
Check for Updates failed - could not resolve dns name

Posted: Wed Jan 26, 2022 11:13 pm
by raki
Hello,
I would like to ask you for help with a home network issue.

My network is described in the attached picture. Router A is providing connection to the Internet.
network_topology.png
Problem is that I can't update the RouterOS on the Router B. Error message is "could not resolve dns names". Updates on Router A and C are working fine. I see different DNS setup on Router B versus C but I don't know how to force same DNS configuration with dynamic servers to Router B. I don't even know if this is the solution.

It's the only problem. The other devices behind the Router B are web sites correctly (there is no problem with DNS).

Router B DNS configuration:
RouterB_DNS.png
Router C DNS configuration:
RouterC_DNS.png
Thanks in advance,
Peter

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 2:18 am
by Sob
As a quick test, add 8.8.8.8 as static dns server on router B.

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 9:47 am
by raki
> As a quick test, add 8.8.8.8 as static dns server on router B.

Thanks for the recommendation. I tried it but it's still not working.

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 10:00 am
by erlinden
Would love to see configurations of all devices (/export hide-sensitive file=anynameyoulike)
You can upgrade by placing the correct package on the device. That won't solve your DNS problem, but will upgrade the device.

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 2:04 pm
by anav
Hi erlinden, not 100% positive but I think in vers 7, the hide-sensitive doesn't do anything (or more accurately is not required) ... read that somewhere...

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 2:18 pm
by holvoetn
> Hi erlinden, not 100% positive but I think in vers 7, the hide-sensitive doesn't do anything (or more accurately is not required) ... read that somewhere...

hide-sensitive is default now and it makes sense to have it like that.
If you want to see all, you need to use show-sensitive or even verbose (have to test if that last one is not redundant).

But it doesn't hurt to specify it since it's not always obvious which version a user has (ROS6 or 7).

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 7:43 pm
by raki
> Would love to see configurations of all devices (/export hide-sensitive file=anynameyoulike)
> You can upgrade by placing the correct package on the device. That won't solve your DNS problem, but will upgrade the device.

Router A
# jan/27/2022 18:36:21 by RouterOS 6.49.2
# software id = 42LP-PZFZ
#
# model = 960PGS
# serial number = AD8A0AD5C431
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.11.100-192.168.11.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=2h name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
/interface bridge port-extender
# no hw support
set control-ports=ether4 switch=switch1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.11.1/24 interface=ether2 network=192.168.11.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=195.39.77.66,8.8.8.8 gateway=\
    192.168.11.1
/ip firewall nat
add action=masquerade chain=srcnat
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.11.253
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="MikroTik master"
/tool graphing resource
add
/tool sniffer
set filter-interface=ether4 only-headers=yes

Router B
# jan/27/2022 18:38:46 by RouterOS 6.48.1
# software id = V2ZC-74WQ
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A770946EBA1
/interface bridge
add admin-mac=B8:69:F4:36:15:D5 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="czech republic" distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=Raki-Trebo-2 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="czech republic" disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=Raki-Trebo-2 \
    wireless-protocol=802.11
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=security
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=ether2 name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
set bridge=bridge interfaces=wlan2,wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add interface=bridge
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=185.140.244.62,8.8.8.8
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.11.1
/system identity
set name="MikroTik Wifi Obyvak"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Router C
# jan/27/2022 18:39:42 by RouterOS 6.49.2
# software id = W3SA-PWMP
#
# model = RB951G-2HnD
# serial number = DE350DE38DD8
/interface bridge
add admin-mac=08:55:31:EF:3A:DE auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="czech republic" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=Raki-Trebo-Wrk-2 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan1 list=LAN
/interface wireless cap
set bridge=bridge interfaces=wlan1
/ip address
add address=192.168.99.1/24 comment=defconf interface=ether2 network=\
    192.168.99.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.99.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=185.140.244.62
/ip dns static
add address=192.168.99.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.11.1
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="MikroTik Wifi Pracovna"

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 8:20 pm
by Sob
That's weird config. On B and C you have *all* ports bridged, and on bridge you have at the same time both dhcp client and dhcp server with different subnets. So you have one big network segment with three dhcp servers competing against each other. If you want separate subnets, ether1 should be separate (not member of bridge) and dhcp client should be on ether1.

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 9:39 pm
by raki
It's my home network so I rather want one big network where each segment can access others (PC to NAS). What to do in this case, please?

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 11:31 pm
by Sob
You need to decide how exactly it should work. You can have one big common subnet for everything, and then all ports bridged on B and C would be ok (they would be completely transparent, same way as switch). Or you can have different subnets with no access restrictions, but there will always be some, because those will be different L2 segments, so e.g. some protocols for automatic discovery of devices won't work. What you have now is some weird hybrid with not clearly defined behaviour.

Re: Check for Updates failed - could not resolve dns name

Posted: Thu Jan 27, 2022 11:58 pm
by raki
I would be happy with one big subnet where all devices transparently see each other.

Re: Check for Updates failed - could not resolve dns name  [SOLVED]

Posted: Fri Jan 28, 2022 3:00 am
by Sob
You're almost there. Basically just disable dhcp servers on B and C, and you'll have one big network with 192.168.11.0/24.

Other details:

- on both B and C, dhcp client should be on bridge (and you need to enable the one on B, that's why it doesn't work now!)
- bridge should be added to LAN interface list
- addresses 192.168.88.1/24 and 192.168.99.1/24 won't be needed anymore, there will be 192.168.11.x from dhcp (you can add static reservations on A)
- it's not clear to me, how you're currently connecting to B, when both firewall and mac winbox allow access only from interfaces in LAN list, but since you have all interfaces in bridge and bridge itself is not listed, it shouldn't work
- it's good idea to add some firewall on A, because as it is now, it's wide open to whole world (that's if you have public address, otherwise it's slightly less bad); you can find some inspiration in this thread

Re: Check for Updates failed - could not resolve dns name

Posted: Fri Jan 28, 2022 4:27 pm
by raki
> You're almost there. Basically just disable dhcp servers on B and C, and you'll have one big network with 192.168.11.0/24.
>
> Other details:
>
> - on both B and C, dhcp client should be on bridge (and you need to enable the one on B, that's why it doesn't work now!)
> - bridge should be added to LAN interface list
> - addresses 192.168.88.1/24 and 192.168.99.1/24 won't be needed anymore, there will be 192.168.11.x from dhcp (you can add static reservations on A)
> - it's not clear to me, how you're currently connecting to B, when both firewall and mac winbox allow access only from interfaces in LAN list, but since you have all interfaces in bridge and bridge itself is not listed, it shouldn't work
> - it's good idea to add some firewall on A, because as it is now, it's wide open to whole world (that's if you have public address, otherwise it's slightly less bad); you can find some inspiration in this thread

Thank you for this. I'm a bit smarter again, although I'm not sure how to configure the firewall good enough for my network. I applied some rules (on Router A) described in the post you mentioned and below is the current configuration of A. I would be very grateful for any further recommendations but thank you also for the ones so far. Besides, the original problem with DNS and the RouterOS upgrade is solved.
# jan/28/2022 15:20:48 by RouterOS 6.49.2
# software id = 42LP-PZFZ
#
# model = 960PGS
# serial number = AD8A0AD5C431
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.11.100-192.168.11.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=2h name=dhcp1
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
/interface bridge port-extender
# no hw support
set control-ports=ether4 switch=switch1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.11.1/24 interface=ether2 network=192.168.11.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.11.228 client-id=1:0:11:32:70:a1:cb mac-address=\
    00:11:32:70:A1:CB server=dhcp1
add address=192.168.11.151 client-id=1:4c:cc:6a:5:ac:c7 mac-address=\
    4C:CC:6A:05:AC:C7 server=dhcp1
add address=192.168.11.2 client-id=1:b8:69:f4:36:15:d5 mac-address=\
    B8:69:F4:36:15:D5 server=dhcp1
add address=192.168.11.3 client-id=1:8:55:31:ef:3a:de mac-address=\
    08:55:31:EF:3A:DE server=dhcp1
add address=192.168.11.135 client-id=1:b2:fd:6:30:c5:4d mac-address=\
    B2:FD:06:30:C5:4D server=dhcp1
add address=192.168.11.140 client-id=1:38:f3:ab:6a:10:12 mac-address=\
    38:F3:AB:6A:10:12 server=dhcp1
/ip dhcp-server network
add address=192.168.11.0/24 dns-server=195.39.77.66,8.8.8.8 gateway=\
    192.168.11.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.11.253
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="MikroTik master"
/tool graphing resource
add
/tool sniffer
set filter-interface=ether4 only-headers=yes

Re: Check for Updates failed - could not resolve dns name

Posted: Fri Jan 28, 2022 5:04 pm
by Sob
Firewall is already nice and safe, all incoming connections from internet are blocked and access is allowed only from LAN. If you'd want to have e.g. VPN server to get into LAN from remote networks, you'd add rule(s) to allow it in chain=input before the last drop rule (plus config for VPN server of course). If you don't need anything like that, then it's fine as it is.

And you don't need these:
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=192.168.11.253
The new masquerade rule you added is better. And the route is not needed anymore, if you have only single subnet.
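
Added example, not part of the thread and not MikroTik tooling: a Python sketch that parses a RouterOS `/export` and flags the issues Sob points out in this thread (DHCP client disabled or placed on a bridge port, bridge missing from the LAN interface list, masquerade without an out-interface match, no drop rule in the input chain). The function names and the `ROUTER_B` excerpt are constructed for illustration; treating a DHCP client without `disabled=no` as disabled is an assumption drawn from the exports posted here.

```python
import re
import shlex
# Constructed excerpt of the Router B export posted in this thread.
ROUTER_B = r"""
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip dhcp-client
add interface=bridge
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
"""

def parse_export(text):
    """Parse RouterOS /export text into {menu path: [param dict, ...]}."""
    text = re.sub(r"\\\n[ \t]*", "", text)  # join backslash-continued lines
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif path is not None:
            tokens = shlex.split(line)
            params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            params["_verb"] = tokens[0]
            menus[path].append(params)
    return menus

def audit(text):
    """Return findings for the misconfigurations discussed in the thread."""
    menus = parse_export(text)
    def added(path):
        return [r for r in menus.get(path, []) if r["_verb"] == "add"]
    findings = []
    ports = {r["interface"]: r["bridge"] for r in added("/interface bridge port")}
    lan = {r["interface"] for r in added("/interface list member")
           if r.get("list") == "LAN"}
    for c in added("/ip dhcp-client"):
        if c["interface"] in ports:
            findings.append("dhcp-client on bridge port " + c["interface"])
        # Assumption from the thread's exports: enabled clients show disabled=no.
        if c.get("disabled") != "no":
            findings.append("dhcp-client on %s is not enabled" % c["interface"])
    for bridge in sorted(set(ports.values()) - lan):
        findings.append("bridge '%s' is not in the LAN interface list" % bridge)
    for r in added("/ip firewall nat"):
        if (r.get("action") == "masquerade" and r.get("disabled") != "yes"
                and not r.keys() & {"out-interface", "out-interface-list"}):
            findings.append("masquerade rule without an out-interface match")
    if not any(r.get("chain") == "input" and r.get("action") == "drop"
               and r.get("disabled") != "yes" for r in added("/ip firewall filter")):
        findings.append("no drop rule in the input chain")
    return findings
```

Calling `audit(ROUTER_B)` reports the disabled DHCP client and the bridge missing from the LAN list; run against Router A's first export it reports the unrestricted masquerade rule and the missing input drop rule.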

Re: Check for Updates failed - could not resolve dns name

Posted: Fri Jan 28, 2022 5:20 pm
by raki
Sob, thanks!