I like the DynDNS feature of Mikrotik. Specially, that it allows the 1 minute refresh interval time.
However, I have some installations behind other routers and I would love to be able to reach my Mikrotiks without having to do NAT forwards on other firewalls to reach it.

A- Is there anything built in or available out there that allows me easy access to my Mikrotik no matter where in a network diagram I put it as long as it has internet?
B- If not a built in feature, maybe someone has built an easy system I can copy? (currently I use an OpenVPN tunnel but it's a bit messy because the OpenVPN server can break one day).

To connect all links with public addresses. This is the only way.

To connect all links with public addresses. This is the only way.

How??

There's no "cloud" connectivity available by using Mikrotik cloud service ... only dynamic DNS. So when connecting to <serial>.sn.mynetname.net, one is connecting directly to the router. If router doesn't have public address, then the device that holds the public address, will most probably block the connection attempts. Unless NAT is configured on the "public IP" device ...

Basically you're already using the only possible solution - VPN. If VPN server breaks, then you keep the pieces (and clean up your part of mess). Mikrotik cloud had it's own share of problems in the past as well ...

Is there anything built in or available out there that allows me easy access to my Mikrotik no matter where

If the devices you want to reach behind the Mikrotik router are Mikrotik devices as well then you can enable ROMON on all the devices...
Then as soon as you connect to the ROMON agent all the devices will appear in Winbox...

ROMON only works in a local (or at least L2-connected) network.
People asking for DynDNS features will normally use the internet for access and ROMON does not work over internet.

Like mkx, I recommend to setup a VPN server somewhere at a location where you have fixed external IP, and then setup a VPN connection to there in all routers you want to manage.
Besides that it overcomes the reachability issue you have, it is also much safer. You should NOT enable access to the winbox port (8291) from internet! But you can do it in a closed VPN network.

I would recommend to use L2TP/IPsec or maybe SSTP instead of OpenVPN. It is better supported in RouterOS.

People asking for DynDNS features will normally use the internet for access and ROMON does not work over internet.

Wrong! It works perfect...!
If you enable ROMON on your Main router for example and on your AP that is behind your router, if you allow access through WAN to your Router, by using the Cloud DNS or any other DNS service, you can connect to the ROMON agent of the Main router and you will see (and able to connect) the AP as well in the ROMON neighbors...

ROMON only works in a local (or at least L2-connected) network.

Oops.. wrong too...
its network operates independently from L2 or L3 forwarding configuration.
https://wiki.mikrotik.com/wiki/Manual:Tools/RoMON

ROMON only works in a local (or at least L2-connected) network.

Oops.. wrong too...
its network operates independently from L2 or L3 forwarding configuration.
https://wiki.mikrotik.com/wiki/Manual:Tools/RoMON

@zacharias, do yourself (and everybody else) a favour and quote the whole sentence including the previous one:

RoMON works by establishing independent MAC layer peer discovery and data forwarding network. RoMON packets are encapsulated with EtherType 0x88bf and dst-MAC 01:80:c2:00:88:bf and its network operates independently from L2 or L3 forwarding configuration.

So how does it work in routed (L3) environment?

The same thought process applies to the first claim by @pe1chl you dismissed so easily: if an user has a few routers in different places (that's the only case when different <sn>.sn.mynetname.net would point to different addresses), it's routed network again.

Your suggestion works in one case only: when there are a few RBs in same physical L2 network and admin wants to access them, then it's enough to make one of them accessible and the rest can be accessed via RoMon. And, technically, in this case RoMon is not working over internet, it's working between RBs ... it's winbox protocol working over internet.

I like the DynDNS feature of Mikrotik. Specially, that it allows the 1 minute refresh interval time.
However, I have some installations behind other routers and I would love to be able to reach my Mikrotiks without having to do NAT forwards on other firewalls to reach it.

