Cloud IPs need to be blocked

Hello,

I am using Mikrotik on vessels behind a satellite modem with very limited data usage, such as 50Mbyte per month. So each MByte costs the customers extra US$s. We just allow e-mail IPs on the firewall. I have seen on the satellite POP that we have a lot of requests from our satellite modem to 81.198.87.240 and 159.148.147.229. I saw that these are Mikrotik Cloud IPs. I have disabled Cloud and DNS service on the unit. But it still sends requests to those IPs. I have added rules to IP firewall rules but it is still happening.
How can I stop these requests or block these Cloud IPs on the Routerboard?

Open the door HAL…
Resistance is futile, join the MT Borg…
Obviously this one has not been cloned yet and is still fighting back..
We are pwned by the Cloud..
Wake up you have simply been dreaming, there is no traffic to the cloud, trust MT!

Suggest sending a supout file to MT support and any other supporting evidence.

To be honest, before annoying support staff, I would prefer to inspect the full config. I have a few devices around, where I specifically focused on any unexpected outgoing packets - and it’s just not happening. There must be some setting causing this.

/export hide-sensitive file=somename

Support staff are not so easily annoyed. In fact they expect and like questions which have a quick and easy answer.
Operator error! :)

/ip firewall address-list
add address=81.198.87.240 list=ipCLOUD
add address=159.148.147.229 list=ipCLOUD
/ip firewall filter
add action=drop chain=output dst-address-list=ipCLOUD place-before=1
add action=drop chain=forward dst-address-list=ipCLOUD place-before=1
/ip dns cache flush

That should block devices inside the network from reaching IPCloud.
It will also force the router to dump connection attempts to IPCloud.

Did you disable “Cloud” AND “Update Time”? AFAIK they run independently - and this “Update Time” talks to the cloud server.

Hi!
Could somebody explain what this is?
How can I disable this traffic?

DDNS disabled.

Router (RB3011) updated.

And I don’t understand where this traffic comes from!

I can drop it with firewall rules… but.
Is it a bug?

Thank you.

It’s documented and known behavior.

https://wiki.mikrotik.com/wiki/Manual:System/Time#Clock_and_Time_zone_configuration

Note: Time-zone-autodetect by default is enabled on new RouterOS installation and after configuration reset. The time zone is detected depending on routers public IP address and our Cloud servers database. Since RouterOS v6.43 your device will use cloud2.mikrotik.com to communicate with the MikroTik’s Cloud server. Older versions will use cloud.mikrotik.com to communicate with the MikroTik’s Cloud server.

And:
https://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Update_time

  • Approximate time (accuracy of several seconds, depends on UDP packet latency)
  • Updates time after a reboot and during every DDNS update (when router’s WAN IP address changes or after the force-update command is used)
  • Sends encrypted packets to cloud.mikrotik.com or cloud2.mikrotik.com using UDP/15252 port
  • Detects time-zone depending on the router’s public IP address and our commercial database

Disable everything cloud and use NTP Client for clock updating instead.

I did it

And this

(Thanks to nescafe2002)

Now I am waiting for results…

After reboot, no connection to cloud2.mikrotik.com for half an hour!
What I did (thanks to everybody for help!):

  1. Disable everything in Cloud.
  2. Disable Time Zone AutoDetect.
  3. Install NTP instead of SNTP.
  4. Reboot.

Seems to me that it works. Will see…

Thanks to everybody!

Select gROOT's answer as solved so people know it's solved.

Hi,

We still have MikroTik devices (6.44.3) trying to connect to 159.148.172.251:15252 UDP.
We disabled everything in IP/Cloud,
disabled clock time zone autodetect and installed the ntp package.

Are we missing some option that needs to be disabled?

Problem solved after another reboot. Only 2 units had this problem; the rest worked fine.

You could also add static DNS entries for cloud.mikrotik.com pointing to 127.0.0.1

/ip dns static add address=127.0.0.1 name=cloud2.mikrotik.com

Ugly but effective…
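The steps from this thread collected into one RouterOS script, as an added example that is not from any of the posters or from MikroTik. It assumes RouterOS v6.4x with the ntp package installed, uses 192.0.2.123 as a placeholder NTP server, and matches the documented UDP/15252 port instead of an address list, because the cloud server addresses reported above differ between posts.

```routeros
# Added example, not from the thread. Assumes RouterOS v6.4x with the ntp
# package installed; 192.0.2.123 is a placeholder NTP server address.

# 1. Turn off the cloud service: DDNS and its independent "update time".
/ip cloud set ddns-enabled=no update-time=no

# 2. Turn off time-zone autodetect, which contacts the cloud servers on its own.
/system clock set time-zone-autodetect=no

# 3. Take the clock from NTP instead (replace the placeholder address).
/system ntp client set enabled=yes primary-ntp=192.0.2.123

# 4. Backstop: drop and log the cloud protocol by port, so a changed server
#    address is still caught. Move these above any accept rule in each chain.
/ip firewall filter
add chain=output protocol=udp dst-port=15252 action=drop log=yes \
    log-prefix="cloud-out" comment="drop router-originated cloud traffic"
add chain=forward protocol=udp dst-port=15252 action=drop log=yes \
    log-prefix="cloud-fwd" comment="drop forwarded cloud traffic"

# 5. After a reboot, confirm the settings held and watch the drop counters.
/ip cloud print
/system clock print
/ip firewall filter print stats where comment~"cloud traffic"
```

If the counters on the output rule keep rising after the reboot, something on the router is still generating cloud traffic; as reported above, a second reboot cleared it on the units that kept trying.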