As in topic - while Im trying to upgrade ROS whia system/packages/check-for-update I get no internet error. Provisoning works fine, there is internet connection via WiFi.
Router and CAPsMAN config:
/interface bridge
add admin-mac=x arp=proxy-arp auto-mac=no comment=defconf name=BridgeLAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ISP
/interface vlan
add interface=ISP name=vlan1 vlan-id=35
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 use-peer-dns=yes user=x
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=2ghz-ax comment="2.4 GHz" disabled=no name="2.4 GHz" width=20/40mhz
add band=5ghz-ax comment="5 GHz" disabled=no name="5 GHz" width=20/40/80mhz
/interface wifi datapath
add bridge=BridgeLAN disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa-psk,wpa2-psk disabled=no encryption="" name=sec1
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-lol-6d47565b rrm=yes wnm=yes
/interface wifi configuration
add channel="5 GHz" channel.reselect-interval=1h..2h country=Poland datapath=datapath1 disabled=no manager=local mode=ap name=cfg5ghz security=sec1 security.ft=yes .ft-over-ds=yes ssid=lol steering=steering1
add channel="2.4 GHz" channel.reselect-interval=1h..2h country=Poland datapath=datapath1 disabled=no manager=local mode=ap name=cfg2ghz security=sec1 security.ft=yes .ft-over-ds=yes ssid=lol steering=steering1
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg5ghz configuration.mode=ap disabled=no name="wifi1 hAP" security=sec1 security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] configuration=cfg2ghz configuration.mode=ap disabled=no name="wifi2 hAP" security=sec1 security.authentication-types=wpa2-psk
/ip ipsec policy group
add name=ikev2-group
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=ikev2
/ip ipsec peer
add exchange-mode=ike2 name=ikev2-peer passive=yes profile=ikev2
/ip ipsec proposal
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc name=ikev2-proposal pfs-group=none
/ip pool
add name=dhcp ranges=192.168.10.20-192.168.10.59
add name=ikev2 ranges=192.168.2.10-192.168.2.20
/ip dhcp-server
add address-pool=dhcp interface=BridgeLAN lease-time=10m name=defconf
/ip ipsec mode-config
add address-pool=ikev2 address-prefix-length=32 name=ikev2-config split-include=0.0.0.0/0
/ip smb users
set [ find default=yes ] disabled=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user-manager user
add name=lol
add name=x
/interface bridge port
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface="wifi1 hAP" internal-path-cost=10 path-cost=10
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface="wifi2 hAP" internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=BridgeLAN list=LAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:DA:84:B6:BB:4B name=ovpn-server1
/interface wifi cap
set caps-man-addresses="" discovery-interfaces=""
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces="" package-path=/ require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg2ghz name-format="%I 2GHz" supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg5ghz name-format="%I 5GHz" slave-configurations="" supported-bands=5ghz-ax
/ip address
add address=192.168.10.1/24 comment=defconf interface=BridgeLAN network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.10.3 client-id=1:f4:1e:57:7b:6d:d5 comment=imprezownia mac-address=F4:1E:57:7B:6D:D5 server=defconf
add address=192.168.10.151 client-id=1:18:1e:78:55:ac:40 comment="NC Imprezownia" mac-address=18:1E:78:55:AC:40 server=defconf
add address=192.168.10.152 client-id=1:18:1e:78:55:f1:7e comment="NC lol" mac-address=18:1E:78:55:F1:7E server=defconf
add address=192.168.10.170 client-id=1:e8:13:6e:59:95:99 comment=PV1 mac-address=E8:13:6E:59:95:99 server=defconf
add address=192.168.10.171 client-id=1:f0:9b:b8:f3:86:9d comment=PV2 mac-address=F0:9B:B8:F3:86:9D server=defconf
add address=192.168.10.160 client-id=1:0:21:ff:ed:c0:10 comment="Polsat master" mac-address=00:21:FF:ED:C0:10 server=defconf
add address=192.168.10.12 client-id=1:ec:8:6b:0:a7:7c comment="PC Warsztat" mac-address=EC:08:6B:00:A7:7C server=defconf
add address=192.168.10.100 client-id=1:18:68:cb:96:5e:7f comment=Rejestrator mac-address=18:68:CB:96:5E:7F server=defconf
add address=192.168.10.103 client-id=1:8:a1:89:a9:af:31 comment="Kamera suszarnia" mac-address=08:A1:89:A9:AF:31 server=defconf
add address=192.168.10.104 client-id=1:a0:ff:0c:ea:93:91 comment="Kamera waga" mac-address=A0:FF:0C:EA:93:91 server=defconf
