My router doesn’t auto upgrade

Hello. What is wrong in my router configuration?
I can't upgrade to new software; I get the message:
ERROR: could not connect - Host is unreachable

Please take a look at my configuration.
The configuration consists of a WireGuard VPN for some ports and VLANs.

I am really new. Please help me.


[admin@MT HexS] > export
# may/28/2023 21:48:55 by RouterOS 7.5
# software id = H9MH-TV79
#
# model = RB760iGS
# serial number = xxxxxxx
/interface bridge
add admin-mac=18:FD:74:13:69:EB auto-mac=no comment=defconf name=bridge
add disabled=yes name=openVpn
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface vlan
add interface=ether5 name=vlan11 vlan-id=11
add interface=ether5 name=vlan12 vlan-id=12
add interface=ether5 name=vlan13OpenVPN vlan-id=13
add interface=ether5 name=vlan55 vlan-id=55
/interface ovpn-client
add add-default-route=yes certificate=AZ24-client.crt_0 cipher=aes128 connect-to=xxx.xxx.xxx disabled=yes mac-address=02:BB:FF:8D:1B:69 mode=ethernet name=AZserwer user=AZ24-client
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.7.10-192.168.7.254
add name=poolVlan55 ranges=192.168.55.10-192.168.55.60
add name=poolVlan11 ranges=192.168.11.10-192.168.11.60
add name=poolVlan12 ranges=192.168.12.10-192.168.12.60
add name=dhcpOpenVPNvlan13 ranges=192.168.1.6-192.168.1.10
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=poolVlan55 disabled=yes interface=vlan55 name=VPN-to-PL
add address-pool=poolVlan12 interface=vlan12 name="MyWALAN K1"
add address-pool=poolVlan11 interface=vlan11 name="Local WiFi"
add address-pool=dhcpOpenVPNvlan13 interface=vlan13OpenVPN name=Guest
/port
set 0 name=serial0
/routing table
add disabled=no fib name=tablWG
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=vlan55
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=13231 interface=wg1 persistent-keepalive=5s public-key="IeQ0yrzJpnlyBRvJC8SGkWgTIze9YcmDs6NAB2QtFQk="
/ip address
add address=192.168.7.1/24 comment=defconf interface=bridge network=192.168.7.0
add address=172.16.10.3/24 interface=wg1 network=172.16.10.0
add address=192.168.55.1/24 comment=VPN-toPL disabled=yes interface=vlan55 network=192.168.55.0
add address=192.168.12.1/24 comment="MyWlLAN K1 do PT" interface=vlan12 network=192.168.12.0
add address=192.168.11.1/24 comment="Local WiFI do PT" interface=vlan11 network=192.168.11.0
add address=192.168.1.5/24 interface=vlan13OpenVPN network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.12.50 comment=Podlewaczka mac-address=FC:67:1F:C1:ED:4B server="MyWALAN K1"
/ip dhcp-server network
add address=192.168.1.0/24 comment="addres fo open VPN" gateway=192.168.1.254
add address=192.168.7.0/24 comment=defconf dns-server=8.8.8.8 gateway=192.168.7.1 netmask=24
add address=192.168.11.0/24 gateway=192.168.11.1 netmask=24
add address=192.168.12.0/24 gateway=192.168.12.1 netmask=24
add address=192.168.55.0/24 gateway=192.168.55.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.7.1
/ip dns static
add address=192.168.7.1 comment=defconf name=router.lan
add address=8.8.8.8 name=Google
add address=192.168.1.254 name=Az
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow LAN access" in-interface-list=LAN
add action=accept chain=input comment="allow wg acces for config" in-interface=wg1
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=""
add action=accept chain=forward comment="WG for net" dst-address=192.168.7.0/24 in-interface=wg1 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 out-interface=wg1 src-address=192.168.7.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=2 dst-address=192.168.1.0/24 gateway=wg1 pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src="" routing-table=tablWG scope=30 suppress-hw-offload=no target-scope=10
add comment="dla OpenVPN" disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.254 routing-table=main suppress-hw-offload=no vrf-interface=AZserwer
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/routing rule
add action=lookup disabled=no dst-address=192.168.7.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.7.0/24 table=tablWG
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name="MT HexS"
/system scheduler
add name=startSkyptu on-event="/system script run zigbeeCheck" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
/system script
add dont-require-permissions=no name=zigbeeCheck owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":global i 0;
\n:global k 1;
\n:global x 0;
\n:log info ("Zigbee monitor start");
\n:delay 300s;
\n:do {
\n:if ([/ip dhcp-server lease find where active-mac-address="D8:1F:12:22:AC:42"] != "" ) do={:set x ($x+1)} else {
\n:log info ("rest Zigbee " . $i );
\n:log info (" time" . $x);
\n:set i ($i+1);
\n/system routerboard usb power-reset duration=60s;
\n:log info ("USB power up" );
\n:delay 300s;
\n}
\n:delay 60s;
\n:set k ($k+1);
\n:if ( $k>600 ) do={
\n:set k 0;
\n:log info ("Zigbee Stat " . $i);
\n:log info (" time ". $x);
\n}
\n} while (1);"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MT HexS] >

When I see that message on a new device when trying to upgrade, I know I goofed (usually) with DNS settings.
Also, your WireGuard peer settings indicate all traffic goes through the WireGuard tunnel, which means there is probably an issue there as well.
So I'd look in the DNS area first.

Perhaps disable the WireGuard peer first and then perform the upgrade?
You can enable it again afterwards.

/ip address
add address=192.168.7.1/24
/ip dns
set allow-remote-requests=yes servers=192.168.7.1

Nice, the router asks itself what the IP of update.mikrotik.com is.
And the router asks itself…
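
The loop pointed out in the reply above, checked mechanically. This is an added example and not code from the thread: a small Python script that parses a RouterOS export in the form posted (rejoining lines that `export` wrapped with a trailing backslash, tracking the `/section` context and splitting `key=value` tokens), flags any `/ip dns servers=` entry that is one of the router's own `/ip address` addresses, and separately lists WireGuard peers whose `allowed-address` is 0.0.0.0/0, since the first reply suspected the full-tunnel peer as well. The embedded export is a constructed, trimmed copy of the relevant sections of the posted config with a documentation-range placeholder for the peer endpoint; `fixed_dns_command` only renders the corrected `/ip dns set` line for whatever upstream resolvers you choose, and the 1.1.1.1/8.8.8.8 pair in the usage is an assumption, not something from the thread.

```python
# Detect a DNS resolver loop in a RouterOS export. Added example, not code
# from the forum thread: it flags '/ip dns servers=' entries that point at
# one of the router's own addresses, which leaves the router unable to
# resolve names such as update.mikrotik.com for its own use.
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: a trimmed copy of the relevant sections of the posted
# export, with a documentation-range placeholder for the peer endpoint.
SAMPLE_EXPORT = """\
# may/28/2023 21:48:55 by RouterOS 7.5
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=198.51.100.10 endpoint-port=\\
    13231 interface=wg1 persistent-keepalive=5s public-key=\\
    "IeQ0yrzJpnlyBRvJC8SGkWgTIze9YcmDs6NAB2QtFQk="
/ip address
add address=192.168.7.1/24 comment=defconf interface=bridge \\
    network=192.168.7.0
add address=172.16.10.3/24 interface=wg1 network=172.16.10.0
/ip dns
set allow-remote-requests=yes servers=192.168.7.1
/ip dns static
add address=192.168.7.1 comment="defconf entry" name=router.lan
"""

# key=value where the value is a double-quoted string or a bare token
TOKEN_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')
Entry = Tuple[str, str, Dict[str, str]]  # (section, verb, arguments)


def join_continuations(text: str) -> List[str]:
    """Rejoin lines that 'export' wrapped with a trailing backslash."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw  # continuation lines are indented
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_args(arg_text: str) -> Dict[str, str]:
    """Split 'key=value key2="quoted value"' into a dict, unquoting values."""
    args: Dict[str, str] = {}
    for key, value in TOKEN_RE.findall(arg_text):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        args[key] = value
    return args


def parse_export(text: str) -> List[Entry]:
    """Turn an export into (section, verb, args) triples."""
    entries: List[Entry] = []
    section = ""
    for line in join_continuations(text):
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line.strip()  # a bare '/path' line switches context
            continue
        verb, _, rest = line.partition(" ")
        entries.append((section, verb, parse_args(rest)))
    return entries


def local_addresses(entries: List[Entry]) -> Set[str]:
    """Every address the router owns, without the prefix length."""
    return {a["address"].split("/")[0] for s, _, a in entries
            if s == "/ip address" and "address" in a}


def dns_servers(entries: List[Entry]) -> List[str]:
    """Upstream resolvers configured under /ip dns."""
    servers: List[str] = []
    for s, verb, a in entries:
        if s == "/ip dns" and verb == "set" and a.get("servers"):
            servers.extend(a["servers"].split(","))
    return servers


def find_dns_loop(text: str) -> List[str]:
    """Resolvers that are the router itself: the loop from the thread."""
    entries = parse_export(text)
    local = local_addresses(entries)
    return [srv for srv in dns_servers(entries) if srv in local]


def full_tunnel_peers(text: str) -> List[str]:
    """WireGuard peers that accept 0.0.0.0/0, i.e. can carry all traffic."""
    return [a.get("interface", "?") for s, _, a in parse_export(text)
            if s == "/interface wireguard peers"
            and "0.0.0.0/0" in a.get("allowed-address", "").split(",")]


def fixed_dns_command(upstream: List[str]) -> str:
    """Render the corrected /ip dns line for the chosen upstream resolvers."""
    return "/ip dns set allow-remote-requests=yes servers=" + ",".join(upstream)


if __name__ == "__main__":
    for srv in find_dns_loop(SAMPLE_EXPORT):
        print(f"DNS loop: servers={srv} is the router's own address")
    for peer in full_tunnel_peers(SAMPLE_EXPORT):
        print(f"note: peer on {peer} has allowed-address=0.0.0.0/0")
    # 1.1.1.1 / 8.8.8.8 are an assumed choice of upstream resolvers
    print("fix:", fixed_dns_command(["1.1.1.1", "8.8.8.8"]))
```

On the sample this reports 192.168.7.1 as a self-referential resolver and wg1 as a full-tunnel peer. On the router itself the same comparison is `/ip dns print` against `/ip address print`, and once `servers=` points at an upstream resolver, `:put [:resolve update.mikrotik.com]` is a quick confirmation that the router can resolve the update host for its own use again.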

Thanks for the response.

/ip address
add address=192.168.7.1/24

was defined in my configuration,

/ip dns
set allow-remote-requests=yes servers=192.168.7.1

the setting was missing.

But it looks like my router had strange behaviour… no upgrade and 60% lost ping packets to the WireGuard peer. So after a reset I was able to take the upgrade without any changes in the settings, and no lost ping packets in WireGuard.

Anyway, the missing DNS setting was added.