 
mariuszelectro
just joined
Topic Author
Posts: 21
Joined: Sun Mar 22, 2020 4:49 pm

My router doesn’t auto upgrade

Mon May 29, 2023 12:31 am

Hello. What is wrong in my router configuration?
I can’t upgrade to new software; I get the message:
ERROR: could not connect - Host is unreachable

Please take a look in my configuration.
The configuration consists of a WireGuard VPN for some ports and VLANs.

I am really new. Please help me.


[admin@MT HexS] > export
# may/28/2023 21:48:55 by RouterOS 7.5
# software id = H9MH-TV79
#
# model = RB760iGS
# serial number = xxxxxxx
#
# First part of the export: interfaces, VLANs, VPN clients, interface lists,
# address pools, DHCP servers, bridge ports and the WireGuard peer.
# NOTE(review): the poster masked the serial number and the VPN endpoints;
# the software id, MAC addresses and the WireGuard public key are shown as-is.
# No private-key appears on the wireguard interface line - presumably because
# this export was taken without sensitive values; confirm before sharing any
# export that was made with them included.
/interface bridge
add admin-mac=18:FD:74:13:69:EB auto-mac=no comment=defconf name=bridge
add disabled=yes name=openVpn
/interface wireguard
add listen-port=13231 mtu=1420 name=wg1
/interface vlan
# All four VLANs use ether5 as parent, and ether5 is also a member port of
# "bridge" (see /interface bridge port below).
# NOTE(review): a VLAN interface on a port that is itself a bridge member is a
# commonly reported RouterOS layer-2 misconfiguration - confirm the intended
# parent is not the bridge.
add interface=ether5 name=vlan11 vlan-id=11
add interface=ether5 name=vlan12 vlan-id=12
add interface=ether5 name=vlan13OpenVPN vlan-id=13
add interface=ether5 name=vlan55 vlan-id=55
/interface ovpn-client
# Disabled OpenVPN client; it would install its own default route if enabled
# (add-default-route=yes).
add add-default-route=yes certificate=AZ24-client.crt_0 cipher=aes128 \
connect-to=xxx.xxx.xxx disabled=yes mac-address=02:BB:FF:8D:1B:69 mode=\
ethernet name=AZserwer user=AZ24-client
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.7.10-192.168.7.254
add name=poolVlan55 ranges=192.168.55.10-192.168.55.60
add name=poolVlan11 ranges=192.168.11.10-192.168.11.60
add name=poolVlan12 ranges=192.168.12.10-192.168.12.60
add name=dhcpOpenVPNvlan13 ranges=192.168.1.6-192.168.1.10
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=poolVlan55 disabled=yes interface=vlan55 name=VPN-to-PL
add address-pool=poolVlan12 interface=vlan12 name="MyWALAN K1"
add address-pool=poolVlan11 interface=vlan11 name="Local WiFi"
add address-pool=dhcpOpenVPNvlan13 interface=vlan13OpenVPN name=Guest
/port
set 0 name=serial0
/routing table
# Separate routing table used for the WireGuard default route.
add disabled=no fib name=tablWG
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
# vlan55 is bridged into the main LAN bridge; its own DHCP server and IP
# address are both disabled elsewhere in this export.
add bridge=bridge interface=vlan55
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# Only "bridge" is in LAN and only ether1 is in WAN. vlan11, vlan12,
# vlan13OpenVPN and wg1 are in neither list, so firewall rules written
# against the LAN/WAN lists do not match traffic on those interfaces.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireguard peers
# allowed-address=0.0.0.0/0: any source address is accepted from this peer and
# any destination may be sent to it; what actually enters the tunnel is then
# decided by the routing tables and rules, and what the peer may reach is
# decided only by the firewall.
add allowed-address=0.0.0.0/0 endpoint-address=xxx.xxx.xxx.xxx endpoint-port=\
13231 interface=wg1 persistent-keepalive=5s public-key=\
"IeQ0yrzJpnlyBRvJC8SGkWgTIze9YcmDs6NAB2QtFQk="
# Addressing, DHCP and DNS part of the export.
/ip address
# 192.168.7.1 is the router's own address on the LAN bridge; the /ip dns
# section below names this same address as the upstream resolver.
add address=192.168.7.1/24 comment=defconf interface=bridge network=192.168.7.0
add address=172.16.10.3/24 interface=wg1 network=172.16.10.0
add address=192.168.55.1/24 comment=VPN-toPL disabled=yes interface=vlan55 \
network=192.168.55.0
add address=192.168.12.1/24 comment="MyWlLAN K1 do PT" interface=vlan12 \
network=192.168.12.0
add address=192.168.11.1/24 comment="Local WiFI do PT" interface=vlan11 \
network=192.168.11.0
add address=192.168.1.5/24 interface=vlan13OpenVPN network=192.168.1.0
/ip dhcp-client
# WAN address is obtained by DHCP on ether1. No further options are exported.
# NOTE(review): a compact export omits default-valued settings, so whether the
# client accepts the ISP's DNS servers and default route cannot be read from
# here - check dynamic-servers in "/ip dns print" and "/ip route print".
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.12.50 comment=Podlewaczka mac-address=FC:67:1F:C1:ED:4B \
server="MyWALAN K1"
/ip dhcp-server network
# Guest network: clients are handed 192.168.1.254 as gateway, which is not
# this router's address on that subnet (192.168.1.5).
add address=192.168.1.0/24 comment="addres fo open VPN" gateway=192.168.1.254
# LAN clients are handed 8.8.8.8 directly, so name resolution on LAN hosts does
# not go through the router's resolver and can work while the router's own
# lookups fail.
add address=192.168.7.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
192.168.7.1 netmask=24
add address=192.168.11.0/24 gateway=192.168.11.1 netmask=24
add address=192.168.12.0/24 gateway=192.168.12.1 netmask=24
add address=192.168.55.0/24 gateway=192.168.55.1 netmask=24
/ip dns
# servers= is the list of upstream resolvers the router queries for its own
# lookups (for example the update check). Here the only static upstream is
# 192.168.7.1, i.e. the router itself, so this entry can never return an answer.
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts; which hosts can reach it is limited only by the input chain of
# /ip firewall filter.
set allow-remote-requests=yes servers=192.168.7.1
/ip dns static
add address=192.168.7.1 comment=defconf name=router.lan
add address=8.8.8.8 name=Google
add address=192.168.1.254 name=Az
# IPv4 filter and NAT rules. Rules are evaluated top to bottom per chain; a
# packet that matches no rule is accepted.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Accepts everything addressed to the router from the LAN list, which contains
# only "bridge" in this export.
add action=accept chain=input comment="allow LAN access" in-interface-list=LAN
