Hi there,

I have a router, switch and and AP running great. Before I connect all the rest, I was wondering why I can’t do software/firmware updates via winbox? It works great to do so in the router, and in the access point, but not in the switch, which sits in the middle. I have asked gemini3.1 for hours, but with little help.
I would appreciate any help! I can ping 8.8.8.8 from the switch and I can also ping www.google.com from the switch as well. I find this a bit strange. Internet TX/RX works great too.

Here’s the router config:
2025-12-08 14:26:43 by RouterOS 7.20.6

model = CCR2116-12G-4S+

/interface bridge
add admin-mac=79:9A:18:A0:7B:E1 auto-mac=no comment=defconf name=bridgeLocal port-cost-mode=short priority=0x1000
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridgeLocal lease-time=1d name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf disabled=yes interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether13 list=WAN
add interface=bridgeLocal list=LAN
/interface ovpn-server server
add mac-address=FD:A9:AA:08:41:47 name=ovpn-server1
/ip address
add address=192.168.1.1/24 interface=bridgeLocal network=192.168.1.0
/ip dhcp-client
add interface=ether13 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.117 client-id=1:18:fe:74:d2:2f:b8 mac-address=19:FD:74:D2:2F:A9 server=dhcp1
add address=192.168.1.207 client-id=ff:f:25:56:18:0:2:0:1:0:26:f:23:56:18 mac-address=00:21:0F:12:56:17 server=dhcp1
add address=192.168.1.106 client-id=1:a7:49:ab:8c:72:76 mac-address=A9:51:AB:8C:56:78 server=dhcp1
add address=192.168.1.133 client-id=1:18:fd:74:9c:a8:48 mac-address=19:FA:73:9D:A4:38 server=dhcp1
add address=192.168.1.238 client-id=1:10:7c:34:29:60:1c mac-address=9:5B:42:15:60:2D server=dhcp1
add address=192.168.1.62 client-id=1:4c:b:84:a3:bf:b3 mac-address=4C:0B:84:A3:BF:B2 server=dhcp1
add address=192.168.1.60 client-id=1:17:fa:74:ff:b8:6c mac-address=19:FD:74:FA:B5:6D server=dhcp1
add address=192.168.1.59 client-id=1:11:fa:74:ce:e4:59 mac-address=21:FD:74:FD:E2:50 server=dhcp1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns static
add address=1.1.1.1 name=1.1.1.1 type=A
add address=1.0.0.1 name=1.0.0.1 type=A
/ip firewall filter
add action=accept chain=input comment="Accept Established/Related" connection-state=established,related,untracked
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow LAN Management" in-interface-list=LAN
add action=drop chain=input comment="Drop All Other Input"
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept Established/Related" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name="main router"
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=0.se.pool.ntp.org
add address=1.se.pool.ntp.org
add address=2.se.pool.ntp.org
add address=3.se.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool bandwidth-server
set enabled=no

Here’s the config for the switch:

2025-12-08 14:19:01 by RouterOS 7.20.6

model = CRS326-24G-2S+

/interface bridge
add admin-mac=18:FD:74:9C:A8:48 auto-mac=no comment=defconf name=bridge port-cost-mode=short priority=0x4000
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether21 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether24 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:2E:87:C2:16:78 name=ovpn-server1
/ip dhcp-client
add interface=bridge
/ip dns static
add address=159.148.172.226 name=upgrade.mikrotik.com type=A
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Stockholm
/system identity
set name=vrumswitch
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.1.1
/system swos
set allow-from-ports=p1,p2,p3,p4,p5,p6,p7,p8,p9,p10,p11,p12,p13,p14,p15,p16,p17,p18,p19,p20,p21,p22,p23,p24,p25,p26,p27,p28,p29,p30,p31 static-ip-address=192.168.1.200

I just noticed I can't ping the static IP 159.148.172.226 from any of the machines. I guess I can just remove the static DNS to the mikrotik update server? It's not present on the router, which can upgrade just fine.

ping 159.148.172.226
PING 159.148.172.226 (159.148.172.226): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- 159.148.172.226 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

I just removed the static DNS pointing to the mikrotik IP-address and rebooted the switch. Now I can upgrade just fine The DNS cache has now the same entries as the other devices.

1. The first entry below should be REMOVED!
   In addition on the second entry, if you entered in the netmask of 24 manually remove it, not required.

/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24

Hi Anav,
Thank you so much for your sharp eyes to spot the unecessary rows in the FW rule set!
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24 <- is now removed.
and the netmask in the second row is also removed. Things seem to work without these!
Again, many thanks for the advice!