RouterOS Experts - How to setup inbound access + DDNS

[TedLasso]

Hi,

I am normally good with firewalls, but this Mikrotik RouterOS is driving me nuts.

Requirement:-
I have an ISP that provides dynamic addressing (at home). I don't want a static IP.
I need to connect to my CCTV/Alarm using DynDNS remotely.

For the life of me, I can't work out how to create an inbound NAT rule so that any traffic from Internet to the external Interface of Router is NATTED to a static internal address, etc

If I create an inbound dstnat rule where the current IP of the external interface is specifically listed, traffic comes in and I can reach CCTV/Alarm. But if the IP changes, I am screwed and need to update dstnat rule with updated external IP. It seems I get a new external IP every two weeks even if I don't reboot router.

In addition:-
Is DDNS registration possible with Mikrotik router using no-ip, etc? Currently, I have PC that automatically updates the dyndns entry but if I can get the router to do it, whenever it detects the change, I can turn off my PC.

Thanks,
IL

 

[RoganDawes]

Just as a caution, be careful about exposing devices on your internal network to the Internet, c.f. Mirai attacking CCTV cameras, etc, etc. You probably also don't want folks messing around with your alarm, either!

Sorry I cannot help you configure your firewall, though.

 

[HunterGR]

Operation details
Router checks for outgoing IP address change: every 60 seconds
Router waits for cloud server response: 15 seconds
DDNS record TTL: 60 seconds
Cloud time update: after router restart and during every ddns update (when router WAN IP address change or after force-ddns-update command)
Time-zone-autodetect: The time zone is detected depending from router public IP address and our commercial database.;
After router sends it's IP address to the cloud server, it will stay on the server permanently. DNS name (/ip cloud dns-name) will resolve to last sent IP address. When user set /ip cloud set ddns-enabled=no router will send message to server to disable DNS name for this routerboard.

When enabled '/ip cloud' will send encrypted UDP packets to port 15252 to hosts that resolves from cloud.mikrotik.com. If you have connected a router and it has internet access you will see A record resolved for cloud.mikrotik.com in '/ip dns cache'.

Example
To enable and activate this service:

[admin@MikroTik] /ip cloud set ddns-enabled=yes
[admin@MikroTik] /ip cloud print
ddns-enabled: yes
update-time: yes
public-address: 159.148.172.205
dns-name: 529c0491d41c.sn.mynetname.net
status: updated
To enable time update from cloud service:

[admin@MikroTik] > ip cloud set update-time=yes
To enable automatic time zone detection:

[admin@MikroTik] > system clock set time-zone-autodetect=yes

Link

 

[Sinbad]

If you have routeros, just use their cloud ddns that you get free of charge

Cameras, I don't expose to the net. I have set up OpenVPN for that.

 

[mister]

If I create an inbound dstnat rule where the current IP of the external interface is specifically listed, traffic comes in and I can reach CCTV/Alarm. But if the IP changes, I am screwed and need to update dstnat rule with updated external IP.

Use the pppoe interface name instead of IP address

 

[TedLasso]

If you have routeros, just use their cloud ddns that you get free of charge

Cameras, I don't expose to the net. I have set up OpenVPN for that.

Good point. Will do that for CCTV , thx.

Also never knew they had their own cloud ddns. Makes life even easier. Thanks again

 

[TedLasso]

Use the pppoe interface name instead of IP address

Do I just type then name in where the IP address is ... I tried various options - never came right. Not near it so can't check. Or will google later

 

[AfricanTech]

/bookmarks

 

[TedLasso]

This totally sucks. Now i understand why I was having difficulty. my router is provided by Vox and while I have been authorized to log into it to make changes, I don't have a 'root' type account. Half of the options are unavailable to me - I can't create DDNS, etc ... guess I will have to make a request to them ... seems to be quite dangerous to wipe it and start again ...

 

[Dirty Harry101]

Sounds like a simple port forward setup. should be able to do that on a write account. Lemme know, I'll help where I can.

 

[RoganDawes]

This totally sucks. Now i understand why I was having difficulty. my router is provided by Vox and while I have been authorized to log into it to make changes, I don't have a 'root' type account. Half of the options are unavailable to me - I can't create DDNS, etc ... guess I will have to make a request to them ... seems to be quite dangerous to wipe it and start again ...

And this is why I'm not interested in ISP's that don't give me control over the router that they provide. I had the same issue with Home Connect, which is why I cancelled the subscription.

 

[TedLasso]

And this is why I'm not interested in ISP's that don't give me control over the router that they provide. I had the same issue with Home Connect, which is why I cancelled the subscription.

I have to give props to Vox who after a helpdesk call last night, granted me full access to the router. It was simple. Of course, I signed an indemnity a while back for the router so if anything goes wrong, they can charge for any stuff ups I make. So I have now enabled the 'cloud' DDNS service using the GUI and can access my alarm and CCTV externally.

Sounds like a simple port forward setup. should be able to do that on a write account. Lemme know, I'll help where I can.

I would appreciate some help. Thanks. I can access CCTV/Alarm when I am external. But when I am connected inside the network and try to get to DDNS entries as defined in the apps, I think the firewall is blocking access. This makes sense as I leaving internal network to get to external interface to come back in. Is there a way to allow this, maybe a srcnat so that I don't have to have two profiles defined in the app e.g. Alarm-Internal (using private IP) and Alarm-External (using DDNS name)?


Next step working out how to enable VPN ... is PPTP the normal solution used by most to get secure access into their networks or should I use OpenVPN. ?
https://wiki.mikrotik.com/wiki/OpenVPN

 

[mister]

You could add a static DNS entry pointing your DDNS to the local IP... that's what I do.

 

[Sinbad]

I got around all that by only exposing the cameras via openvpn.
No direct internet access.

 

[TedLasso]

I got around all that by only exposing the cameras via openvpn.
No direct internet access.

Do you have a guide that one could follow to be sure I don't stuff it up?

 

[Genisys]

Do you have a guide that one could follow to be sure I don't stuff it up?

https://wiki.mikrotik.com/wiki/L2TP_+_IPSEC_between_Mikrotik_router_and_a_PC

That will probably work better for you, the Mikrotik OpenVPN implementation isn't the best, so would suggest rather using L2TP with IPsec.

 

[TedLasso]

https://wiki.mikrotik.com/wiki/L2TP_+_IPSEC_between_Mikrotik_router_and_a_PC

That will probably work better for you, the Mikrotik OpenVPN implementation isn't the best, so would suggest rather using L2TP with IPsec.

Thanks. Will give it a go!

 

[Sinbad]

Mm. Openvpn support coming in RouterOS 7.

I've since moved from mikrotik to Unifi

 

[AfricanTech]

Mm. Openvpn support coming in RouterOS 7.

I've since moved from mikrotik to Unifi

Which one?

And how are you finding it? I'm very happy with my Mikrotik - so configurable