Configure Wake-on-LAN on MikroTik and Use It from Any Device

Wake-on-LAN (WOL) lets you power on a computer remotely by sending a special network packet (called a magic packet) to its network card. When set up properly, you can turn on your workstation, server, or lab PC from Windows, Linux, Android, or iPhone, securely through MikroTik.

Note: Read how to configure wireguard here.

What Is Wake-on-LAN?

Wake-on-LAN is a feature built into most modern Ethernet cards and BIOS/UEFI firmware. It allows a system to power on when a specially formatted network packet with its MAC address arrives on the network — even if it’s powered off (but still connected to electricity).

Is Wake-on-LAN Secure?

By default, it’s not encrypted — anyone on the same broadcast domain could send a magic packet. However, when combined with MikroTik + WireGuard VPN, it becomes very secure:

The magic packet travels inside an encrypted VPN tunnel.
MikroTik’s firewall restricts who can send it (only authenticated VPN users).
No need to expose UDP/9 to the internet.

In short: WOL + VPN = safe for remote use.

Step 1 Enable WOL in BIOS/UEFI

On the target PC:

Enter BIOS/UEFI setup.
Enable Wake on LAN, Resume by PCI-E, or PME Event Wake Up.
Disable ErP / Deep Sleep (these cut standby power).
Save and exit.

After boot, confirm in Linux or Windows that the NIC supports WOL:

# Linux
sudo ethtool eth0 | grep Wake

You should see Wake-on: g.

Step 2 MikroTik Configuration

Open Winbox or SSH and create a WOL script.

Example:

/system script add name=wol-pc source="/tool wol mac=D1:5E:D2:0F:FB:45 interface=bridge"

Replace with your PC’s MAC address and LAN interface (bridge, bridge-local, etc.).

To test:

/system script run wol-pc

Your PC should power on.

Step 3 Trigger WOL from Different Devices

From Windows

Install a WOL tool such as Depicus Wake on LAN or use PowerShell:

Send-WolPacket -mac "D1:5E:D2:0F:FB:45" -ipaddress 192.168.1.255

Or connect to MikroTik via SSH:

ssh [email protected] "/system script run wol-pc"

From Linux

wol -i 192.168.1.255 D1:5E:D2:0F:FB:45

Or through MikroTik CLI as above.

From Android/iPhone

Use any SSH client (e.g., Termius, Blink Shell).
Connect to your MikroTik’s WireGuard VPN, then SSH to 10.10.10.1.
Run:
```
/system script run wol-pc
```
Or in the MikroTik mobile app -> Scripts -> wol-pc -> Run.

One-Tap Shortcut on iPhone

Use the Shortcuts app → Run Script over SSH:

Host: 10.10.10.1
Command: /system script run wol-pc
Add to Home Screen -> “Wake PC” button ready.

Step 4 Check If the System Is Awake

After sending WOL, you can verify whether the target is alive.

Method 1: Ping Check (recommended)

Create another MikroTik script:

/system script add name=wol-status source={
    :local target "192.168.1.10"
    :if ([/ping address=$target count=3] > 0) do={
        :put ("Host " . $target . " is awake")
    } else={
        :put ("Host " . $target . " is still offline")
    }
}

Run it:

/system script run wol-status

Method 2: Combined WOL + Status

Send the WOL packet and check response automatically:

/system script add name=wol-pc-status source={
    :local mac "D1:5E:D2:0F:FB:45"
    :local lanIf "bridge"
    :local target "192.168.1.10"

    /tool wol mac=$mac interface=$lanIf
    :delay 5s
    :local alive false
    :for i from=1 to=10 do={
        :if ([/ping address=$target count=1] > 0) do={ :set alive true }
        :delay 1s
    }
    :if ($alive) do={
        :put ("Host " . $target . " is awake")
    } else={
        :put ("Host " . $target . " did not respond")
    }
}

Method 3: ARP Presence Check

:local target "192.168.1.10"
:if ([/ip arp find address=$target] != "") do={
    :put ($target . " seen in ARP — likely awake")
} else={
    :put ($target . " not in ARP — likely off")
}

Optional: Secure Access Over VPN

To trigger WOL from outside your home or office, avoid exposing port 9 to the internet.Instead, create a WireGuard VPN on MikroTik and connect from your phone or laptop. Once connected, run the same WOL script securely inside the encrypted tunnel.

Security Recommendations

Use VPN or LAN-only access for WOL — never open UDP/9 to the world.
Restrict WOL scripts to trusted users (group=read,write,test).
Log all WOL triggers (:log info "WOL triggered for <mac>").
Disable WOL in BIOS for high-risk systems if physical-layer attacks are a concern.

Troubleshooting Tips

No link light on NIC: BIOS power settings or ErP disabled incorrectly.
Ping works but WOL fails: wrong MAC or NIC driver power-saving settings.

WOL works locally but not over VPN: add static ARP entry on MikroTik:

/ip arp add address=192.168.1.10 mac-address=D1:5E:D2:0F:FB:45 interface=bridge

Summary

Task	Command / Action
Send magic packet	`/system script run wol-pc`
Check if awake	`/system script run wol-status`
Combined wake + check	`/system script run wol-pc-status`
From iPhone	Run via SSH / MikroTik app / iOS Shortcut
Secure remote wake	Use WireGuard VPN + SSH
Verify power state	Ping or ARP presence

Final Thoughts

Wake-on-LAN may seem old-school, but when combined with modern VPNs and secure scripting, it becomes a powerful tool for remote IT and cybersecurity workflows. Whether you’re patching servers, investigating incidents, or just waking your workstation from bed, MikroTik makes it easy to do it safely.

On this page