Access to service after logon

Hi all
I’m trying to grant access to the RDP port only after the remote user makes a successful logon. So I need a web panel (or something like it) in which the remote user can provide his credentials, and only after that should the user be able to access the terminal server from the IP used for this connection, until a specific timeout.
Does anyone have an idea of how this goal can be reached?
I can make this with a watchguard firewall.
thank you

This isn’t something supported by MikroTik. A good solution would be setting up a VPN service and requiring a VPN connection first.

I think you should consider using port knocking for what you want.

Basically, the way port knocking works is as follows:
rule 1: match some random dst port (e.g. udp dst 12345) - action is to add src-IP to an address-list (Knock1) with timeout=10s or something short
rule 2: match some other random dst port (e.g. udp dst 56789) + src-IP is in list Knock1 → action=add src IP to list Knock2 with timeout 10s
rule 3: match some other random dst port (e.g. udp dst 2468) + src-IP is in list Knock2 → action=add src IP to list Knock3 with timeout 10s

use as many of these as you want for your “combination lock” behavior.
The last rule should add the src IP to a list like “KnockSuccess” with a timeout of something like 1 minute.

Assuming that your first or second rule accepts packets for established,related connections (to allow the service to keep working once the KnockSuccess entry times out), your protected ports would be built like this:
chain=forward protocol=tcp dst-port=3389 src-address-list=KnockSuccess action=accept
chain=input protocol=tcp dst-port=22,8291,80,443 src-address-list=KnockSuccess action=accept
etc…
(place these after the knock rules but before the default DROP rules)

Then you need a port knock application on your device. Configure it to send the packets in the sequence you specified above. Then send the knock, and for the next 60 seconds, you’ll be able to connect to any service that has the src-address-list=KnockSuccess criteria on it. Once established, the connections will remain open, but if you get disconnected, you’ll have to knock again before being able to connect.
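The sequence described above written out as a complete RouterOS firewall fragment. This is an added example, not the poster's configuration: the knock ports (12345, 56789, 2468), the list names and the protected ports are taken from the post, while the comments, the placement of the established/related accept rules at the top, and the explicit drop rules at the bottom are my own assumptions about how the surrounding ruleset looks.

```routeros
# Added example: three-stage UDP port knock on RouterOS (not the thread's own config)
/ip firewall filter
# Keep sessions alive after KnockSuccess expires (assumed to sit at the top of the chains)
add chain=input   connection-state=established,related action=accept comment="keep existing sessions"
add chain=forward connection-state=established,related action=accept comment="keep existing sessions"
# Stage 1: any source hitting udp/12345 is tagged Knock1 for 10 seconds
add chain=input protocol=udp dst-port=12345 \
    action=add-src-to-address-list address-list=Knock1 address-list-timeout=10s \
    comment="knock stage 1"
# Stage 2: udp/56789 only counts if the source is already in Knock1
add chain=input protocol=udp dst-port=56789 src-address-list=Knock1 \
    action=add-src-to-address-list address-list=Knock2 address-list-timeout=10s \
    comment="knock stage 2"
# Stage 3: udp/2468 from a Knock2 source opens the lock for one minute
add chain=input protocol=udp dst-port=2468 src-address-list=Knock2 \
    action=add-src-to-address-list address-list=KnockSuccess address-list-timeout=1m \
    comment="knock stage 3"
# Protected services: only sources that completed the knock may connect
add chain=forward protocol=tcp dst-port=3389 src-address-list=KnockSuccess action=accept \
    comment="RDP to terminal server after knock"
add chain=input protocol=tcp dst-port=22,8291,80,443 src-address-list=KnockSuccess action=accept \
    comment="router management after knock"
# Everything else to those ports is dropped (assumed default DROP rules, placed last)
add chain=forward protocol=tcp dst-port=3389 action=drop comment="default drop RDP"
add chain=input protocol=tcp dst-port=22,8291,80,443 action=drop comment="default drop mgmt"
# To watch the lists fill and expire while testing:
/ip firewall address-list print where list~"Knock"
```

The ordering matters: each stage matches on the previous stage's list, so hitting the ports out of order (or too slowly for the 10 second windows) never populates KnockSuccess, and the knock rules must come before the drop rules or the knock packets are discarded before they are counted. The `print` line is only there to confirm that entries appear with a countdown and vanish when it reaches zero, which is the behaviour the later posts in this thread are testing.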

This is great, and I love port knocking… except the current RouterOS broke the timeout for address-list items.
Right now, when they expire, they just sit there at 00:00:00 and are never removed.

Whoops.

BTW - do you have a recommended Windows portknock client that…

a) doesn’t require stupid cygwin to run
b) runs in a GUI w/o being some crappy hack-together with java or other runtimes?

bonus attributes:
offers password requirement to run saved knocks
supports crypto knocking as well as simply sending a sequence of packets

I do not. I run Mac :)
But I will look into it. I haven’t yet because of the timeout issue.

VPN or roll your own web-site leveraging the MikroTik API to toggle the allow. Alternatively, wouldn’t a Windows RemoteApp environment leveraging Windows Remote Desktop Web Access essentially do this for you in a more “standard” or “enterprise” fashion?

What version does that? I use port knocks quite a bit and had not seen that I was able to get in when I shouldn’t. So I just tried it on both my routers, and it worked as I would expect. In each case I connected to the router using WinBox and added an entry to an address list with a one-minute timeout. I watched it count down, and after it hit zero, it disappeared in a couple of seconds. The two routers and versions are:
RB750r2 version 6.38.5
RB750Gr3 version 6.39.2

What I do is low tech. I just have a series of bookmarks in a web browser. They are a little bit hidden, and the names are cryptic enough that unless someone knew what to look for, it’s unlikely that they would find them.

Maybe it’s an issue with many dynamic entries. I will do more testing.

I just remoted into my work computer and went through my port knock procedure while watching the router that I was testing with using WinBox. Each step created the correct address list entry, and they then timed out and disappeared as expected.

Can you manually add a dynamic entry and see what happens?
/ip firewall address-list add address=1.1.1.1 list=zzTest timeout=00:00:15

I’ve been doing my testing using WinBox, but I did this as a command line, and it still worked as expected.