MikroTik remote access
Access a MikroTik router behind CGNAT or without port forwarding
RouterOS can run Dynamic DNS update scripts, but a hostname alone cannot create inbound access when the router is behind CGNAT, double NAT, or an ISP block. Use Dynamic DNS when inbound access already works; use DNSExit Remote Access when it does not.
First decide what problem you actually have
| Situation | Best DNSExit path | Why |
|---|---|---|
| Your MikroTik has a public WAN IP, but the IP changes. | Dynamic DNS router setup | RouterOS can call the DNSExit update URL on a schedule, keeping your hostname current. |
| Your MikroTik WAN IP is private, shared, or different from your public IP. | Static-IP Relay | CGNAT prevents direct inbound access, so outside clients need a stable relay endpoint. |
| You only need a local web dashboard, app, or WebFig-style HTTP service. | Public Tunnel | A public HTTPS URL can reach a local web service through an outbound tunnel. |
Dynamic DNS setup on MikroTik
MikroTik RouterOS is usually configured with /tool fetch and /system scheduler.
DNSExit already generates the account-specific update URL from the router setup page, so use that page
after logging in instead of copying a generic URL.
/tool fetch url="YOUR_DNSEXIT_DYNAMIC_DNS_UPDATE_URL" mode=https dst-path=ddns.txt /system script add name=dnsexit source="/tool fetch url=\"YOUR_DNSEXIT_DYNAMIC_DNS_UPDATE_URL\" mode=https dst-path=ddns.txt" /system scheduler add name=dnsexit-update interval=12m on-event=dnsexit
Dynamic DNS does not bypass CGNAT. If port forwarding still fails after the hostname updates correctly, check whether the MikroTik WAN address is private or shared by your ISP.
How DNSExit Remote Access fits MikroTik networks
- Static-IP Relay for router or TCP access.
Use this for SSH, VPN, RDP, cameras, or other TCP services that need a stable public endpoint. - Public Tunnel for web access.
Use this for local web dashboards or web apps that can be reached from a browser. - Run the tunnel client inside the LAN.
Use an always-on Linux box, NAS, mini PC, or Raspberry Pi that can reach the MikroTik router. - Keep exposure narrow.
Forward only the service you need and avoid publishing broad router admin access to the public internet.
Recommended setup for a MikroTik behind CGNAT
- Create a DNSExit Remote Access service and choose Static-IP Relay if you need TCP access.
- Install the DNSExit-provided tunnel client on an always-on device inside the same LAN as the MikroTik.
- Point the client to the MikroTik service you want to reach, such as SSH on the router LAN IP.
- Start the client and check the connection from the Remote Access Control Panel.
- Test from outside your network using the relay hostname and port shown in the control panel.
Security notes before exposing router access
Router management should be treated as sensitive. Use strong passwords, restrict which service is exposed, disable unused management services, and prefer SSH or a VPN workflow over publishing an unrestricted admin interface. If you only need one internal web app, expose that app rather than the whole router.
Trying to reach a MikroTik behind CGNAT?
Start with Remote Access, then choose Public Tunnel or Static-IP Relay based on whether the service is web-based or TCP-based.