MikroTik: Safe Mode – CLI, WinBox & WebFig

When setting up a network device, there is always a chance to lose a communication with it due to applying an incorrect configuration.

If you are far away from the device, this can be especially bad 😱.

Lucky owners of MikroTik routers can minimize such risks by using a safe mode feature.

From this note you will find out what is the MikroTik safe mode feature, how to use it and how to change the default timeout.

Cool Tip: A default MikroTik firewall config for dummies! Read more →

MikroTik: Safe Mode

Changes made to the MikroTik router after the safe mode is activated, won’t be saved unless you quit the safe mode manually.

If the connection to the router is dropped unexpectedly, any changes that were made in the safe mode will be reverted within 10 minutes, by default.

⚠️ Change Configuration by Small Chunks! Currently MikroTik keeps a history of up to 100 most recent actions. If more actions are executed while being in the safe mode, the changes couldn’t be automatically undone. The best is to change the configuration by small chunks (enter the safe mode → make a small change → exit the safe mode to empty the action list → enter the safe mode again, and so on).


To enter the safe mode in a WinBox, hit the Safe Mode button at the top left:

The pressed Safe Mode button means that the MikroTik router is in the safe mode.

To exit the safe mode, unpush the Safe Mode button.

In a WebFig, the safe mode can be enabled or disabled from the menu on the left:

Command-Line Interface

To enter the safe mode in a command-line interface (CLI) of the MikroTik router, press the Ctrl + X keyboard shortcut.

To exit the safe mode and permanently save the changes, press the Ctrl + X keyboard shortcut once again, for example:

[admin@MikroTik] > Ctrl + X
[Safe Mode taken]
[admin@MikroTik] > <SAFE> /ip firewall filter add action=drop chain=input
[admin@MikroTik] > Ctrl + X
[Safe Mode released]

If you made a change that caused a disconnection of your session to the router, whatever changes were made in the safe mode, they will be rolled back within 10 minutes, which should let you get back in to the router.

The time to rollback depends on the generic-timeout TCP connection setting:

[admin@MikroTik] > /ip firewall connection tracking print
- sample output -
                   enabled: auto
      tcp-syn-sent-timeout: 5s
  tcp-syn-received-timeout: 5s
   tcp-established-timeout: 1d
      tcp-fin-wait-timeout: 10s
    tcp-close-wait-timeout: 10s
      tcp-last-ack-timeout: 10s
     tcp-time-wait-timeout: 10s
         tcp-close-timeout: 10s
   tcp-max-retrans-timeout: 5m
       tcp-unacked-timeout: 5m
        loose-tcp-tracking: yes
               udp-timeout: 10s
        udp-stream-timeout: 3m
              icmp-timeout: 10s
           generic-timeout: 10m
               max-entries: 950272
             total-entries: 20

If you want the safe mode to rollback faster, you can temporary decrease the generic-timeout setting, for example, to 1 minute:

[admin@MikroTik] > /ip firewall connection tracking set generic-timeout=00:01:00

Cool Tip: Factory reset of a MikroTik router! Read more →

Was it useful? Share this post with the world!

Leave a Reply