Graphing issue

Hi, I am trying to set up graphing for my home connection but I am unable to view.
I have tried https://publicIP/graphs and also just https://publicIP to get to the webfig but pages do not show.

config is as follows:
/tool graphing interface> pri
Flags: X - disabled

INTERFACE ALLOW-ADDRESS STORE-ON-DISK

0 all 0.0.0.0/0 yes


All I can think of is maybe there are firewall rules preventing it, but I am not very good with these, could somebody take a look please?

Firewall rules:

0 D ;;; special dummy rule to show fasttrack counters
chain=forward

1 ;;; defconf: accept establieshed,related
chain=input action=accept connection-state=established,related log=no log-prefix=""

2 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=PoE log=no log-prefix=""

3 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

4 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no log-prefix=""

5 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

6 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN log=no log-prefix=""

7 ;;; Allow Limited Pings
chain=input action=accept protocol=icmp limit=50/5s,2:packet log=no log-prefix=""

8 chain=output action=accept protocol=tcp content=530 Login Incorrect dst-limit=1/1m,9,dst-address/1m log=no log-prefix=""

9 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=3h content=530 Login Incorrect log=no log-prefix=""

10 ;;; Drop Excess Pings
chain=input action=drop protocol=icmp log=no log-prefix=""

11 ;;; Drop Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""

12 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 log=no log-prefix=""

13 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 log=no log-prefix=""

14 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 log=no log-prefix=""

15 ;;; SSH Create Blacklist
chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 log=no log-prefix=""

16 ;;; SSH
chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""

17 ;;; Drop Invalid Connections
chain=input,forward action=drop connection-state=invalid log=no log-prefix=""

18 ;;; Drop FTP Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21 log=no log-prefix=""

19 ;;; Drop SSH Brute Forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 log=no log-prefix=""

20 ;;; Drop Everything Else
chain=input action=drop log=no log-prefix=""



Thank you so much

Your firewall is blocking input connection from WAN to router!
To enable it in the best secured way, 1st go to IP>Services and change the http port from 80 to any port, “I like 9090 or 9099”, and be sure it is enabled.

2nd add a new firewall rule, chain=input, dst-port= “port which you set on http service”, action=accept then move this rule on top of others!

It is not a good idea to allow remote access to your router http port, also not on a different port number.
You can view the graphs from the internal IP address, normally 192.168.88.1
When you need external access, configure a VPN.

Thanks for the replies, I still can not access the graphs even using the local IP as suggested.
With the firewall rule dropping all from WAN, with the previous rule being to allow anything established, should this not be good enough? Everything else seems to work fine except for accessing graphs?

1 ;;; defconf: accept establieshed,related
chain=input action=accept connection-state=established,related log=no log-prefix=""

2 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=PoE log=no log-prefix=""


I only have a basic understanding of what these things do, but any help is very appreciated.

What do you mean with “everything else seems to work fine”? Are you able to access your router from the local network via the web interface?
Or are you using winbox to manage the router and did you disable the web service?

Also, do use http:// instead of https:// unless you have installed a proper certificate on your router.

I mean that my internet connection works fine and I am able to access the router via public IP.
I do not use winbox, just console.
Web service is not disabled (I will change the port as it is currently set to 80).
I have tried http and https using private and public IP but so far unsuccessful in reaching the webfig or graphs.

That is actually not a good thing! You should not have access to the router via public IP, because it will not take long before the bad guys have access as well.
Restrict access to only inside networks, as it is by default. That is done for a reason!

I do not use winbox, just console.
Web service is not disabled (I will change the port as it is currently set to 80).
I have tried http and https using private and public IP but so far unsuccessful in reaching the webfig or graphs.

Either there is a config error in your firewall or IP services settings, or indeed the router already has been hacked by outsiders who have changed things to assure their access.

When you want to access a router from outside (e.g. a remotely placed router where you never are on the inside with your management system), configure a VPN to access it.
Never allow access to management services from outside by changing firewall rules.
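
One way to check the firewall-configuration possibility raised above, as an added example that is not part of any post in this thread: a simplified first-match walk of the input chain from the first post, in Python. The interface name `bridge`, the sample packets and the extra LAN-only rule are constructed for illustration; rate limits and the list-building rules 12-15 are not modelled.

```python
# First-match walk of the input chain from the first post (simplified model).
# Assumptions: rate limits are not exceeded; rules 12-15 only add addresses to
# lists and never end evaluation, so they are left out; "bridge" is a
# constructed name for the LAN-side interface.
INPUT_CHAIN = [  # (rule number, matchers, action)
    (1, {"state": {"established", "related"}}, "accept"),
    (2, {"in_interface": "PoE"}, "drop"),
    (7, {"protocol": "icmp"}, "accept"),
    (10, {"protocol": "icmp"}, "drop"),
    (11, {"protocol": "tcp", "dst_port": 22, "src_list": "ssh_blacklist"}, "drop"),
    (16, {"protocol": "tcp", "dst_port": 22}, "accept"),
    (17, {"state": {"invalid"}}, "drop"),
    (18, {"protocol": "tcp", "dst_port": 21, "src_list": "ftp_blacklist"}, "drop"),
    (19, {"protocol": "tcp", "dst_port": 22, "src_list": "ssh_blacklist"}, "drop"),
    (20, {}, "drop"),
]

def matches(matchers, pkt):
    """True when every matcher on the rule agrees with the packet."""
    for key, want in matchers.items():
        if key == "state":
            if pkt["state"] not in want:
                return False
        elif key == "src_list":
            if want not in pkt.get("src_lists", ()):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chain, pkt):
    """Return (rule number, action) of the first rule that matches."""
    for number, matchers, action in chain:
        if matches(matchers, pkt):
            return number, action
    return None, "accept"  # a packet no rule matches is accepted

# Constructed packets: a new connection to the web service on port 80.
HTTP_LAN = {"in_interface": "bridge", "protocol": "tcp", "dst_port": 80, "state": "new"}
HTTP_POE = dict(HTTP_LAN, in_interface="PoE")

# Hypothetical extra rule: accept port 80 from the LAN side only, placed
# just before the final drop.
LAN_WEB = ("lan-web", {"in_interface": "bridge", "protocol": "tcp", "dst_port": 80}, "accept")
FIXED_CHAIN = INPUT_CHAIN[:-1] + [LAN_WEB, INPUT_CHAIN[-1]]

if __name__ == "__main__":
    for name, chain in (("posted", INPUT_CHAIN), ("with LAN-only rule", FIXED_CHAIN)):
        for label, pkt in (("LAN", HTTP_LAN), ("PoE", HTTP_POE)):
            print(name, label, verdict(chain, pkt))
```

Under this model a new connection to port 80 from the LAN side falls through to rule 20 and is dropped, while the LAN-only rule admits it without opening the port on the PoE side.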

As pe1chl writes, you should have no access to the router public IP from internet.

There is one good solution for this and it's called VPN.

If VPN is not possible, then

  1. Use a long complicated password.
  2. Open only the port needed.
  3. Add a firewall rule to give access only from your IP.
  4. Do not open more services than absolutely needed.
  5. Use port knocking, so the port looks closed.
  6. Lastly, log everything to see what is going on and who is accessing the router and when.

If you need graphs from the router, you can set it up to send Syslog to a central server and look at it there.
See my signature for how to do it with Splunk (free)

I have got the same issue.

I generated an SSL certificate, associated with the MikroTik web server. Disabled port 80…ever since graphing doesn’t work.

https://192.168.88.1/graphs
Error 404: Not Found

Of course everything else works as it is supposed to (Webfig HTTPS access)

Same issue here. Graphs work over http but don’t work over https - getting Error 404: Not Found

RouterOS 7.3.x still has the same issue:

webfig “Graphs” navigation points to https:///graphs, but /graphs is only available at http:///graphs

This would seem like a simple issue to resolve, could “/graphs” please be made to also work over https?