add address=192.168.10.109 client-id=1:b4:a3:82:69:26:26 comment="Kamera warsztat srodek" mac-address=B4:A3:82:69:26:26 server=defconf
add address=192.168.10.110 client-id=1:44:a6:42:8f:da:17 comment="Kamera PV1" mac-address=44:A6:42:8F:DA:17 server=defconf
add address=192.168.10.111 client-id=1:24:f:9b:4f:dd:12 comment="Kamera PV2" mac-address=24:0F:9B:4F:DD:12 server=defconf
add address=192.168.10.4 client-id=1:44:d9:e7:f5:19:b5 comment=EdgeSwitch mac-address=44:D9:E7:F5:19:B5 server=defconf
add address=192.168.10.203 client-id=1:f4:92:bf:ba:97:43 comment="Bullet dom" mac-address=F4:92:BF:BA:97:43 server=defconf
add address=192.168.10.226 client-id=1:dc:9f:db:78:7f:d5 comment="NS Loco waga" mac-address=DC:9F:DB:78:7F:D5 server=defconf
add address=192.168.10.227 client-id=1:24:5a:4c:4e:f5:d5 comment="NS Loco PVcam" mac-address=24:5A:4C:4E:F5:D5 server=defconf
add address=192.168.10.224 client-id=1:f4:92:bf:4e:90:b1 comment="NS Loco PV" mac-address=F4:92:BF:4E:90:B1 server=defconf
add address=192.168.10.213 client-id=1:18:e8:29:74:f:de comment="Bullet warsztat" mac-address=18:E8:29:74:0F:DE server=defconf
add address=192.168.10.225 client-id=1:78:45:58:33:2f:9 comment=MagazynPV mac-address=78:45:58:33:2F:09 server=defconf
add address=192.168.10.150 comment="NC Master" mac-address=C4:77:AF:18:3F:69 server=defconf
add address=192.168.10.153 client-id=1:34:6b:46:f2:7b:90 comment="NC Sypialnia" mac-address=34:6B:46:F2:7B:90 server=defconf
add address=192.168.10.140 client-id=1:b0:b3:2b:0:52:2f comment=Centralka mac-address=B0:B3:2B:00:52:2F server=defconf
add address=192.168.10.161 comment="Polsat slave" mac-address=00:21:FF:F1:FB:5C server=defconf
add address=192.168.10.11 client-id=1:1c:6f:65:38:f6:ff comment="PC lol" mac-address=1C:6F:65:38:F6:FF server=defconf
add address=192.168.10.13 client-id=1:6c:62:6d:eb:f2:e1 comment="PC Biuro2" mac-address=6C:62:6D:EB:F2:E1 server=defconf
add address=192.168.10.10 comment="PC Biuro" mac-address=D0:50:99:AC:88:16 server=defconf
add address=192.168.10.141 client-id=1:00:13:48:03:b7:82 comment="GIR Paliwo" mac-address=00:13:48:03:B7:82 server=defconf
add address=192.168.10.60 client-id=1:34:5a:6:7a:d3:19 comment="Drukarka biuro" mac-address=34:5A:06:7A:D3:19 server=defconf
add address=192.168.10.101 client-id=1:a0:ff:c:ea:93:34 comment="Kamera dom" mac-address=A0:FF:0C:EA:93:34 server=defconf
add address=192.168.10.102 client-id=1:3C:1B:F8:FC:83:3D comment="Kamera biuro" mac-address=3C:1B:F8:FC:83:3D server=defconf
add address=192.168.10.106 client-id=1:a0:ff:c:ea:93:c comment="Kamera warsztat wjazd" mac-address=A0:FF:0C:EA:93:0C server=defconf
add address=192.168.10.107 client-id=1:a0:ff:c:ea:93:61 comment="Kamera warsztat tyl" mac-address=A0:FF:0C:EA:93:61 server=defconf
add address=192.168.10.108 client-id=1:a0:ff:c:ea:93:9e comment="Kamera warsztat plac" mac-address=A0:FF:0C:EA:93:9E server=defconf
add address=192.168.10.105 client-id=1:a0:ff:c:ea:93:96 comment="Kamera suszarnia stara" mac-address=A0:FF:0C:EA:93:96 server=defconf
add address=192.168.10.2 client-id=1:f4:1e:57:1d:91:35 comment=cAP mac-address=F4:1E:57:1D:91:35 server=defconf
add address=192.168.10.14 client-id=1:e4:54:e8:1f:cb:37 comment="Serwer dell" mac-address=E4:54:E8:1F:CB:37 server=defconf
add address=192.168.10.202 client-id=1:28:70:4e:a6:7d:93 comment="Most dom" mac-address=28:70:4E:A6:7D:93 server=defconf
add address=192.168.10.212 client-id=1:28:70:4e:a6:52:d3 comment="Most warsztat" mac-address=28:70:4E:A6:52:D3 server=defconf
add address=192.168.10.5 client-id=1:f4:1e:57:b4:64:bc comment="Mikrotik switch POE" mac-address=F4:1E:57:B4:64:BC server=defconf
add address=192.168.10.6 client-id=1:4:f4:1c:2a:85:a8 comment="cAP down" mac-address=04:F4:1C:2A:85:A8 server=defconf
add address=192.168.10.223 client-id=1:e0:63:da:96:30:e comment="loco paliwo" mac-address=E0:63:DA:96:30:0E server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
add address=192.168.10.2-192.168.10.254 list=allowed_to_router
add address=192.168.2.10-192.168.2.20 comment=ikev2 list=allowed_to_router
add address=192.168.10.10/31 list=allowed_to_modem
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=CAPsMAN port=5246,5247 protocol=udp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=letsencrypt disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="ikev2 VPN" dst-port=500,4500 protocol=udp
