mikrotik.com blocked on our country and mikrotik cloud(ddns) and update check not working

gezir · August 7, 2021, 5:33pm

Hi,

mikrotik.com blocked on our country from last week and mikrotik cloud (ddns) and update check not working

How can I update cloud (ddns) IP ?

rextended · August 7, 2021, 6:00pm

IS blocked by IP or by name?

Try to ping 159.148.147.204

MikroTik IPs
AS51894
159.148.147.0/24
159.148.150.0/24
159.148.172.0/24
2a02:610:7501::/48

upgrade.mikrotik.com

gezir · August 7, 2021, 6:15pm

I have ping 159.148.147.204 but timeout
it’s meaning ip blocked and i have try 159.148.147.196 ip is same blocked

rextended · August 7, 2021, 7:33pm

but… if you reach the forum… probably block selectively the IP than country

anav · August 7, 2021, 8:01pm

You need wireguard LOL Its coming soon!

gezir · August 8, 2021, 6:16am

I reach mikrotik forum with vpn here all mikrotik.com is blocked
And this problem I have try on all ISP

Jotne · August 8, 2021, 8:36am

Why would “they” do that and what country are you in?
You should change the government or change country.

msatter · August 8, 2021, 9:59am

How irronic would it be if they blocked it using Miktotik devices and by error they blocked the access also for all, Mikrotik.

erkexzcx · August 8, 2021, 6:56pm

http://forum.mikrotik.com/t/nordvpn-ipsec-ikev2-killswitch-for-ros6/144817/1

Get NordVPN or any other trusted VPN provider subscription, then 2nd method (by destination) to Mikrotik ASN:

For example, Mikrotik.com resolves to “159.148.147.196”. Quick google revealed the Mikrotik has it’s own ASN which contains 512 ips, or in other words, If you wish to access Mikrotik services/websites under NordVPN, you should add 159.148.147.0/24 and 159.148.172.0/24 to your address list using this (2nd) method.

The only difference here is that you would also need to mark traffic in OUTPUT chain as well (guide marks only in FORWARD). Works like a charm, I’ve tested it myself since I’ve had issues reaching mikrotik.com services about a year ago.

msatter · August 8, 2021, 7:16pm

The problem is that he can’t use ddns because when you go through a VPN your public address changes. Now you can get your own public IP agains paying for it with NordVPN so that are also reachable with that public IP.

There surely must be DDNS services that allow you supply the public IP separate.

gezir · August 9, 2021, 6:41pm

How Can I change for mirotik cloud (ddns) update and mikrotik update checking with vpn ?
Because I have vpn connection

sindy · August 9, 2021, 7:59pm

As @erkexzcx has suggested, you can make the router itself use the VPN tunnel to connect to mikrotik.com destinations, by using action=mark-routing rules in chain output of /ip firewall mangle. But you have to set use-local-address under /ip cloud advanced to yes, and hope that it will work the expected way. When set to no, the DDNS resolves the xxxx.sn.mynetname.net FQDN to the IP address from which it has received the update request, which is the public IP of the remote VPN server; when set to yes, the update request contains the local IP of the router, which I assume is the one attached to the interface through which the update request has been routed.
[speculation]the ddns update process checks the routing table main before actually sending the packet, so when the mangle rules assign the routing-mark and thus change the routing-table actually used, the address in the update request remains the one that would be used if the packet wasn’t redirected.[/speculation].

However, I’d be afraid that the authorities might be scanning responses from sn.mynetname.net, and if they spot a response that contains an IP address from the range assigned to one of your country’s ISPs, they would easily track down the user of that address at that time.

So spawning a virtual router (CHR) in some data center abroad, with a fixed address, might be a safer option.

rextended · August 9, 2021, 8:04pm

set the and paste on terminal

/ip route
add distance=1 dst-address=159.148.147.0/24 gateway=<VPN-INTERFACE>
add distance=1 dst-address=159.148.150.0/24 gateway=<VPN-INTERFACE>
add distance=1 dst-address=159.148.172.0/24 gateway=<VPN-INTERFACE>

do not touch DNS, cloud2.mikrotik.com resolve to 159.148.147.201 and 159.148.172.251 and go through VPN.

sindy · August 9, 2021, 9:06pm

I assume you had in mind , hadn’t you? Otherwise yes, your suggestion is definitely simpler and less error-prone than an additional routing table and mangle rules, but the use-local-address=yes setting may not provide the desired outcome in this case, as the source address sent in the DDNS update request will most like be the one assigned by the VPN server, attached to the .

rextended · August 9, 2021, 9:36pm

ops, is late… obviously an error

The idea is to use another IP, the IP of the VPN, because if the IP are country-locked, passing the right IP to cloud, change nothing…
No incoming traffic possible.

Or not?

sindy · August 10, 2021, 10:04am

@rextended,

the OP has not explained why he needs to update the DNS record, but typically you do this when you have a public IP address but a dynamically changing one, and you want to run a service on that address, so your clients are configured with the FQDN rather than with an IP number.

For such a purpose, you usually cannot use the public address from which your traffic emerges from the remote public VPN server, because such a server usually doesn’t forward (or permit) incoming connections to the client, or even uses a single public IP for many clients - unless it is a VPN server under your own control, as I’ve suggested in my older post.

So depending on what is the OP’s actual need, it may be correct to update the DDNS with the actual public IP, or to update it with the VPN one, or none may help.

Of course, it is also possible that the OP’s device is acting as a client, and the remote server may verify the source address by reverse DNS lookup that must yield a known fqdn.

rextended · August 10, 2021, 10:39am

My hint on post #13 is for specific question the OP ask on post #11
http://forum.mikrotik.com/t/mikrotik-com-blocked-on-our-country-and-mikrotik-cloud-ddns-and-update-check-not-working/150940/1

…mikrotik update checking with vpn ?..

gezir · August 10, 2021, 8:52pm

Thank you for reply ,
It's working but set vpn ip to DDNS
How can is change to get ip from pppoe interface

set the and paste on terminal
/ip route
add distance=1 dst-address=159.148.147.0/24 gateway=<VPN-INTERFACE>
add distance=1 dst-address=159.148.150.0/24 gateway=<VPN-INTERFACE>
add distance=1 dst-address=159.148.172.0/24 gateway=<VPN-INTERFACE>
do not touch DNS, cloud2.mikrotik.com resolve to 159.148.147.201 and 159.148.172.251 and go through VPN.

sindy · August 10, 2021, 9:32pm

If so, you need to use the approach I gave above. Instead of the three direct routes to Mikrotik subnets via VPN, you have to do the following:

/ip route
add gateway= routing-mark=via-vpn

/ip firewall mangle
add chain=output dst-address=159.148.147.0/24 action=mark-routing new-routing-mark=via-vpn
add chain=output dst-address=159.148.150.0/24 action=mark-routing new-routing-mark=via-vpn
add chain=output dst-address=159.148.172.0/24 action=mark-routing new-routing-mark=via-vpn

(if there are already other rules in chain output of mangle, place these ones before (above) them)

/ip cloud advanced set use-local-address=yes

This way, the DDNS should get updated with the PPPoE address.

mha7 · October 1, 2022, 10:32pm

Unfortunately Mikrotik DDNS is also blocked in Iran!
When I check “Use Local Address” the DDNS record will update to the local address of the VPN interface. Is there any options to select my PPPoE interface instead?

Thanks