Error updating ROS

I have an ax3 connected at ether2 to a switch on my LAN. The ax3 only provides very local wireless access.

I want to upgrade to 7.19.3 but when I click “Check for Updates” I get:

“ERROR: could not connect - Address not available”

From a terminal window I can ping yahoo.com

As you can see from the export below, I have it set up where all ether ports 1-4 are on the bridge (ether5 of for dedicated managemenbt) and my hope is to have it set up as a simple switch (yes, I know it has an IP address and routes). And, no firewall or NAT rules are set up.

What did I mess up?

# 2025-07-27 10:48:08 by RouterOS 7.18.2
# software id = PTUN-M4Y8
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HEW0xxxx
/interface bridge
add admin-mac=78:9A:18:30:D6:EE auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wifi
add channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz \
    configuration.mode=ap .ssid=ax3 disabled=no name=wifi1 radio-mac=\
    78:9A:18:30:D6:F2 security.authentication-types=wpa2-psk,wpa3-psk \
    .passphrase=ilovedaddy1!
add channel.band=2ghz-ax .skip-dfs-channels=disabled .width=20/40mhz \
    configuration.mode=ap .ssid=ax3 disabled=no name=wifi2 radio-mac=\
    78:9A:18:30:D6:F3 security.authentication-types=wpa2-psk .passphrase=\
    ilovedaddy1!
/interface list
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment=OffBridge name=OffBridge ranges=192.168.55.100-192.168.55.200
/ip dhcp-server
add address-pool=OffBridge interface=ether5 name=OffBridge
/system logging action
set 3 remote=127.0.0.1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge interface=ether1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether5 list=LAN
/interface ovpn-server server
add mac-address=FE:CD:A0:F7:0F:96 name=ovpn-server1
/ip address
add address=192.168.0.13/24 comment=defconf interface=bridge network=\
    192.168.0.0
add address=192.168.55.100/24 interface=ether5 network=192.168.55.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.55.0/24 dns-server=192.168.0.11 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=192.168.0.11,9.9.9.9
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d \
    wed=0s-1d
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.11 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set www-ssl disabled=no
/ipv6 nd
set [ find default=yes ] disabled=yes
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=355-hAPax3
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes id=78:9A:18:30:D6:F1
/tool sniffer
set filter-ip-address=192.168.2.0/24 filter-ip-protocol=icmp

upgrade.mikrotik.com

I should have included that I’m currently able to “Check for Updates” from other MT devices.

Not a suprise. Chocking connection, temporary blocked service … who knows.

Could be, but I would bet the problem is in my config.

I tried adding a masqerade NAT rule, thinking maybe the connection needed it, but that didn’t solve it.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge

Frames are getting to mikrotik.com and coming back:

image972×481 149 KB

I manually upgraded to 7.19.3 and upgraded from wireless to qcom-wifi.

It still can’t successfully check for upgrades.

What’s your firewall like?

No fw rules at all on this device.

This device is connected to a switch which is connected to a Ubiquiti UDM

I am a bit suspicious that the request actually goes through - the router sends a packet size 180, which is the request though quite short, and the response has size 74, which is way too short.

You wrote this goes to a UDM, can you check the logs there?

Agree it’s suspicious. Just checked using wireshark: initial connection packet (going from client towards update.mikrotik.com) - a TCP SYN - is 74 bytes long. Initial return packet (SYN ACK) is 74 bytes as well. Third packet (ACK) is 66 bytes long. The first packet with payload (sent from client towards server), which actually contains request, is 200 bytes long. The response is 172 bytes long and it contains redirect to another URL (https). And then there are a few short packets (66 bytes long) to close the TCP connection (ACK, FIN-ACK).

Next browser (or, in my case, wget) connects via https … which is not seen in your screenshot.

I don’t see anything in the UDM logs.

In addition to this device I have other MT devices on the inside (LAN side) of the UDM, include a cube connected via 60ghz to another cube, and a WAP connected to that second cube. They can all successfully check for upgrades.

UGH!!! I found my mistake.

The default IP route’s gateway was a hEX I have also on the inside of the UDM. (That hex provides Wireguard as well as DHCP and DNS services, but otherwise just sits there.)

As soon as a I changed the ax3’s default router gateway to 192.168.0.1 (the UDM), the system works.

Thank you all, as always, for sticking with me.