Community discussions

MikroTik App
 
dbsoundman
just joined
Topic Author
Posts: 6
Joined: Wed Feb 17, 2021 3:56 pm

How does SwOS check for online updates behind a firewall?

Fri Feb 19, 2021 4:16 pm

Hi all, I'm a bit puzzled here. I just set up a CSS326 yesterday, and it has an IP address on my Management VLAN, which has a default deny any any rule in PFSense, meaning Management VLAN devices shouldn't be able to reach the internet. Further, PFSense logs any attempts that Management VLAN devices make to access the internet; I know this because I see hits from my Unifi access points periodically (insert eyeroll).

I understand that SwOS uses some sort of MAC address reply algorithm, so I can access it from other VLANs because it doesn't need a default gateway; that doesn't bother me. What does seem strange is that SwOS is still able to check for updates on the internet, and I don't see anything in my firewall. I'm considering deploying these in a business environment, but I'm not really comfortable in doing so until I know exactly how this works in case I choose to block it for security purposes.
 
User avatar
elevendroids
just joined
Posts: 5
Joined: Mon Dec 07, 2020 3:05 am
Location: Ireland

Re: How does SwOS check for online updates behind a firewall?

Fri Feb 19, 2021 4:28 pm

Judging from the fact that the update check doesn't work on more locked-down browsers (matter of privacy settings I guess) - it fails with the following error in the JavaScript console (Firefox):
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://upgrade.mikrotik.com/swoslite/css610g/LATEST. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

The update detection is implemented in the Web GUI and runs in the browser.

Who is online

Users browsing this forum: kaleruka and 10 guests