fetch to itself, How to configure firewall accept rule

HEXv3(RB750Gr3) RouterOS firmware v6.42.1

I need to extract graphs to send via e-mail, see the code at https://wiki.mikrotik.com/wiki/Backup_graphing_data. But it does not work.
I tested via terminal using this:
/tool fetch url="http://LANIP/graphs/cpu/daily.gif" mode=http dst-path="graphs/cpu-daily.gif"
LANIP = HEXv3 LAN IP
Result: failed to connect

I also tried with the 127.0.0.1 address, but with the same result.

I have another new HEXv3 with RouterOS firmware v6.42.1, with default config + graphing enabled. The problem is the same.

I found there is a problem with the firewall config.
By default it is configured to permit traffic to the HEXv3 only from the LAN, but not from the HEXv3 itself.

I searched the web for a solution, but I did not find one.

To make it work I use:
/ip firewall filter add chain=input action=accept src-address=192.168.88.1 dst-address=192.168.88.1 in-interface-list=!all
before the default rule
;;; defconf: drop all not coming from LAN
/ip firewall filter chain=input action=drop in-interface-list=!LAN


How can this be solved in a correct way, to be secure?

Thank you
Best regards

Your approach is correct. That “drop anything that didn’t come from LAN” rule recently added to the default configuration causes trouble for other connections as well (e.g. when you want to control local WAN interfaces using local CAPsMAN).

So you can change the default rule's in-interface-list from !LAN to WAN and properly populate the interface list WAN if you want to save CPU resources, or you can just keep your accept rule with in-interface-list=!all there even without the src-address and dst-address, because in-interface-list=!all matches only on packets which were generated locally and thus have no in-interface. From a security point of view, the two rules are slightly better because if you eventually add a new WAN interface and forget to add it to interface-list WAN, packets coming from it will be permitted, but it depends on the overall concept of your firewall. The most secure concept is to have "drop everything" as the last rule in the chain, preceded by accept exceptions from it for everything you need to permit, the first exception being packets matching connection-state=related,established.
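To make the reply's points concrete, here is an added toy model of input-chain evaluation (written for this thread, not RouterOS code or anything from the forum posters). It assumes simplified RouterOS semantics: rules are tried in order, the first match decides, a chain with no match ends in accept, and a locally generated packet has no in-interface and so is a member of no interface list. The interface-list membership, addresses and sample packets are constructed values. It compares four variants of the input chain: the stock defconf drop on !LAN, the poster's chain with the !all accept rule in front of it, the WAN-list variant, and the "drop everything last" layout, and shows why an interface that was never added to any list behaves differently under !LAN and WAN.

```python
# Toy model of how a RouterOS input chain is evaluated. Added illustration only:
# not the router's real code. Interface lists, addresses and packets are assumed
# sample values, and the matching semantics are a deliberate simplification.
from dataclasses import dataclass
from typing import Optional

# Assumed interface-list membership; "all" is the built-in list of every interface.
INTERFACE_LISTS = {
    "LAN": {"ether2", "ether3", "ether4", "ether5", "bridge"},
    "WAN": {"ether1"},
}


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: Optional[str]      # None: generated by the router itself
    connection_state: str = "new"
    protocol: str = "tcp"


@dataclass
class Rule:
    action: str                      # "accept" or "drop"
    comment: str = ""
    connection_state: Optional[frozenset] = None
    protocol: Optional[str] = None
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    in_interface_list: Optional[str] = None   # "LAN", "WAN", "!LAN", "!all", ...

    def _in_list(self, iface: Optional[str]) -> bool:
        """Does the packet's in-interface satisfy the (possibly negated) list matcher?"""
        negate = self.in_interface_list.startswith("!")
        name = self.in_interface_list.lstrip("!")
        if iface is None:
            member = False                  # no in-interface is in no list at all
        elif name == "all":
            member = True                   # every real interface is in "all"
        else:
            member = iface in INTERFACE_LISTS.get(name, set())
        return member != negate

    def matches(self, pkt: Packet) -> bool:
        return all([
            self.connection_state is None or pkt.connection_state in self.connection_state,
            self.protocol is None or pkt.protocol == self.protocol,
            self.src_address is None or pkt.src == self.src_address,
            self.dst_address is None or pkt.dst == self.dst_address,
            self.in_interface_list is None or self._in_list(pkt.in_interface),
        ])


def evaluate(chain: list, pkt: Packet) -> str:
    """First matching rule decides; a chain with no match falls through to accept."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return "accept"


# The three defconf rules shared by every variant below.
COMMON = [
    Rule("accept", "accept established,related,untracked",
         connection_state=frozenset({"established", "related", "untracked"})),
    Rule("drop", "drop invalid", connection_state=frozenset({"invalid"})),
    Rule("accept", "accept ICMP", protocol="icmp"),
]
# The poster's rule: the router talking to its own LAN address.
LOCAL_FETCH = Rule("accept", "router to itself", src_address="192.168.88.1",
                   dst_address="192.168.88.1", in_interface_list="!all")


def default_chain():
    return COMMON + [Rule("drop", "drop all not coming from LAN", in_interface_list="!LAN")]

def op_chain():
    return COMMON + [LOCAL_FETCH,
                     Rule("drop", "drop all not coming from LAN", in_interface_list="!LAN")]

def wan_chain():
    return COMMON + [Rule("drop", "drop all coming from WAN", in_interface_list="WAN")]

def strict_chain():
    return COMMON + [Rule("accept", "accept from LAN", in_interface_list="LAN"),
                     Rule("accept", "accept locally generated", in_interface_list="!all"),
                     Rule("drop", "drop everything else")]


# Constructed sample packets.
PACKETS = {
    "local fetch":   Packet("192.168.88.1", "192.168.88.1", None),
    "lan host":      Packet("192.168.88.10", "192.168.88.1", "ether2"),
    "unlisted port": Packet("10.0.0.2", "10.0.0.1", "ether6"),     # added later, in no list
    "wan new conn":  Packet("203.0.113.5", "198.51.100.1", "ether1"),
}


def verdicts(chain_builder) -> dict:
    return {name: evaluate(chain_builder(), pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for builder in (default_chain, op_chain, wan_chain, strict_chain):
        print(f"{builder.__name__:14s} {verdicts(builder)}")
```

Running it shows the local fetch dropped by the stock chain and accepted by the other three, while the "unlisted port" packet is dropped under !LAN but sails through under WAN, which is the forgotten-interface risk the reply mentions; the strict chain drops it because the final catch-all rule needs no list to be complete.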

Below is the complete firewall filter:

Flags: X - disabled, I - invalid, D - dynamic

0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked

2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid

3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp

4 chain=input action=accept src-address=192.168.88.1 dst-address=192.168.88.1 in-interface-list=!all

5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN

6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec

7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec

8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related

9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked

10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid

11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN


It is the HEXv3 (RB750Gr3) default router config, with filter number 4 added as described in the previous post.
I think that also inserting the LAN IP of the router may reduce the possibility of unexpected access to the router by some trick.

Finally, I want to say that filter rule there is in the default config, but it may be useful.


Where can I find the test of saving CPU resources by changing !LAN to WAN in filter number 5?

Any packet towards a local address which is not locally originated will have some in-interface.


There is no test. Simply one rule comparing interface name to a list (WAN) needs less resources than one rule comparing interface name to a list (!LAN) plus another rule in addition to it (in this case, the one comparing src-address, dst-address and interface list).