A- Is there anything built in or available out there that allows me easy access to my Mikrotik no matter where in a network diagram I put it as long as it has internet?
B- If not a built in feature, maybe someone has built an easy system I can copy? (currently I use an OpenVPN tunnel but it's a bit messy because the OpenVPN server can break one day).

A) https://www.cloutik.com/pricing/
B) https://www.cloutik.com/pricing/

I think that might an option. Price is not very crazy at 55 euro / year for up to 10 devices.

Wrong! It works perfect...!

Either you have not understood my remark or you have not understood ROMON.

Price is not very crazy at 55 euro / year for up to 10 devices.

Of course you can host a CHR at any cheap hoster for like 3 euro/month (36 euro/year) and use it as a VPN server for this kind of thing, without limit on the number of connected clients.
Unlicensed CHR will have 1Mbps, likely sufficient for this usage, and otherwise you can one-time invest in a CHR license and get the full speed.

@mkx,
First you say:

technically, in this case RoMon is not working over internet

Then:

it's winbox protocol working over internet.

How exactly do you connect to a Romon agent ? Is VPN needed ? No
Physical connection through a cable needed? No
Possible over Internet ? Yes
I never said its an internet protocol or anything...
Nothing more to add from my side...
The OP asks for an easy way to access his devices without port forward or antything and so i suggested him an easy solution in case the devices he wants to access are Mikrotiks...
You argue because you just want to argue...
Hope the OP finds a solution....

Either you have not understood my remark or you have not understood ROMON.

You said ROMON is not accessible through internet, not me (you can read your post again).. all the rest are just your theory, i never said its an internet protocol...

How exactly do you connect to a Romon agent ? Is VPN needed ? No
Physical connection through a cable needed? No
Possible over Internet ? Yes
I never said its an internet protocol or anything...
Nothing more to add from my side...
The OP asks for an easy way to access his devices without port forward or antything and so i suggested him an easy solution in case the devices he wants to access are Mikrotiks...
You argue because you just want to argue...
Hope the OP finds a solution....

I hope so too, but your remarks are not helpful because the solution you propose does NOTHING to bring him closer to a solution.
The solution mkx and I propose however, does bring him a solution.

...(you can read your post again)..

So why don't you read OPs first post again ... very carefully. Don't immediately jump into conclusions as you like to do very much, but read it quite literally (have faith in OP that he chose words well). Then think about possible solutions. And read the post again. And reconsider the solutions. And if you still think RoMon is solution, reread the initial OPs post again. And again. Specially second paragraph. Pay special attention to the singular vs. plural forms of nouns. All of them. And consider all implications of how they were used by OP.

Because, after all, we're not discussing merrits of RoMon, we're trying to find best solution to the problem described by OP. Exactly as described, without implying things OP did not write. If OP finds proposed solutions unfit, he might reword problem description and we'll go another round ... then.

I can not keep on arguing with people that do not even know that they can access a Romon Agent through the Internet ( yes you dont, all your posts showing that are above), i just loose my time...
Also, i can not discuss with people who answer behalf of the OP(really ? ) and by them selves show their suggestion as the Optimal, although i never said that their suggestion was bad or that mine was perfect.. i simply said my opinion, the OP does not include many details anyways... Ofcorse i would change my suggestion if needeed...
You are the best...

RoMon works very good on a routed / L3 network, not wise the expose to Internet for obvious reasons

not wise the expose to Internet for obvious reasons

I agree on that... although techniques like port knocking can be applied... Romon was just a thought...

RoMon works very good on a routed / L3 network, not wise the expose to Internet for obvious reasons

IT DOESN'T!!!

You can access a RoMon AGENT via the L3, but RoMon ITSELF does not work over routed networks.
And a RoMon AGENT is not a solution to access a router that is behind NAT (another router) from the internet.

And then there additionally is the issue that you would not want to expose a RoMon agent to internet, yes.
All in all it is a totally unusable solution for the problem at hand. RoMon is nice in a closed L2 network where you
fear that you lock yourself out due to mistakes in routing configuration. It is not useful to administer a bunch
of separate internet-connected routers.

