Hacking, Code & Open Source Reads

MikroTik 5G without MikroTik Connectivity - provisioning a carrier eSIM by hand

Christian Lehnert · 2026-04-25 · ~5 min read

The MikroTik Chateau 5G ax ships with MikroTik's own eSIM service preloaded, branded MikroTik Connectivity. It's a perfectly reasonable product: pay-as-you-go data, no contract, works out of the box. What it is not is the eSIM you already pay for.

If you already have a mobile plan you're happy with — flat-rate, unlimited, or simply cheaper than buying additional capacity through MikroTik — you don't need a second SIM. You need RouterOS to talk to your operator's SM-DP+ server directly. The technique below works against any GSMA-compliant SM-DP+, which is to say every commercial mobile carrier on the planet.

The catch: your carrier hands you an eSIM as a QR code, not as a config file. RouterOS wants the components separately. So before any RouterOS command runs, the QR has to be cracked open.

What's actually inside the QR code

A carrier eSIM QR code is not the profile. It encodes a short string defined by GSMA SGP.22 — the LPA Activation Code:

LPA:1$<SM-DP+ FQDN>$<matching-id>[$<confirmation-code-required-flag>]

Three fields matter:

  • SM-DP+ server — DNS name of the carrier's profile preparation server
  • Matching ID — single-use download token bound to your specific profile
  • Confirmation code flag — if present and 1, you'll need a separate PIN the carrier sent you out-of-band

That's it. The QR is just a transport layer. Phones make the unwrapping invisible. RouterOS does not.

Step 1 — Decode the QR

Phones lie politely; zbarimg doesn't.

sudo apt install zbar-tools
zbarimg --raw esim-qr.png
# LPA:1$smdp.example-mno.com$ABCD10EFGHI5KL6M

Three values fall out:

  • sm-dp-plus = smdp.example-mno.com
  • matching-id = ABCD10EFGHI5KL6M
  • no confirmation code (no trailing $1)

Sanity-check the SM-DP+ host actually exists and serves TLS:

dig +short smdp.example-mno.com
echo | openssl s_client -connect smdp.example-mno.com:443 -servername smdp.example-mno.com 2>/dev/null \
  | openssl x509 -noout -subject -issuer -dates

If DNS or TLS is broken, your eSIM does not yet exist on the carrier backend. Don't blame your router for the carrier's provisioning queue.

Step 2 — Verify the modem is eSIM-capable and switch the slot

The Chateau 5G ax has a switchable physical SIM tray and an internal eSIM chip. The default is the physical tray; switch it:

/interface/lte/settings/set sim-slot=esim

Confirm the eUICC is actually responding by querying the EID:

/interface/lte/esim/esim-id interface=lte1
# eid: 8903302342630000000004181FFFFFFF

If you get an EID, the chip is alive. If you get couldn't communicate with eSIM, your modem firmware is too old or the slot didn't switch.

Step 3 — Provision the profile

This is the entire point of the exercise:

/interface/lte/esim/provision \
    interface=lte1 \
    sm-dp-plus=smdp.example-mno.com \
    matching-id=ABCD10EFGHI5KL6M

If your carrier's activation code carries a confirmation code, append confirmation-code=....
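
The split from Step 1 and the command from Step 3 can be scripted. The following is an added example, not code from the original post, that validates each field of the decoded activation code before printing the provision command. The function name parse_lpa and the <PIN> placeholder are assumptions, and it goes slightly beyond the post by also accepting the SGP.22 form in which an optional SM-DP+ OID field sits between the matching ID and the confirmation flag.

```sh
#!/bin/sh
# Added example, not from the original post. A QR code is untrusted input,
# so every field is validated before it lands on a router command line.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below

parse_lpa() {
    code=${1#QR-Code:}    # zbarimg without --raw prefixes the symbology
    iface=${2:-lte1}      # operator-supplied; lte1 as in the post
    case $code in
        'LPA:1$'*) code=${code#'LPA:1$'} ;;
        *) echo "not an LPA:1 activation code" >&2; return 1 ;;
    esac

    # Split on '$' only; set -f keeps '*' or '?' in a field from globbing.
    old_ifs=$IFS; IFS='$'; set -f
    set -- $code
    set +f; IFS=$old_ifs
    smdp=${1:-}; mid=${2:-}; flag=${4:-}
    # The post's shorthand puts a lone "1" right after the matching ID;
    # SGP.22 has an optional SM-DP+ OID there and the flag one field later.
    if [ "$#" -eq 3 ] && [ "$3" = 1 ]; then flag=1; fi

    case $smdp in
        ''|*[!A-Za-z0-9.-]*|[.-]*|*.) echo "bad SM-DP+ host" >&2; return 1 ;;
        *.*) ;;
        *) echo "SM-DP+ host is not an FQDN" >&2; return 1 ;;
    esac
    case $mid in
        ''|*[!A-Za-z0-9-]*) echo "bad matching ID" >&2; return 1 ;;
    esac
    case $flag in
        ''|1) ;;
        *) echo "bad confirmation flag" >&2; return 1 ;;
    esac

    cmd="/interface/lte/esim/provision interface=$iface sm-dp-plus=$smdp matching-id=$mid"
    # <PIN> is a placeholder for the code the carrier sent out-of-band.
    if [ "$flag" = 1 ]; then cmd="$cmd confirmation-code=<PIN>"; fi
    printf '%s\n' "$cmd"
}

# Constructed sample from the post; single quotes stop the shell expanding '$'.
parse_lpa 'QR-Code:LPA:1$smdp.example-mno.com$ABCD10EFGHI5KL6M'
```

Anything other than letters, digits, dots and hyphens in a field is rejected, so a crafted QR cannot smuggle extra arguments or a second command into what gets pasted into the router.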

Two non-obvious footguns:

  1. The CLI prompts for confirmation, and the prompt is case-sensitive. Type lowercase y. Uppercase Y cancels the operation, and depending on the carrier the SM-DP+ server may now consider your matching-id consumed. WinBox is less hostile here.
  2. On RouterOS < 7.20beta6, profiles do not auto-activate after provisioning. The activate=yes default behaviour landed in 7.20beta6. On older builds, provision lands the profile disabled, and you wonder why nothing connects. If you're on 7.18 or 7.19, you activate manually.

Activate explicitly:

/interface/lte/esim/print
# Flags: A - ACTIVE
# Columns: INTERFACE, NAME, SPN, ICCID, NICKNAME
# 0   lte1   Profile 1   ExampleMNO   8944111111111111111
/interface/lte/esim/activate number=0

Per GSMA SGP.22 only one profile per eUICC can be enabled at a time. If a MikroTik Connectivity profile was previously active, deactivate it explicitly (/interface/lte/esim/deactivate number=N) before activating the new one if RouterOS doesn't transition cleanly. The old profile stays installed on the chip — you can switch back at any time.

Step 4 — APN and bands

Profile alone is not enough. The modem still needs an APN to bring up a PDN session, and you want band locks unless you enjoy the modem flapping between a marginal LTE anchor and a strong 5G cell every two minutes.

/interface/lte/apn add name=carrier apn=internet.example-mno.com
/interface/lte/set [ find default-name=lte1 ] \
    apn-profiles=carrier \
    allow-roaming=yes \
    band=7 \
    network-mode=lte,5g \
    nr-band=78

band=7 = LTE 2600 MHz. nr-band=78 = 5G n78 (3.5 GHz). Adjust to whatever your carrier actually deploys around you — your locks will be different in different countries and across different operators. Locking is optional but stops the modem from clinging to a tired LTE anchor when an n78 cell is sitting two metres away.

For surgical 5G SA cell lock when the modem keeps picking the wrong neighbour, the Quectel AT command is your knife:

/interface/lte/at-chat lte1 input="AT+QNWLOCK=\"common/5g\",<pci>,<earfcn>,30,78"

Get pci and earfcn from /interface/lte/cell-monitor lte1 (where supported by the modem firmware). Note: this lock does not survive a modem reset on most Quectel parts, which is occasionally a feature, occasionally a footgun.

Step 5 — Verify it actually works

/interface/lte/monitor lte1 once

You want:

  • status: connected
  • data-class: 5G (or LTE-A if no n78 reach)
  • session-uptime counting up
  • rsrp better than -100 dBm, sinr north of 5 dB
  • A non-empty current-operator and current-cellid

Then:

/ip/route/print where dst-address=0.0.0.0/0
/ping 1.1.1.1 count=4

Default route via lte1 (or whatever your downstream architecture expects), replies arriving. Done. No portal, no MikroTik account, no second data plan.

Why bother

  1. You already pay for the data plan. If your existing contract is unlimited or simply cheaper per gigabyte than MikroTik's tariff, there's no reason to buy capacity twice.
  2. The carrier eSIM is portable across hardware. Replace the router, ask the carrier portal to issue a fresh matching-id, re-provision the new device against the same SM-DP+. MikroTik Connectivity is bound to the device serial.
  3. You learn how SGP.22 actually works, which is non-trivial knowledge the next time something breaks.

MikroTik Connectivity is fine if you don't already have mobile data sorted. If you do, this is how you use what you already have.
