IP Cloud Service inactive but calling home?

whitbread · Tue Dec 15, 2015 12:39 pm

I have a RB751U-2HnD running RouterOS 6.33.3.

IP Cloud is inactive

 /ip cloud print
  ddns-enabled: no
  update-time: no

but I see connections to 81.198.87.240:15252 - why this?!?

janisk · Tue Dec 15, 2015 12:51 pm

there are several places in RouterOS that rely on '/ip cloud' infrastructure.

'/system clock' - time-zone-autodetect

Sat Dec 26, 2015 9:52 am

That's funny. Are you guessing the time zone by ip address?

pe1chl · Sun Dec 27, 2015 3:56 pm

That's funny. Are you guessing the time zone by ip address?

You expected a hidden GPS receiver to do the autodetect?

Sun Dec 27, 2015 5:08 pm

No. Not at all. I expect silent router without backdoors and not generating any traffic on his own without my explicit settings.

pe1chl · Mon Dec 28, 2015 10:43 am

No. Not at all. I expect silent router without backdoors and not generating any traffic on his own without my explicit settings.

That kind of expectation usually means that you will have to do extra research and work.
Today, most clients expect a router (or other device) to "work out of the box" and that group is what MikroTik have
to engineer for.

Tue Dec 29, 2015 12:05 am

Sure I know that. Therefore I am always removing the configuration right out of the box and making my own. And dropping / logging on the end of output chain too to see what unexpected is going out. Even though I am not convinced enough that my routers are safe.

janisk · Tue Dec 29, 2015 11:05 am

here is some description of the geolocation using an IP address:
https://www.iplocation.net/

Also, you can read here about what services IP Cloud provides:
http://wiki.mikrotik.com/wiki/Manual:IP ... on_details

George90 · Sat Mar 05, 2016 5:47 am

If we create drop rule with dst address 81.198.87.240/24 will that prevent routers from accessing cloud services?

Sat Mar 05, 2016 8:06 am

There should be a way how to reliably switch off each communication service in the ros. But it is not.

For these purposes I use firewall with general drop on the end of output chain and named accepting exclusions before.

And one thing above that. There should not be any outbound communication initiated from the router at all by default until the user explicitly allows such service.

George90 · Sun Mar 06, 2016 4:14 am

I agree with you that we should be able to turn off all communication to cloud services.

Can Mikrotik kernel override firewall rules ? That's a question

(I think that can)

Sun Mar 06, 2016 4:36 am

I am afraid of the same. But I am far away from saying that because I haven't tested it yet.

George90 · Mon Mar 07, 2016 2:58 am

I tested with enabled "Update time" and Force Update button.

Here are used firewall -> filter rules:
add action=log chain=forward comment="test

" dst-address=81.198.86.0/23
add action=drop chain=forward content=cloud.mikrotik.com
add action=drop chain=forward dst-address=81.198.86.0/23
add action=drop chain=forward src-address=81.198.86.0/23
add action=drop chain=forward dst-address=91.188.51.136/29
add action=drop chain=forward src-address=91.188.51.136/29

When I hit "force update" button firewall rules counters are on 0, and status is updated. So MT CAN contact cloud server even if you create drop rules in firewall. Solution is to add static dns entry for 'cloud.mikrotik.com' and point it to something that will never be MT cloud server, I used '255.255.255.255' and after "force update" button error was "Error: no internet connection".

Keep in mind that I find out that if MT doesn't have dns server specified it will contact cloud server by ip address. Firewall rules will not protect router that have them, but will all others that access internet using that router.

I hope that this will be useful

and maybe one day improved...