diff --git a/playbooks/nms.yml b/playbooks/nms.yml
index e20f3e3..7979440 100644
--- a/playbooks/nms.yml
+++ b/playbooks/nms.yml
@@ -31,6 +31,7 @@
     - sssd
     - mkhomedir
     - tftp
+    - routeros_firmware
 
   tasks:
     - name: Enable UDP rsyslog server
diff --git a/roles/routeros_firmware/files/download-routeros-firmware.sh b/roles/routeros_firmware/files/download-routeros-firmware.sh
new file mode 100644
index 0000000..4347526
--- /dev/null
+++ b/roles/routeros_firmware/files/download-routeros-firmware.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -eu
+
+umask 022
+
+cd /srv/web/oob.foo.sh/routeros
+
+verbose=false
+if [ "${1:-}" = "-v" ]; then
+    verbose=true
+    shift
+fi
+
+if [ $# -gt 0 ]; then
+    echo "Usage: $(basename "$0") [-v]" 1>&2
+    exit 1
+fi
+
+packageurl="$(curl -sSf "https://mikrotik.com/download" | \
+    sed -n 's/.*<a href="\(.*routeros-[0-9\.]*-arm\.npk\)">.*/\1/p')"
+packagename="$(basename "$packageurl")"
+if [ -f "$packagename" ]; then
+    "$verbose" && echo "Already up to date"
+    exit 0
+fi
+
+checksum="$(curl -sSf "https://mikrotik.com/download" | \
+	sed -n 's/.*routeros-[0-9\.]*-arm\.npk<\/td>.*<td>SHA256<\/td><td>\(.*\)<\/td>.*/\1/p')"
+
+echo "Downloading new package '${packagename}'"
+trap 'rm -f -- "${packagename}.tmp"' EXIT
+curl -sSf -o "${packagename}.tmp" "$packageurl"
+
+if [ "$(sha256sum "${packagename}.tmp" | cut -d " " -f 1)" != "$checksum" ]; then
+    echo "ERR: Checksum check failed, not saving package" 1>&2
+    exit 1
+fi
+
+mv "${packagename}.tmp" "$packagename"
diff --git a/roles/routeros_firmware/tasks/main.yml b/roles/routeros_firmware/tasks/main.yml
new file mode 100644
index 0000000..a9fbc97
--- /dev/null
+++ b/roles/routeros_firmware/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Create download directory
+  ansible.builtin.file:
+    path: /srv/web/oob.foo.sh/routeros
+    state: directory
+    mode: 0755
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: Install README.md
+  ansible.builtin.copy:
+    dest: /srv/web/oob.foo.sh/routeros/README.md
+    content: |
+      ## Update
+
+      ```
+      /system package update print
+      /tool fetch url=https://oob.foo.sh/routeros/routeros-7.13.4-arm.npk
+      /system reboot
+      /system package update print
+      ```
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: Install download script
+  ansible.builtin.copy:
+    dest: /usr/local/bin/download-routeros-firmware
+    src: download-routeros-firmware.sh
+    mode: 0755
+    owner: root
+    group: "{{ ansible_wheel }}"
+
+- name: Install cron job
+  ansible.builtin.cron:
+    name: download-routeros-firmware
+    job: /usr/local/bin/download-routeros-firmware
+    hour: "05"
+    minute: "25"