Skip to Content

How to Configure MikroTik DynDNS (Cloud) and Access MikroTik Over Internet?

One of the issues with consumer internet connections is that they don’t provide static IPs by default. If you need one, you typically have to pay a premium to the service provider.

I faced a similar challenge with the ISP I was using at home. It didn’t offer a static IP and instead used public IPs assigned dynamically via DHCP. This meant that whenever I rebooted the router or the ISP released and renewed the public IP, the IP address changed. As a result, I would lose access to my router and any port forwarding configurations over the internet.

When I inquired about getting a static IP, the ISP informed me that my current plan didn’t support it, and I would need to upgrade to a much more expensive plan to get one.

That’s when I realized there had to be a better way. I decided to explore third-party Dynamic DNS (DynDNS) providers. These services allow you to sign up for an account and configure your router to update the dynamic IP automatically. However, there’s usually a recurring monthly or yearly fee associated with this.

The downside of using a third-party DynDNS provider is that, in addition to paying for the internet plan, I also had to pay for the DynDNS service. If I forgot to make a payment, the FQDN (Fully Qualified Domain Name) would stop working. This made me feel like I didn’t truly own the solution and was stuck in a subscription-based model.

Of course, I also wished I could avoid the internet bill altogether! 😉

After some research, I discovered that the most cost-effective solution was to get a MikroTik router, which offers a built-in DynDNS functionality. This allowed me to move away from the third-party DynDNS subscription model.

The Plan:

The plan was simple: get a MikroTik router, configure it for internet access, and enable the built-in DynDNS configuration. Whenever the public IP changes, the MikroTik DynDNS service automatically fetches the new IP and updates it.

Using the DynDNS FQDN, I can access my router or any services I’ve enabled via port forwarding over the public internet. I’ve been using this setup for quite some time now, and it works flawlessly.

What You Can Do with MikroTik DynDNS

The DynDNS feature in MikroTik is called Cloud. Once enabled, it identifies the public IP configured on the internet-facing port and maps it to a custom FQDN in the MikroTik router.

However, if you’re using MikroTik behind a NAT, the feature may not work unless:

  1. You move the public IP configuration from the ISP router to the MikroTik router, or         
  2. You enable the DMZ function or port forwarding on the ISP router.

I’ve created an extensive guide on troubleshooting router access over the public internet, which can help you resolve issues like these.

Benefits of MikroTik DynDNS

With MikroTik DynDNS (referred to as Cloud), you can do almost everything you would with a static IP. For example:

•  Enable port forwarding to access specific services on the LAN.
•  Configure WireGuard access.
•  Set up IPsec connectivity.
• Access the MikroTik router remotely over the internet.

Important Note:

While enabling these features, be aware of the risks. If not configured carefully, you might inadvertently expose your network to the internet. This is the last thing you want when dealing with WAN-side configurations.

How to enable Dyndns on MikroTik router?

Configuring the Dyndns service in MikroTik is pretty simple, you may login to the web GUI, or WinBox.

And go to IP-> Cloud.

As you can see, the Dyndns configuration is disabled at the moment.

Check the DDNS enabled option.

After a few seconds, you will see the MikroTik router assigned a custom Dyndns Fqdn for your router.

Click on Ok, here.

Accessing Your MikroTik Router Over the Internet Using Cloud (DynDNS)

Now that you’ve configured DynDNS, you can access your MikroTik router over the internet. However, you need to ensure the proper policies are in place to allow access securely. Let’s go through the steps to achieve this.

1. Enable the Required Services

To access the router using WinBox, which uses port 8291 by default, ensure that the service is enabled:

            •          Navigate to IP -> Services.

            •          Verify that WinBox (port 8291) is enabled.

            •          If you plan to access the MikroTik using a web GUI, check that the www service is enabled, and note its port number (default: 80).

Note: By default, the following services are enabled:

            •          WinBox: Port 8291

            •          HTTP: Port 80

If you’ve customized these ports, ensure they match your configuration.

2. Configure Firewall Policies to Allow WAN Access

To access the MikroTik router using its WAN interface (e.g., ether1), you must create a firewall rule to allow traffic. However, ensure you only allow access from trusted IP addresses to secure the router.

As the traffic will be ‘To’ traffic, not ‘through’ traffic you need to create ‘input’ chain rule.

If you allow traffic from any (0.0.0.0/0) anyone on the internet will be able to access the router, so just be careful here.

So instead of allowing any IP, I am temporarily connecting to another internet, and then allow access to that IP.

  • get the Public IP.

I have temporarily connected to another internet, and when I check the public IP here, as you can see, I got the IP x.x.x.111  , I will be allowing the WinBox access to only to this IP.

2.         Create the Firewall Policy

            •          Navigate to IP -> Firewall.

            •          Create a new rule under the Filter Rules tab.

Firewall Rule Configuration:

            •          General:

            •          Comment: Add a comment to describe the rule (e.g., “Allow WinBox from x.x.x.111”).

            •          Chain: Select input.

            •          Src.Address: Enter the trusted public IP (x.x.x.111).

            •          Action:

            •          Choose accept.

            •          Click OK to save the rule.

Once the rule is added, it will appear in the list of firewall rules.

As you can see the rule is now added.

3. Test Access

Now, test the router’s accessibility using both WinBox and the web GUI:

            1.         Open WinBox and enter the DynDNS FQDN as the router’s address.

            2.         Provide the username and password.

            3.         You should be able to access the MikroTik router successfully.

Once you access the router, you can monitor active connections:

            •          Go to IP -> Firewall -> Connections.

            •          You will see an entry showing the source IP (x.x.x.111) and the destination IP (x.x.x.60), which is the MikroTik’s WAN-side IP.

As you can see, there is a traffic from my public IP to the mikrotik wan side IP on port 80 and 8291.