We have improved old IP Cloud backend, that will continue to serve older RouterOS versions.
IP Cloud is made so that it does not pose a security threat. It will assign FQDN to IP address of your router. In RouterOS 6.43 or newer - it will have both A and Quad A entry maintained by the router (if both v4 and v6 connections can reach our backend).
Hi Janisk, thanks!
If my default setup does not allow external access to winbox, (or entire input chain) there is no security risk in using IP cloud correct?
It simply is an effective way to point to our external public WANIP (especially for those that need to connect to devices behind the router)?
It will assign FQDN to IP address of your router. In RouterOS 6.43 or newer - it will have both A and Quad A entry maintained by the router (if both v4 and v6 connections can reach our backend).
We have improved old IP Cloud backend, that will continue to serve older RouterOS versions.
1) Upgrading/downgrading between RouterOS versions with old or new IP Cloud does not need any extra attention. No more disabling/enabling the service.
2) New IP Cloud address for cloud.mikrotik.com - 159.148.147.229
3) The old IP address (81.198.87.240) will continue to work for hosts, but routers with working /ip dns configuration will work with the new IP address.
support@mikrotik.com
Hello Janisk,
Is it possible to contact me via PM? I have an important question about the Cloud function of the MikroTik that I don't want to discuss in public.
PM response time: never, as they are disabled on this forum.. responding time: 10 Weeks if you write on this address….
IP Cloud is made so that it does not pose a security threat. It will assign FQDN to IP address of your router. In RouterOS 6.43 or newer - it will have both A and Quad A entry maintained by the router (if both v4 and v6 connections can reach our backend).
There is a clear problem not being able to address different names for IPv4 and IPv6 addresses. My router in London, for instance, is under a provider that has CGNAT for IPv4 but gives a /56 of IPv6 addresses. As it is currently, for the other Mikrotik routers the name is useless, as the IPv4 address is non-functional, while the IPv6 is perfectly reachable. Not even in the tunneled machines can I say
/ping <mysn>.sn.mynetname.net interface=sit1
Contact via support@mikrotik.com.. responding time: 10 Weeks if you write on this address….
mikrotik.com
You mean, local_address being "washington-street-bld-123-office-57a"?
Hello,
I am using Mikrotik on the vessels behind satellite modem with very limited data usage such as 50Mbyte per month. So each MByte costs the customers extra US$s. We just allow e-mail IPs on the firewall.
I have seen on satellite POP, we have a lot of requests from our satellite modem to 81.198.87.240 and 159.148.147.229. I saw that these are Mikrotik Cloud IPs. I have disabled Cloud and DNS service on the unit. But it still sends requests to those IPs. I have added rules to IP firewall rules but it is still happening.
How can I stop these requests or block these IPs on the Routerboard?
/ip firewall address-list
add address=81.198.87.240 list=ipCLOUD
add address=159.148.147.229 list=ipCLOUD
/ip firewall filter
add action=drop chain=output dst-address-list=ipCLOUD place-before=1
add action=drop chain=forward dst-address-list=ipCLOUD place-before=1
/ip dns cache flush
I tested with an option Use IP Local Address but being with CGNAT but only returns the Public IP.
[admin@MikroTik] /ip cloud> print
ddns-enabled: yes
ddns-update-interval: none
update-time: yes
public-address: 82.x.x.x
dns-name: 757bxxxxxxxx.sn.mynetname.net
status: updated
C:\>nslookup 757bxxxxxxxx.sn.mynetname.net
Non-authoritative answer:
Name: 757bxxxxxxxx.sn.mynetname.net
Address: 192.168.88.x
It doesn't come on my side
It displays public address, but will return local address in actual lookup.
(6.45beta20)
While outright cutting at the firewall works beautifully. Sometimes knowing what uses what is better.
That should block devices inside the network for reaching IPCloud
It will also force the router to dump connection attempts to IPCloud
And fails spectacularly when I'm in London, systematically thinking that I'm in Europe/Tallinn:
IP Cloud services include:
Time-zone detection, that is enabled by default.
[user@router] > /system clock print
time: 00:50:19
date: apr/19/2019
time-zone-autodetect: yes
time-zone-name: Europe/Tallinn
gmt-offset: +03:00
dst-active: yes
of course it does, so my ether1 has public interface and my outgoing interface has local ip. You can see from my picture above. When I do nslookup I'm getting my public ip. Maybe I'm doing something wrong, or..
we do update the database regularly, so in most cases, this should be correct. Maybe sometime later it will clear the issue. Also, for the detection the IP address you are communicating with the server is used. As a result, if you use tunnels it might guess incorrectly.
nichky: does your outgoing interface have a local IP address? If not, even if you set - use-local-address it will bind to the outgoing IP address as used by the kernel to create a connection.
There is no interfaces and local IPs on your picture. Probably you're talking about some other picture?
okay, so on ether1 is terminated pppoe connection.
/ip cloud print
ddns-enabled: yes
ddns-update-interval: 1m
update-time: yes
public-address: 201.27.181.165
public-address-ipv6: 2804:431:b799:39ca::8
dns-name: axxxxxxxxxxx.sn.mynetname.net
status: updated
/ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2804:431:c7f2:df3f::/64 pool-ipv6 bridge yes
[admin@RuthMikroTik] /ip cloud> print
ddns-enabled: yes
ddns-update-interval: none
update-time: yes
[admin@RuthMikroTik] /ip cloud>
[admin@MikroTik] > /ip cloud print
ddns-enabled: yes
ddns-update-interval: 3m
update-time: yes
dns-name: d12XXXXXXda71.sn.mynetname.net
status: updating...
[admin@MikroTik] > /ip cloud advanced print
use-local-address: yes
$ curl icanhazip.com
Thanks for your answer
@AlexRodac: You can't do much. "IP Cloud" is just fancy name for Dynamic DNS. It helps if you have public dynamic IP - that means real world routable IP which can randomly change anytime. Every time IP changes, mikrotik will update the DNS entry and point the same unique domain name to the new IP.
Without public IP you have no way to connect to your device from rest of the world. There are only two options which may not be suitable for you:
1) use port forwarding to poke a hole through the nat (pretty sure impossible in your case, because you do not manage ISP's routers which are doing the NAT)
2) have a VM in cloud or somewhere else, with a public IP. Then you can set it as a VPN server. Your router will connect to it as a client (which will make a tunnel through the NAT) and then you can forward the data from public IP to your router. (or even better - you connect through the VPN as well and that way you have secure access to your router or even whole LAN from all around the world)
Because when you try to take a look at an old system that was installed in 2014 and last touched in 2018... knowing that IP cloud(1) has been deprecated would be helpful.
they can deprecate anytime support for version older than 6.43, why would anyone care about those with so many security issues in them anyway?
Found the answer. The option "ip cloud" is not supported on x86 due to the inability to verify hardware reliably.
The DNS is assigned to valid serial numbers, for X86, we have no way of reliably identify the hardware.
Does that answer your question?
ddns-update-interval (time, minimum 60 seconds; Default: none) - If set DDNS will attempt to connect IP Cloud servers at the set interval. If set to none it will continue to internally check IP address update and connect to IP Cloud servers as needed. Useful if IP address used is not on the router itself and thus, cannot be checked as a value internal to the router.
So I did a little bit more digging. It turned out to be this firewall rule that was causing my issue
It should be an outgoing connection AFAIK, there's nothing input to it.
add action=drop chain=input comment="Block WAN connections to router" \
    in-interface=pppoe-out1 log=yes src-address-list=!allow
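The mismatch reported earlier in the thread (the `/ip cloud print` output shows a public address while the name resolves to a 192.168.88.x address, and CGNAT leaves the IPv4 record unusable) can be checked offline with a short script. This is an added example, not code from the thread or from MikroTik; the function names are hypothetical and the sample output uses constructed documentation addresses.

```python
import ipaddress

# Ranges that are never reachable from the internet (RFC 1918, RFC 6598 CGNAT).
NON_ROUTABLE = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "cgnat": ["100.64.0.0/10"],
}

def parse_cloud_print(text):
    """Parse the 'key: value' lines of /ip cloud print output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and " " not in key:  # skips the prompt line and free text
            fields[key] = value.strip()
    return fields

def classify(addr):
    """Return 'rfc1918', 'cgnat', 'ipv6-local' or 'public' for an address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return "public" if ip.is_global else "ipv6-local"
    for label, nets in NON_ROUTABLE.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def audit(cloud_print, resolved):
    """Compare what the router reports with what the DNS name resolves to."""
    fields = parse_cloud_print(cloud_print)
    shown = (fields.get("public-address"), fields.get("public-address-ipv6"))
    findings = []
    for addr in resolved:
        kind = classify(addr)
        if kind != "public":
            findings.append(f"{fields.get('dns-name')} publishes {kind} address {addr}")
        elif addr not in shown:
            findings.append(f"{addr} differs from the address shown by the router")
    return findings

# Constructed sample: 203.0.113.7 stands in for a public address.
SAMPLE = """[admin@MikroTik] /ip cloud> print
ddns-enabled: yes
ddns-update-interval: none
public-address: 203.0.113.7
dns-name: 0123456789ab.sn.mynetname.net
status: updated"""
```

Pass `audit` the pasted print output and the addresses returned by a lookup of the DNS name; an empty list means the published records match the router's view and are routable.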