Possible to reach Mikrotik DynDNS behind NAT? (through upnp or something else?)

I like the DynDNS feature of Mikrotik. Especially that it allows the 1 minute refresh interval time.
However, I have some installations behind other routers and I would love to be able to reach my Mikrotiks without having to do NAT forwards on other firewalls to reach it.

A- Is there anything built in or available out there that allows me easy access to my Mikrotik no matter where in a network diagram I put it as long as it has internet?
B- If not a built in feature, maybe someone has built an easy system I can copy? (currently I use an OpenVPN tunnel but it’s a bit messy because the OpenVPN server can break one day).

To connect all links with public addresses. This is the only way.

How??

There’s no “cloud” connectivity available by using Mikrotik cloud service … only dynamic DNS. So when connecting to .sn.mynetname.net, one is connecting directly to the router. If router doesn’t have public address, then the device that holds the public address, will most probably block the connection attempts. Unless NAT is configured on the “public IP” device …

Basically you’re already using the only possible solution - VPN. If VPN server breaks, then you keep the pieces (and clean up your part of mess). Mikrotik cloud had its own share of problems in the past as well …

Is there anything built in or available out there that allows me easy access to my Mikrotik no matter where

If the devices you want to reach behind the Mikrotik router are Mikrotik devices as well then you can enable ROMON on all the devices…
Then as soon as you connect to the ROMON agent all the devices will appear in Winbox…

ROMON only works in a local (or at least L2-connected) network.
People asking for DynDNS features will normally use the internet for access and ROMON does not work over internet.

Like mkx, I recommend to set up a VPN server somewhere at a location where you have fixed external IP, and then set up a VPN connection to there in all routers you want to manage.
Besides that it overcomes the reachability issue you have, it is also much safer. You should NOT enable access to the winbox port (8291) from internet! But you can do it in a closed VPN network.

I would recommend to use L2TP/IPsec or maybe SSTP instead of OpenVPN. It is better supported in RouterOS.
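
The setup recommended above, as an added example that is not part of the original thread: each router behind NAT dials out over L2TP/IPsec to a server with a fixed address, and WinBox (8291) is accepted only from the VPN. The hostname `vpn.example.net`, the 10.255.0.0/24 management subnet, the names `mgmt`, `l2tp-mgmt` and `site1`, and all secrets are assumed placeholders.

```routeros
# ---- VPN server (router or CHR with a fixed public IP) ----
# Management pool and PPP profile (addresses are assumed placeholders)
/ip pool add name=mgmt-pool ranges=10.255.0.10-10.255.0.250
/ppp profile add name=mgmt local-address=10.255.0.1 remote-address=mgmt-pool

# L2TP server that refuses clients not protected by IPsec
/interface l2tp-server server set enabled=yes default-profile=mgmt \
    use-ipsec=required ipsec-secret=CHANGE-ME-PSK authentication=mschap2

# One account per managed router, with a fixed management address
/ppp secret add name=site1 password=CHANGE-ME service=l2tp profile=mgmt \
    remote-address=10.255.0.11

# Accept IKE/NAT-T and ESP from the internet, and L2TP only inside IPsec.
# "add" appends: these rules must sit above any existing drop rule.
/ip firewall filter add chain=input action=accept protocol=udp \
    dst-port=500,4500 comment="IPsec IKE and NAT-T"
/ip firewall filter add chain=input action=accept protocol=ipsec-esp \
    comment="IPsec ESP"
/ip firewall filter add chain=input action=accept protocol=udp dst-port=1701 \
    ipsec-policy=in,ipsec comment="L2TP only when IPsec-protected"

# ---- Managed router (behind someone else's NAT) ----
# Outbound tunnel: no port forward is needed on the upstream router
/interface l2tp-client add name=l2tp-mgmt connect-to=vpn.example.net \
    user=site1 password=CHANGE-ME use-ipsec=yes ipsec-secret=CHANGE-ME-PSK \
    disabled=no

# WinBox service answers only to the management subnet
/ip service set winbox address=10.255.0.0/24

# WinBox accepted from the tunnel, dropped from everywhere else
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=8291 \
    in-interface=l2tp-mgmt comment="WinBox via management VPN"
/ip firewall filter add chain=input action=drop protocol=tcp dst-port=8291 \
    comment="WinBox from any other interface"
```

After the tunnel comes up, the router is managed at its fixed management address (10.255.0.11 in this example) from any host that is also on the VPN.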

People asking for DynDNS features will normally use the internet for access and ROMON does not work over internet.

Wrong! It works perfect…!
If you enable ROMON on your Main router for example and on your AP that is behind your router, if you allow access through WAN to your Router, by using the Cloud DNS or any other DNS service, you can connect to the ROMON agent of the Main router and you will see (and be able to connect to) the AP as well in the ROMON neighbors…

ROMON only works in a local (or at least L2-connected) network.

Oops.. wrong too…
its network operates independently from L2 or L3 forwarding configuration.
https://wiki.mikrotik.com/wiki/Manual:Tools/RoMON

@zacharias, do yourself (and everybody else) a favour and quote the whole sentence including the previous one:


> RoMON works by establishing independent MAC layer peer discovery and data forwarding network.
> RoMON packets are encapsulated with EtherType 0x88bf and dst-MAC 01:80:c2:00:88:bf and
> its network operates independently from L2 or L3 forwarding configuration.

So how does it work in routed (L3) environment?

The same thought process applies to the first claim by @pe1chl you dismissed so easily: if a user has a few routers in different places (that’s the only case when different .sn.mynetname.net would point to different addresses), it’s routed network again.

Your suggestion works in one case only: when there are a few RBs in same physical L2 network and admin wants to access them, then it’s enough to make one of them accessible and the rest can be accessed via RoMon. And, technically, in this case RoMon is not working over internet, it’s working between RBs … it’s winbox protocol working over internet.

A) https://www.cloutik.com/pricing/
B) https://www.cloutik.com/pricing/

I think that might be an option. Price is not very crazy at 55 euro / year for up to 10 devices.

Wrong! It works perfect…!

Either you have not understood my remark or you have not understood ROMON.

Price is not very crazy at 55 euro / year for up to 10 devices.

Of course you can host a CHR at any cheap hoster for like 3 euro/month (36 euro/year) and use it as a VPN server for this kind of thing, without limit on the number of connected clients.
Unlicensed CHR will have 1Mbps, likely sufficient for this usage, and otherwise you can one-time invest in a CHR license and get the full speed.

@mkx,
First you say:

technically, in this case RoMon is not working over internet

Then:

it’s winbox protocol working over internet.

How exactly do you connect to a Romon agent? Is VPN needed? No
Physical connection through a cable needed? No
Possible over Internet? Yes
I never said it’s an internet protocol or anything…
Nothing more to add from my side…
The OP asks for an easy way to access his devices without port forward or anything and so I suggested him an easy solution in case the devices he wants to access are Mikrotiks…
You argue because you just want to argue…
Hope the OP finds a solution…

Either you have not understood my remark or you have not understood ROMON.

You said ROMON is not accessible through internet, not me (you can read your post again).. all the rest are just your theory, I never said it’s an internet protocol…

I hope so too, but your remarks are not helpful because the solution you propose does NOTHING to bring him closer to a solution.
The solution mkx and I propose however, does bring him a solution.

So why don’t you read OP’s first post again … very carefully. Don’t immediately jump to conclusions as you like to do very much, but read it quite literally (have faith in OP that he chose words well). Then think about possible solutions. And read the post again. And reconsider the solutions. And if you still think RoMon is solution, reread the initial OP’s post again. And again. Especially the second paragraph. Pay special attention to the singular vs. plural forms of nouns. All of them. And consider all implications of how they were used by OP.

Because, after all, we’re not discussing merits of RoMon, we’re trying to find the best solution to the problem described by OP. Exactly as described, without implying things OP did not write. If OP finds proposed solutions unfit, he might reword problem description and we’ll go another round … then.

I can not keep on arguing with people that do not even know that they can access a Romon Agent through the Internet (yes you don’t, all your posts showing that are above), I just lose my time…
Also, I can not discuss with people who answer on behalf of the OP (really? :laughing: ) and by themselves show their suggestion as the Optimal, although I never said that their suggestion was bad or that mine was perfect.. I simply said my opinion, the OP does not include many details anyways… Of course I would change my suggestion if needed…
You are the best…

RoMon works very good on a routed / L3 network, not wise to expose to Internet for obvious reasons

not wise to expose to Internet for obvious reasons

I agree on that… although techniques like port knocking can be applied… Romon was just a thought…

IT DOESN’T!!!

You can access a RoMon AGENT via the L3, but RoMon ITSELF does not work over routed networks.
And a RoMon AGENT is not a solution to access a router that is behind NAT (another router) from the internet.

And then there additionally is the issue that you would not want to expose a RoMon agent to internet, yes.
All in all it is a totally unusable solution for the problem at hand. RoMon is nice in a closed L2 network where you
fear that you lock yourself out due to mistakes in routing configuration. It is not useful to administer a bunch
of separate internet-connected routers.

Let me add,

RoMon itself does not work over L3, BUT, if all devices are Mikrotik and running RoMon, you can access all devices over a L3 network via the RoMon agent.

If configured as per above, it will create a RoMon network, similar to what OSPF does for L3 routing

So if all OP’s devices were Mikrotik, RoMon would have been a solution (Without the need for VPN - Not suggested though)

You apparently read

I have some installations behind other routers and I would love to be able to reach my Mikrotiks without having to do NAT forwards on other firewalls to reach it.

in a different way than I do.
Not useful to continue discussion then.

I would assume I read it exactly the way you did. BUT:

Nowhere did anyone say RoMon IS the solution, it is an OPTION. Maybe you know the OP personally and know what is within his power, but I suspect @Zacharias doesn’t, and I definitely don’t.

So if this is so important to the OP, and it is within his power to change all devices to Mikrotik, he has the option / info and can decide for himself.