add action=drop chain=input comment="drop other input"
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Drop fwall"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=!127.0.0.1
add action=masquerade chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.10.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.10.0/24 dst-address-type=local dst-port=8000 protocol=tcp to-addresses=192.168.10.100
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.2.0/24
/ip ipsec identity
add auth-method=eap-radius certificate="Lets x" generate-policy=port-strict mode-config=ikev2-config peer=ikev2-peer policy-template-group=ikev2-group
/ip ipsec policy
add dst-address=192.168.2.0/24 group=ikev2-group proposal=ikev2-proposal src-address=0.0.0.0/0 template=yes
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www-ssl certificate="Lets x"
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/radius
add address=127.0.0.1 require-message-auth=no service=ipsec timeout=3s
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="MikroTik lol"
/system logging
set 0 topics=info,!wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com
/system scheduler
add interval=11w3d name=letsencrypt on-event="/system script run letsencrypt_renew" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2024-10-26 start-time=03:00:00
add interval=1w name=reboot on-event="/system reboot" policy=reboot start-date=2024-04-21 start-time=04:00:00
/system script
add dont-require-permissions=no name=letsencrypt_renew owner=lol policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":log info "Script - Certificate renewal start"
\n
\n:local commName "remote.lol.pl"
\n
\n/ip firewall filter enable [find where comment="letsencrypt"]
\n
\n#Delete old certificate, create new certificate
\n/certificate remove [find where common-name=$commName]
\n/certificate enable-ssl-certificate dns=$commName
\n
\n:delay 60s
\n
\n/certificate
\n:local certName [get [find where common-name=$commName] name]
\n
\n/user-manager set certificate=$certName
\n/ip ipsec identity set [find peer=ikev2-peer] certificate=$certName
\n
\n/ip firewall filter disable [find where comment="letsencrypt"]
\n
\n:log info "Script - Certificate renewal finished""
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user-manager
set certificate="X" enabled=yes
/user-manager router
add address=127.0.0.1 name=localhost
Switch:
/interface bridge
add admin-mac=X auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether2 ] poe-out=off
/interface list
add name=WAN
add name=LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp9
add bridge=bridge comment=defconf interface=sfp10
add bridge=bridge comment=defconf interface=sfp11
add bridge=bridge comment=defconf interface=sfp12
/interface list member
add disabled=yes interface=ether1 list=WAN
add disabled=yes interface=ether2 list=LAN
add disabled=yes interface=ether3 list=LAN
add disabled=yes interface=ether4 list=LAN
add disabled=yes interface=ether5 list=LAN
add disabled=yes interface=ether6 list=LAN
add disabled=yes interface=ether7 list=LAN
add disabled=yes interface=ether8 list=LAN
add disabled=yes interface=sfp9 list=LAN
add disabled=yes interface=sfp10 list=LAN
add disabled=yes interface=sfp11 list=LAN
add disabled=yes interface=sfp12 list=LAN
/interface ovpn-server server
add mac-address=X name=ovpn-server1
/interface wifi cap
set caps-man-addresses=192.168.10.1 certificate=request discovery-interfaces=
bridge enabled=yes
/ip dhcp-client
add interface=bridge
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="MikroTik switch POE"
/system routerboard settings
set enter-setup-on=delete-key
CAP:
/interface bridge
add admin-mac=X auto-mac=no comment=defconf name=bridgeLocal
/interface ethernet switch
set 0 cpu-flow-control=yes
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifimanaged by CAPsMAN X%bridgeLocal, traffic processing on CAP
mode: AP, SSID: lol, channel: 5500/ax/Ceee/D
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
managed by CAPsMAN X%bridgeLocal, traffic processing on CAP
mode: AP, SSID: lol, channel: 2452/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set caps-man-addresses=192.168.10.1 certificate=request discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp slaves-static=yes
/ip dhcp-client
add add-default-route=no comment=defconf default-route-tables=main interface=bridgeLocal
/system identity
set name="MikroTik cAP"