MikroTik

This was discussed in 6.43rc thread, but here is better place for it.

IMHO the cloud DDNS needs user-configurable option what protocol to use (IPv4 only, IPv6 only, both). Ideally with "both" as default, because if I have dualstack and IPv4 fails (perhaps by user mistake, which is more likely than real outage), IPv6 is very nice backup option (for some purposes at least).

Based on current description, only A record gets added for dualstack, and if IPv4 fails, user will sit and try hard to remember what the last IPv6 address was? It doesn't sound very good.

Ultimate solution would be support for multiple subdomains (for multi-WAN purposes) with suggested option available for each item. That way there could be A-only subdomain for e.g. OpenVPN server (to not slow down client trying AAAA; alternatively, you could add IPv6 support to OpenVPN, I wouldn't object) and another A/AAAA for administration. Well, it might get a little too complex, but it would be nice.

Another possibility, to keep it simple, automatic A-only and AAAA-only subdomains could be added by server (xxx.sn.mynetname.net with A/AAAA, ip4.xxx.sn.mynetname.net with A only, ip6.xxx.sn.mynetname.net with AAAA only) and user could use the right one for each intended purpose.

There are some not so clear scenarios. However, in your secnario if your IPv4 fails and router still has connectivity via IPv6 - in about 60 seconds router will register IPv6 address as cloud address and $host command will suddenly return IPv6 AAAA entry.

edit: I have some more scenarios in my head when I want this to work but it will not in the current state. We are working hard to resolve those.

It's nice to see a great feature being refined that bit more. I have noticed recently the "old" cloud is quite slow to respond so maybe this is the reason why?
I'd be lost without IP>Cloud for hairpin NAT scenarios on dynamic WAN IP's.

It looks like the old[stable] cloud implementation does not work for me anymore. (using v6.42.6 on routers)

After pressing force update in ip cloud settings (ddns enabled) it says request timed out.
Also "nslookup serialnr.sn.mynetname.net ns1.kissthenet.net" still shows the old address.

Your experiences?

I am amazed by the amount of responses and effort from MT team for a set of 2 features that can easily be replaced by ntp and duckdns, both being better alternatives.

I dont care for the alternatives. I am HAPPY with ip-cloud. working from the start 100% for me.
Free dyndns per device. What more can u ask

Indeed.

Even time precission is enough for coarse log analysis (did it happen this morning or a fortnight ago?). Anybody requiring "better" services are more than welcome to use alternatives.

Free dyndns per device. What more can u ask

Well some sort of control and completely brand agnostic solution... Not to say there are hundreds of more important features requests than IP Cloud or Kids Control viewtopic.php?f=1&t=45934 to tackle first and clearly most of them cannot be replaced by a less than 10 lines script or by an existing component supporting an established standard !

Actually this would put the mikrotik in the middleman role. It has to be considered as unsafe. I understand that some people do not care about it, but I rather build my own management network instead of rely on services that I cannot control and that can do whatever I do not know what above what they promote.

While you find some feature not so useful to yourself and relentlessly bash them - consider that there are other features made by RouterOS developer team that you are using. This one particular - IP-Cloud - is touted by you as very unsafe and understandably so - MikroTik hasn't disclosed information - but from time to time your posts look like just bashing.

Ona brighter note - there are new features in testing, new features in the development and one feature that just came out of testing and is included in new RC - IPv6 support.

this is what "IPv6 support" entails -
*) DNS requests via IPV6
*) IP-Cloud services (DDNS update, timezone) via IPv6
*) AAAA support for *.ns.mynetname.net domains

For now - there is only AAAA OR A entry support. Due to nature of RouterOS - if you have a dual-stack router and want the IP-Cloud address to be IPv6 you have to force it via /ip dns static entry - add cloud2.mikrotik.com with these IPv6 addresses 20a2:610:7501:4000::251 and 2a02:610:7501:1000::201

While you're doing this DNS stuff, is there any chance that conditional-forwarders might be added into the RouterOS DNS resolver? i.e. relay any requests for company.local to 192.168.1.1, for a branch office scenario?

@carl0s: It's not really related to this, but yes, it would be nice. Every other DNS resolver supports it, and no, keeping another machine around only because of such simple feature is not good solution.

coming to the router near you soon:

Any plans to add wildcard hostnames support? I mean "firsthost.123456.sn.mynetname.net" . If not - why?

Please explain what that would solve? If you have several routers - they all are eligible for the IP Cloud address.

edit: If you have a company and want all routers under same "umbrella", then you can create CNAME entries in your local DNS server for your domain.

coming to the router near you soon:

Code: Select all

$ host <serial>.sn.mynetname.net
<serial>.sn.mynetname.net has address 192.168.88.1
<serial>.sn.mynetname.net has IPv6 address 2001:db8:1337:beef::ada

Suggestion : add an option in cloud service to add an extra personal prefix.

like "xyz" when user define personal prefix the name will became

xyz.<serial>.sn.mynetname.net

this make difficult for brute force detect all mikrotiks in the world and make difficult in case of new vulnerability to attack all .

Currently is easy to make a brute force search for mikrotik devices using the cloud service as the names follow an simple pattern and is just an DNS query.

Will it be available for x86 router soon?

I am also looking forward to have support in x86

Will it be available for x86 router soon?

