Wednesday, 16 March 2016

Mikrotik Port knocking

When we set up routers or firewalls and open management ports to the internet, we allow only trusted, safe IPs to reach those ports. This is done simply by creating a "safe" address list containing the IPs we consider trusted, and configuring the firewall rules to accept connections on the port only from the IPs in that list.
Sometimes you need to connect to those ports while you are not coming from any of the IPs in the safe list. In that scenario the firewall drops your requests and you cannot access the router.

This is where port knocking comes in handy.
Port knocking is usually used to add a source address to an address list and then use that address list to grant access to specific services. For example, you can set up the firewall to open TCP port 22 (SSH) only if you first connect to port 10000 and then, within the next 30 seconds, connect to port 9000.

First we configure the first knocking port. IP addresses attempting to connect to this port, TCP 10000, are placed in an intermediate address list named "knock" for 30 seconds. You need to knock on the second port within 30 seconds, or the entry in the address list disappears.

/ip firewall filter
add action=add-src-to-address-list address-list=knock address-list-timeout=\
30s chain=input comment=FirstKnockingPort dst-port=10000 protocol=tcp

Another filter rule checks whether the IPs attempting to connect to the second knocking port, TCP 9000, are already in the "knock" address list. If they are, the source IP is placed in the "safe" list for 30 minutes.

add action=add-src-to-address-list address-list=safe address-list-timeout=30m \
chain=input comment=SecondKnockingPort dst-port=9000 protocol=tcp \
src-address-list=knock

When you knock on those two ports, an address list entry with a 30 minute timeout is created under the firewall (adjust the timeout in the second rule if you need longer access).

Now we use that address list to allow access to SSH. For that you first need to enable SSH access under IP/Services and then create this rule in the firewall:

add action=drop chain=input dst-port=22 protocol=tcp src-address-list=!safe

NOTE: The rules will be automagically created at the very bottom, under the default drop rule, so you need to drag them up in the firewall to the appropriate position. In my case I put them all the way to the top.

But how do we knock you say.

That’s easy.

You just open your browser and put this in the address bar (in our example the external IP of the router is

Then open  in 30 sec or less

That will create the safe address list.

Or you can use a tool like this that Greg Sowell made:


EXTREMELY IMPORTANT NOTE: Always make the first knocking port HIGHER than the second one. If you don’t, every port scanner will be able to create this list, because scanners walk through ports incrementally.
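To see why the order of the two ports matters, here is a small Python model of the knocking rules above. It is an added example, not code from the original post or from MikroTik: it replays knock sequences from one host against the "knock" and "safe" address lists with their timeouts and reports whether SSH would be accepted afterwards. The 203.0.113.10 source address and the scan rate are constructed for the example.

```python
# Constructed model of the post's two knocking rules plus the SSH drop rule.
# Timeouts mirror the post: 30 s for the "knock" list, 30 min for "safe".
KNOCK_TIMEOUT = 30
SAFE_TIMEOUT = 30 * 60


class KnockFirewall:
    """Simulates the dynamic address lists RouterOS keeps for the rules."""

    def __init__(self, first_port=10000, second_port=9000):
        self.first_port = first_port
        self.second_port = second_port
        self.lists = {"knock": {}, "safe": {}}  # list -> {src ip: expiry}

    def _member(self, name, ip, now):
        expiry = self.lists[name].get(ip)
        if expiry is None or expiry <= now:  # absent or timed out
            self.lists[name].pop(ip, None)
            return False
        return True

    def packet(self, src, dst_port, now):
        """Run one TCP SYN through the input chain; returns the verdict."""
        if dst_port == self.first_port:
            self.lists["knock"][src] = now + KNOCK_TIMEOUT
        elif dst_port == self.second_port and self._member("knock", src, now):
            self.lists["safe"][src] = now + SAFE_TIMEOUT
        elif dst_port == 22:
            return "accept" if self._member("safe", src, now) else "drop"
        return "drop"  # anything else hits the default drop at the bottom


def ssh_allowed_after(sequence, first_port=10000, second_port=9000):
    """Replay (dst_port, time) knocks from one host, then try SSH a second later."""
    fw = KnockFirewall(first_port, second_port)
    src, last = "203.0.113.10", 0  # constructed sample address (TEST-NET-3)
    for port, t in sequence:
        fw.packet(src, port, t)
        last = max(last, t)
    return fw.packet(src, 22, last + 1) == "accept"


def incremental_scan(low, high, ports_per_second=1000):
    """A scanner walking ports low..high in order, as the post's warning describes."""
    return [(p, i / ports_per_second) for i, p in enumerate(range(low, high + 1))]


if __name__ == "__main__":
    print("proper knock:", ssh_allowed_after([(10000, 0), (9000, 5)]))
    print("knock too late:", ssh_allowed_after([(10000, 0), (9000, 31)]))
    print("scan, higher port first:", ssh_allowed_after(incremental_scan(9000, 10000)))
    print("scan, lower port first:", ssh_allowed_after(incremental_scan(9000, 10000), 9000, 10000))
```

With the post's configuration (first port 10000, second port 9000) a low-to-high scan hits 9000 before any "knock" entry exists, so it never lands in "safe"; with the ports swapped the same scan opens SSH.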

May the force be with you all :)


Friday, 04 March 2016

Mikrotik basic firewall configuration script

In this post I would like to share my standard basic firewall configuration. These rules are good for home use and a baseline for building your own custom configuration.

What will this firewall do:

- It will allow traffic from the internal network to the outside and back in for established and related connections.
- Allow SSH and WinBox access to the router only from the internal network.
- It will drop invalid connections coming to the WAN port.
- It will allow DNS remote requests to the router only from the internal network.
- It will detect port scanners on your WAN interface and put them on a list for 2 weeks, blocking traffic from their IP coming to your WAN interface.
- Block PING to the router except from the internal network.
- And finally drop all other input and forward chain traffic.

The configuration in this TXT will first rename the ether1 interface to WAN and create an address list named "Internal network" that is used throughout the configuration. If you decide not to rename your WAN interface, you must adjust the rules accordingly. I use the default subnet, so if yours is different, adjust the rules.

You can get the rules at this link: Firewall config TXT

If you are new to Mikrotik, I suggest making the default configuration through QuickSet, then wiping all the rules in the firewall and pasting my configuration into the terminal.

NOTE: The block DNS remote requests rule is there because the Mikrotik default configuration allows DNS remote requests on the input chain, meaning you are open to DNS amplification attacks and some hacker can use your router to relay his dastardly deeds.

May the force be with you all :)