Import Routes on MikroTik via .rsc Script

MikroTik RouterOS can import .rsc script files containing native routing commands — and NetRoute Pro generates that format directly. Just download the script, upload it to the router, and import it in the terminal. No manual entry, no copy-pasting dozens of commands.

Command Syntax

Syntax:

/ip route add dst-address=<CIDR> gateway=<GATEWAY> distance=1

Example:

/ip route add dst-address=1.1.1.0/24 gateway=wg-out distance=1

NetRoute Pro generates these commands as a .rsc file imported via /import file=routes.rsc in the terminal.

RouterOS version notes: Examples below assume a relatively recent RouterOS — commands may need adjusting for your exact version.

Prerequisites

Step 1. Generate a .rsc file in NetRoute Pro

  1. Open the target website in Chrome
  2. Click the NetRoute Pro icon in your extensions
  3. Select the MikroTik platform
  4. Set the gateway to your VPN interface name (e.g. wg-out, ovpn-out, l2tp-out1) — recommended form. The interface-name form works regardless of how the VPN provider assigns the peer IP. Using a gateway IP (10.0.0.1) only works when that IP is “directly reachable”; for typical commercial WireGuard setups (Mullvad, ProtonVPN, IVPN) the peer is assigned a /32 and an IP-form gateway will fail with gateway not directly reachable.
  5. Choose aggregation mask (recommended /24)
  6. Click Analyze Website
  7. Download the result as a .rsc file

Tip: enable RIPE BGP optimization in the extension — it replaces individual IPs with real announced BGP prefixes. This gives stable routes that don’t break when Cloudflare, Fastly, or other CDNs rotate IPs. Caveat: RIPE BGP returns all prefixes announced by the destination AS — for multi-tenant CDNs (Cloudflare AS13335, AWS AS16509, DigitalOcean AS14061) that’s tens of thousands of IPs covering unrelated sites. Use BGP optimization for single-tenant ASes; keep plain /24 CIDR aggregation for shared CDNs.

Step 2. Upload the file to MikroTik

There are two common ways to get the .rsc file onto the router:

Step 3. Import the script in the terminal

Open Terminal in WinBox (or connect via SSH) and run:

/import file-name=routes.rsc

All commands from the file execute sequentially. Routes are applied instantly — usually within a second even for hundreds of entries.

A generated .rsc file looks like this:

/ip route add dst-address=104.21.32.0/24 gateway=wg-out
/ip route add dst-address=172.67.182.0/24 gateway=wg-out

Replace wg-out with the actual name of your VPN interface (visible in /interface print).

Why this is convenient: /import is a native RouterOS mechanism — it respects your existing configuration, logs every action, and rolls back cleanly on syntax errors. No third-party scripts or packages required.

Alternative: Address Lists + Routing Rules

For more flexible, policy-based routing, you can push the IP set into a firewall address list and apply a routing rule against it instead of installing individual static routes:

  1. Generate the script with NetRoute Pro, then edit the .rsc so each line uses the address-list form:
    /ip firewall address-list add list=vpn-routes address=104.21.32.0/24
    /ip firewall address-list add list=vpn-routes address=172.67.182.0/24
  2. Add a routing rule that sends traffic matched against the list into a dedicated routing table:
    /ip route rule add src-address-list=vpn-routes action=lookup table=vpn
  3. Populate the vpn table with a default route through your VPN gateway

This pattern keeps the main routing table clean and scales well across hundreds of prefixes.

Alternative: WireGuard AllowedIPs

If your VPN is WireGuard, you can skip static routes entirely and push the subnets into the peer's AllowedIPs:

  1. In NetRoute Pro, select the WireGuard platform
  2. Copy the AllowedIPs string
  3. Apply it on MikroTik:
    /interface/wireguard/peers/set [find] allowed-address=...

DNS leak — required reading

Static routes on RouterOS forward traffic by IP. They do not route DNS. A LAN client still asks the router’s DNS service (which by default forwards to your ISP) for example.com — only the resulting IP traffic goes through the VPN. The ISP sees which sites are visited even though the data is encrypted.

Three options, by threat model:

  1. Hide DNS from ISP fully (split-DNS). Force the router’s DNS service to use your VPN provider’s internal resolver:
    /ip dns set servers=10.0.0.1 allow-remote-requests=yes
    For only specific domains via VPN-side resolver, use static DNS rules:
    /ip dns static add type=FWD name=example.com forward-to=10.0.0.1
  2. Reduce ISP visibility (DoH). RouterOS 7+ supports DoH natively:
    /ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
    Replace with AdGuard (https://dns.adguard-dns.com/dns-query) or Quad9 (https://dns.quad9.net/dns-query) if preferred. RouterOS 6 has no native DoH — either upgrade or accept the leak.
  3. Accept the leak. Default behaviour — only the data path is encrypted.

Verify from a LAN client at dnsleaktest.com. On the router, check active DNS state with /ip dns print and the cache with /ip dns cache print.

IPv6 dual-stack bypass

/ip route is IPv4-only. RouterOS handles IPv6 via /ipv6/route. If a destination has an AAAA record (most modern sites do), LAN clients prefer IPv6 and the request goes through your ISP’s IPv6 default route — bypassing the VPN.

Two fixes:

Verify

After import, check that the routes are in the table:

/ip route print where dst-address~"104.21"

From a LAN client, confirm the traffic goes through the VPN:

tracert example.com     # Windows
traceroute example.com  # Linux/macOS

The first hops should go through your VPN gateway.
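
The traceroute check covers one address at a time. The added example below (not part of NetRoute Pro or RouterOS) takes every address a LAN client resolved for a site and reports which ones the imported routes actually cover, including the AAAA answers that /ip route never matches. The function names are assumptions of this example, and the resolver answers are constructed so it runs offline.

```python
import ipaddress
import re
import socket

DST = re.compile(r"\bdst-address=(\d+\.\d+\.\d+\.\d+/\d+)")

def routed_networks(rsc_text):
    """IPv4 prefixes named by dst-address= in a .rsc route script."""
    return [ipaddress.ip_network(m, strict=False) for m in DST.findall(rsc_text)]

def resolve(host):
    """A and AAAA answers as seen by this client (needs network access)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def classify(addresses, networks):
    """Map each resolved address to how the imported routes treat it."""
    result = {}
    for text in addresses:
        addr = ipaddress.ip_address(text)
        if addr.version == 6:
            # /ip route is IPv4-only, so no imported route can match this.
            result[text] = "bypass: IPv6, outside /ip route"
        elif any(addr in net for net in networks):
            result[text] = "via VPN"
        else:
            result[text] = "bypass: no matching IPv4 route"
    return result

# Route lines in the format shown on this page.
RSC = """/ip route add dst-address=104.21.32.0/24 gateway=wg-out
/ip route add dst-address=172.67.182.0/24 gateway=wg-out
"""
# Constructed answers standing in for resolve("example.com").
ANSWERS = ["104.21.32.10", "172.67.183.4", "2001:db8::10"]

if __name__ == "__main__":
    for addr, verdict in classify(ANSWERS, routed_networks(RSC)).items():
        print(f"{addr:20} {verdict}")
```

To check a real site, pass resolve("example.com") instead of ANSWERS from a machine on the LAN.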

Common issues

Import fails with a syntax error

Most often this means the .rsc wasn't downloaded completely, or the browser saved an HTML error page under the .rsc extension. Open the file in a text editor — every line should start with /ip route add (or another RouterOS command). Re-download if needed.
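
The manual check above can be automated before upload, since /import executes whatever commands the file contains. The following is an added example (not NetRoute Pro or MikroTik code): a strict linter that accepts only /ip route add lines in the two forms shown on this page, rejects anything else such as an HTML error page or a chained command, and flags prefixes broader than a chosen length, which is the multi-tenant CDN caveat from Step 1. The function name, the parameter allowlist and the /16 default threshold are assumptions of this example.

```python
import ipaddress
import re

ROUTE_MENU = "/ip route"
ALLOWED = {"dst-address", "gateway", "distance", "comment"}
PARAM = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
GATEWAY = re.compile(r"[A-Za-z0-9_.-]+$")   # interface name or IPv4 address

def lint_rsc(text, min_prefix=16):
    """Return (line_number, problem) pairs; an empty list means clean."""
    problems, menu = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rest = line[4:] if line.startswith("add ") else ""
        if line.startswith("/"):                 # menu named on this line
            menu, _, rest = line.partition(" add ")
            if menu == ROUTE_MENU and not rest:
                continue                         # bare "/ip route" sets context
        if menu != ROUTE_MENU or not rest:
            problems.append((n, "not an /ip route add command"))
            continue
        params = dict(PARAM.findall(rest))
        bad = PARAM.sub("", rest).strip() or set(params) - ALLOWED
        if bad or not GATEWAY.match(params.get("gateway", "")):
            problems.append((n, "unexpected token, parameter or gateway"))
            continue
        try:
            net = ipaddress.IPv4Network(params.get("dst-address", ""))
        except ValueError:
            problems.append((n, "dst-address is not a clean IPv4 network"))
            continue
        if net.prefixlen < min_prefix:
            problems.append((n, f"{net} is broader than /{min_prefix}"))
    return problems

SAMPLE = """# constructed sample input, not output from NetRoute Pro
/ip route add dst-address=104.21.32.0/24 gateway=wg-out distance=1
/ip route
add dst-address=172.67.182.0/24 gateway=wg-out
add dst-address=172.67.182.5/24 gateway=wg-out
add dst-address=0.0.0.0/0 gateway=wg-out
add dst-address=1.1.1.0/24 gateway=wg-out; /system reboot
<html><body>404 Not Found</body></html>
"""

if __name__ == "__main__":
    print(*lint_rsc(SAMPLE), sep="\n")
```

Pass min_prefix=24 to enforce the /24 aggregation recommended in Step 1; extend ROUTE_MENU handling yourself if you use the address-list form.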

Routes added but traffic doesn't route through VPN

Website IP changed — route stopped working

CDNs rotate IPs periodically. Regenerate the .rsc in NetRoute Pro with RIPE BGP optimization enabled — it substitutes announced BGP prefixes that cover all provider IPs and stay stable over time.

Too many routes

MikroTik handles thousands of static routes without issues on any modern hardware. If your route table grows to tens of thousands, consider the WireGuard AllowedIPs approach or BGP (see below) instead.

For advanced users: BGP

At very large scale, run BGP peering with a route server and import prefixes dynamically rather than managing static routes. This is out of scope for this guide, but RouterOS has full BGP support built in.

Example Configuration File

Ready-to-edit template with inline comments. Replace the example routes with output from NetRoute Pro for your target sites.


# Example .rsc file for /import on MikroTik RouterOS.
# Generated by NetRoute Pro: https://alexander2k.github.io/netroute-site/
#
# Format: /ip route add dst-address=<CIDR> gateway=<INTERFACE_OR_IP> distance=<METRIC>
# Adjust gateway= to your VPN interface name (e.g. wg-out, ovpn-out, l2tp-out)
# or to the gateway IP if your VPN provides one.

/ip route
add dst-address=1.1.1.0/24 gateway=wg-out distance=1
add dst-address=8.8.8.0/24 gateway=wg-out distance=1
add dst-address=162.159.0.0/16 gateway=wg-out distance=1

# Import:
#   Upload this file to the router (Files menu), then run in terminal:
#   /import file=routes.rsc

Tip: Need a config without these comment lines? In NetRoute Pro options, uncheck “Include comments in exported files” — the extension will export only the route commands. Useful for routers that don’t tolerate comment lines.
