Wolfganstein
just joined
Topic Author
Posts: 3
Joined: Thu Nov 26, 2020 6:51 pm

Very frequent cloud.mikrotik.com activity

Thu Nov 26, 2020 7:06 pm

Good day,
I have noticed some curious activity recently when logging into my pihole to update some blocklists. In particular, frequent cloud.mikrotik.com lookups - as many as four in a single second - every few minutes. I have an RB4011iGS+5HacQ2HnD and did not notice this behavior a couple of weeks ago when reviewing query logs. The only changes to the network since then have been swapping out a cisco ATA for ooma and disabling port bonding as it seemed to cause intermittent but major slowdowns to internet connectivity (would slow to ~3Mbps at times). I do not use any of the cloud routing features mikrotik provides, at least not intentionally.
Apologies if this is lacking in useful information, I am an inexperienced user. It may be nothing worth concern but I could not find any information other than that "older mikrotik devices may use cloud.mikrotik.com" for cloud services on the wiki, which I would think my equipment would use cloud2.mikrotik.com as it is newer? This is the only active mikrotik device on the network aside from two Mikrotik gigabit homeplug adapters.
Any and all help would be much appreciated.
Thank you.
 
erkexzcx
Member Candidate
Posts: 263
Joined: Mon Oct 07, 2019 11:42 pm

Re: Very frequent cloud.mikrotik.com activity

Fri Nov 27, 2020 4:27 pm

https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

DDNS or Dynamic DNS is a service that updates the IPv4 address for A records and the IPv6 address for AAAA records periodically. Such a service is very useful when your ISP has provided a dynamic IP address that changes periodically, but you always need an address that you can use to connect to your device remotely.
 
Wolfganstein
just joined
Topic Author
Posts: 3
Joined: Thu Nov 26, 2020 6:51 pm

Re: Very frequent cloud.mikrotik.com activity

Fri Nov 27, 2020 5:34 pm

Thank you for the information. Dynamic DNS has never been enabled and I have never had need of the remote connection capability. Should it still be making those connections when all the options in IP/Cloud are unchecked? Including my config:
# nov/26/2020 12:00:07 by RouterOS 6.47.8
# software id = 0N1T-537Y
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D43B0CAD7AA8
/interface bridge
add admin-mac=48:8F:5A:69:09:83 auto-mac=no comment=defconf dhcp-snooping=yes \
    igmp-snooping=yes mtu=1500 name=bridge protocol-mode=none
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-g/n basic-rates-a/g=54Mbps \
    basic-rates-b="" channel-width=20/40mhz-XX country="united states" \
    disabled=no distance=indoors frequency=auto installation=indoor l2mtu=\
    1590 mode=ap-bridge multicast-helper=full scan-list=default,5200-5300 \
    ssid=DJJ1 supported-rates-a/g=54Mbps supported-rates-b="" \
    wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether10 ] poe-out=off
/interface wireless nstreme
set wlan2 enable-polling=no
/interface bonding
add disabled=yes mode=active-backup name=bonding1 primary=ether1 slaves=\
    ether1,ether2
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes \
    eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=5G \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac basic-rates-a/g=54Mbps \
    channel-width=20/40mhz-Ce country="united states" disabled=no distance=\
    indoors frequency=auto installation=indoor l2mtu=1590 mode=ap-bridge \
    multicast-helper=full security-profile=5G ssid=DJJ2 supported-rates-a/g=\
    54Mbps vht-basic-mcs="" vht-supported-mcs="" wireless-protocol=802.11 \
    wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
set wlan1 enable-polling=no
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.254
add name=pool1 ranges=10.0.0.3-10.0.0.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp bootp-lease-time=lease-time bootp-support=\
    dynamic disabled=no interface=bridge lease-time=2h10m name=dhcp1
add add-arp=yes address-pool=pool1 bootp-support=none interface=bonding1 \
    name=server1
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
/queue type
set 1 kind=sfq
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
set ether6 queue=ethernet-default
set ether7 queue=ethernet-default
set ether8 queue=ethernet-default
set ether9 queue=ethernet-default
set ether10 queue=ethernet-default
/snmp community
set [ find default=yes ] addresses=::/0,0.0.0.0/0
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether2
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add disabled=yes interface=bonding1 list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=\
    192.168.99.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
add interface=ether1 use-peer-dns=no
add add-default-route=no interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server lease
add address=10.0.0.234 client-id=1:0:b:82:d1:fd:e5 mac-address=\
    00:0B:82:D1:FD:E5 server=dhcp1
add address=10.0.0.205 client-id=1:0:e0:4c:68:1:3a mac-address=\
    00:E0:4C:68:01:3A server=dhcp1
add address=10.0.0.13 mac-address=00:18:61:44:B8:6D server=dhcp1
add address=10.0.0.222 mac-address=AA:9F:EC:07:84:F7 server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf dns-server=10.0.0.205 \
    gateway=10.0.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.0.0.205
/ip dns static
add address=10.0.0.1 comment=defconf name=router.lan
add address=10.0.0.205 name=pidns
/ip firewall address-list
add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 documentation" list=\
    bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 reserved" list=bad_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 benchmark" list=\
    not_global_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=bad_src_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=224.0.0.0/4 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=192.168.99.229 list=pidns
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=fasttrack-connection chain=forward disabled=yes src-address=\
    10.0.0.205
add action=fasttrack-connection chain=forward disabled=yes dst-address=\
    10.0.0.205
add action=fasttrack-connection chain=forward disabled=yes port=5060 \
    protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=reject chain=input dst-port=53 in-interface-list=WAN protocol=tcp \
    reject-with=tcp-reset
add action=reject chain=input dst-port=53 in-interface-list=WAN protocol=udp \
    reject-with=icmp-port-unreachable
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
/ip firewall mangle
add action=fasttrack-connection chain=forward in-interface-list=LAN
add action=fasttrack-connection chain=output
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface=bonding1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat comment="modem access" disabled=yes \
    dst-address=10.0.0.0/24 out-interface=bonding1
add action=dst-nat chain=dstnat dst-address=!10.0.0.205 dst-port=53 \
    in-interface-list=!WAN protocol=udp src-address=!10.0.0.205 \
    to-addresses=10.0.0.205
add action=dst-nat chain=dstnat dst-address=!10.0.0.205 dst-port=53 \
    in-interface-list=!WAN protocol=tcp src-address=!10.0.0.205 \
    to-addresses=10.0.0.205
add action=masquerade chain=srcnat dst-address=10.0.0.205 dst-port=53 \
    protocol=udp src-address=10.0.0.0/24
add action=masquerade chain=srcnat dst-address=10.0.0.205 dst-port=53 \
    protocol=tcp src-address=10.0.0.0/24
add action=dst-nat chain=dstnat disabled=yes in-interface=bonding1 protocol=\
    tcp src-port=5060 to-addresses=10.0.0.234
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 in-interface=\
    bonding1 protocol=tcp to-addresses=10.0.0.234
/ip firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
    dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=\
    udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_dst_ipv4
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment=\
    "defconf: drop forward to local lan from WAN" dst-address=10.0.0.0/24 \
    in-interface-list=WAN
add action=drop chain=prerouting comment=\
    "defconf: drop local if not from default IP range" in-interface-list=LAN \
    src-address=!192.168.99.0/24
add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 \
    protocol=udp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" \
    jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" \
    jump-target=bad_tcp protocol=tcp
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment=defconf protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 \
    protocol=tcp
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 \
    limit=5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: net unreachable" \
    icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" \
    icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" \
    icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" \
    icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: echo" icmp-options=8:0 limit=\
    5,10:packet protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded " icmp-options=\
    11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop other icmp" protocol=icmp
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set disabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add disabled=yes interface=ether1 type=external
add disabled=yes interface=ether2 type=external
add disabled=yes interface=ether3 type=internal
add disabled=yes interface=ether4 type=internal
add disabled=yes interface=ether5 type=internal
add disabled=yes interface=ether6 type=internal
add disabled=yes interface=ether7 type=internal
add disabled=yes interface=ether8 type=internal
add disabled=yes interface=ether9 type=internal
add disabled=yes interface=ether10 type=internal
add interface=bonding1 type=external
/system clock
set time-zone-name=America/New_York
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool netwatch
add down-script="/ip dbs set servers=9.9.9.9" host=10.0.0.205 interval=\
    15s up-script="/ip dns set servers=10.0.0.205\r\
    \n/ip dns cache flush"
/tool user-manager database
set db-path=user-manager
Any enlightenment would be appreciated. Thank you.
 
tdw
Forum Guru
Posts: 1847
Joined: Sat May 05, 2018 11:55 am

Re: Very frequent cloud.mikrotik.com activity  [SOLVED]

Fri Nov 27, 2020 5:56 pm

The detect-internet function also uses the Mikrotik cloud servers. From various posts it seemed to cause more trouble than it is worth; you could disable it as the ports are already manually assigned to the LAN & WAN interface lists.
 
Wolfganstein
just joined
Topic Author
Posts: 3
Joined: Thu Nov 26, 2020 6:51 pm

Re: Very frequent cloud.mikrotik.com activity

Sat Nov 28, 2020 6:37 am

The detect-internet function also uses the Mikrotik cloud servers. From various posts it seemed to cause more trouble than it is worth; you could disable it as the ports are already manually assigned to the LAN & WAN interface lists.
I did not realize this. It appears this has resolved the issue. Thank you very much.
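
An added example, not part of any post in this thread: a Python check that reads a RouterOS export like the one posted above and reports the settings associated with cloud.mikrotik.com contact, namely detect-internet (the cause identified in the solved reply) and IP Cloud DDNS. The sample export is constructed from the thread's values, the function names are hypothetical, and a missing detect-internet section is assumed to mean the feature is off.

```python
import re

# Constructed sample: the two relevant sections of a RouterOS 6.x export,
# using the values shown in the thread's config.
SAMPLE_EXPORT = """\
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\\
    LAN wan-interface-list=WAN
/ip cloud
set update-time=no
"""


def parse_export(text):
    """Map each menu path to the key=value pairs of its command lines."""
    # The export wraps long lines with a trailing backslash and indents the
    # continuation; join them before parsing.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    menus, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current is not None:
            pairs = re.findall(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)', line)
            menus[current].append({k: v.strip('"') for k, v in pairs})
    return menus


def cloud_contact_findings(text):
    """Report exported settings associated with cloud.mikrotik.com traffic."""
    menus = parse_export(text)
    findings = []
    for cmd in menus.get("/interface detect-internet", []):
        # Assumption: no section, or detect-interface-list=none, means off.
        iface_list = cmd.get("detect-interface-list", "none")
        if iface_list != "none":
            findings.append(
                f"detect-internet is active on interface list '{iface_list}'; "
                "disable with: /interface detect-internet set detect-interface-list=none"
            )
    for cmd in menus.get("/ip cloud", []):
        if cmd.get("ddns-enabled") == "yes":
            findings.append("IP Cloud DDNS is enabled (ddns-enabled=yes)")
    return findings


if __name__ == "__main__":
    for finding in cloud_contact_findings(SAMPLE_EXPORT):
        print(finding)
```

Run against the export from this thread, the only finding is the detect-internet entry, which matches the fix that resolved the lookups.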
