Fetch

Fetch

The Fetch tool (/tool/fetch) is RouterOS’s built-in file transfer utility, providing capabilities to download files from or upload files to remote servers using HTTP, HTTPS, FTP, or TFTP protocols. It serves as RouterOS’s equivalent to wget or curl, enabling automated file retrieval and submission without requiring additional packages or containers.

Fetch supports both IPv4 and IPv6 connections, SSL/TLS encryption for secure transfers, basic and digest authentication, and can operate as a client or server for TFTP transfers. The tool integrates with RouterOS’s scripting system, allowing sophisticated automation workflows for backup retrieval, configuration deployment, log collection, and software updates.

Overview

The Fetch utility addresses common network administration requirements where routers must interact with external file servers. Whether downloading configuration backups from a central server, uploading diagnostic logs to a support portal, retrieving software packages, or fetching dynamic content from web APIs, Fetch provides a reliable mechanism within the RouterOS environment.

Unlike external tools that require Container support, Fetch runs directly on the router with minimal resource overhead. This makes it particularly valuable on hardware with limited resources or in deployments where containerization is not permitted. The tool operates synchronously, blocking until the transfer completes or times out, which simplifies scripting by providing predictable completion behavior.

Supported Protocols

Protocol	Description	Port	Security
HTTP	Hypertext Transfer Protocol	80	Plaintext
HTTPS	HTTP over SSL/TLS	443	Encrypted
FTP	File Transfer Protocol	21	Plaintext (with TLS option)
FTPS	FTP over SSL/TLS	990	Encrypted
TFTP	Trivial File Transfer Protocol	69	Plaintext (UDP)
SMB	Server Message Block (Windows shares)	445	Plaintext

Sub-menu

/tool/fetch

Operations are performed using the fetch command family, with different modes controlled by the mode parameter. Each mode optimizes the connection for its specific protocol while presenting a consistent interface for common options like authentication and SSL verification.

Properties

The Fetch tool exposes numerous properties controlling connection behavior, authentication, transfer parameters, and output handling. Understanding these options enables precise control over file transfers in diverse network environments.

Connection Properties

Property	Type	Default	Description
address	IP or hostname	None	Target server IP address or hostname
port	Integer	Protocol default	Override default port (HTTP=80, HTTPS=443, FTP=21, TFTP=69)
src-address	IP	Router’s IP	Source IP address for outgoing connection
protocol	Enum	http	Transfer protocol: http, https, ftp, tftp
mode	Enum	http	Operational mode: http, ftp, tftp

Authentication Properties

Property	Type	Default	Description
user	String	None	Username for authentication
password	String	None	Password for authentication
check-certificate	yes/no	yes	Verify server SSL certificate

File Handling Properties

Property	Type	Default	Description
url	String	None	Full URL (alternative to address/port/path)
path	String	None	File path on remote server
dst-path	String	None	Local destination path and filename
upload	yes/no	no	Enable upload mode (reverse direction)
ascii	yes/no	no	Transfer as ASCII (FTP text mode)

Transfer Control Properties

Property	Type	Default	Description
keep-alive	yes/no	yes	Send HTTP Keep-Alive headers
follow-redirect	yes/no	yes	Follow HTTP 3xx redirects
max-redirects	Integer	5	Maximum redirect hops
http-method	Enum	get	HTTP method: get, post, put, head
http-data	String	None	Data to send in HTTP request body

Output and Debug Properties

Property	Type	Default	Description
check-certificate	yes/no	yes	Verify server certificate validity
verbose	yes/no	no	Enable verbose debug output
as-value	yes/no	no	Return result as scripting variable
dont-require	yes/no	no	Skip certificate validation errors

Basic Operations

Downloading Files via HTTP

The most common use case retrieves files from web servers. The following command downloads a file to the router’s storage:

/tool/fetch url="http://example.com/routeros-7.15.2.npk" dst-path="routeros.npk"

For HTTPS servers with certificate verification enabled (the default), ensure the server presents a valid certificate from a trusted CA. Self-signed certificates require disabling verification:

/tool/fetch url="https://192.168.1.100/configbackup.rsc" \
    check-certificate=no \
    dst-path="backup.rsc"

Specifying Server Address Directly

When constructing scripts dynamically, specify the server address, port, and path separately:

/tool/fetch address=files.example.com \
    port=8080 \
    path="/releases/v7.15.2.npk" \
    dst-path="new-version.npk"

Uploading Files

Enable upload mode to send files to a remote server. This reverses the client-server relationship, making the router act as the file source:

/tool/fetch upload=yes \
    url="ftp://ftp.example.com/backups/router1-config.rsc" \
    user=router \
    password=secret123

For uploads to FTP servers, use mode=ftp:

/tool/fetch upload=yes \
    mode=ftp \
    url="ftp://sftp.example.com/uploads/device.rsc" \
    user=uploaduser \
    password=securepass \
    src-path="backup.rsc"

TFTP Operations

TFTP supports downloads only. Upload (upload=yes) is not supported in TFTP mode — only FTP and FTPS modes support upload.

