IP Cloud Service inactive but calling home?

I have a RB751U-2HnD running RouterOS 6.33.3.

IP Cloud is inactive

    /ip cloud print
      ddns-enabled: no
      update-time: no

but I see connections to 81.198.87.240:15252 - why this?!?

There are several places in RouterOS that rely on ‘/ip cloud’ infrastructure.

‘/system clock’ - time-zone-autodetect

That’s funny. Are you guessing the time zone by ip address?

You expected a hidden GPS receiver to do the autodetect?

No. Not at all. I expect a silent router without backdoors, not generating any traffic on its own without my explicit settings.

That kind of expectation usually means that you will have to do extra research and work.
Today, most clients expect a router (or other device) to “work out of the box” and that group is what MikroTik have to engineer for.

Sure, I know that. Therefore I am always removing the configuration right out of the box and making my own. And dropping / logging at the end of the output chain too, to see what unexpected traffic is going out. Even though I am not convinced enough that my routers are safe.

Here is some description of geolocation using an IP address:
https://www.iplocation.net/

Also, you can read here about what services IP Cloud provides:
http://wiki.mikrotik.com/wiki/Manual:IP/Cloud#Operation_details

If we create a drop rule with dst address 81.198.87.240/24, will that prevent routers from accessing cloud services?

There should be a way to reliably switch off each communication service in ROS. But there is not.

For these purposes I use a firewall with a general drop at the end of the output chain and named accept exclusions before it.

And one thing above that. There should not be any outbound communication initiated from the router at all by default until the user explicitly allows such service.

I agree with you that we should be able to turn off all communication to cloud services.

Can the MikroTik kernel override firewall rules? That’s a question :) (I think it can)

I am afraid of the same. But I am far away from saying that because I haven’t tested it yet.

I tested with “Update time” enabled and the Force Update button.

Here are the firewall → filter rules used:

    /ip firewall filter
    add action=log chain=forward comment="test :)" dst-address=81.198.86.0/23
    add action=drop chain=forward content=cloud.mikrotik.com
    add action=drop chain=forward dst-address=81.198.86.0/23
    add action=drop chain=forward src-address=81.198.86.0/23
    add action=drop chain=forward dst-address=91.188.51.136/29
    add action=drop chain=forward src-address=91.188.51.136/29

When I hit the “force update” button, the firewall rule counters stay at 0 and the status is updated. So MT CAN contact the cloud server even if you create drop rules in the firewall. The solution is to add a static DNS entry for ‘cloud.mikrotik.com’ and point it to something that will never be an MT cloud server; I used ‘255.255.255.255’, and after the “force update” button the error was “Error: no internet connection”.

Keep in mind that I found out that if MT doesn’t have a DNS server specified, it will contact the cloud server by IP address. The firewall rules will not protect the router that has them, but will protect all others that access the internet through that router.

I hope that this will be useful :) and maybe one day improved…
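
Added example, not part of any post in this thread: in RouterOS, packets the router itself originates traverse the output chain rather than forward, so the log-and-drop approach described earlier in the thread would be written against chain=output. The address ranges are the ones quoted above; the list name, log prefixes and the resolver address 192.0.2.53 are placeholders.

```routeros
# Added example, not from the thread. Placeholders: list name "mt-cloud",
# the log prefixes, and the DNS resolver 192.0.2.53 (documentation address).

# Address ranges quoted in the thread, collected in one list.
/ip firewall address-list
add list=mt-cloud address=81.198.86.0/23
add list=mt-cloud address=91.188.51.136/29

/ip firewall filter
# chain=forward only sees traffic passing THROUGH the router.
# Traffic generated by the router itself is matched in chain=output.

# 1. Keep replies of already accepted sessions working (management
#    logins to the router, answers to pings, and so on).
add chain=output connection-state=established,related action=accept \
    comment="replies for existing connections"

# 2. Log, then drop, anything the router sends to the listed ranges.
add chain=output dst-address-list=mt-cloud action=log log-prefix="cloud-out"
add chain=output dst-address-list=mt-cloud action=drop \
    comment="router-originated traffic to cloud ranges"

# 3. Named exclusions: services the router is explicitly allowed to use.
add chain=output protocol=udp dst-port=53 dst-address=192.0.2.53 \
    action=accept comment="DNS to the chosen resolver only"

# 4. General log + drop at the end of the output chain, so every other
#    connection the router initiates shows up in the log.
add chain=output action=log log-prefix="out-unexpected"
add chain=output action=drop comment="default deny for router-originated traffic"

# Rules are evaluated top to bottom; check their position relative to any
# existing output rules, then watch the counters while testing:
#   /ip firewall filter print stats where chain=output
```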