How to add MikroMCP to Windsurf
Production-grade MCP server for MikroTik RouterOS — 117 typed, auditable tools for safe AI-native network automation. Paste the config into ~/.codeium/windsurf/mcp_config.json and restart Windsurf.
Last updated June 14, 2026 · 35★ · stdio · no auth
Windsurf config for MikroMCP
npm install -g mikromcp{
"mcpServers": {
"mikromcp": {
"command": "mikromcp",
"args": [
"serve"
],
"env": {
"MIKROMCP_CONFIG_PATH": "/absolute/path/to/config/routers.yaml",
"ROUTER_CORE01_USER": "mcp-api",
"ROUTER_CORE01_PASS": "your-router-password"
}
}
}
}Setup steps
- 1Open Windsurf → Cascade → the hammer/MCP icon → Configure (or edit ~/.codeium/windsurf/mcp_config.json).
- 2Paste the MikroMCP config below.
- 3Fill in placeholder secrets, then save.
- 4Click Refresh in the MCP panel.
- 5MikroMCP's tools become available to Cascade.
Before you start
- Node.js >= 22
- MikroTik RouterOS 7.x with the REST API enabled
- A least-privilege RouterOS user with the required policies
- A config/routers.yaml router registry with matching ROUTER_*_USER / ROUTER_*_PASS environment variables
What MikroMCP can do in Windsurf
get_system_statusCPU load, memory, uptime, firmware version, and router identity in one call.
get_system_clockRead the current date, time, and timezone from the router.
set_system_clockSet the system date, time, and/or timezone (idempotent; returns already_set when no change is needed).
rebootTrigger a controlled router reboot with an optional delay (0–3600 seconds). Destructive.
run_commandExecute an arbitrary RouterOS console command via SSH, guarded by a configurable allow/deny policy and a built-in deny list. Requires the ssh policy.
list_packagesList installed RouterOS packages with version and enabled status.
manage_packageEnable or disable a RouterOS package (takes effect after reboot; no-op if already in target state).
get_upgrade_statusCheck available RouterOS/firmware upgrades, current channel, and routerboard firmware versions.
Security
MikroMCP controls real network devices — treat it like an operations system: use least-privilege RouterOS users, verified TLS (or pinned fingerprints), store credentials only in ~/.mikromcp/.env, use scoped RBAC identities, and enable audit logging for shared use. Write tools support dryRun previews; destructive operations (reboot, run_command) are guarded by allow/deny policies and confirmation gates. Requires Node.js >= 22 and RouterOS 7.x with the REST API enabled.
MikroMCP + Windsurf FAQ
Where is the Windsurf config file?
Windsurf reads MCP servers from ~/.codeium/windsurf/mcp_config.json. Paste the MikroMCP config there under the "mcpServers" key and restart the client.
Is MikroMCP safe to use with Windsurf?
MikroMCP controls real network devices — treat it like an operations system: use least-privilege RouterOS users, verified TLS (or pinned fingerprints), store credentials only in ~/.mikromcp/.env, use scoped RBAC identities, and enable audit logging for shared use. Write tools support dryRun previews; destructive operations (reboot, run_command) are guarded by allow/deny policies and confirmation gates. Requires Node.js >= 22 and RouterOS 7.x with the REST API enabled.
What is MikroMCP?
An open-source Model Context Protocol server that exposes MikroTik RouterOS as 117 typed, auditable tools, letting AI assistants inspect, diagnose, and safely operate routers in natural language instead of improvising CLI commands.
How is it different from the RouterOS REST/API?
The RouterOS REST/API exposes raw endpoints. MikroMCP wraps them in schema-validated, idempotent, dry-run-able tools with RBAC, audit logging, snapshots, and rollback — the safety layer an LLM needs before touching production gear.
How is it different from SSH automation?
Instead of brittle SSH scripts that screen-scrape CLI output, MikroMCP returns structured, typed results with confirmation gates and per-router circuit breakers. SSH is used only where REST can't reach — ping, traceroute, torch, and guarded run_command.