IP Cloud (DDNS) in RouterOS: A Complete Guide


RouterOS Version: 7.x+ | Difficulty: Beginner | Estimated Time: 15 minutes

MikroTik IP Cloud provides a free Dynamic DNS (DDNS) service that automatically updates DNS records with your router’s public IP address. This enables remote access via a persistent hostname even when your ISP assigns dynamic IPs.

Key Features:

  • DDNS Service - Automatic DNS A and AAAA record updates
  • Time Synchronization - Clock sync without NTP configuration
  • Cloud Backup - Encrypted backup storage (1 free slot, 15MB max)
  • Back to Home VPN - Easy WireGuard VPN via mobile app (v7.12+)

Your router receives a permanent DNS name in the format: <serial>.sn.mynetname.net

Limitations:

  • CHR requires paid license (P1 or higher)
  • NOT supported on x86 systems
  • No SLA - free service with occasional outages

[Diagram: IP Cloud DDNS flow. The router sends encrypted updates to MikroTik Cloud every 60 seconds, which then updates the DNS servers.]

When your WAN IP changes, the router detects it within 60 seconds and updates the DNS record.

| Menu | Purpose |
|------|---------|
| /ip cloud | DDNS and time sync configuration |
| /ip cloud advanced | Advanced settings (local address) |
| /system backup cloud | Cloud backup management |

| Property | Type | Default | Description |
|----------|------|---------|-------------|
| ddns-enabled | yes/auto/no | auto (v7.17+) | Enable DDNS service |
| ddns-update-interval | time | none | Force update interval (min 60s) |
| update-time | yes/no | yes | Sync clock with cloud server |

Read-only status:

| Property | Description |
|----------|-------------|
| dns-name | Your assigned hostname |
| public-address | IPv4 address sent to cloud |
| public-address-ipv6 | IPv6 address sent to cloud |
| status | Current state (updated, updating, error) |
| warning | NAT warning if behind another router |

# Enable DDNS
/ip cloud set ddns-enabled=yes
# Verify status
/ip cloud print

Expected output:

ddns-enabled: yes
ddns-update-interval: none
update-time: yes
public-address: 203.0.113.50
public-address-ipv6: 2001:db8::1
dns-name: 529c0491d41c.sn.mynetname.net
status: updated

Example 2: Allow Remote Access (Required!)


Critical: Default firewall blocks WAN access. You must add rules to allow remote access.

Option A: Allow specific service from WAN (less secure)

# Allow WinBox from any IP (use with caution!)
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
action=accept place-before=0 comment="Allow WinBox from WAN"

Option B: Restrict to specific IPs (recommended)

# Create address list for trusted IPs
/ip firewall address-list add address=198.51.100.10 list=trusted-remote
# Allow only from trusted IPs
/ip firewall filter add chain=input protocol=tcp dst-port=8291 \
src-address-list=trusted-remote action=accept place-before=0 \
comment="WinBox from trusted IPs only"

Option C: Use VPN instead (most secure)

Use Back to Home VPN or configure WireGuard/OpenVPN for secure access.
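
To find rules of the Option A kind in an existing configuration, the following added example (not part of the original guide and not MikroTik code) parses the text of /ip firewall filter export and lists enabled input-chain accept rules that open a management port with no src-address or src-address-list. The sample export is constructed; the check looks at each rule in isolation and does not evaluate rule order or interface matchers.

```python
import shlex

MGMT_PORTS = {8291, 22, 80, 443, 8728, 8729}  # WinBox, SSH, WebFig, API (page's table)
RULE_KIND = ("/ip firewall filter", "input", "accept", "tcp")
# Constructed sample of "/ip firewall filter export" output, not from a real router.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=8291 protocol=tcp \
    comment="WinBox from trusted IPs only" src-address-list=trusted-remote
add action=accept chain=input comment="SSH and API" dst-port=22,8700-8800 protocol=tcp
add action=accept chain=input connection-state=established,related
'''

def parse_export(text):
    """Yield (menu, properties) per 'add' line, joining backslash continuations."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = line[:-1] if line.endswith("\\") else ""
        if pending:
            continue
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            yield menu, dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)

def ports_in(spec):
    """Expand '22,8700-8800' into a set of ints; negated entries are skipped."""
    ports = set()
    for lo, _, hi in (part.partition("-") for part in spec.split(",")):
        if lo.isdigit() and (hi.isdigit() or not hi):
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def exposed_mgmt_rules(export_text):
    """Enabled input-chain TCP accept rules opening a management port to any source."""
    findings = []
    for menu, p in parse_export(export_text):
        kind = (menu, p.get("chain"), p.get("action"), p.get("protocol"))
        hit = sorted(ports_in(p.get("dst-port", "")) & MGMT_PORTS)
        open_src = "src-address" not in p and "src-address-list" not in p
        if kind == RULE_KIND and hit and open_src and p.get("disabled") != "yes":
            findings.append((p.get("comment", ""), hit))
    return findings

if __name__ == "__main__":
    print(exposed_mgmt_rules(SAMPLE_EXPORT))
```

Each finding is a (comment, ports) pair; a rule that shows up here should be narrowed with an address list as in Option B or replaced by VPN access as in Option C.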

Sync router clock without configuring NTP:

# Enable time sync
/ip cloud set update-time=yes
# Enable automatic timezone detection
/system clock set time-zone-autodetect=yes
# Verify
/system clock print

Note: This provides approximate time (accuracy within seconds). For precise time, use NTP instead.

Example 4: Cloud Backup

Create and upload encrypted backup:

/system backup cloud upload-file action=create-and-upload password=MyStrongPass123!

View uploaded backups:

/system backup cloud print

Output shows the secret-download-key - save this securely!

Download backup (same device):

/system backup cloud download-file action=download number=0

Download backup (different device using secret key):

/system backup cloud download-file action=download secret-download-key=AbCdEfGhIjKlM1234567890

Delete cloud backup:

/system backup cloud remove-file number=0

Manually trigger an update:

/ip cloud force-update

If your router is behind another NAT device and you want DNS to point to the local IP:

/ip cloud advanced set use-local-address=yes

Enable easy VPN access via mobile app:

# Enable DDNS (required for Back to Home)
/ip cloud set ddns-enabled=yes
# Enable Back to Home
/ip cloud set back-to-home-vpn=enabled
# View QR code for mobile app
/ip cloud print

Scan the vpn-wireguard-client-config-qrcode with the MikroTik Back to Home app.

Requirements:

  • RouterOS 7.12+
  • ARM, ARM64, or TILE architecture (not MIPS or x86)

Understanding ddns-enabled Values (v7.17+)

| Value | Behavior |
|-------|----------|
| yes | Always enabled |
| auto | Only enabled if Back to Home is active |
| no | Always disabled |

Note: Default changed from no to auto in v7.17. After upgrading, DDNS may appear disabled unless Back to Home is active.

Problem 1: DNS Name Resolves but Cannot Connect


Cause: Default firewall blocks WAN access to management services.

Solution: Add firewall rules (see Example 2) or use VPN.

Problem 2: Warning About NAT/IP Mismatch

Symptom: warning: DDNS server received request from IP X but your local IP was Y

Cause: Router is behind another NAT device (ISP modem/router).

Solutions:

  1. Put upstream device in bridge mode
  2. Configure port forwarding on upstream device
  3. Use use-local-address=yes if internal DNS is acceptable

Problem 3: Status Stuck on “Updating…”


Causes:

  • Firewall blocking UDP 15252 outbound
  • MikroTik cloud service outage
  • Time/date incorrect on router

Solutions:

# Check connectivity
/ping cloud2.mikrotik.com
# Check logs
/log print where topics~"cloud"
# Try disable/enable cycle
/ip cloud set ddns-enabled=no
/ip cloud set ddns-enabled=yes

Cause: CHR requires paid perpetual license (P1 or higher).

Solution: Upgrade CHR license or use third-party DDNS.

Cause: IP Cloud is NOT supported on x86 systems.

Solution: Use third-party DDNS (Cloudflare, DuckDNS) with scripting.

Cause: Back to Home feature is enabled (requires DDNS).

Solution:

# First disable Back to Home
/ip cloud set back-to-home-vpn=revoked-and-disabled
# Then set DDNS to auto
/ip cloud set ddns-enabled=auto

Causes:

  • Backup not AES encrypted
  • Backup exceeds 15MB
  • Only 1 free slot available

Solution:

# Create properly encrypted backup first
/system backup save encryption=aes-sha256 name=mybackup password=MyPass123!
# Upload existing backup
/system backup cloud upload-file action=upload src-file=mybackup.backup
# Check file size
/file print where name~"backup"

Problem: Cannot download cloud backup without secret-download-key.

Solution: Contact MikroTik support with device serial number and proof of ownership.

Prevention: Save the key immediately after uploading:

/system backup cloud print
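
| Protocol | Port | Destination | Purpose |
|----------|------|-------------|---------|
| UDP | 15252 | cloud2.mikrotik.com | DDNS updates |
| TCP | 15252 | cloud2.mikrotik.com | Cloud backup |

| Service | Protocol | Port |
|---------|----------|------|
| WinBox | TCP | 8291 |
| SSH | TCP | 22 |
| WebFig | TCP | 80/443 |
| API | TCP | 8728/8729 |
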
# Check DDNS status
/ip cloud print
# Force update
/ip cloud force-update
# Check logs
/log print where topics~"cloud"
# Test DNS resolution (from external network)
# nslookup <serial>.sn.mynetname.net
# Check firewall rules
/ip firewall filter print where chain=input
# Check cloud backup
/system backup cloud print

If IP Cloud doesn’t meet your needs, consider:

| Service | Reliability | Cost | Notes |
|---------|-------------|------|-------|
| Cloudflare | High | Free | Requires script, full DNS control |
| DuckDNS | Medium | Free | Simple API, requires script |
| No-IP | High | Free tier | Web interface, limited free domains |

Community Recommendation: For production/business use, implement redundant DDNS (IP Cloud + Cloudflare/DuckDNS).

  1. Use VPN instead of exposing services - Back to Home or manual WireGuard
  2. Restrict firewall rules - Use address lists for trusted IPs
  3. Store secret-download-key securely - Required for backup recovery
  4. Strong backup passwords - AES encryption is only as good as the password
  5. Monitor access attempts - Check logs for unauthorized access

  • Back to Home (/ip cloud back-to-home-vpn) - Mobile VPN access
  • NTP Client (/system ntp client) - More accurate time sync
  • System Backup (/system backup) - Local backup management
  • Firewall (/ip firewall filter) - WAN access control
  • WireGuard (/interface wireguard) - Manual VPN configuration

| Version | Change |
|---------|--------|
| 6.43 | IPv6 AAAA record support |
| 6.44 | Server changed to cloud2.mikrotik.com |
| 7.12 | Back to Home VPN introduced |
| 7.17 | ddns-enabled default changed to auto |

IP Cloud provides convenient DDNS for MikroTik routers:

  1. Enable DDNS with /ip cloud set ddns-enabled=yes
  2. Configure firewall to allow remote access (or use VPN)
  3. Access router via <serial>.sn.mynetname.net
  4. Optional: Enable cloud backup and time sync

Key points:

  • Default firewall blocks WAN access - add rules or use VPN
  • CHR requires paid license; x86 not supported
  • Store secret-download-key securely for backup recovery
  • v7.17+ changed ddns-enabled default to auto
  • No SLA - consider redundant DDNS for critical use