RouterOS Experts - How to setup inbound access + DDNS

TedLasso

Expert Member
Joined
Feb 23, 2016
Messages
3,760
Hi,

I am normally good with firewalls, but this Mikrotik RouterOS is driving me nuts.

Requirement:-
I have an ISP that provides dynamic addressing (at home). I don't want a static IP.
I need to connect to my CCTV/Alarm using DynDNS remotely.

For the life of me, I can't work out how to create an inbound NAT rule so that any traffic from the Internet to the external interface of the router is NATed to a static internal address, etc.

If I create an inbound dstnat rule where the current IP of the external interface is specifically listed, traffic comes in and I can reach CCTV/Alarm. But if the IP changes, I am screwed and need to update dstnat rule with updated external IP. It seems I get a new external IP every two weeks even if I don't reboot router.

In addition:-
Is DDNS registration possible with Mikrotik router using no-ip, etc? Currently, I have PC that automatically updates the dyndns entry but if I can get the router to do it, whenever it detects the change, I can turn off my PC.

Thanks,
IL
 

RoganDawes

Expert Member
Joined
Apr 18, 2007
Messages
1,259
Just as a caution, be careful about exposing devices on your internal network to the Internet, c.f. Mirai attacking CCTV cameras, etc, etc. You probably also don't want folks messing around with your alarm, either!

Sorry I cannot help you configure your firewall, though.
 

HunterGR

Expert Member
Joined
Nov 30, 2011
Messages
2,140
Operation details
Router checks for outgoing IP address change: every 60 seconds
Router waits for cloud server response: 15 seconds
DDNS record TTL: 60 seconds
Cloud time update: after router restart and during every DDNS update (when the router WAN IP address changes or after the force-ddns-update command)
Time-zone-autodetect: The time zone is detected depending on the router's public IP address and our commercial database.
After the router sends its IP address to the cloud server, it will stay on the server permanently. The DNS name (/ip cloud dns-name) will resolve to the last sent IP address. When the user sets /ip cloud set ddns-enabled=no, the router will send a message to the server to disable the DNS name for this routerboard.

When enabled, '/ip cloud' will send encrypted UDP packets to port 15252 to the hosts that cloud.mikrotik.com resolves to. If you have connected a router and it has internet access you will see an A record resolved for cloud.mikrotik.com in '/ip dns cache'.

Example
To enable and activate this service:

[admin@MikroTik] /ip cloud set ddns-enabled=yes
[admin@MikroTik] /ip cloud print
ddns-enabled: yes
update-time: yes
public-address: 159.148.172.205
dns-name: 529c0491d41c.sn.mynetname.net
status: updated
To enable time update from cloud service:

[admin@MikroTik] > ip cloud set update-time=yes
To enable automatic time zone detection:

[admin@MikroTik] > system clock set time-zone-autodetect=yes

Link
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
If you have RouterOS, just use their cloud DDNS that you get free of charge ;)

Cameras, I don't expose to the net. I have set up OpenVPN for that.
 

mister

Executive Member
Joined
Jul 21, 2008
Messages
9,157
If I create an inbound dstnat rule where the current IP of the external interface is specifically listed, traffic comes in and I can reach CCTV/Alarm. But if the IP changes, I am screwed and need to update dstnat rule with updated external IP.

Use the PPPoE interface name instead of the IP address.
 

TedLasso

Expert Member
Joined
Feb 23, 2016
Messages
3,760
If you have RouterOS, just use their cloud DDNS that you get free of charge ;)

Cameras, I don't expose to the net. I have set up OpenVPN for that.

Good point. Will do that for CCTV, thx.

Also never knew they had their own cloud DDNS. Makes life even easier. Thanks again.
 

TedLasso

Expert Member
Joined
Feb 23, 2016
Messages
3,760
Use the PPPoE interface name instead of the IP address.

Do I just type the name in where the IP address is? I tried various options, never came right. Not near it so can't check. Or will google later.
 

TedLasso

Expert Member
Joined
Feb 23, 2016
Messages
3,760
This totally sucks. Now I understand why I was having difficulty. My router is provided by Vox and while I have been authorized to log into it to make changes, I don't have a 'root' type account. Half of the options are unavailable to me - I can't create DDNS, etc ... guess I will have to make a request to them ... seems to be quite dangerous to wipe it and start again ...
 

Dirty Harry101

Active Member
Joined
Sep 23, 2016
Messages
80
Sounds like a simple port forward setup. Should be able to do that on a write account. Lemme know, I'll help where I can.
 

RoganDawes

Expert Member
Joined
Apr 18, 2007
Messages
1,259
This totally sucks. Now I understand why I was having difficulty. My router is provided by Vox and while I have been authorized to log into it to make changes, I don't have a 'root' type account. Half of the options are unavailable to me - I can't create DDNS, etc ... guess I will have to make a request to them ... seems to be quite dangerous to wipe it and start again ...

And this is why I'm not interested in ISPs that don't give me control over the router that they provide. I had the same issue with Home Connect, which is why I cancelled the subscription.
 

TedLasso

Expert Member
Joined
Feb 23, 2016
Messages
3,760
And this is why I'm not interested in ISPs that don't give me control over the router that they provide. I had the same issue with Home Connect, which is why I cancelled the subscription.

I have to give props to Vox who, after a helpdesk call last night, granted me full access to the router. It was simple. Of course, I signed an indemnity a while back for the router so if anything goes wrong, they can charge for any stuff-ups I make. So I have now enabled the 'cloud' DDNS service using the GUI and can access my alarm and CCTV externally.

Sounds like a simple port forward setup. Should be able to do that on a write account. Lemme know, I'll help where I can.

I would appreciate some help. Thanks. :) I can access CCTV/Alarm when I am external. But when I am connected inside the network and try to get to the DDNS entries as defined in the apps, I think the firewall is blocking access. This makes sense as I am leaving the internal network to get to the external interface to come back in. Is there a way to allow this, maybe a srcnat, so that I don't have to have two profiles defined in the app, e.g. Alarm-Internal (using private IP) and Alarm-External (using DDNS name)?

Next step is working out how to enable VPN ... is PPTP the normal solution used by most to get secure access into their networks, or should I use OpenVPN?
https://wiki.mikrotik.com/wiki/OpenVPN
 

mister

Executive Member
Joined
Jul 21, 2008
Messages
9,157
You could add a static DNS entry pointing your DDNS to the local IP... that's what I do.
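The two pieces of advice in this thread (key the dst-nat rule on the PPPoE interface name rather than its address, and make the DDNS name usable from inside the LAN) as one RouterOS CLI snippet. This is an added example, not anything posted by the thread's participants or taken from MikroTik's docs; the interface names, LAN subnet, NVR address, port and DDNS hostname are assumptions/placeholders.

```routeros
# Added example (not from the thread). Assumptions/placeholders:
#   WAN interface = pppoe-out1, LAN bridge = bridge, LAN = 192.168.88.0/24,
#   CCTV/NVR host = 192.168.88.10 listening on TCP 8000,
#   DDNS name = serial.sn.mynetname.net (check /ip cloud print for the real one).

# 1. Free MikroTik cloud DDNS: the router re-registers its current public
#    address itself, so the PC that updated DynDNS is no longer needed.
/ip cloud set ddns-enabled=yes update-time=yes

# 2. Inbound forward matched on the WAN *interface*, not on its address,
#    so the rule keeps working when the ISP hands out a new public IP.
/ip firewall nat add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=8000 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=8000 \
    comment="NVR from Internet (interface-based, survives IP change)"

# 3. Keep the forward chain tight: only the dst-natted connection is allowed in
#    from the WAN; everything else from pppoe-out1 still hits the default drop.
/ip firewall filter add chain=forward in-interface=pppoe-out1 \
    connection-nat-state=dstnatted connection-state=new protocol=tcp dst-port=8000 \
    action=accept place-before=0 comment="Accept forwarded NVR traffic only"

# 4a. Reaching the DDNS name from inside the LAN, the way mister suggested:
#     a static DNS entry so LAN clients that use the router as resolver get the
#     private address directly and never leave the LAN (no hairpin needed).
/ip dns static add name=serial.sn.mynetname.net address=192.168.88.10

# 4b. Alternative if clients use an external resolver (the "srcnat" idea from
#     the question): hairpin NAT. The dst-nat also fires for LAN clients hitting
#     any router-local address, and the srcnat masquerade makes the NVR reply
#     via the router instead of straight back to the client.
/ip firewall nat add chain=dstnat dst-address-type=local src-address=192.168.88.0/24 \
    protocol=tcp dst-port=8000 action=dst-nat to-addresses=192.168.88.10 \
    comment="Hairpin: LAN client -> public name -> NVR"
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    dst-address=192.168.88.10 protocol=tcp dst-port=8000 action=masquerade \
    comment="Hairpin: make NVR reply through the router"

# Verify: the public address, the registered name and the NAT counters.
/ip cloud print
/ip firewall nat print stats
```

Use either 4a or 4b, not both; 4a is the simpler one and keeps internal camera traffic off the NAT path entirely. As several replies note, the safer option is to not forward the camera port at all and reach it over a VPN, in which case only step 1 (and the VPN) is needed.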
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
I got around all that by only exposing the cameras via openvpn.
No direct internet access.
 

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
Mm. OpenVPN support coming in RouterOS 7.

I've since moved from MikroTik to UniFi :)