Wednesday, 16 March 2016

Mikrotik Port knocking

When we set up routers or firewalls and open management ports to the internet, we allow only trusted IPs to access these ports. This is done by creating a “safe” address list containing the IPs considered safe, and configuring the firewall rules to accept connections on the port only from the IPs in that list.
Sometimes you need to connect to these ports from an IP that is not in the safe list. In this scenario, the firewall drops your requests and you cannot access the router.

This is where port knocking comes in handy.
Port knocking is usually used to add a source address to an address list, which is then used to allow access to specific services. For example, you can set up the firewall to open TCP port 22 (SSH) if you first connect to port 10000 and then, within the next 30 seconds, connect to port 9000.

First we configure the first knocking port. IP addresses attempting to connect to this port, TCP 10000, are placed in an intermediate address list named “knock” for 30 seconds. You need to knock on the second port within 30 seconds, or the address list entry will expire.

/ip firewall filter
add action=add-src-to-address-list address-list=knock address-list-timeout=\
    30s chain=input comment=FirstKnockingPort dst-port=10000 protocol=tcp

Another filter rule checks whether the IPs attempting to connect to the second knocking port, TCP 9000, are in the “knock” address list. If they are, the source IP is placed in the “safe” list for 30 minutes.

add action=add-src-to-address-list address-list=safe address-list-timeout=30m \
    chain=input comment=SecondKnockingPort dst-port=9000 protocol=tcp \
    src-address-list=knock

When you knock on those two ports, an entry with a 30-minute timeout is created in the “safe” address list under the firewall (adjust the timeout in the second rule if you need longer access).

Now we use that address list to allow access to SSH. First enable SSH access under IP/Services, then create this rule in the firewall:

add action=drop chain=input dst-port=22 protocol=tcp src-address-list=!safe

NOTE: The rules are automagically created at the very bottom, below the default drop rule, so you need to drag them up to the appropriate position in the firewall. I put them all the way at the top in my case.

But how do we knock, you say?

That’s easy.

You just open your browser and put this in the address bar (in our example the external IP of the router is

Then open  in 30 sec or less

That will create the safe address list.

Or you can use a tool like this that Greg Sowell made:


EXTREMELY IMPORTANT NOTE: Always make the first knocking port HIGHER than the second one. If you don’t, every port scanner will be able to create this list, since they scan ports incrementally.
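The ordering rule above can be checked with a small model of the three firewall rules. This is an added example, not part of the original post: the class and function names are hypothetical, the source addresses are documentation addresses, and the sweep timing (one port per millisecond) is constructed.

```python
# Simplified model of the knock/safe address lists described in this post.
# All names and timings here are assumptions made for the illustration.
KNOCK_TTL = 30        # seconds: address-list-timeout of the "knock" list
SAFE_TTL = 30 * 60    # seconds: address-list-timeout of the "safe" list


class KnockFirewall:
    def __init__(self, first_port, second_port):
        self.first_port = first_port
        self.second_port = second_port
        self.knock = {}  # source IP -> expiry time of its "knock" entry
        self.safe = {}   # source IP -> expiry time of its "safe" entry

    def packet(self, src, dst_port, now):
        """Apply the two add-src-to-address-list rules to one TCP attempt."""
        if dst_port == self.first_port:
            self.knock[src] = now + KNOCK_TTL
        elif dst_port == self.second_port and self.knock.get(src, 0) > now:
            self.safe[src] = now + SAFE_TTL

    def ssh_allowed(self, src, now):
        """Third rule: port 22 is dropped unless the source is in "safe"."""
        return self.safe.get(src, 0) > now


def ascending_sweep(fw, src, ports, start=0.0, interval=0.001):
    """Replay a low-to-high port sweep; return True if src ends up in "safe"."""
    now = start
    for port in ports:
        fw.packet(src, port, now)
        now += interval
    return fw.ssh_allowed(src, now)


def deliberate_knock(fw, src, gap):
    """Knock the first port, wait `gap` seconds, then knock the second port."""
    fw.packet(src, fw.first_port, 0.0)
    fw.packet(src, fw.second_port, gap)
    return fw.ssh_allowed(src, gap + 1)


if __name__ == "__main__":
    sweep = range(1, 65536)
    src = "198.51.100.7"  # constructed documentation address
    print("first=10000 second=9000:", ascending_sweep(KnockFirewall(10000, 9000), src, sweep))
    print("first=9000 second=10000:", ascending_sweep(KnockFirewall(9000, 10000), src, sweep))
```

With the ports from this post (10000 then 9000) the ascending sweep never reaches the safe list, while the reversed order lets the same sweep open SSH for 30 minutes.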

 May the force be with you all :)