Cloud send not primary IP to ddns

nleo · July 19, 2018, 8:36am

I have lte connection and ipsec vpn tunnel. And restrict all non vpn traffic through lte, but I want to access router by ssh by lte1 public ip in case of problems with vpn.

I disable traffic through lte by this firewall rules

add action=accept chain=output dst-address=81.198.87.240 dst-port=15252 out-interface=lte1 protocol=udp
add action=accept chain=output dst-port=15252 out-interface=lte1 protocol=udp src-address=192.168.88.1
add action=accept chain=forward dst-address=104.238.184.144 port=500 protocol=udp
add action=accept chain=forward dst-address=104.238.184.144 port=4500 protocol=udp
add action=accept chain=output dst-address=104.238.184.144 out-interface=lte1
add action=drop chain=output out-interface=lte1

First two rules is about cloud.mikrotik.com:15252

But then I do /ip cloud force-update I got error:

[admin@MikroTik] /ip cloud>> print 
    ddns-enabled: yes
     update-time: yes
  public-address: 104.238.184.144
        dns-name: xx.sn.mynetname.net
          status: Error: request timed out
         warning: DDNS server received request from IP 104.238.184.144 but your local IP was 192.168.42.10; DDNS service 
                  might not work.

kevinds · July 20, 2018, 12:09am

Your LTE IP isn’t a public IP.. It is NAT’d. It is sending the correct IP to the DDNS server.

I will broadly say, and I believe this is the case world-wide, unless you are paying extra for a public IP, using LTE you will not get a public IP.

The way your LTE service works, you will not be able to connect to it using SSH. Outgoing connections only.

Lastly from my testing, there are more Mikrotik cloud IP addresses than just that one.

mkx · July 20, 2018, 7:20am

The remark about LTE addresses by @kevinds, according to my knowledge (I work as radio engineer for incumbent MNO), is not true in our region (SE part of EU).

Most of LTE devices will get own public IP. However, neither connections originating from internet at large nor connections between LTE devices from same LTE network are allowed and that’s to protect our customers.
Other LTE devices will get private IP address, but will “enjoy” NAT to a public IP address and that address will not change as long as LTE device keeps same private IP address. A few LTE devices will share single public IP address in this case. Also in this case connections from other devices and/or internet are not possible (partly due to how NAT operates but mostly due to same reasons as if LTE device gets public address).