Firmware not upgrading

Hi all,

Newbie here. I just rebooted a CCR1036-8G-2S+ which has been offline for ten months. Old firmware was 6.38.1. I always thought that rebooting the device would update the firmware automatically but 6.38.1 is apparently the firmware loaded on the day of installation (February 2017). So I am now wondering if it has been compromised because of the recent vulnerabilities…

I log in via Winbox (passwords still working) and click download and install in the quickset menu. Router reboots but firmware stays on 6.38.1. I tried just download and reboot manually, nothing. Also downloading the CCR TILE Main Package on my PC and dragging it into the Files folder in Winbox does not help. It remains on 6.38.1.

Winbox gives error message when I try to make a supout.rif.

There is a custom configuration file loaded and I’m scared to lose this. How can I update the firmware without losing all settings that the IT guy programmed last year?

Thanks!

Somehow it sounds like it is already compromised. Tell us the exact error messages you saw, and post the entire log, when you made the reboot.

Hi,

No error whatsoever. I click reboot and after power-up I check updates via Quickset menu. Shows the same firmware as before.

If you mean supout.rif, it says "Couldn’t continue - failed to create supout.rif (6)".

Log shows one entry in red: jan/01/1970 02:00:18 memory system, error, critical router was rebooted without proper shutdown, probably kernel failure.

Means you haven’t upgraded it, or rebooted it, it crashed before it did anything.

Ok, but I get the same message when I do just download the package and manual reboot.

Sorry, it’s slightly different: Router was rebooted without proper shutdown, probably kernel failure.

Nobody can tell me what’s wrong with my router? Why it won’t upgrade its firmware?

You can upgrade RouterOS via System > Packages. If it is not working, use netinstall. Always export and save your configuration externally before upgrading.

The firmware however, is to be upgraded after update of RouterOS via System > Routerboard (click ‘Upgrade’). This will not happen automatically.

Thank you for pointing out that there are two things to upgrade, routerOS and firmware for the hardware. I wasn’t aware of this.

How do I export my configuration? Through the files list? And how do I know these aren’t corrupted?

Thanks again!

https://www.google.nl/search?q=mikrotik+export+configuration

=> https://wiki.mikrotik.com/wiki/Manual:Configuration_Management#Exporting_Configuration

You should review the configuration export thoroughly as you ran a vulnerable version, so netinstall without ‘Keep configuration’ is advised. You may post your anonymized config here for review, using the following command: /export hide-sensitive

/interface bridge
add name="bridge vlan6"
add name=bridge_VLAN_VPN1
add name=bridge_VLAN_VPN2
add name=bridge_trunk
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - trunk to switch 1"
set [ find default-name=ether2 ] name="ether2 - trunk to switch 2"
set [ find default-name=ether3 ] name="ether3 - WAN"
/interface vlan
add interface=bridge_trunk name=Crestron vlan-id=2
add interface=bridge_trunk name=Default vlan-id=1
add interface=bridge_trunk name=Kaleidescape vlan-id=3
add interface=bridge_trunk name=User vlan-id=6
add interface=ether5 name=VPN1 vlan-id=4
add interface=ether7 name=VPN2 vlan-id=5
/ip pool
add name=dhcp_pool_crestron ranges=192.168.102.150-192.168.102.200
add name=dhcp_pool_default ranges=192.168.101.150-192.168.101.200
add name=dhcp_pool_kal ranges=192.168.103.150-192.168.103.200
add name=dhcp_pool_VPN1 ranges=192.168.104.150-192.168.104.200
add name=dhcp_pool_VPN2 ranges=192.168.105.150-192.168.105.200
add name=dhcp_pool_user ranges=192.168.106.50-192.168.106.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool_VPN1 disabled=no interface=bridge_VLAN_VPN1 lease-time=20h10m name=VPN1
add add-arp=yes address-pool=dhcp_pool_VPN2 disabled=no interface=bridge_VLAN_VPN2 lease-time=20h10m name=VPN2
add add-arp=yes address-pool=dhcp_pool_crestron disabled=no interface=Crestron lease-time=20h10m name=Crestron
add add-arp=yes address-pool=dhcp_pool_kal disabled=no interface=Kaleidescape lease-time=20h10m name=Kal
add add-arp=yes address-pool=dhcp_pool_default disabled=no interface=Default lease-time=20h10m name=Default
add address-pool=dhcp_pool_user disabled=no interface=User lease-time=20h10m name=User
/ip ipsec mode-config
add address-pool=dhcp_pool_user name=cfg1 system-dns=no
/ppp profile
set *0 dns-server=8.8.8.8 local-address=dhcp_pool_default remote-address=dhcp_pool_default wins-server=8.8.4.4
/interface bridge port
add bridge=bridge_VLAN_VPN1 interface=ether5
add bridge=bridge_VLAN_VPN1 interface=ether6
add bridge=bridge_VLAN_VPN2 interface=ether7
add bridge=bridge_VLAN_VPN2 interface=ether8
add bridge=bridge_VLAN_VPN1 interface=VPN1
add bridge=bridge_VLAN_VPN2 interface=VPN2
add bridge=bridge_trunk interface="ether2 - trunk to switch 2"
add bridge=bridge_trunk interface="ether1 - trunk to switch 1"
add bridge="bridge vlan6" interface=ether4
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface="ether1 - trunk to switch 1" network=192.168.88.0
add address=192.168.101.1/24 interface=Default network=192.168.101.0
add address=192.168.102.1/24 interface=Crestron network=192.168.102.0
add address=192.168.103.1/24 interface=Kaleidescape network=192.168.103.0
add address=192.168.104.1/24 interface=VPN1 network=192.168.104.0
add address=192.168.105.1/24 interface=VPN2 network=192.168.105.0
add address=192.168.106.1/24 interface=User network=192.168.106.0
add address=192.168.106.1/8 comment="WAN address" interface="ether1 - trunk to switch 1" network=192.0.0.0
add address=192.168.106.1/8 interface=sfp-sfpplus1 network=192.0.0.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=clientid,clientid disabled=no interface="ether3 - WAN"
/ip dhcp-server network
add address=192.168.101.0/24 dns-server=8.8.8.8 gateway=192.168.101.1
add address=192.168.102.0/24 dns-server=8.8.8.8 gateway=192.168.102.1 netmask=24
add address=192.168.103.0/24 dns-server=8.8.8.8 gateway=192.168.103.1 netmask=24
add address=192.168.104.0/24 dns-server=8.8.8.8 gateway=192.168.104.1
add address=192.168.105.0/24 dns-server=8.8.8.8 gateway=192.168.105.1
add address=192.168.106.0/24 dns-server=8.8.8.8 gateway=192.168.106.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=193.106.31.98,193.106.30.122
/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether3 - WAN"
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mo
main-l2tp generate-policy=port-override send-initial-contact=no
/ip ipsec policy
add dst-address=0.0.0.0/0 src-address=0.0.0.0/0 template=yes
/ip ipsec user
add name="VPN user"
/ip route
add distance=1 gateway=192.168.106.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=ww service=pptp
/system clock
set time-zone-name=Europe/Amsterdam
[admin@MikroTik] >

See two ip addresses starting with 193, located in Ukraine… any advice?

After netinstall, you can apply the same configuration. With regular dns-server (from dhcp-client). Also limit access to your winbox service via firewall or via ip servers.

You might want to look into firewalling your device - there is a fine firewall in default configuration.

/system default-configuration print

Just create the appropriate interface lists LAN (bridges) and WAN (ether3).
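The review suggested in the replies above can be partly automated. The following is an added example, not code from any poster or from MikroTik: it parses a RouterOS export and flags the exposure points raised in this thread (static DNS servers, an unscoped Winbox accept rule, no input drop rule, PPTP enabled). The finding wording and the rule that "unscoped" means no `src-address*` or `in-interface*` matcher are assumptions of this sketch.

```python
import shlex

SAMPLE = r'''
/interface pptp-server server
set enabled=yes
/ip dhcp-client
add default-route-distance=0 disabled=no interface=\
    "ether3 - WAN"
/ip dns
set allow-remote-requests=yes servers=193.106.31.98,193.106.30.122
/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
'''  # shortened excerpt of the export posted above, line continuation restored

def parse_export(text):
    """Yield (section, {key: value}) for each add/set line of a RouterOS export."""
    section, pending = None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):  # long lines are wrapped with a trailing backslash
            pending = line[:-1]
            continue
        if line.startswith("/"):
            section = line
        elif line.startswith(("add ", "set ")):
            words = shlex.split(line)[1:]  # shlex keeps quoted names in one word
            yield section, dict(w.split("=", 1) for w in words if "=" in w)

def review(text):
    """Return findings for the exposure points raised in this thread."""
    findings, input_drop = [], False
    for section, kv in parse_export(text):
        if section == "/ip dns" and "servers" in kv:
            findings.append("static DNS servers, verify each: " + kv["servers"])
            if kv.get("allow-remote-requests") == "yes":
                findings.append("DNS resolver answers remote requests")
        elif section == "/ip firewall filter" and kv.get("chain") == "input":
            scoped = any(k.startswith(("src-address", "in-interface")) for k in kv)
            if kv.get("action") == "drop":
                input_drop = True
            elif kv.get("action") == "accept" and "dst-port" in kv and not scoped:
                findings.append("input accept from any source: dst-port=" + kv["dst-port"])
        elif section == "/interface pptp-server server" and kv.get("enabled") == "yes":
            findings.append("PPTP server enabled")
    if not input_drop:
        findings.append("no drop rule in the input chain")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

Run it against the full text of `/export hide-sensitive`; each finding is a prompt to check that setting by hand, not proof of compromise.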

You lost me with the last reply… DNS and firewalls are really beyond my expertise. So I thought let’s give it one more try. I followed your advice: Instead of the upgrade path via Quickset (which never worked), I tried to upgrade RouterOS via System > Packages and this worked perfectly. I was then also able to do the firmware update of the Routerboard.

I compared the configuration export with the one I posted earlier and both look identical.

My thought now is to leave it alone until the installer’s visit next month.

The only thing that troubles me is the two Ukrainian IP addresses.
/ip dns
set allow-remote-requests=yes servers=193.106.31.98,193.106.30.122
Is what you mean “With regular DNS-server” to change above ip-addresses?

I suspect you have some dynamic dns servers set by the dhcp-client, if this is the case you can safely remove the Ukrainian addresses.

But you could always put Google’s 8.8.4.4 and 8.8.8.8 in place.

Check IP > DNS in Winbox and change there.


And please, never ever use QuickSet on a custom configured RouterBoard :)