hAP ac2 - port knocking doesn't work (kind of)

Hi!
Purchased hAP ac2 yesterday and started to transfer all my settings from my old RB951G-2HnD. Now it's running the latest RouterOS 6.43.8 and all seems to work like before, all except the port knocking. I'm using the following rules:

add action=add-src-to-address-list address-list=knock1 address-list-timeout=15s chain=input dst-port=xxxx in-interface=pppoe-out1 log=yes log-prefix=knock1 protocol=tcp
add action=add-src-to-address-list address-list=knock2 address-list-timeout=15s chain=input dst-port=xxxx in-interface=pppoe-out1 log=yes log-prefix=knock2 protocol=tcp src-address-list=knock1
add action=add-src-to-address-list address-list=trusted address-list-timeout=20s chain=input dst-port=xxxx in-interface=pppoe-out1 log=yes log-prefix=trusted protocol=udp src-address-list=knock2
add action=accept chain=input comment="SSH with port knocking" dst-port=xxxx in-interface=pppoe-out1 protocol=tcp src-address-list=trusted

where “xxxx” are some port numbers.
Now, the problem: this configuration worked fine with the RB951G-2HnD, but not with the hAP ac2. When I try knocking, only the first knock is being registered according to the router log and the rest are not being detected/registered at all. The cause turned out to be the port protocol type: it doesn't work in every case when you knock twice with TCP selected as the protocol. No such problem with UDP.
Example:

knock1 - 8765 tcp
knock2 - 3425 udp
knock3 - 4444 tcp
Works!

knock1 - 8765 tcp
knock2 - 3425 udp
knock3 - 4444 udp
Works!

knock1 - 8765 tcp
knock2 - 3425 tcp
knock3 - 4444 udp
Doesn’t work!

knock1 - 8765 udp
knock2 - 3425 tcp
knock3 - 4444 tcp
Doesn’t work!

Can anyone tell me if this is a bug with this platform or am I missing something? As I said, this configuration was working on RB951G-2HnD.
Tried also to add some delay between the knocks at client level, but that had no effect.

Try to sleep a second between knocks.

As I said above, tried that already with delays between 1 and 3 seconds. No effect.

I just tried all your scenarios on a RB450Gx4 (which is also an ARM platform) running 6.43.8 and they all work.

But, FWIW, my knock rules are in reverse order from yours. Meaning it would make your configuration look like:

add action=accept chain=input comment="SSH with port knocking" dst-port=xxxx in-interface=pppoe-out1 protocol=tcp src-address-list=trusted
add action=add-src-to-address-list address-list=trusted address-list-timeout=20s chain=input dst-port=xxxx in-interface=pppoe-out1 log=yes log-prefix=trusted protocol=udp src-address-list=knock2
add action=add-src-to-address-list address-list=knock2 address-list-timeout=15s chain=input dst-port=xxxx in-interface=pppoe-out1 log=yes log-prefix=knock2 protocol=tcp src-address-list=knock1
add action=add-src-to-address-list address-list=knock1 address-list-timeout=15s chain=input dst-port=xxxx in-interface=pppoe-out1 log=yes log-prefix=knock1 protocol=tcp

Which is based on other examples I’ve seen. May be worth a try.

May I see your full rules list?

/ip firewall filter
add action=fasttrack-connection chain=forward comment="FastTrack (no-mark connections)" connection-mark=no-mark connection-state=established,related
add action=accept chain=forward comment="Accept Established / Related" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
add action=add-src-to-address-list address-list=portknock_allowed address-list-timeout=15m chain=input comment="Port Knocking" connection-state=new dst-port=xxxx in-interface=ether1-gateway \
    log-prefix=portknock_allowed protocol=tcp src-address-list=portknock_stage_2
add action=add-src-to-address-list address-list=portknock_stage_2 address-list-timeout=20s chain=input connection-state=new dst-port=xxxx in-interface=ether1-gateway protocol=tcp src-address-list=\
    portknock_stage_1
add action=add-src-to-address-list address-list=portknock_stage_1 address-list-timeout=20s chain=input connection-state=new dst-port=xxxx in-interface=ether1-gateway protocol=tcp
add action=accept chain=input comment="Accept Established / Related" connection-state=established,related,untracked
add action=drop chain=input comment="Drop Bogons - Source" in-interface=ether1-gateway log-prefix=bogon src-address-list=bogons
add action=drop chain=input comment="Drop Invalid" connection-state=invalid in-interface=ether1-gateway
add action=drop chain=input comment="Drop Everything Else" in-interface=ether1-gateway

I don't see the fourth rule, for accepting connections from the hosts located in the "trusted" list.
Do you get the three lists in the Address lists tab when you try to knock on the ports?

EDIT: Never mind, found the cause. This is what happens when you try to use one and the same port in both filter and NAT rules. I'm an idiot :)

Lol, don't be harsh on yourself, it happens to all of us.
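
As an added example that is not part of this thread (not the poster's code, not MikroTik's), the following Python model of the RouterOS packet path reproduces the symptom described above, only the first knock being logged, once a dst-nat rule claims one of the knock ports. It assumes the standard netfilter ordering (dst-nat in prerouting runs before the routing decision, so a packet whose destination was rewritten to a LAN host goes to the forward chain and never reaches the input chain), that add-src-to-address-list is a passthrough action while accept terminates rule processing, and a final drop at the end of the input chain like the "Drop Everything Else" rule posted earlier. The SSH port 22, the LAN host 192.168.88.10, the client addresses and the timestamps are constructed values; the knock ports are the ones from the thread.

```python
"""Toy model of the RouterOS/netfilter packet path for port-knocking rules.

Added example, not code from the thread. Modelled assumptions:
  * dst-nat in prerouting precedes the routing decision, so a NATed packet is
    routed to the forward chain and the input chain never sees it;
  * add-src-to-address-list is passthrough (the packet continues to the next
    rule); accept terminates processing; the chain ends in an implicit drop;
  * ports, addresses and timestamps are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    proto: str       # "tcp" or "udp"
    dst_port: int
    t: float         # arrival time in seconds, drives address-list timeouts


@dataclass
class Rule:
    """One input-chain rule, limited to the matchers the thread uses."""
    proto: str
    dst_port: int
    action: str                         # "add-src-to-address-list" | "accept"
    address_list: str = ""
    timeout: float = 0.0
    src_address_list: Optional[str] = None


class Router:
    def __init__(self, input_rules: List[Rule], dstnat_ports: Dict[Tuple[str, int], str]):
        self.input_rules = input_rules
        self.dstnat_ports = dstnat_ports                 # (proto, port) -> LAN host
        self.lists: Dict[Tuple[str, str], float] = {}    # (list name, src) -> expiry
        self.log: List[str] = []

    def in_list(self, name: str, src: str, now: float) -> bool:
        expiry = self.lists.get((name, src))
        return expiry is not None and now < expiry

    def handle(self, p: Packet) -> str:
        # Prerouting dst-nat happens first: a NATed packet is forwarded to the
        # LAN host, so the knock rules in the input chain never match it.
        target = self.dstnat_ports.get((p.proto, p.dst_port))
        if target is not None:
            self.log.append(f"{p.proto}/{p.dst_port} from {p.src}: dst-nat to {target}, forward chain")
            return "forward"
        # Input chain, evaluated top to bottom.
        for r in self.input_rules:
            if (r.proto, r.dst_port) != (p.proto, p.dst_port):
                continue
            if r.src_address_list and not self.in_list(r.src_address_list, p.src, p.t):
                continue
            if r.action == "add-src-to-address-list":
                self.lists[(r.address_list, p.src)] = p.t + r.timeout
                self.log.append(f"{r.address_list}: {p.src}")   # what log=yes would print
                continue                                        # passthrough action
            if r.action == "accept":
                return "accept"
        return "drop"


def knock_rules(reverse: bool = False) -> List[Rule]:
    """The poster's four rules (SSH on 22 is assumed), optionally reversed."""
    rules = [
        Rule("tcp", 8765, "add-src-to-address-list", "knock1", 15),
        Rule("tcp", 3425, "add-src-to-address-list", "knock2", 15, "knock1"),
        Rule("udp", 4444, "add-src-to-address-list", "trusted", 20, "knock2"),
        Rule("tcp", 22, "accept", src_address_list="trusted"),
    ]
    return rules[::-1] if reverse else rules


def run_sequence(router: Router, src: str, seq: List[Tuple[str, int]], gap: float = 1.0) -> str:
    """Send the knocks `gap` seconds apart, then the SSH SYN; return its verdict."""
    t = 0.0
    for proto, port in seq:
        router.handle(Packet(src, proto, port, t))
        t += gap
    return router.handle(Packet(src, "tcp", 22, t))


SEQ = [("tcp", 8765), ("tcp", 3425), ("udp", 4444)]


def demo() -> Dict[str, str]:
    results: Dict[str, str] = {}
    # Clean router: both rule orders admit the knocker and reject a stranger.
    for name, rev in (("forward-order", False), ("reverse-order", True)):
        r = Router(knock_rules(rev), {})
        results[name] = run_sequence(r, "203.0.113.5", SEQ)
        results[name + "-stranger"] = r.handle(Packet("198.51.100.9", "tcp", 22, 10.0))
    # A dst-nat rule on tcp/3425 steals the second knock: only knock1 is logged
    # and the trusted list is never populated, so the SSH SYN is dropped.
    r = Router(knock_rules(), {("tcp", 3425): "192.168.88.10"})
    results["dstnat-on-knock-port"] = run_sequence(r, "203.0.113.5", SEQ)
    results["dstnat-log"] = "; ".join(r.log)
    # Knocking slower than the 15 s list timeout also breaks the chain.
    r = Router(knock_rules(), {})
    results["slow-knocks"] = run_sequence(r, "203.0.113.5", SEQ, gap=16.0)
    return results


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(f"{key:24} {verdict}")
```

In the dstnat case the log shows `knock1: 203.0.113.5` followed by the tcp/3425 packet leaving for the forward chain, and nothing afterwards, which is the "only the first knock is registered" symptom. The two clean runs also show that, with distinct knock ports, the order of the four rules does not change the outcome: each knock is a separate packet and only one add-src-to-address-list rule can match it, so reversing the order only matters when a single packet could satisfy two stages at once.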