RouterOS Cloud

RouterOS Cloud

RouterOS Cloud connects your router to MikroTik’s cloud infrastructure to provide two services:

• Dynamic DNS (DDNS) — a stable *.sn.mynetname.net hostname that tracks your router’s public IP automatically
• Update-Time — basic time synchronization using MikroTik’s cloud servers

Both services are configured under /ip/cloud.

Sub-menus

Sub-menu	Purpose
/ip/cloud	Main cloud settings: DDNS, time sync
/ip/cloud/advanced	Advanced options including local address override

Dynamic DNS (DDNS)

RouterOS Cloud DDNS assigns your router a stable hostname of the form <unique-id>.sn.mynetname.net. Whenever your public IP changes, RouterOS automatically updates the DNS record — no external DDNS service or scripting required.

DNS records use a short TTL of 60 seconds, so changes propagate quickly after an IP change.

Typical use cases:

• Remote access to your router (Winbox, SSH, WebFig) without tracking a changing ISP IP
• IPsec or other VPN endpoints that need a stable address for the peer

Enabling DDNS

/ip/cloud/set ddns-enabled=yes
/ip/cloud/print

Example output after enabling:

       ddns-enabled: yes
           dns-name: a1b2c3d4e5f6.sn.mynetname.net
     public-address: 203.0.113.45
  public-address-ipv6: 2001:db8::1
             status: updated

Once status shows updated, the hostname resolves to your current public IP.

DDNS Properties

Property	Default	Description
ddns-enabled	no	Enable MikroTik cloud DDNS
ddns-update-interval	none	How often RouterOS proactively re-registers the DDNS record. none means register only when the public IP changes. Accepts RouterOS time values: none, 1m, 1h, 1d, etc.
dns-name	(read-only)	Assigned hostname (<id>.sn.mynetname.net)
public-address	(read-only)	Detected public IPv4 address
public-address-ipv6	(read-only)	Detected public IPv6 address
status	(read-only)	Current DDNS state: updated, updating, error

Force Update

If your IP has changed and you need the DNS record refreshed immediately (rather than waiting for the automatic interval):

/ip/cloud/force-update

Verify resolution

After enabling, verify the hostname resolves correctly from an external host:

# From a Linux/macOS host outside your network
dig a1b2c3d4e5f6.sn.mynetname.net

Tip

Use DDNS together with a firewall rule that restricts management port access to known source IPs. DDNS provides reachability, but access control is your responsibility.

Note

DDNS requires outbound internet access from the router. If your router is behind NAT, the detected public-address reflects the upstream public IP as seen by MikroTik’s servers.

Update-Time Synchronization

update-time=yes instructs RouterOS to set the system clock using MikroTik’s cloud servers at boot and after connectivity is established. This is a simple alternative to NTP for routers where a full NTP setup is not warranted.

/ip/cloud/set update-time=yes

Property	Default	Description
update-time	no	Set to yes to use MikroTik’s cloud servers to set the system clock at boot and after connectivity is established

When to use update-time:

Scenario	Recommendation
Small branch router, no NTP configured	update-time=yes — quick, no additional setup
Router with NTP client configured	Leave at no — NTP is more accurate and reliable
Router that issues certificates	Use NTP — cloud time sync is coarse and certificate validation requires accurate time

Advanced Settings

/ip/cloud/advanced exposes lower-level options for controlling how the router interacts with MikroTik’s cloud.

/ip/cloud/advanced/print

Property	Default	Description
use-local-address	no	When yes, DDNS registers the router’s local/LAN IP instead of the detected public IP. Use only when the router is behind NAT and you want to reach it from within the same private network using the DDNS hostname.

Remote Management via DDNS

Once DDNS is active, the assigned dns-name hostname can be used wherever you would normally type the router’s IP address — Winbox, SSH, WebFig, or the RouterOS API.

/ip/cloud/print
# Note the dns-name value, e.g. a1b2c3d4e5f6.sn.mynetname.net

Connect from an admin workstation:

Tool	Example
Winbox	Enter a1b2c3d4e5f6.sn.mynetname.net in the address bar
SSH	ssh [email protected]
WebFig	https://a1b2c3d4e5f6.sn.mynetname.net/

Restricting access to known sources

The DDNS hostname makes your router reachable — it does not restrict who can reach it. Apply source-address restrictions at both the service and firewall levels:

# Restrict services to your management IP
/ip/service/set winbox address=198.51.100.10/32
/ip/service/set ssh address=198.51.100.10/32
/ip/service/set www-ssl address=198.51.100.10/32

# Create WAN interface list and add your upstream interface (e.g. ether1)
/interface/list/add name=WAN
/interface/list/member/add list=WAN interface=ether1

# Firewall input chain: allow established, permit management sources, drop WAN
/ip/firewall/filter/add chain=input action=accept connection-state=established,related
/ip/firewall/filter/add chain=input action=drop connection-state=invalid
/ip/firewall/filter/add chain=input action=accept protocol=tcp \
    src-address=198.51.100.10/32 dst-port=22,443,8291
/ip/firewall/filter/add chain=input action=drop in-interface-list=WAN

Note

Firewall rules match IP addresses and ports — not DNS names. The DDNS hostname resolves to the router’s public IP before any packet is sent; firewall rules see the source IP of the connecting host, not the domain label the client used.

If your router sits behind CGNAT or upstream NAT that you do not control, the cloud DDNS record will resolve correctly but inbound connections will fail unless the upstream device forwards the relevant ports. DDNS alone cannot bypass upstream NAT.

VPN Endpoints via DDNS

The cloud hostname can be used as a stable endpoint address for VPN peers that need to reach this router over a dynamic WAN IP.

WireGuard

Set the cloud hostname as the endpoint-address on the remote peer’s configuration:

/interface/wireguard/peers/add \
    interface=wg1 \
    public-key="<remote-public-key>" \
    endpoint-address=a1b2c3d4e5f6.sn.mynetname.net \
    endpoint-port=13231 \
    allowed-address=10.10.10.2/32 \
    persistent-keepalive=25s

persistent-keepalive is recommended when the local peer is behind NAT — it keeps the NAT mapping alive and ensures the endpoint stays reachable.

IPsec

IPsec peers accept a hostname as the address field:

/ip/ipsec/peer/add \
    name=cloud-peer \
    address=a1b2c3d4e5f6.sn.mynetname.net \
    exchange-mode=ike2 \
    profile=default

RouterOS resolves the hostname at connection setup. If the IP changes and DDNS updates, the next IKE negotiation will use the new address.

Troubleshooting

DDNS status shows error

Check that the router has outbound internet access and DNS resolution works:

/ping count=4 address=cloud.mikrotik.com

If DNS fails, verify /ip/dns has a working upstream resolver set.

DDNS hostname resolves to old IP

Run a force update:

/ip/cloud/force-update

If the problem persists, check that no firewall rule is blocking outbound connections to MikroTik’s cloud infrastructure.

See Also

• Neighbor Discovery (MNDP)
• Winbox and WebFig
• NTP