Changing winbox port on router

idelac3 · March 13, 2009, 9:47am

Hi,

I’d like to change default port 8291 to something else on my router. Is it possible?

If not, should I block access with:

 /ip firewall filter add chain=input protocol=tcp dst-port=8219 action=drop

Then redirect incoming traffic from port 8291 to desired port (eg. 5001):

 /ip firewall nat add chain=dstnat dst-port=8219 to-ports=5001 action=redirect

Would it work? How can I specify port (in this example 5001) in winbox when I want to connect to my router?

Igor

msundman · March 13, 2009, 9:51am

/ip service set winbox port=5001

msundman · March 13, 2009, 9:52am

Use X.X.X.X:5001 when connecting.

idelac3 · March 13, 2009, 10:03am

Thanks. But I use v.2.9 and I think I don’t have winbox under /ip service:

[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
  #   NAME                                 PORT  ADDRESS            CERTIFICATE
  0   telnet                               23    0.0.0.0/0
  1   ftp                                  21    0.0.0.0/0
  2   www                                  8081  10.10.10.0/24
  3   ssh                                  22    0.0.0.0/0
  4   www-ssl	                           443   0.0.0.0/0          none
[admin@MikroTik] ip service>

msundman · March 13, 2009, 10:16am

Ahh, that makes it harder

Unfortunally you can’t just DSTNAT 5001 to 8291 and then DROP traffic to 8291, as the DSTNATing will be done before going trough the input filter list, so it will filter your nat:ed traffic as well.

An ugly workaround is to DSTNAT 8219 to anunused port like:

[admin@R1] /ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-ports=8291 protocol=tcp dst-port=5001
1 chain=dstnat action=dst-nat to-ports=1234 protocol=tcp dst-port=8291

With those two rules, I’m only able to connect with winbox using port 5001.

idelac3 · March 13, 2009, 11:04am

Thanks for reply. I found error in my first post. I mixed dst-port with to-ports and also forgot in-interface in my first post.

Redirect should be done in this way:

/ip firewall nat add chain=dstnat in-interface=public dst-port=5001 to-ports=8219 action=redirect

That rule means: whatever comes to tcp port 5001 should be redirected to port 8219. Right?

Dstnat’ing would be done before filter input list, so traffic redirected from port 5001 to 8219 would be droped. Maybe I need additional rule in /ip firewall filter:

/ip firewall filter add chain=input protocol=tcp src-port=5001 action=accept

msundman · March 13, 2009, 11:55am

idelac3:

Dstnat’ing would be done before filter input list, so traffic redirected from port 5001 to 8219 would be droped. Maybe I need additional rule in /ip firewall filter:
/ip firewall filter add chain=input protocol=tcp src-port=5001 action=accept

That won’t work. scr-port is not the original dst-port before NAT:ing, it’s the src-port that was originally used by the winbox application, so you can’t use it to differentiate between traffic going to 8291 or 5001 from the beginning.

I don’t know the diffrence between action. redirect and dstnat. Dstnat works atleast.

idelac3 · March 13, 2009, 12:23pm

Thanks. I guess I’d have to use your ugly workaround you suggested in previous post.