Can't Update Wifi Extender

Introductions

I have been using Mikrotik for years and slowly migrated most of my family to use it, but I am not a network person and generally only do the basics and often used wizard and default configs where possible. I am very comfortable on a Linux CLI but all at sea on the Mikrotik console and so generally prefer the web GUI.

One problem that I have never been able to solve that I have made my 2025 New Year's resolution to solve and understand is that I am unable to upgrade my wifi extenders.

Setup

The setup is simple. One Mikrotik device as the main gateway and DHCP device and then one or more wifi extenders.

When using RouterOS 6 I used the auto setup wizard for creating an extender but since upgrading hardware and using RouterOS 7 I manually created a repeater setup on top of a default config using the RouterOS 6 setup as a reference to copy.

Problem

In both versions of my setups v6 and v7 the wifi extenders are unable to do updates. It's as if the device has no gateway but clients that connect via wifi can access the internet just fine.

The error I get is one of two versions: connection timeout or DNS can't resolve. The timeout version seems to be on my v7 setup and the DNS error on my v6 setups.

The odd thing for me is that even if I take the router and plug in ether1 directly into the gateway device it still can't upgrade.

Any guidance would be greatly appreciated.

Any config would be greatly appreciated :slight_smile:

Following anav’s advice please provide us both exported configs:

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

@BartoszP is this what you were expecting?

# 2025-01-03 16:56:04 by RouterOS 7.12.1
# software id = xx
#
# model = xx-xx
# serial number = xx
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment="5G Networked" name=\
    bridge1
add comment="2G" name=bridge2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec-XXX-G5
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec-XXX-2
/interface wifiwave2 configuration
add disabled=no name=cfg-N5 security=sec-XXX-G5 ssid=XXX-G5
add datapath.client-isolation=yes disabled=no name=cfg-2 security=\
    sec-XXX-G2 ssid=XXX
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz comment="XXX-5 Station" configuration=\
    cfg-N5 configuration.mode=station-bridge disabled=no
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz comment="XXX Station" configuration=cfg-2 \
    configuration.mode=station-bridge .ssid=XXX disabled=no
add comment="XXX N5 AP" configuration=cfg-N5 configuration.mode=ap \
    disabled=no mac-address=XX:XX:XX:XX:XX:XX master-interface=wifi1 name=\
    wifi3
add comment="XXX AP" configuration=cfg-2 configuration.mode=ap disabled=no \
    mac-address=XX:XX:XX:XX:XX:XX master-interface=wifi2 name=wifi4
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge1 lease-time=10m \
    name=defconf
/interface bridge port
add bridge=bridge2 comment=defconf interface=ether2
add bridge=bridge2 comment=defconf interface=ether3
add bridge=bridge2 comment=defconf interface=ether4
add bridge=bridge2 comment=defconf interface=ether5
add bridge=bridge1 comment=defconf interface=wifi1
add bridge=bridge2 comment=defconf interface=wifi2
add bridge=bridge1 interface=wifi3
add bridge=bridge2 interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.4/24 interface=bridge2 network=192.168.1.0
add address=192.168.0.4/24 interface=bridge1 network=192.168.0.0
/ip dhcp-client
add interface=bridge1
add interface=bridge2
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=WebFig disabled=no
set api disabled=yes
set api-ssl certificate=WebFig
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name="XXX-RB x2"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You have BOTH a static IP address AND a DHCP client running on both bridges:

/ip address
add address=192.168.1.4/24 interface=bridge2 network=192.168.1.0
add address=192.168.0.4/24 interface=bridge1 network=192.168.0.0
/ip dhcp-client
add interface=bridge1
add interface=bridge2

This may (or may not) “confuse” the routes, depending on what is provided by the DHCP server.

Post the output of:

/ip route print

I remember setting this and seeing this, but never thought it was a problem.

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS     GATEWAY      DISTANCE
DAd+ 0.0.0.0/0       192.168.0.1         1
DAd+ 0.0.0.0/0       192.168.1.1         1
DAc+ 192.168.0.0/24  bridge1             0
DAc+ 192.168.0.0/24  bridge1             0
DAc+ 192.168.1.0/24  bridge2             0
DAc+ 192.168.1.0/24  bridge2             0

The DHCP Client and static IPs seem to explain the difference between the two errors I have been getting (timeouts vs DNS).

After disabling the DHCP client on both bridges my error went from a timeout to Error: could not resolve dns name when trying to check for updated packages.

Routes now look like this.

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS     GATEWAY  DISTANCE
DAc 192.168.0.0/24  bridge1         0
DAc 192.168.1.0/24  bridge2         0

Well, in this configuration:

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS     GATEWAY      DISTANCE
DAd+ 0.0.0.0/0       192.168.0.1         1
DAd+ 0.0.0.0/0       192.168.1.1         1
DAc+ 192.168.0.0/24  bridge1             0
DAc+ 192.168.0.0/24  bridge1             0
DAc+ 192.168.1.0/24  bridge2             0
DAc+ 192.168.1.0/24  bridge2             0

You have two routes towards “internet” through two different gateways (they are so-called ECMP routes, marked by the + sign), if (as I suspect) only one of the two is actually the gateway to the internet, this may create issues, as the router will choose the one or the other, but the main issue is that seemingly you have not configured the interface to the modem/router/internet (possibly ether1?):

/interface list member
add comment=defconf interface=bridge1 list=LAN
add comment=defconf interface=ether1 list=WAN

In this configuration (With DHCP disabled and only the static addresses set to the bridges):

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS     GATEWAY  DISTANCE
DAc 192.168.0.0/24  bridge1         0
DAc 192.168.1.0/24  bridge2         0

you have no route to the “internet” at all, the two LAN routes, one for each bridge are DAc (Dynamic Active connected) and come from the two IP addresses you gave (manually) to the two bridges (and are fine).

You need to add a static route, through the interface that is actually connected to the router/modem/internet, possibly ether1, which right now has not even an IP address, or add ether1 as dhcp client, or if one of the two bridges is connected “upstream”, then add only that one.
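
The two route tables compared in the reply above can be told apart mechanically. The following is an added example, not part of the original thread: a Python check that parses /ip route print output in the layout pasted here and reports either several active default gateways (the ECMP case) or no default route at all. The function names and the embedded sample tables are constructed for illustration.

```python
import re

# Constructed samples: the two "/ip route print" outputs quoted in the thread.
ECMP_TABLE = """\
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP; + - ECMP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
     DST-ADDRESS     GATEWAY      DISTANCE
DAd+ 0.0.0.0/0       192.168.0.1         1
DAd+ 0.0.0.0/0       192.168.1.1         1
DAc+ 192.168.0.0/24  bridge1             0
DAc+ 192.168.0.0/24  bridge1             0
DAc+ 192.168.1.0/24  bridge2             0
DAc+ 192.168.1.0/24  bridge2             0
"""
STATIC_ONLY_TABLE = """\
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS     GATEWAY  DISTANCE
DAc 192.168.0.0/24  bridge1         0
DAc 192.168.1.0/24  bridge2         0
"""

ROW = re.compile(r"^(?P<flags>[A-Za-z+]+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<gw>\S+)\s+(?P<dist>\d+)\s*$")

def parse_routes(text):
    """Return one dict per route row; header lines do not match ROW."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            routes.append({**m.groupdict(), "dist": int(m["dist"])})
    return routes

def diagnose(text):
    """Classify the table as 'no-default-route', 'ecmp-default', or 'ok'."""
    active_defaults = [r for r in parse_routes(text)
                       if r["dst"] == "0.0.0.0/0" and "A" in r["flags"]]
    gateways = sorted({r["gw"] for r in active_defaults})
    if not gateways:
        return "no-default-route", gateways
    if len(gateways) > 1:
        return "ecmp-default", gateways
    return "ok", gateways

if __name__ == "__main__":
    for name, table in (("DHCP on both bridges", ECMP_TABLE), ("static only", STATIC_ONLY_TABLE)):
        print(name, "->", diagnose(table))
```
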

That solved it, I now understand both errors and how they happen and was able to upgrade the one network's wifi extenders and will do the others when next on site.

Thank you very much.

Good. :slight_smile:
You are welcome of course.