I’m a new user in this forum and with Mikrotik products, an RB2011UiAS with 6.32.1 OS installed.
I would like to power on my server from the WAN using an Android app.
With the server powered off, the Ethernet port is enabled for WOL correctly because I see it when doing an IP scan from the Mikrotik.
I simply forwarded the external port (example 5550) to the internal address (XXX.XXX.XXX.XXX) on port 9, but I don’t see any packets coming in on the firewall NAT rule; the counter is always 0.
I’ve used another router to test my configuration (mobile phones etc.) and it works, so I think I’m not setting up the Mikrotik firewall correctly. Please can someone give me some help?
If you are trying to use standard “Magic packet” WOL this will never work. WOL is strictly layer 2. It won’t be routable since it’s only addressed to the broadcast address.
Also, since it’s a layer 2 affair the magic packet doesn’t even need to use a port. UDP is only used for programmer convenience and which port (if any) is used is at the discretion of whoever wrote the WOL client software.
One way to make this work would be to use a subnet directed broadcast which, to my knowledge, Mikrotik does not support. This is probably for the best, as enabling SDB is a major security risk.
The SAFE way to do it would be to use a VPN to become a member of the local LAN, and send your WOL packets that way.
Or you could set up an SSH client to remote into the router and run the built-in WOL tool on the router. You could probably automate this using something like JuiceSSH.
Actually it is possible and I have done it with a simple router myself. But in order for it to work you need to set up a static ARP entry for the IP that you redirect to.
Also new here like caprupa, and I also want to WOL from the WAN via RouterOS.
What lordkappa says is theoretically true - WOL is Layer II based, but… it is possible to pass a WOL packet through Layer III using static ARP, as CyberTod says.
I’ve already done it on DD-WRT firmware using this method and I can confirm it works: http://www.dd-wrt.com/wiki/index.php/WOL#Remote_Wake_On_LAN_via_Port_Forwarding
WOL packets can also be sent as directed UDP packets, since only their data content is evaluated by the target NIC, which scans for the following content: 6 bytes of 0xFF followed by 16 repetitions of the target MAC (102 bytes).
The length can be more than that and the sequence doesn’t need to start at the beginning of the packet.
Sure, but unfortunately directed broadcast (forwarding traffic to the broadcast address of a remote subnet in a routed network) does not work on MikroTik routers. They say “because of security” but IMHO there should be an option to enable this for trusted networks.
But that sucks! The standard way of doing this (in other manufacturers’ equipment) is to send a packet to the last address in the subnet, and the router or routing switch will automatically send it with the broadcast MAC. Of course you often have to use a config command like “ip directed-broadcast” to enable it.
The NIC actually doesn’t care about the MAC; it evaluates only the packet content.
So it just has to reach the physical interface, and for this it has to use an Ethernet broadcast or multicast MAC address to trick the switch into sending it on all interfaces, since the real MAC cannot be obtained via ARP or other methods, the NIC being in a receive-only state…
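The payload format described two posts up (6 bytes of 0xFF followed by 16 copies of the target MAC, at any offset) and the point that the NIC inspects only the content can be checked with the small builder/detector below. This is an added example, not code from the thread or from MikroTik; the function names and the constructed sample payloads are my own.

```python
"""Build and recognise Wake-on-LAN magic packets (added example, not from the thread)."""
import re
import socket
from typing import Optional

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff.
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})[:-]?" + r"([0-9A-Fa-f]{2})[:-]?" * 4 + r"([0-9A-Fa-f]{2})$")
SYNC = b"\xff" * 6  # the 6-byte synchronisation stream that precedes the MAC copies


def parse_mac(mac: str) -> bytes:
    """Return the 6 raw bytes of a MAC address string, or raise ValueError."""
    m = _MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes(int(g, 16) for g in m.groups())


def build_magic_packet(mac: str) -> bytes:
    """6 x 0xFF followed by the MAC repeated 16 times: exactly 102 bytes."""
    return SYNC + parse_mac(mac) * 16


def find_magic_packet(payload: bytes) -> Optional[str]:
    """Return the MAC a payload would wake, or None if it holds no magic packet.

    Like the NIC, this scans the whole payload rather than only offset 0,
    so extra leading or trailing bytes do not matter.
    """
    start = 0
    while True:
        idx = payload.find(SYNC, start)
        if idx < 0:
            return None
        mac = payload[idx + 6:idx + 12]
        if len(mac) < 6:
            return None
        # A unicast NIC address never has the I/G (multicast) bit set, so a
        # candidate starting with an odd byte (e.g. a 7th 0xFF) is a false start.
        if not (mac[0] & 1) and payload[idx + 6:idx + 102] == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        start = idx + 1


def send_magic_packet(mac: str, host: str = "255.255.255.255", port: int = 9) -> int:
    """Send the packet as UDP (port 9 is the conventional discard port; any port works)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(build_magic_packet(mac), (host, port))
```

Pointing `send_magic_packet` at a unicast LAN address only reaches the sleeping host if the router has the static ARP entry the thread describes, since the NIC cannot answer ARP while powered down.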
I have a short script built that sends a WOL packet to a particular computer. If I need to activate the WOL, I SSH into the router and call up the script. The script also includes a log entry so I can tell if I (or someone else) activates the script.
Probably only when you test it like “computer is on, shut it down, try a WOL command, yes it wakes up”.
When you try it after an hour, it may be a different story.
(it might still work when the computer you try to wake up has “active management technology” or similar, and thus is always on the network, ready to be hacked)
I guess you could solve this by creating a script in the mikrotik that sends magic packet to the server.
Next you need a way to trigger the script. One way to do that is to create a firewall filter or mangle rule on a chosen port, and a scheduled task (running every minute or so) that checks the packet counter on this port - if it has counted X packets then it triggers the WOL script, then resets the counter.
The downside of this solution is that you will get some false wake-ups (portscanners?). You can reduce these false wake-ups by implementing some portscanner detection on your fw, and limit the access to this port to your mobile service providers public ip ranges.
You can improve this further by including packet size in the firewall rule.
Another way to trigger the script from wan: In winbox go to ppp → profile → (add) → scripts
Then, when your user logs in, the script is triggered that makes use of the built-in WOL tool. For security you may put logged-in users into a subnet not used for anything else, create a firewall rule to tarpit any tunnelled traffic and even force logout after a few seconds. That way you have basically created a way for user authentication to remotely run a script.