Can't connect WinBox 4beta21 on Linux when ufw is enabled

Ubuntu 25.04
UFW version 0.36.2

If ufw is enabled, when I attempt to connect to my router via its MAC address I get an error message: ERR: could not connect, MacConnection syn timeout. IP address connections work. If I disable ufw it works just fine. There has to be something in the firewall blocking the connection but I don’t know how the MAC address connections work so I don’t know where to look. Any hints would be appreciated.

knute@knute-XPS-8700:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW       192.168.1.0/24
Anywhere                   ALLOW       172.0.0.0/8/udp
Anywhere (v6)              ALLOW       2645:49c8:1239:af10::/64
Anywhere (v6)              ALLOW       fda0:237c:629c:102::/64

knute@knute-XPS-8700:~$ sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  anywhere             anywhere
ufw-before-input  all  --  anywhere             anywhere
ufw-after-input  all  --  anywhere             anywhere
ufw-after-logging-input  all  --  anywhere             anywhere
ufw-reject-input  all  --  anywhere             anywhere
ufw-track-input  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-forward  all  --  anywhere             anywhere
ufw-before-forward  all  --  anywhere             anywhere
ufw-after-forward  all  --  anywhere             anywhere
ufw-after-logging-forward  all  --  anywhere             anywhere
ufw-reject-forward  all  --  anywhere             anywhere
ufw-track-forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  anywhere             anywhere
ufw-before-output  all  --  anywhere             anywhere
ufw-after-output  all  --  anywhere             anywhere
ufw-after-logging-output  all  --  anywhere             anywhere
ufw-reject-output  all  --  anywhere             anywhere
ufw-track-output  all  --  anywhere             anywhere

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
ACCEPT     udp  --  anywhere             239.255.255.250      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-track-forward (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     udp  --  172-0-0-0.lightspeed.brhmal.sbcglobal.net/8  anywhere

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

It’s simply a matter of taking a look at a packet capture in Wireshark, for example, and figuring out what’s coming in but getting dropped and why.

When accessing via MAC address, the MikroTik devices use IP 0.0.0.0, which doesn’t match any expected traffic and gets blocked by the firewall.

Since I wanted the most restrictive rule possible, I ended up creating one that allows incoming traffic on my Ethernet interface (enp2s0) with source IP 0.0.0.0/32 and source port 20561. That allowed me to access MikroTik devices via MAC address.


$ sudo ufw allow in on enp2s0 proto udp from 0.0.0.0/32 port 20561 to any

While you’re at it, make sure you accept the MNDP broadcasts too.


$ sudo ufw allow 5678/udp
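The answer above works out "what is getting dropped and why" from a capture; the same check can be made from the `[UFW BLOCK]` lines that the ufw-after-logging-input chain in the question already emits. The script below is an added example, not code from the thread or from MikroTik: it parses the netfilter LOG key=value format on constructed sample lines, flags drops that match the 0.0.0.0 / UDP 20561 MAC-connection signature or the MNDP port, and derives the narrowly scoped ufw rule from the answer for each. The interface name and MAC/IP values in the sample are made up.

```python
import re

# Constructed sample lines in the kernel netfilter LOG format ufw writes;
# the MAC addresses, IPs and interface name are made up for this example.
SAMPLE_LOG = """\
kernel: [UFW BLOCK] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=20561 DPT=20561 LEN=30
kernel: [UFW BLOCK] IN=enp2s0 OUT= MAC=01:00:5e:00:00:fb:00:11:22:33:44:55:08:00 SRC=192.0.2.9 DST=224.0.0.251 LEN=80 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=60
kernel: [UFW BLOCK] IN=enp2s0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.0.2.1 DST=255.255.255.255 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5678 DPT=5678 LEN=50
"""

MAC_WINBOX_PORT = 20561   # source port of MAC-address WinBox traffic (from the thread)
MNDP_PORT = 5678          # MikroTik Neighbor Discovery broadcasts (from the thread)

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_ufw_block(line):
    """Return the KEY=VALUE fields of a '[UFW BLOCK]' log line, or None for other lines."""
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    fields = {}
    for key, value in FIELD_RE.findall(body):
        fields.setdefault(key, value)  # keep the IP-header LEN, not the later UDP LEN
    return fields


def classify(fields):
    """Label a dropped packet with the cause the thread identifies, or 'other'."""
    if fields.get("PROTO") != "UDP":
        return "other"
    if fields.get("SRC") == "0.0.0.0" and fields.get("SPT") == str(MAC_WINBOX_PORT):
        return "mac-winbox"          # MikroTik MAC connection: source IP 0.0.0.0, sport 20561
    if fields.get("DPT") == str(MNDP_PORT):
        return "mndp"                # neighbour discovery broadcast
    return "other"


def suggested_rule(fields):
    """Map a classified drop to the narrowly scoped ufw rule from the answer."""
    label = classify(fields)
    if label == "mac-winbox":
        return (f"ufw allow in on {fields.get('IN', '')} proto udp "
                f"from 0.0.0.0/32 port {MAC_WINBOX_PORT} to any")
    if label == "mndp":
        return f"ufw allow {MNDP_PORT}/udp"
    return None


def analyse(log_text):
    """Return (label, suggested rule) for every [UFW BLOCK] line in the text."""
    parsed = [parse_ufw_block(l) for l in log_text.splitlines()]
    return [(classify(f), suggested_rule(f)) for f in parsed if f]
```

Feed it `journalctl -k` output on the affected host to see whether the drops match the MAC-connection signature before widening any rule.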

That works like a charm. Thanks!