Download from TFTP server:

/tool/fetch mode=tftp \
    address=192.168.100.10 \
    src-path="/bootloader.bin" \
    dst-path="routerboot.bin"

Authentication Configurations

Basic Authentication

HTTP Basic authentication transmits credentials in Base64 encoding. This method is convenient but should only be used over HTTPS connections to prevent credential exposure:

/tool/fetch url="https://secure.example.com/api/file.json" \
    user=apiuser \
    password=apipassword \
    dst-path="downloaded.json"

Digest Authentication

Digest authentication challenges credentials using a nonce, providing better security than basic auth for non-SSL connections:

/tool/fetch url="http://intranet.example.com/status.txt" \
    user=monitor \
    password=watcher \
    dst-path="status.txt"

FTP Authentication

FTP requires authentication for most servers. Passive mode (default) is recommended as it works better through firewalls:

/tool/fetch mode=ftp \
    address=ftp.example.com \
    path="/public/config-backup.tar.gz" \
    user=ftpuser \
    password=ftppass \
    dst-path="config.tar.gz"

For legacy FTP servers:

/tool/fetch mode=ftp \
    address=ftp.legacy-server.com \
    path="/data/export.csv" \
    user=legacyuser \
    password=legacy123 \
    dst-path="export.csv"

HTTPS Access with Server Certificate Validation

/tool/fetch can validate the server certificate with check-certificate=yes, but it does not have an ssl-certificate parameter for presenting a client certificate during mutual TLS authentication.

/tool/fetch url="https://api.secure-network.com/certauth/updates.npk" \
    check-certificate=yes \
    dst-path="updates.npk"

SSL/TLS Configuration

Certificate Verification

By default, Fetch verifies SSL certificates against the router’s certificate store. This ensures you’re connecting to the intended server and not an imposter:

/tool/fetch url="https://updates.mikrotik.com/routeros/stable.npk" \
    check-certificate=yes \
    dst-path="routeros-update.npk"

Disabling Verification

Development and testing environments often use self-signed certificates. Disable verification for these scenarios:

/tool/fetch url="https://192.168.1.100/internal/file.npk" \
    check-certificate=no \
    dst-path="internal.npk"

Disabling SSL verification exposes you to man-in-the-middle attacks. Never disable verification in production environments.

Using Custom CA Certificates

When your CA is not in the default trust store, import it into the RouterOS certificate store and mark it trusted before using check-certificate=yes:

/certificate import file-name=company-ca.crt
/certificate set [find where name~"company-ca"] trusted=yes
/tool/fetch url="https://internal.company.com/updates/file.npk" \
    check-certificate=yes \
    dst-path="internal.npk"

HTTP-Specific Options

HTTP Methods

Fetch supports various HTTP methods beyond GET, enabling API interactions:

POST request with data:

/tool/fetch url="https://api.example.com/submit" \
    http-method=post \
    http-data="device=router1&status=online" \
    http-header-field="Content-Type: application/x-www-form-urlencoded" \
    dst-path="response.txt"

HEAD request (fetch headers only):

/tool/fetch url="https://example.com/large-file.zip" \
    http-method=head \
    dst-path="/dev/null"

Custom headers:

/tool/fetch url="https://api.example.com/protected" \
    http-header-field="Authorization: Bearer token123" \
    http-header-field="X-Custom-Header: value" \
    dst-path="response.json"

Following Redirects

By default, Fetch follows HTTP redirects up to 5 times:

/tool/fetch url="http://short.example.com/abc123" \
    follow-redirects=yes \
    max-redirects=3 \
    dst-path="final-file.txt"

Keep-Alive Connections

Enable HTTP Keep-Alive for multiple requests to the same server:

/tool/fetch url="https://api.example.com/file1" \
    keep-alive=yes \
    dst-path="file1"

Scripting and Automation

Basic Download Script

Automate file downloads with error handling:

/system/script/add name=download-update source={
    :local url "https://updates.example.com/routeros.npk"
    :local dest "routeros-update.npk"
    :local result [/tool/fetch url=$url dst-path=$dest as-value output=user]
    :if ($result = "finished") do={
        :log info "Download completed successfully"
    } else={
        :log error "Download failed with status: $result"
    }
}