# Accepts every protocol and port addressed to the router from the WireGuard
# tunnel, whose peer is configured with allowed-address=0.0.0.0/0.
# NOTE(review): if the tunnel is only needed for configuration access, consider
# narrowing this rule to the management ports and the expected source addresses.
add action=accept chain=input comment="allow wg acces for config" in-interface=\
wg1
# Unconditional drop: the input chain ends here. Traffic to the router from
# vlan11, vlan12 and vlan13OpenVPN (none of them in the LAN list) ends up here,
# and the later input rule "defconf: drop all not coming from LAN" is never
# reached.
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
# Matches dst-NATed connections; /ip firewall nat below contains only a
# masquerade rule, so nothing is currently port-forwarded.
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=""
add action=accept chain=forward comment="WG for net" dst-address=192.168.7.0/24 \
in-interface=wg1 src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 out-interface=wg1 \
src-address=192.168.7.0/24
# Dead rule: an unconditional input drop precedes it.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
# Last forward rule. It drops only new, non-dstnat connections arriving on the
# WAN list; there is no catch-all drop after it. New connections entering on
# vlan11, vlan12, vlan13OpenVPN or wg1 that match no rule above are therefore
# forwarded, including towards 192.168.7.0/24.
# NOTE(review): if the VLANs (e.g. the "Guest" DHCP network) are meant to be
# isolated from the LAN, that isolation is not expressed by these rules.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT applies only to traffic leaving through the WAN list (ether1);
# traffic leaving through wg1 is not masqueraded by this rule.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
# Static routes. Traffic generated by the router itself (update check, DNS
# lookups) is resolved in the main table unless a routing rule says otherwise.
/ip route
# 192.168.1.0/24 via the tunnel, distance 2. The same prefix is also directly
# connected on vlan13OpenVPN (192.168.1.5/24).
# NOTE(review): presumably the connected route is preferred while that VLAN
# interface is up, which would make this route inactive - confirm on the device.
add disabled=no distance=2 dst-address=192.168.1.0/24 gateway=wg1 pref-src=\
0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
# Default route through the WireGuard tunnel, only in table tablWG.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src="" \
routing-table=tablWG scope=30 suppress-hw-offload=no target-scope=10
# A second default route in the main table, via 192.168.1.254, tied to the
# disabled OpenVPN client interface AZserwer.
# NOTE(review): the export does not show whether this route is active alongside
# a DHCP-learned default from ether1; if it is, the router's own traffic may be
# sent to 192.168.1.254 instead of the ISP gateway. Check "/ip route print".
add comment="dla OpenVPN" disabled=no dst-address=0.0.0.0/0 gateway=\
192.168.1.254 routing-table=main suppress-hw-offload=no vrf-interface=\
AZserwer
# IPv6 firewall. Every rule carries a "defconf:" comment. No /ipv6 address
# section appears in the export.
# NOTE(review): presumably IPv6 is not in active use here - confirm.
/ipv6 firewall address-list
# Source/destination prefixes that the forward chain below drops.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
# IKE, AH and ESP are accepted on input from any interface, WAN included.
# NOTE(review): no IPsec configuration is visible in this export; if IPsec is
# not used these accepts are unnecessary exposure.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Final input rule: drops whatever is left unless it arrived on the LAN list,
# which contains only "bridge"; the VLAN interfaces and wg1 are not in it.
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Unlike the IPv4 forward chain in this export, the IPv6 forward chain ends with
# a drop for everything that did not enter on the LAN list.
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Policy routing, system settings, the scheduled monitoring script and the
# MAC-level management servers.
/routing rule
# Traffic destined to the LAN subnet is looked up in the main table.
add action=lookup disabled=no dst-address=192.168.7.0/24 table=main
# Everything else sourced from the LAN subnet is looked up only in tablWG,
# whose single route is a default via wg1. LAN traffic therefore has no
# fallback to the ISP link when the tunnel is down, and LAN traffic towards the
# other local subnets (192.168.11.0/24, 192.168.12.0/24) is also sent into the
# tunnel.
add action=lookup-only-in-table disabled=no src-address=192.168.7.0/24 table=\
tablWG
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name="MT HexS"
/system scheduler
# Runs the zigbeeCheck script once at startup.
# NOTE(review): the policy list grants far more than the script body uses
# (ftp, password, sniff, sensitive, romon, ...). The script only queries DHCP
# leases, writes log entries and power-cycles the USB port; trim the policy to
# what that needs and confirm on the device which flags are required.
add name=startSkyptu on-event="/system script run zigbeeCheck" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
/system script
# zigbeeCheck: after a 300 s start delay, loops forever. Each pass checks for an
# active DHCP lease with one fixed MAC address; if present it increments x,
# otherwise it logs, increments i, power-resets the USB port for 60 s and waits
# another 300 s. Every pass ends with a 60 s delay.
# NOTE(review): ":set (\$k+1)" and ":set (\$k=0)" name no variable to assign,
# and "else {" lacks the "=" used by "do={" - RouterOS syntax is presumably
# ":set k (\$k+1)" and "else={ ... }". Verify the script parses and that the
# periodic "Zigbee Stat" log branch (k > 600) is ever reached.
# The same over-broad policy list as on the scheduler entry applies here.
add dont-require-permissions=no name=zigbeeCheck owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":gl\
obal i 0;\
\n:global k 1;\
\n:global x 0;\
\n:log info (\"Zigbee monitor start\");\
\n:delay 300s;\
\n:do {\
\n:if ([/ip dhcp-server lease find where active-mac-address=\"D8:1F:12:22:AC\
:42\"] != \"\" ) do={:set x (\$x+1)} else { \
\n:log info (\"rest Zigbee \" . \$i );\
\n:log info (\" time\" . \$x);\
\n:set i (\$i+1);\
\n/system routerboard usb power-reset duration=60s;\
\n:log info (\"USB power up\" );\
\n:delay 300s;\
\n}\
\n:delay 60s;\
\n:set (\$k+1);\
\n:if ( \$k>600 ) do={\
\n:set (\$k=0);\
\n:log info (\"Zigbee Stat \" . \$i);\
\n:log info (\" time \". \$x);\
\n}\
\n} while (1);"
/tool mac-server
# MAC Telnet and MAC WinBox are restricted to the LAN interface list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MT HexS] >
 
