MikroTik

We have improved old IP Cloud backend, that will continue to serve older RouterOS versions.

Hi Janisk, thanks!
If my default setup does not allow external access to winbox, (or entire input chain) there is no security risk in using IP cloud correct?
It simply is an effective way to point to our external public WANIP (especially for those that need to connect to devices behind the router)?

It will assign FQDN to IP address of your router. In RouterOS 6.43 or newer - it will have both A and Quad A entry maintained by the router (if both v4 and v6 connections can reach our backend).

We have improved old IP Cloud backend, that will continue to serve older RouterOS versions.

1) Upgrading/downgrading between RouterOS versions with old or new IP Cloud does not need any extra attention. No more disabling/enabling the service.
2) New IP Cloud address for cloud.mikrotik.com - 159.148.147.229
3) The old IP address (81.198.87.240) will continue to work for hosts, but routers with working /ip dns configuration will work with the new IP address.

Hello Janisk,

Is it possible to contact me via pm? I have a important Question to the Cloud function of the mirkotik that i don't wont to discuss in public.

Hello Janisk,

Is it possible to contact me via pm? I have a important Question to the Cloud function of the mirkotik that i don't wont to discuss in public.

support@mikrotik.com

.. responding time: 10 Weeks if you write on this address….

IP Cloud is made so that it does not pose a security threat. It will assign FQDN to IP address of your router. In RouterOS 6.43 or newer - it will have both A and Quad A entry maintained by the router (if both v4 and v6 connections can reach our backend).

/ping <mysn>.sn.mynetname.net interface=sit1

.. responding time: 10 Weeks if you write on this address….

mikrotik.com

You mean, local_address being "washington-street-bld-123-office-57a"?

Hello,

I am using Mikrotik on the vessels behind satellite modem with very limited data usage such as 50Mbyte per month. So each MBbye cost the customers extra US$s. We just allow e-mail IPs on the firewall
I have seen on satellite POP, we have a lot of request from our satellite modem to 81.198.87.240 and 159.148.147.229. I saw that these are Mikrotik Cloud IPs. I have disabled Cloud and DNS service on the unit. But it still send reqauest to those IPs. I have added rules to IP firewall rules but it is still happening.
How can I stop these requests or block these IPs on the Routerboard?

/ip firewall address-list
add address=81.198.87.240 list=ipCLOUD
add address=159.148.147.229 list=ipCLOUD
/ip firewall filter
add action=drop chain=output dst-address-list=ipCLOUD place-before=1
add action=drop chain=forward dst-address-list=ipCLOUD place-before=1
/ip dns cache flush

I tested with an option Use IP Local Address but being with CGNAT but only returns the Public IP.

Code: Select all

[admin@MikroTik] /ip cloud> print 
          ddns-enabled: yes
  ddns-update-interval: none
           update-time: yes
        public-address: 82.x.x.x
              dns-name: 757bxxxxxxxx.sn.mynetname.net
                status: updated

It displays public address, but will return local address in actual lookup.

Code: Select all

C:\>nslookup 757bxxxxxxxx.sn.mynetname.net
Non-authoritative answer:
Name:    757bxxxxxxxx.sn.mynetname.net
Address:  192.168.88.x

(6.45beta20)

Code: Select all

/ip firewall address-list
add address=81.198.87.240 list=ipCLOUD
add address=159.148.147.229 list=ipCLOUD
/ip firewall filter
add action=drop chain=output dst-address-list=ipCLOUD place-before=1
add action=drop chain=forward dst-address-list=ipCLOUD place-before=1
/ip dns cache flush

That should block devices inside the network for reaching IPCloud
It will also force the router to dump connection attempts to IPCloud

IP Cloud services include:
Time-zone detection, that is enabled by default.

[user@router] > /system clock print 
                  time: 00:50:19
                  date: apr/19/2019
  time-zone-autodetect: yes
        time-zone-name: Europe/Tallinn
            gmt-offset: +03:00
            dst-active: yes

we do update the database regularly, so in most cases, this should be correct. Maybe sometime later it will clear the issue. Also, for the detection the IP address you are communicating with the server is used. As a result, if you use tunnels it might guess incorrectly.

nichky: do your outgoing interface have a local IP address? If not, even if you set - use-local-address it will bind to the outgoing IP address as used by the kernel to create a connection.

of course it does, so my ether1 has public interface and my outgoing interface has local ip. You can see from my picture above.

of course it does, so my ether1 has public interface and my outgoing interface has local ip. You can see from my picture above.

There is no interfaces and local IPs on your picture. Probably you're talking about some other picture?

@AlexRodac: You can't do much. "IP Cloud" is just fancy name for Dynamic DNS. It helps if you have public dynamic IP - that means real world routable IP which can randomly change anytime. Everytime IP changes, mikrotik will update the DNS entry and point the same unique domain name to the new IP.
Without public IP you have no way to connect to your device from rest of the world. There are only two options which may not be suitable for you:
1) use port forwarding to poke a hole through the nat (pretty sure impossible in your case, because you do not manage ISP's routers which are doing the NAT)
2) have a VM in cloud or somewhere else, with a public IP. Then you can set it as a VPN server. Your router will connect to it as a client (which will make a tunnel through the NAT) and then you can forward the data from public IP to your router. (or even better - you connect through the VPN as well and that way you have secure access to your router or even whole LAN from all around the world)

they can deprecate anytime support for version older than 6.43, why would anyone care about those with so many security issues in them anyway?

Found the answer. The option "ip cloud" is not supported on x86 due to the inability to verify hardware reliably.

The DNS is assigned to valid serial numbers, for X86, we have no way of reliably identify the hardware.

ddns-update-interval (time, minimum 60 seconds; Default: none) - If set DDNS will attempt to connect IP Cloud servers at the set interval. If set to none it will continue to internally check IP address update and connect to IP Cloud servers as needed. Useful if IP address used is not on the router itself and thus, cannot be checked as a value internal to the router.

It should be an outgoing connection AFAIK, there's nothing input to it.

add action=drop chain=input comment="Block WAN connections to router" 
    in-interface=pppoe-out1 log=yes src-address-list=!allow