Let me add,

RoMon itself does not work over L3, BUT, if all devices are Mikrotik and running RoMon, you can access all devices over a L3 network via the RoMon agent.

If configured as per above, it will create a RoMon network, similar to what OSPF does for L3 routing

So if all OPs devices were Mikrotik, RoMon would have been a solution (Without the need for VPN - Not suggested though)

You apparently read

I have some installations behind other routers and I would love to be able to reach my Mikrotiks without having to do NAT forwards on other firewalls to reach it.

in a different way than I do.
Not useful to continue discussion then.

I would assume I read it exactly the way you did. BUT:

Nowhere did anyone say RoMon IS the solution, it is an OPTION. Maybe you know the OP personally and know what is within his power, but I suspect @Zacharias don't, and I definitely don't.

So if this is so important to the OP, and it is within his power to change all devices to Mikrotik, he has the option / info and can decide for himself.

Nowhere did anyone say RoMon IS the solution, it is an OPTION.

It isn't!

Nowhere did anyone say RoMon IS the solution, it is an OPTION.

It isn't!

You make it so funny... i just laugh...
Its so rude from your side to keep trying to stop people from saying their opinion, totally rude... Also its rude when you answer behalf of the OP and you decide for him.. what can i say... am out of this post..
Also i agree with @CZFan...
Have all a nice day...

It looks like both of you are too dumb to understand that any usage of RoMon is not an option to solve the OP's problem of managing a router that is on a remote network behind another router doing NAT.
I did not imagine that people could get that dumb, but apparently it is possible! Oh well...

And remember, it is not an opinion, it is just a description of the facts.

Be nice!

RoMON could be an option if there were MikroTik routers under OP's control everywhere. This works:

[client]---internet---[router A]---lan1---[router B]---lan2---[router C]

If all routers have RouterOS with enabled RoMON, client can connect over internet to router A (which has public address) and then inside LAN using RoMON to router B or C.

But OP is IMHO very clearly looking for some "cloud" solution that would work even when routers A or B are not using RouterOS.

It looks like both of you are too dumb to understand that any usage of RoMon is not an option to solve the OP's problem of managing a router that is on a remote network behind another router doing NAT.
I did not imagine that people could get that dumb, but apparently it is possible! Oh well...

And remember, it is not an opinion, it is just a description of the facts.

This is uncalled for, no one attacked you personally, why do to others?

Be an adult, take it on the chin, admit you were wrong and move on...

I see no reason to "admit I am wrong". Everything I have written here is correct. End of discussion.

I hope no one replies him back... He will just keep on being offensive and rude... I have already reported his post where he verbally attacks me...

I see no reason to "admit I am wrong". Everything I have written here is correct. End of discussion.

So enlighten us why you say it will not work? Then we can also learn something not be so dumb

I hope no one replies him back... He will just keep on being offensive and rude... I have already reported his post where he verbally attacks me...

To be honest, I don't give a flying F^&%%$ what he thinks, posts etc

You know, it's still possible to go with misunderstanding, everyone assuming a slightly different thing and buildind up on that, ... no need to declare war.

I see no reason to "admit I am wrong". Everything I have written here is correct. End of discussion.

So enlighten us why you say it will not work? Then we can also learn something not be so dumb

Because RoMon itself will only work over L2 links and the RoMon agent will only work when there is incoming IP connectivity to at least one router that is connected to others over L2 links.
The IP said: I have some installations behind other routers and I would love to be able to reach my Mikrotiks without having to do NAT forwards on other firewalls to reach it.
So there is no possible solution using RoMon and other techniques that require incoming connections!
The only possibility (which he already wrote himself and which I also detailed in reply #6 and 2nd part of #10 in this topic) is a solution that makes OUTgoing connections from the routers to be managed.
In RouterOS (which does not have configuration via cloud as some products have today) this means: use a VPN.