Hi ,
I am a user of a RB951Ui-2nD with firmware 6.43RC51.ISP delivers service tru PPPoE.
I have observed that , after installing this firmware ( have no ideea if it was happeninig with the other FW RC or with previous stable versions ) , at router start-up , there was a connection to this
ip -> 159.148.147.201:15252 (UDP) .
Keep in mind that the Cloud feature available via Winbox IP section is not active ,this because 2 months ago the clock would go up and down with hours ( at router start-up) instead of keeping up with the real local time .As such that time cloud auto-update was turned off.

Seeing this connection done from the router outside IP i have decided to block Output chain all together and see what happens.A rule has been created from within firewall interface -> Drop for Output Chain and Log.
Once this rule has been applied connectivity to the router itself via WInbox from within LAN was lost ? The router itself was operational though.
After a hard config reset a ruile to alllow the LAN IP range thru the Output chain has been made so that the Winbow from LAN IP to work.
A rule to Drop Output chain and Log has been created under the above and the log outputed DNS calls from the router to the ISP DNS (the ones already existing in the settings).These DNS calls are made every 16 minutes and around 10 in number.If the Time update is forced from within Cloud these DNS calls stop, if the router is restarted the DNS calls are logged again and they stop once the Time Update is forced.If i try to log to the router from Winbox , from LAN while the DNS calls are made a delay to login is observed , router gets less responsive ?

Questions:

That UDP connection to port 15252 is legit ? If yes is it related to time ?
That IP is a legit one ?
Should the Output chain relate to connections made from/to Router OS with/to the outside and if yes why do i need to make a rule to exclude LAN ip-s to be able to connect from Winbox from the inside LAN ?
Why are those DNS calls made if the Cloud time is disabled and why at every 16 minutes ?
Can this interval be modified to a day or something ?

Thank you for any response if any in advance.

Looks like that IP belongs to Mikrotik so it appears to be some cloud/time/package check to their servers. This recent reddit post had a similar issue and tried to establish exactly what connects out from the router - https://www.reddit.com/r/mikrotik/comme ... s_queries/

The output chain handles any packets leaving the router, regardless of what network they are going to. A single block rule will stop the router talking to anything. You would need an allow rule for your LAN (You might get away with an established rule if you have an input allow for the LAN, not sure without testing). My usual tactic when I'm not 100% certain about required rules is to use a log all instead of drop, then make rules for any genuine traffic that gets logged, then change the log rule to a drop.

most probably you still have time-zone detection still enabled on your router and that is causing the connection to the cloud.mikrotik.com or 159.148.147.201:15252 (UDP).

IP Cloud has these services:
*) DDNS - assign domain name to dynamic IP
*) auto-time - approximate time so logs make sense when you want to know what is happening. if you enable SNTP or NTP it will disable itself automatically.
*) automatic time-zone detection - if you move with your "travel router", or the router is moved around the time-zones.

Thank you for the feedback.

@usdmatt , I have a rule allowing LAN devices on the Input chain as well , as i ve added a Block All rule for the Input chain at the end of the input firewall rules.By default the security of the WAN inbound is quite relaxed on the Mikrotik so measures had to be taken .
And indeed loging instead of blocking at first is the smart way of discovering what rules should be implemented

@ janisk , DDNS is not used , auto-time was disabled , but time-zone detection box was still checked

So in the IP - > Cloud -> DDNS is not checked , Update time is not checked , both disabled.
In the System -> Clock -> Time -> for Time Zone Autodetect i have uncheked the box (DNS calls still made at every 16 minutes though).Here there is also DST Active checked and greyed , can t disable it.

Keep in mind that if i Update time manually via Cloud the DNS calls from the router itself stop , like i ve stated in the first post.

So it seems the connection was legit even though not needed in my view.

LE: Rebooted already 2 times and the DNS calls seem to have been stopped , so the Time Zone Autodetect was involved in the issue as well.
But , observed something else not seen untill now , after the router reboot the gateway IP felt the need to send some/few ICMP type 3 code 0 packets to one of my wired PC-s.So along the Allowed TCP on the LAN range for the Output chain (to be able to connect to the router interface) i have added an Allow ICMP rule for the LAN as well, for the Output chain (maybe not necessary though)..

ICMP type 3 code 0:
Type 3 - Destination Unreachable
code 0 - Net Unreachable

Thanks !
It seems that the output chain should be kept under control as well , even though not necesarelly in relation with the Cloud feature .

It seems that with version 6.43rc56 firmware the behaviour is a little different in realation to gateway<->client relation , via Outbound chain.When rc 51 was used ,right after the router restart there would be a ICMP 3 code 0 send by the gateway to the (some) clients .WIth RC 56 the gateway would ping the client with a ICMP 8 code 0.Installing latest stable the behaviour is back ICMP 3 code 0 beeing send to the client from gateway .
I ve just oberved this in logs and thought to give some feedback.I doubt it matters though , it s just ping.

This is happening on v6.43.1 but not in v.6.42.x.
I have disabled both the "Time Zone Autodetect" and all the "IP could" stuff.
I still see those UDP packets trying to go out every two minutes.
I'd say, if that's legitimate, then please document it.