holvoetn
Forum Guru
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: My router doesn’t auto upgrade

Mon May 29, 2023 1:06 am

When I see that message on a new device when trying to upgrade, I know I goofed (usually) with DNS settings.
Also, your WireGuard peer settings indicate that all traffic goes through the WireGuard tunnel, which probably means there is an issue there as well.
So I'd look in the DNS area first.

Perhaps disable wireguard peer first and then perform upgrade ?
You can enable it again afterwards.
 
rextended
Forum Guru
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: My router doesn’t auto upgrade

Mon May 29, 2023 3:16 am

# Excerpt of the posted export: the router's bridge address and the DNS
# upstream configured for the router are the same IP.
/ip address
add address=192.168.7.1/24
/ip dns
# servers= lists the upstream resolvers the router itself queries; pointing it
# at the router's own address leaves this entry with no real upstream.
set allow-remote-requests=yes servers=192.168.7.1
Nice, the router asks itself what the IP of update.mikrotik.com is...
And the router asks itself...
 
mariuszelectro
just joined
Topic Author
Posts: 21
Joined: Sun Mar 22, 2020 4:49 pm

Re: My router doesn’t auto upgrade

Tue May 30, 2023 12:56 am

Thanks for the response.
ip address
add address=192.168.7.1/24
Was defined in my configuration,
/ip dns
set allow-remote-requests=yes servers=192.168.7.1
Setting was missing.

But it looks like my router was behaving strangely… no upgrade, and 60% of ping packets lost to the WireGuard peer. After a reset I was able to upgrade without any changes in settings, and there are no more lost ping packets over WireGuard.


Anyway, the missing DNS settings were added.

🙏
