> /ip cloud set sdwan-enabled=yes
Ugh. Just, ugh.
> with the problems kept?
What problems?
> How does MK release a new Cloud that works better only with RC firmware?
Any feature is first released in RC. Then it becomes 'current'.
> I can not put the RC in production.
You must not do this. Use RC only in controlled test environments.
> Will we get CHR support?
You would need to find something else than serial number to use for hostname. There's System ID, but it seems to be generated randomly, so it might not be unique. It also seems to make a difference between case of letters, so it would not work well with dns either. But I'm sure something could be invented, at least for licensed instances.
> > Will we get CHR support?
> You would need to find something else than serial number to use for hostname. There's System ID, but it seems to be generated randomly, so it might not be unique. It also seems to make a difference between case of letters, so it would not work well with dns either. But I'm sure something could be invented, at least for licensed instances.
md5sum of the license number? Kinda big, but...
> It has improvements in security, responsiveness and expandability.
Maybe a little elaboration on this, so I can decide if I care? I use this feature only to locate MikroTik routers I have installed that don’t have static IP addresses.
> Will we get IPv6 Support?
old cloud was v4 only, w/o any theoretic chance for ipv6 support.
cy-bear:~ bat$ host cloud.mikrotik.com
cloud.mikrotik.com has address 81.198.87.240
cy-bear:~ bat$ host cloud2.mikrotik.com
cloud2.mikrotik.com has address 159.148.147.201
cloud2.mikrotik.com has address 159.148.172.251
cloud2.mikrotik.com has IPv6 address 2a02:610:7501:1000::201
cloud2.mikrotik.com has IPv6 address 20a2:610:7501:4000::251
[admin@tgcpe2] /ip cloud> /ip dns cache print
Flags: S - static
# NAME ADDRESS TTL
0 S router.lan 192.168.88.1 1d
1 ttt0-cegle... 2001:4c48:xxxxx::1 40s
2 tgcpenms.d... 2001:4c48:xxxxx::3 20m6s
3 cloud2.mik... 159.148.172.251 1h16m16s
4 cloud2.mik... 159.148.147.201 1h16m16s
[admin@tgcpe2] /ip cloud> /ip cloud print
ddns-enabled: yes
update-time: no
public-address: 188.6.129.21
status: connecting...
> 3) the new cloud works much faster, so the precision will be better - this is for setups where you cannot run NTP/SNTP or don't need the time so precise. This is enabled by default to get some, any time for logs where a user could benefit from seeing a time of occurrence.
I completely understand that the cloud time is based on an HTTP timestamp so it offers only 1-second resolution and cannot set the clock very accurately, but that was never an excuse for serving time that is wrong by 10 minutes.
> > I use this feature only to locate MikroTik routers I have installed that don’t have static IP addresses.
> this is the intended use - you are our target audience for the IP-cloud's DDNS feature
OK... so, as I don't really care about using it for NTP or on IPV6, does this new implementation give me anything superior for my needs that would give me incentive to turn it on? Maybe I have overlooked an explanation, but I don't think one has yet been presented.
> 4) it is not possible to send fake updates to the IP-cloud. To the IP-cloud your router is unique.
It's nice to hear. I just hoped we could get a little "peek under the hood", how it works. And please don't say "secret algorithm", because when it has to be on every single router, one bored person with decompiler could be all that's needed to make it not secret anymore.
> Multi-WAN support for DDNS pretty please?
If it would be possible to add multiple DDNS clients (with some reasonable limit), something like (just a quick thought, there might be better way):
/ip cloud ddns
add name=wan1 routing-table=isp1
add name=wan2 routing-table=isp2
> To give more authoritative weight behind some excellent answers given by other users:
> 1) do not put RC in production - all new features come to RC, then get into current and only then it is placed into bugfix.
> 2) backwards compatibility was considered and then removed. So no, to use this, you will need to wait for stable and/or bugfix release to use in production
> 3) the new cloud works much faster, so the precision will be better - this is for setups where you cannot run NTP/SNTP or don't need the time so precise. This is enabled by default to get some, any time for logs where a user could benefit from seeing a time of occurrence. The moment you get NTP/SNTP time IP-cloud time service stops even if enabled.
> 4) it is not possible to send fake updates to the IP-cloud. To the IP-cloud your router is unique.
> 5) CHR - it is complicated. There is a lot of things that have to be resolved for this to become a reality.
> > I use this feature only to locate MikroTik routers I have installed that don’t have static IP addresses.
> this is the intended use - you are our target audience for the IP-cloud's DDNS feature
> > Will we get IPv6 Support?
> Yes.
ok, thanks..
> Huh?
Literal translation: "Suck this".
> @janisk: I have multiple Clients with IKEv2 Server with RSA (Certificates). Those Certificates are made with ddns hostname (7dgfdghgssaa1.sn.mynetname.net) from IP Cloud. Will the hostname remain the same? If not I have a big problem since I have to reissue all certificates to users on multiple sites.
You can avoid the reissue problem by creating a CNAME, with the old name, pointing to the new one. Not ideal, I agree, but keeps You from reissuing the certificates.
> > @janisk: I have multiple Clients with IKEv2 Server with RSA (Certificates). Those Certificates are made with ddns hostname (7dgfdghgssaa1.sn.mynetname.net) from IP Cloud. Will the hostname remain the same? If not I have a big problem since I have to reissue all certificates to users on multiple sites.
> You can avoid the reissue problem by creating a CNAME, with the old name, pointing to the new one. Not ideal, I agree, but keeps You from reissuing the certificates.
I don’t understand the solution. Certainly the administrator of mynetname.net could do that, but that’s not him.
> @janisk: I have multiple Clients with IKEv2 Server with RSA (Certificates). Those Certificates are made with ddns hostname (7dgfdghgssaa1.sn.mynetname.net) from IP Cloud. Will the hostname remain the same? If not I have a big problem since I have to reissue all certificates to users on multiple sites.
> You can avoid the reissue problem by creating a CNAME, with the old name, pointing to the new one. Not ideal, I agree, but keeps You from reissuing the certificates.
> I don’t understand the solution. Certainly the administrator of mynetname.net could do that, but that’s not him.
As pointed out it is not possible to add a CNAME for domain that is not mine.
> @janisk: I have multiple Clients with IKEv2 Server with RSA (Certificates). Those Certificates are made with ddns hostname (7dgfdghgssaa1.sn.mynetname.net) from IP Cloud. Will the hostname remain the same? If not I have a big problem since I have to reissue all certificates to users on multiple sites.
The hostnames will be the same for the same router. Do not worry about that.
my.domain.example. IN CNAME 7dgfdghgssaa1.sn.mynetname.net.
> When you have your own DNS, why would you bother with something like "IP cloud"? You can make the router update your own DNS directly.
> The usability of something like "IP cloud" is for those that want something like this without doing the work themselves.
it is all about ease of use. Just check the box and you got your static FQDN for your router. Got your own DNS server, use those DNS names for CNAMEs.
> Actually this would put the mikrotik in the middleman role. It has to be considered as unsafe. I understand that some people do not care about it, but I rather build my own management network instead of rely on services that I cannot control and that can do whatever I do not know what above what they promote.
Me too, but that is why I don't use IP cloud and probably you don't use it either. But, I can understand why a service like that would be worthwhile, considering the vulnerability problems we have seen lately.
> When you have your own DNS, why would you bother with something like "IP cloud"?
Because there's difference between "domain with DNS servers under your control" and "domain with DNS hosted somewhere else". If you have own servers, you don't need MikroTik's DDNS (even though it might still be easier for some to use it, as it's just one click away). But with hosted DNS (e.g. offered by domain registrar as free bonus with domain), there's often no automated access and all changes have to be made manually in some web interface. That's where CNAME is the right solution.
> > > @janisk: I have multiple Clients with IKEv2 Server with RSA (Certificates). Those Certificates are made with ddns hostname (7dgfdghgssaa1.sn.mynetname.net) from IP Cloud. Will the hostname remain the same? If not I have a big problem since I have to reissue all certificates to users on multiple sites.
> > You can avoid the reissue problem by creating a CNAME, with the old name, pointing to the new one. Not ideal, I agree, but keeps You from reissuing the certificates.
> I don’t understand the solution. Certainly the administrator of mynetname.net could do that, but that’s not him.
My mistake - I misread the domain: thought it were his own.
> The hostnames will be the same for the same router. Do not worry about that.
> The domain name will always be tied to the serial number of the router. If you are going to change routers - then you better create on your own DNS server CNAME entry that points to the <SN>.sn.mynetname.net FQDN. It will not be possible to assign your 7dgfdghgssaa1.sn.mynetname.net to another router.
Thanks Janisk for the confirmation, that everything would stay the same only better (in my case .. no pun intended).
> Actually this would put the mikrotik in the middleman role. It has to be considered as unsafe. I understand that some people do not care about it, but I rather build my own management network instead of rely on services that I cannot control and that can do whatever I do not know what above what they promote.
While you find some feature not so useful to yourself and relentlessly bash them - consider that there are other features made by RouterOS developer team that you are using. This one particular - IP-Cloud - is touted by you as very unsafe and understandably so - MikroTik hasn't disclosed information - but from time to time your posts look like just bashing.
> - when used without VPN, it requires the admin interface (winbox, ssh, webfig) to be exposed on internet, which is quite dangerous.
Isn't the same with dyndns, noip or your own ddns server?
> - when used without VPN, it requires the admin interface (winbox, ssh, webfig) to be exposed on internet, which is quite dangerous.
> To have such remote support of customer routers, at least you should config a VPN service which you can connect via the DNS name (SSTP, L2TP/IPsec, OVPN).
> Or, setup some "port knocking" firewall.
But I (and many others, I think) use it exactly to be able to connect at my house VPN!
> Are we still talking about this?
> viewtopic.php?p=669439#p669439
It would be nice when that was part of IPcloud, but as long as it isn't you need to setup your own VPN or other security solution.
> > Are we still talking about this?
> > viewtopic.php?p=669439#p669439
> It would be nice when that was part of IPcloud, but as long as it isn't you need to setup your own VPN or other security solution.
> I'm afraid many of the users who claim to have benefit from the IPcloud DDNS are not aware of that and just connect directly to the DNS name using Winbox.
> (after having modified the firewall to make that work)
There isn't a solution to this problem: we can't make a knife that will cut meat but not your fingers. The tool exists - it's up to the user to learn it.
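The exposure discussed in the posts above (Winbox, SSH or WebFig reachable from the internet after the firewall was opened so the DDNS name could be used directly) can be checked from a configuration export. This is an added example, not part of the thread and not MikroTik code: a Python audit of `/ip firewall filter export` text, where the sample export is constructed, the ports are the RouterOS service defaults, and rule ordering, negated port lists and `\` line continuations are not evaluated.

```python
import shlex

# RouterOS default service ports for the management interfaces named in the thread.
MGMT_PORTS = {22: "ssh", 80: "webfig", 443: "webfig-ssl", 8291: "winbox"}
# Matchers that limit who can reach a rule; a rule carrying one is not open to everyone.
SOURCE_LIMITS = ("src-address", "src-address-list", "in-interface", "in-interface-list")

# Constructed sample of `/ip firewall filter export` output (not from the thread).
SAMPLE_EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input comment="remote winbox" dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=22,8291 protocol=tcp src-address-list=mgmt
add action=accept chain=input dst-port=8000-8300 protocol=tcp
add action=drop chain=input in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
"""

def parse_ports(spec):
    """Expand a dst-port value such as '22,8000-8300' into a set of ints."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def exposed_mgmt_rules(export_text):
    """Return [(position, [services])] for unrestricted input accepts of a management port."""
    findings, in_filter, pos = [], False, -1
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):                      # a menu path starts a new section
            in_filter = line == "/ip firewall filter"
            continue
        if not in_filter or not line.startswith("add "):
            continue
        pos += 1                                      # 0-based position in the export
        rule = dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:])
        if rule.get("disabled") == "yes" or rule.get("chain") != "input":
            continue
        if rule.get("action", "accept") != "accept" or rule.get("protocol") != "tcp":
            continue
        spec = rule.get("dst-port", "")
        if not spec or spec.startswith("!") or any(k in rule for k in SOURCE_LIMITS):
            continue                                  # negated port lists are not analysed
        hit = parse_ports(spec) & set(MGMT_PORTS)
        if hit:
            findings.append((pos, sorted(MGMT_PORTS[p] for p in hit)))
    return findings

if __name__ == "__main__":
    for pos, services in exposed_mgmt_rules(SAMPLE_EXPORT):
        print(f"rule {pos}: {', '.join(services)} reachable from any source")
```

A flagged rule is a candidate for a `src-address-list` restriction or for replacement by the VPN or port-knocking setups suggested in the thread.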
> There isn't a solution to this problem: we can't make a knife that will cut meat but not your fingers. The tool exists - it's up to the user to learn it.
The advantage of a VPN integrated with IP cloud would be that it could also work on routers that are behind NAT, either CGNAT or a local ISP router.
> > There isn't a solution to this problem: we can't make a knife that will cut meat but not your fingers. The tool exists - it's up to the user to learn it.
> The advantage of a VPN integrated with IP cloud would be that it could also work on routers that are behind NAT, either CGNAT or a local ISP router.
> Also, IP cloud appears to be in the "one click solution without too much learning" area so it would never hurt to have such features in it.
> Of course I would not use this feature - in fact most of the routers I manage do true routing, not some form of NAT, and are not directly connected to internet. I can manage them over the "local" network. But I see an opportunity here to add some value.
I'd hate to see a solution that used a third-party network, besides my own. Also, it's a can of worms: all that GDPR compliance and whatnot. We already have several VPNs to choose from, and OpenVPN is quite NAT friendly. Not the eight wonderful, being TCP, but more than enough to administration purposes.
> Free dyndns per device. What more can u ask
Well some sort of control and completely brand agnostic solution... Not to say there are hundreds of more important features requests than IP Cloud or Kids Control viewtopic.php?f=1&t=45934 to tackle first and clearly most of them cannot be replaced by a less than 10 lines script or by an existing component supporting an established standard !
> > Actually this would put the mikrotik in the middleman role. It has to be considered as unsafe. I understand that some people do not care about it, but I rather build my own management network instead of rely on services that I cannot control and that can do whatever I do not know what above what they promote.
> While you find some feature not so useful to yourself and relentlessly bash them - consider that there are other features made by RouterOS developer team that you are using. This one particular - IP-Cloud - is touted by you as very unsafe and understandably so - MikroTik hasn't disclosed information - but from time to time your posts look like just bashing.
> On a brighter note - there are new features in testing, new features in the development and one feature that just came out of testing and is included in new RC - IPv6 support.
> this is what "IPv6 support" entails -
> *) DNS requests via IPV6
> *) IP-Cloud services (DDNS update, timezone) via IPv6
> *) AAAA support for *.ns.mynetname.net domains
> For now - there is only AAAA OR A entry support. Due to nature of RouterOS - if you have a dual-stack router and want the IP-Cloud address to be IPv6 you have to force it via /ip dns static entry - add cloud2.mikrotik.com with these IPv6 addresses 20a2:610:7501:4000::251 and 2a02:610:7501:1000::201
While you're doing this DNS stuff, is there any chance that conditional-forwarders might be added into the RouterOS DNS resolver? i.e. relay any requests for company.local to 192.168.1.1, for a branch office scenario?
coming to the router near you soon:
$ host <serial>.sn.mynetname.net
<serial>.sn.mynetname.net has address 192.168.88.1
<serial>.sn.mynetname.net has IPv6 address 2001:db8:1337:beef::ada
> Will it be available for x86 router soon?
I am also looking forward to have support in x86
> > Will it be available for x86 router soon?
> I am also looking forward to have support in x86
I hear mumbles of CHR being available from 6.43 so there could quite possibly be x86 implementation.
> Currently is easy to make a brute force search for mikrotik devices using the cloud service as the names follow a simple pattern and is just a DNS query.
The serial number consists of 12 hexadecimal characters.
> yes, 1 file slot per router and it is free for all the platforms that can use IP Cloud
will there maybe an API we could use to interact with the backup file?
> Really? Everyone wants to have a supersecured router and you would give all your login details to a cloud?
It certainly has some applications. I have been suggesting a management VPN to be part of IP cloud as well.
> You think there is any chance in the future to support multi-wan setups? One option is to prepend or append the interface number to the dyndns hostname?
> pppoe-out1 = xxxxx-1.sn.mynetname.net
> pppoe-out2 = xxxxx-2.sn.mynetname.net
This! We need to be able to monitor backup connections that have dynamic IP.
> > You think there is any chance in the future to support multi-wan setups? One option is to prepend or append the interface number to the dyndns hostname?
> > pppoe-out1 = xxxxx-1.sn.mynetname.net
> > pppoe-out2 = xxxxx-2.sn.mynetname.net
> This! We need to be able to monitor backup connections that have dynamic IP.
It's a "free" service. I think that is useful as it works actually. And U can manipulate from which link ddns works on it.
> > > You think there is any chance in the future to support multi-wan setups? One option is to prepend or append the interface number to the dyndns hostname?
> > > pppoe-out1 = xxxxx-1.sn.mynetname.net
> > > pppoe-out2 = xxxxx-2.sn.mynetname.net
> > This! We need to be able to monitor backup connections that have dynamic IP.
> It's a "free" service. I think that is useful as it works actually. And U can manipulate from which link ddns works on it.
Hello,