Skip to content
MKController

Fix MikroTik Backup Errors on MKController

Summary This guide covers the 3 most common reasons MikroTik devices fail to generate backups in MKController: the MKController user account is disabled, the API service port is closed, or a firewall rule is blocking MKController access. Each issue includes step-by-step resolution instructions and ends with the option to rerun the adoption script to restore all required configurations automatically.

Why Do MikroTik Backups Fail in MKController?

MKController creates daily binary backups by communicating with your MikroTik device over the API service through the VPN tunnel. If any of three conditions are not met — the MKController user is active, the API port is accessible, and the MKController firewall rule is in place — backup generation will fail silently or return an error.

Work through the three checks below in order.

Check 1: Is the MKController User Account Enabled?

The adoption script creates a dedicated user account on your MikroTik (identifiable by its UUID-style name). If this account is disabled or deleted, MKController cannot authenticate to the device.

  1. Log in to your MikroTik via WebFig or Winbox.

  2. Go to System → Users.

    System Users menu in MikroTik

  3. Look for the user with a UUID-style name (created by MKController). If it is disabled, enable it.

    Enable MKController user account in MikroTik System Users

Check 2: Are the API Service Ports Open and Accessible?

MKController uses the RouterOS API port to create backups. If the port is disabled or has an IP filter that excludes the VPN gateway address (10.8.0.1), backups will fail.

  1. Log in to your MikroTik via WebFig or Winbox.

  2. Go to IP → Services.

    IP Services menu in MikroTik

  3. Verify that the api port is enabled. If it is disabled, enable it.

    API port enabled in MikroTik IP Services

  4. If the Available From filter is configured, verify that 10.8.0.1 is listed. Add it if missing, or disable the filter to allow access from all VPN addresses.

    Available From filter in MikroTik IP Services — add 10.8.0.1

Check 3: Is the MKController Firewall Rule Present and Active?

The adoption script creates a firewall rule named “MKController” that accepts traffic from 10.8.0.1. If this rule was deleted, disabled, or moved below a drop rule, MKController cannot reach the device.

  1. Log in to your MikroTik via WebFig or Winbox.

  2. Go to IP → Firewall.

    IP Firewall menu in MikroTik

  3. Find the rule named MKController. It must be:

    • Enabled (not disabled/greyed out).
    • Positioned above any drop or reject rules in the input chain.

    MKController firewall rule enabled and at top of input chain

If the rule is missing, rerun the adoption script (see below) to restore it.

Still Failing? Rerun the Adoption Script

If all three checks pass and backups are still failing, rerunning the adoption script will restore all MKController configurations on the device automatically.

  1. In MKController, find the device and click View More.

    View More button on device card in MKController

  2. Select Device Configuration from the device menu.

    Device Configuration menu option in MKController

  3. In the Adoption Script section, copy the script.

    Copy adoption script from Device Configuration in MKController

  4. Run the copied script on the MikroTik device via WebFig, Winbox, or SSH. See the Onboarding guide for instructions.

Preventing Backup Failures Before They Happen

Most backup failures occur when someone on the team modifies MikroTik configuration without realizing the impact on MKController’s access. The most common causes:

  • Deleting or disabling the MKController user — happens when a technician cleans up “unused” accounts on the router
  • Blocking port 8728 in the firewall — happens when a hardening script disables all API access for security
  • Moving the firewall accept rule below a drop rule — happens during firewall reorganization

To prevent future failures, consider adding a note or label to the MKController user and firewall rule in Winbox/WebFig, so team members know not to modify them.

What Does MKController Use to Create Backups?

Understanding the technical flow helps diagnose edge cases:

  1. MKController communicates with the device over the encrypted VPN tunnel (interface ovpn-MKController, gateway 10.8.0.1).
  2. It authenticates to the RouterOS API service on port 8728 using the MKController user credentials.
  3. It issues the /system backup save and /export compact commands to generate the backup files.
  4. The files are retrieved over the same API connection and stored in MKController’s cloud.

If any step in this chain fails — tunnel down, user disabled, API blocked, firewall drop — the backup will not complete.

Frequently Asked Questions

How do I know if backups are currently failing for a device? In MKController, open the device and look at the Backups section. If the most recent backup timestamp is more than 48 hours old (allowing for timezone variation), a failure has likely occurred. Check the device status and run through the three checks above.

Does a rerun of the adoption script affect my current RouterOS configuration? No. The adoption script only creates or repairs MKController-specific elements: the MKController user account, the VPN tunnel configuration, and the firewall accept rule. It does not modify your existing firewall rules, routing, IP addresses, or any other configuration.

Can I disable the RouterOS API after adoption without breaking MKController? No. MKController requires the RouterOS API (port 8728) to be accessible from 10.8.0.1 to create backups and execute management commands. Disabling the API breaks backup generation and remote configuration.

If the issue persists after all checks and a script rerun, contact MKController support on WhatsApp. Our team can review the device logs and help diagnose edge cases.