I am also looking forward to have support in x86

I hear mumbles of CHR being available from 6.43 so there could quite possibly be x86 implementation.

Currently, there are no plans to bring it to the x86 platform.

Currently is easy to make a brute force search for mikrotik devices using the cloud service as the names follow an simple pattern and is just an DNS query.

The serial number consists of 12 hexadecimal characters.
I wouldn't call making 184884258895036416 (12^16) dns lookups 'easy'.

It's easier to just use masscan and scan the whole IPv4 address space for open port 8291.

You think there is any chance in the future to support multi-wan setups? One option is to prepend or append the interface number to the dyndns hostname?

pppoe-out1 = xxxxx-1.sn.mynetname.net
pppoe-out2 = xxxxx-2.sn.mynetname.net

Finally a change worth talking about

6.44beta9:
!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);

Some details:

*) Only aes-sha265 encrypted files are accepted.
*) If you save the secret-download-key, one will be able to download the backup file from another router.
*) one command to make, encrypt and upload
*) one command to download and apply
*) communication with IP Cloud servers is fully encrypted (so your encrypted file is transferred over an encrypted channel)
*) one backup file per router
*) free
of course, if you just download the file, then it has to be applied via /system backup load

edit: specified encryption method used for backup file that is accepted, file slot count = 1 per router. free

Ah finally some new functionality
Are you considering implementing a management VPN function?

!) cloud - added command "/system backup cloud" for backup storing on cloud (CLI only);

is this for backup configuration to cloud? free?
if yes VERY NICE MIKROTIK.

yes, 1 file slot per router and it is free for all the platforms that can use IP Cloud

free cloud backup. very nice really nice.
one tip, there is option to schedule to backup every xx days to cloud automatically. (of course you can do it with scheduler, but i am just saying)

yes, 1 file slot per router and it is free for all the platforms that can use IP Cloud

will there maybe an API we could use to interact with the backup file?
my aim is to have a "remote controlled" set of CPEs... i make changes to the "cloud-twin" and it is (pulled) "replicated" to the physical one.

maybe in a way that it could import the file w/o hurting device specific things, like MAC addresses.

not really, as restoring backup file will replace MAC addresses and EVERYTHING else. After that you can reset mac addresses of the interfaces on the router. But that is it.

It would be nice to have the option NOT to restore or backup MAC-addresses on HW-interfaces (Ethernet and Wireless).
Restoring MAC-addresses of logical interfaces like bridges, EoIP, VPLS and the like is useful though.

This actually is not related to the IP Cloud functionality anymore. For the IP Cloud Backup feature, it was important to be able to effortlessly upload the backup file and retrieve it afterwards. There is other stuff coming related to IP Cloud Backup in the future (regarding ease of access) however that is in no way related to the basic functionality of the backup system itself.

So the points are:
1) easily create backup and upload
2) retrieve and/or apply
3) in case of the router damage make the backup file available from the other device

Would be great if the IP cloud can expand the feature to whole configuration, something like Cloud Winbox.
User can login the cloud portal to modify and customize the configuration, when the router box connects to Internet, automatically grab updated cloud configuration and deploy it.
Two beauties:
1. reduce the risk of exposing winbox to Internet
2. easy bulk deployment

Really? Everyone wants to have a supersecured router and you would give all your login details to a cloud?

Really? Everyone wants to have a supersecured router and you would give all your login details to a cloud?

It certainly has some applications. I have been suggesting a management VPN to be part of IP cloud as well.
People have trouble arranging secure management of their routers that are on dynamic addresses, behind CGNAT, or otherwise inconvenient to access, and it could be nice to register them in a cloud system so you can manage routers that are not connectable from outside.

Of course the access to that cloud system should be done in a secure way. But remember, when some fault is found there it can be resolved by updates.
2nd factor authentication can be used. This is all much better than having 200.000 vulnerable routers in the field without a way to get them updated.

ManagementVPN as such is not planned for now. The main reason is the security implications.

You think there is any chance in the future to support multi-wan setups? One option is to prepend or append the interface number to the dyndns hostname?

pppoe-out1 = xxxxx-1.sn.mynetname.net
pppoe-out2 = xxxxx-2.sn.mynetname.net

This! We need to be able to monitor backup connections that have dynamic IP.

You think there is any chance in the future to support multi-wan setups? One option is to prepend or append the interface number to the dyndns hostname?

pppoe-out1 = xxxxx-1.sn.mynetname.net
pppoe-out2 = xxxxx-2.sn.mynetname.net

This! We need to be able to monitor backup connections that have dynamic IP.

Its a "free" service. I think that is usefull as it works actually. And U can manipulate from which link ddns works on it.

Enviado de meu MI 9 usando o Tapatalk

You think there is any chance in the future to support multi-wan setups? One option is to prepend or append the interface number to the dyndns hostname?

pppoe-out1 = xxxxx-1.sn.mynetname.net
pppoe-out2 = xxxxx-2.sn.mynetname.net

This! We need to be able to monitor backup connections that have dynamic IP.

Its a "free" service. I think that is usefull as it works actually. And U can manipulate from which link ddns works on it.

Enviado de meu MI 9 usando o Tapatalk

Hello,

Can you explain me how to choose on witch interface ddns will work please?