Features
A wizard, a scenario library,
a config you can trust
SICO turns intent into a correct, importable RouterOS configuration — free, offline, and without remembering every MikroTik menu.
Everything you need on the edge — in one wizard
Eight guided scenarios
- Basic internet + NAT, Wi-Fi router, office VLANs, PPPoE server
- Hotspot server, full ISP edge, CAPsMAN controller
- A Custom path that exposes every single option
- Each asks only the questions it needs, with smart defaults
Multi-WAN uplinks
- Add several WANs: DHCP client, static, or PPPoE client
- Interface-list NAT idiom — masquerade out the WAN list
- Each uplink named and isolated from the LAN bridge
- Sets the stage for failover or load-sharing
VLAN segmentation
- A vlan-filtering bridge with tagged trunks and access ports
- Per-port VLAN assignment — trunk, access, or excluded
- Per-VLAN gateway (SVI), IP range and DHCP server
- Auto-fill: VLAN 10 → 192.168.10.1/24 in one click
Wi-Fi & CAPsMAN
- Package-aware: wifi-qcom (Wi-Fi 6/ax) or legacy wireless
- Multiple SSIDs, each optionally pinned to its own VLAN
- Local radios or a centralised CAPsMAN controller
- Band selection, passphrases and per-SSID isolation
SAMM-style QoS
- App-priority board: drag 75 apps & games across 8 lanes
- Official app logos, just like the SAMM dashboard
- Per-app maximum caps, or simple fair-use PCQ per client
- Emits a clean queue tree, ready to import
Hotspot login templates
- 100 captive-portal designs — recolour, re-word, add your logo
- Live preview of the exact page your guests will see
- Download a ready-to-upload .zip of all 5 hotspot pages
- Includes a README with the router upload steps
App/Game DNS collector
- Build per-app address-lists from DNS — the SAMM technique
- 66 apps + 9 games, optional force-DNS and DoH/DoT blocking
- Per-app Up/Down counters for monitoring and QoS
- Full IPv4 and IPv6 coverage
Security hardening
- Stateful firewall with sane defaults per scenario
- SSH / Winbox / WebFig kept LAN-only
- Risky discovery and services switched off
- DNS provider choice — Google, Cloudflare, Quad9 or custom
Router model catalog
- Pick hEX, RB4011, RB5009, CCR, hAP and more
- Real RouterOS names — ether, sfp, sfp-sfpplus, wifi
- Not listed? Enter ether/SFP/Wi-Fi counts manually
- WAN port is auto-excluded from the LAN bridge
Save & re-download
- Save up to 10 named configs to your account
- Re-download any saved .rsc without re-answering the wizard
- "Save" or "Save & download" on the review screen
- Speed-limited PPPoE profile presets (1M–30M) ready to prune
Offline, private & pluggable
- Never connects to your router — generates text you import
- No credentials handled, nothing to install
- Deterministic, commented output, tagged SICO:
- Vendor-pluggable engine — Cisco and others by design
Frequently asked
Is SICO free?
Yes. SICO is completely free with any SecuryTik account — every scenario, every feature, no limits and no card required.
Does SICO connect to my router?
No. SICO generates a configuration file offline. You download the .rsc and import it yourself with /import. Your router credentials never leave your hands.
Which vendors does SICO support?
MikroTik RouterOS today. The engine separates intent from vendor syntax, so Cisco and other vendors are designed in and planned.
What if my router model is not listed?
Choose the manual option and enter your ether, SFP and Wi-Fi port counts. SICO builds the interface inventory from that.