Scheduled Download with Verification

Combine Fetch with scheduler for periodic downloads:

/system/script/add name=fetch-logs source={
    :local date [/system/clock get date]
    :local time [/system/clock get time]
    :local filename ("logs-" . $date . "-" . $time . ".txt")

    /tool/fetch url="https://logs.example.com/daily.txt" \
        dst-path=$filename

    :log info "Downloaded logs to $filename"
}
/system/scheduler/add name=log-download interval=1d on-event=fetch-logs

Conditional Download Based on Version

Download only when a newer version is available:

/system/script add name=check-and-download source={
    # Fetch version info
    /tool/fetch url="https://updates.example.com/version.txt" \
        dst-path="/version-check.txt"

    :local currentVer [/system/package/update/get current-version]
    :local availableVer [/file get version-check.txt content]

    :if ($availableVer > $currentVer) do={
        :log info "New version available: $availableVer"
        /tool/fetch url="https://updates.example.com/routeros-$availableVer.npk" \
            dst-path="routeros-$availableVer.npk"
    } else={
        :log info "Current version $currentVer is up to date"
    }
}

Uploading Logs to Central Server

Configure automatic log upload after system logging events:

/system/script/add name=upload-logs source={
    :local timestamp [/system/clock get date]
    :local logfile ("router-logs-" . $timestamp . ".txt")

    # Export logs to file
    /log/export file=$logfile

    :delay 2s

    # Upload to central server
    /tool/fetch upload=yes \
        url="https://logs.example.com/upload/$logfile" \
        user=uploader \
        password=upload123 \
        src-path=$logfile

    :log info "Logs uploaded successfully"
}

FTP Backup Upload

Automate configuration backup to FTP server:

/system/script/add name=ftp-backup source={
    # Export current configuration
    /export file=auto-backup

    :delay 2s

    # Upload to FTP server
    /tool/fetch mode=ftp \
        upload=yes \
        address=backup.example.com \
        path="/backups/router-$[/system/identity get name].rsc" \
        user=ftpbackup \
        password=ftpsecret \
        src-path=auto-backup.rsc

    :log info "Backup uploaded to FTP server"
}
/system/scheduler/add name=scheduled-backup interval=1w on-event=ftp-backup

TFTP Server for Boot Images

Use RouterOS as a TFTP server to make a boot image available on the network, then fetch it from a client:

/system/script/add name=tftp-server source={
    # Enable TFTP server on specific interface
    /ip/tftp/add req-filename="routeros-boot.npk" \
        real-filename="routeros-7.15.2.npk" \
        interface=bridge-local
}
/tool/fetch mode=tftp \
    address=192.168.88.2 \
    src-path="/routeros-boot.npk" \
    dst-path="routeros-boot.npk"

Advanced Configurations

Multiple Concurrent Downloads

For batch operations, use scripting to manage multiple downloads:

/system/script/add name=batch-download source={
    :local urls={"https://files.example.com/file1.npk"; \
                  "https://files.example.com/file2.npk"; \
                  "https://files.example.com/file3.npk"}

    :foreach i in=$urls do={
        :local filename ([/tool/fetch url=$i dst-path=($i . ".tmp") as-value output=user])
        :log info "Downloading $i completed with status: $filename"
    }
}

Resume Interrupted Downloads

While RouterOS Fetch does not natively support resume, scripts can implement retry logic:

/system/script/add name=retry-download source={
    :local url "https://large-file.example.com/bigfile.zip"
    :local maxRetries 3
    :local attempt 1
    :local success false

    :while ($attempt <= $maxRetries and !$success) do={
        :log info "Download attempt $attempt of $maxRetries"

        :local result [/tool/fetch url=$url dst-path="bigfile.zip" as-value output=user]

        :if ($result = "finished") do={
            :set success true
            :log info "Download successful!"
        } else={
            :log warning "Attempt $attempt failed, retrying..."
            :set attempt ($attempt + 1)
            :delay 5s
        }
    }

    :if (!$success) do={
        :log error "All download attempts failed"
    }
}

Integration with Other RouterOS Features

Using Fetch with Netwatch

Monitor remote file availability and trigger actions:

/tool/netwatch/add host=files.example.com type=tcp port=443 \
    up-script=":log info \"File server is up\"; /tool/fetch url=\"https://files.example.com/status\" dst-path=status.txt" \
    down-script=":log warning \"File server is down\""

Fetch in Firewall Scripts

Download dynamic firewall rule sets:

/system/script/add name=update-firewall source={
    /tool/fetch url="https://security.example.com/firewall-rules.rsc" \
        dst-path="/temp-rules.rsc"

    :delay 2s

    # Import the rules
    /import file-name=/temp-rules.rsc

    :log info "Firewall rules updated"
}

API Interaction with Fetch

Interact with REST APIs for external integrations:

/system/script/add name=api-report source={
    # Get device status
    :local status [/system/resource/get uptime]
    :local cpu [%cpu]
    :local memory ([/system/resource/get total-memory] - [/system/resource/get free-memory])

    # Prepare JSON payload
    :local payload ("{\"device\":\"" . [/system/identity get name] . "\",\"uptime\":\"" . $status . "\",\"cpu\":" . $cpu . ",\"memory\":" . $memory . "}")

    # Send to API endpoint
    /tool/fetch url="https://api.monitoring.com/devices/status" \
        http-method=post \
        http-header-field="Content-Type: application/json" \
        http-data=$payload \
        user=apiuser \
        password=apisecret \
        dst-path=/dev/null
}

Troubleshooting

Connection Refused

If the connection is refused, verify the server is running and accessible:

/tool/ping address=example.com count=4

Check firewall rules on both ends. For HTTP/HTTPS, ensure port 80 or 443 is open:

/ip/firewall/filter print where dst-port=80,443 protocol=tcp

Timeout Errors

Timeouts occur when the server doesn’t respond in time. /tool/fetch uses an internal fixed timeout with no configurable parameter. Verify network latency to the server:

/tool/ping address=example.com count=10

SSL Certificate Errors

Certificate errors indicate verification failures:

failure: ssl certificate verify failed

Solutions include importing the CA certificate or disabling verification (not recommended for production):

/certificate import file-name=ca-cert.crt
/certificate set [find where name~"ca-cert"] trusted=yes
/tool/fetch url="https://internal.example.com/file.npk" \
    check-certificate=yes \
    dst-path="file.npk"

FTP Connection Issues

RouterOS does not expose a passive/active mode toggle for FTP — the connection mode is handled internally. If FTP transfers fail, ensure the firewall allows FTP control connections (port 21) and related return traffic.

Permission Denied

Permission errors indicate authentication failures or access restrictions:

/tool/fetch url="https://protected.example.com/file.npk" \
    user=correctuser \
    password=correctpass \
    dst-path="file.npk"

Verify credentials and server-side permissions.

DNS Resolution Failures

If the hostname cannot be resolved:

[:resolve dns-server=8.8.8.8 name=example.com]

Check DNS server configuration:

/ip/dns/print

Insufficient Storage Space

Downloaded files require sufficient disk space:

/disk/print
/file/print

Remove old files or use a different destination path with more space.

Mixed Content Errors (HTTPS)

Accessing HTTPS resources through HTTP proxies that perform SSL inspection can cause certificate errors. Either disable SSL inspection for the proxy or use a certificate that the proxy presents.

Performance Considerations

Connection Limits

RouterOS maintains connection pools. Too many concurrent transfers can exhaust resources:

/system/resource/print

Bandwidth Considerations

Large downloads consume bandwidth. Schedule during off-peak hours:

/system/scheduler/add name=nightly-download interval=1d start-time=02:00:00 \
    on-event="/tool/fetch url=\"https://updates.example.com/large.npk\" dst-path=update.npk"

Memory Usage

Fetching very large files can stress router memory. For large files, consider using TFTP or FTP with ASCII mode disabled.

Security Best Practices

1. Use HTTPS/FTPS: Always use encrypted protocols for sensitive data
2. Protect Credentials: Avoid hardcoding passwords in scripts; use variables
3. Validate Certificates: Keep SSL verification enabled in production
4. Limit Access: Restrict which servers can be accessed via firewall rules
5. Log Transfers: Enable logging for audit trails
6. Rotate Keys: Change FTP/HTTP passwords periodically
7. Minimize Privileges: Use least-privilege accounts for file access

Related Commands

Command	Purpose
/file	Manage files on the router
/system/package/update	RouterOS software updates
/log	System logging
/tool/tftp	TFTP server configuration
/tool/ping	Test connectivity
/tool/traceroute	Diagnose network path
/tool/netwatch	Monitor host availability
/system/script	Script management
/import	Import configuration files
/export	Export configuration

Related Resources

• Official MikroTik Fetch Documentation
• RouterOS Tools Overview
• Netwatch Monitoring Tool
• Dynamic DNS Update Tool
• Scripting Manual
• System Logging