bind to your LAN interface only
- Set
chmod 600 .envto protect your router credentials - Use a dedicated read-only API user on the router (see RouterOS Setup below)
- Set
DATA_SECRETin your.envto a long random string to protect encrypted credentials insettings.jsonandrouters.json
Quick Start
Option 1 — Docker Hub / GHCR (recommended)
Pull and run the pre-built image directly — no need to clone the repo:
docker pull ghcr.io/secops-7/mikrodash:latest
The image is built automatically by GitHub Actions on every push to main and on version tags. It is published as a multi-arch manifest covering linux/amd64 and linux/arm64. Docker will automatically pull the correct layer for your platform — this includes Raspberry Pi 4/5, MikroTik's own R5S/RB5009 companion boards, and Apple M-series machines running Linux containers.
To pin to a specific release:
docker pull ghcr.io/secops-7/mikrodash:0.5.22
Create your .env file:
curl -o .env https://raw.githubusercontent.com/SecOps-7/MikroDash/main/.env.example
# Edit .env — set ROUTER_HOST, ROUTER_USER, ROUTER_PASS at minimum
Run with Docker Compose — create a docker-compose.yml:
services:
mikrodash:
image: ghcr.io/secops-7/mikrodash:latest
restart: unless-stopped
env_file: .env
ports:
- "3081:3081"
volumes:
- mikrodash-data:/data
volumes:
mikrodash-data:
docker compose up -d
Option 2 — Build from source
git clone https://github.com/SecOps-7/MikroDash.git
cd MikroDash
node patch-routeros.js
cp .env.example .env
# Edit .env — set ROUTER_HOST, ROUTER_USER, ROUTER_PASS at minimum
docker compose up -d
To build a multi-arch image locally (requires Docker Buildx):
docker buildx build --platform linux/amd64,linux/arm64 -t mikrodash:local --load .
- Dashboard:
http://localhost:3081 - Health check:
http://localhost:3081/healthz(200only after startup completes and RouterOS is connected)
Source builds require the bundled node-routeros compatibility patch. If startup reports a missing patch marker, run node patch-routeros.js again before launching MikroDash.
For a production-style deployment on an external Docker host such as an R5S that connects to a MikroTik hEX S over the RouterOS API, see docs/deploy-r5s.md and the ready-to-copy files in deploy/r5s/.
Settings
Most configuration is managed through the Settings page in the UI (gear icon at the bottom of the sidebar). Settings are saved to /data/settings.json on the Docker volume and persist across container restarts.
| Section | What you can configure | |---|---| | Routers | Add, edit, and delete router connections. Each entry stores host, port, username, password (encrypted), TLS options, WAN interface, and ping target. A Test Connection button validates credentials before saving. The active router is selected from the dropdown in the page header | | Dashboard Auth | HTTP Basic Auth username and password for the dashboard itself | | Poll Intervals | Per-collector polling intervals — changes apply immediately without restart. Includes sliders for Firewall (counter poll) and VPN (counter poll). Streamed collectors (Interfaces, ARP, Routing) show an Event-driven badge instead of a slider | | Limits | Top N values for connections, talkers, firewall rules, and VPN dashboard peers; max connection rows; traffic history window | | Alert Thresholds | CPU alert threshold (%) and ping loss alert (%) for browser notifications | | Visible Pages | Toggle individual pages on/off — hidden pages are removed from the sidebar instantly |
Settings values from .env are used as the initial defaults if no settings.json exists yet, so existing deployments upgrade seamlessly.
Credential encryption
Router and dashboard passwords are encrypted at rest using AES-256-GCM. Router credentials are stored in /data/routers.json and the dashboard password in /data/settings.json — both use the same DATA_SECRET-derived key. Set DATA_SECRET in your .env to a long random string to tie the encryption key to your deployment:
DATA_SECRET=your-long-random-secret-here
If DATA_SECRET is not set, a built-in default is used — not recommended for production.
RouterOS Setup
Create a read-only API user (recommended):
/ip service set api port=8728 disabled=no
/user group add name=mikrodash policy=read,api,test,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!winbox,!web,!sniff,!sensitive,!romon,!rest-api
/user add name=mikrodash group=mikrodash password=your-secure-password
Enabling TLS (API-SSL)
MikroDash supports encrypted connections to the RouterOS API over api-ssl (default port 8729). You can use a self-signed certificate — no external CA or purchased certificate is required.
Step 1 — Enable the API-SSL service
/ip/serv
