
 
brg3466
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Aug 01, 2015 7:29 am

"Check for update" Error  [SOLVED]

Fri Mar 30, 2018 8:58 am

Hi,
I have a Mikrotik CCR1009. When I want to check for updates, it always gives an error, as follows. I have set up DNS, and the internet works fine.

[brg3466@CCR1009] > /system package update check-for-update
channel: current
current-version: 6.41.3
status: ERROR: could not resolve dns name

[brg3466@CCR1009] > ip dns print
servers: 8.8.8.8,8.8.4.4
dynamic-servers: 75.75.75.75,75.75.76.76
allow-remote-requests: no
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 18KiB

I can ping 8.8.8.8 but cannot ping www.google.com.

[brg3466@CCR1009] > ping www.google.com
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: could not get answer from dns server
[brg3466@CCR1009] > ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 59 17ms
1 8.8.8.8 56 59 8ms
2 8.8.8.8 56 59 9ms
sent=3 received=3 packet-loss=0% min-rtt=8ms avg-rtt=11ms max-rtt=17ms



Is there anything I am missing in the configuration?

Thank you!
 
erlinden
Member Candidate
Posts: 173
Joined: Wed Jun 12, 2013 1:59 pm

Re: "Check for update" Error

Fri Mar 30, 2018 9:39 am

The difference I see with my router is that allow-remote-requests is set to yes while yours is set to no.
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: "Check for update" Error

Fri Mar 30, 2018 11:52 am

allow-remote-requests set to YES: this tells the Mikrotik to respond to DNS requests from other network devices.
When it is set to NO, the Mikrotik will only use the DNS servers set here for DNS requests from itself,
so the DNS setting here should allow you to ping google from the terminal.

Check your firewall, in case it drops DNS requests on the output chain.
MTCNA MTCTCE UEWA
 
brg3466
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Aug 01, 2015 7:29 am

Re: "Check for update" Error

Fri Mar 30, 2018 7:07 pm

Hi, thank you for the suggestions.

I set allow-remote-requests to "yes" but it doesn't work. Any other suggestions?

[brg3466@CCR1009] > ip dns print
servers: 8.8.8.8,8.8.4.4
dynamic-servers: 75.75.75.75,75.75.76.76
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 25KiB

[brg3466@CCR1009] > ping www.google.com
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: could not get answer from dns server
 
brg3466
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Aug 01, 2015 7:29 am

Re: "Check for update" Error

Fri Mar 30, 2018 7:43 pm

Hi,
I checked the firewall filter rules, and it seems I found where the issue is. The filter rule below blocks the DNS.

5 ;;; drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

If I disable it, check-for-update works normally. Any suggestions for modifying this rule?
 
anav
Forum Guru
Posts: 3113
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: "Check for update" Error

Fri Mar 30, 2018 7:58 pm

I also have that rule and have no problem checking for updates via winbox???
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mkx
Forum Guru
Posts: 3183
Joined: Thu Mar 03, 2016 10:23 pm

Re: "Check for update" Error

Fri Mar 30, 2018 9:36 pm

Your rule to drop anything on chain=input is fine ... but before that you need some other rules that accept the connections you want to allow. For example, connections with connection state established or related. You need to allow those to maintain connections initiated from the router itself.
If you're extra paranoid, you can enable them only when you know it's fine for the router to access the internet, e.g. when you want to check for updates, and disable them after you're done.
BR,
Metod
 
brg3466
Frequent Visitor
Topic Author
Posts: 55
Joined: Sat Aug 01, 2015 7:29 am

Re: "Check for update" Error

Sat Mar 31, 2018 2:30 am

Thank you, mkx!

Before dropping everything in the input chain, I inserted a filter rule to accept established connections in the input chain. It works now!

And thank you all for your valuable input, have a nice weekend!
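
The fix described by mkx and confirmed by the topic author, written out as RouterOS commands. This is an added example, not something posted in the thread: rule number 5 and the LAN interface list come from the posts above, and the comment string on the new rule is made up for illustration.

```routeros
# Added example, not from the thread.

# Before: the input rule quoted in the thread. A DNS reply from 8.8.8.8
# arrives on the WAN side and is addressed to the router itself, so it
# traverses chain=input, where this rule drops it.
#   5 ;;; drop all not coming from LAN
#     chain=input action=drop in-interface-list=!LAN

# After: accept return traffic for connections the router itself opened,
# placed ahead of the drop rule. Run "print" first so that item number 5
# refers to the drop rule in the current terminal session.
/ip firewall filter print where chain=input
/ip firewall filter add chain=input action=accept \
    connection-state=established,related \
    comment="accept established,related (illustrative comment)" \
    place-before=5

# Verify: the accept rule must be listed above the drop rule, and its
# packet counter should increase after a lookup from the router.
/ip firewall filter print stats where chain=input
/ping www.google.com count=3
/system package update check-for-update
```

Unsolicited packets from outside the LAN still have connection state new, so they do not match the accept rule and continue to reach the drop rule.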
