How to allow remote Wake on LAN through firewall without completely compromising security

RouterOS General
1

I have a PC that I want to be able to turn on remotely when I am not home. I have configured the following, and it works, but I want to know if there is a better or more secure way to set this up.

The PC is on subnet 10.10.10.0/24. I have taken an IP address outside the DHCP address pool and added it to the ARP table with MAC address FF:FF:FF:FF:FF:FF to turn the WOL magic packet into a broadcast once it gets through the firewall.

#    ADDRESS         MAC-ADDRESS       INTERFACE                                
 6  C ;;; WOL broadcast
      10.10.10.2      FF:FF:FF:FF:FF:FF Trusted

Then I created this dst-nat rule (ether1 is my WAN port). One of the guides I read recommended setting the rate limit, I am assuming to prevent a broadcast flood attack:

1    ;;; Remote WoL redirect
      chain=dstnat action=dst-nat to-addresses=10.10.10.2 to-ports=9 
      protocol=udp in-interface=ether1 dst-port=9 
      dst-limit=6/1m,3,dst-address/1m40s log=no log-prefix=""

And this forward chain filter rule:

14    ;;; Allow WoL passthrough
      chain=forward action=accept connection-state="" protocol=udp 
      dst-address=10.10.10.2 in-interface=ether1 dst-port=9 log=no 
      log-prefix=""

So, this does work. I can turn on my PC from my phone through its cellular data connection. But have I opened up a huge security hole in my router with this? I should probably change the wake-on-LAN app to use a different port to add a little security through obscurity. Is there anything I can do besides using a non-standard port on my wake-on-LAN app?

Thanks all

2

Establish a IPsec VPN connection and you would be fully secure. You can use a Mode Config method that is perfect for Road Worrier type of requirements.

First you have to establish what kind of Internet Connection your ISP provides you … PPPoE or DHCP … if PPPoE then consider L2TP/IPsec if DHCP then mode config works great.

3

Hi mozerd, thanks for the advice. My router obtains its WAN IP as a DHCP client from my modem. I am following the guide you linked for setting up the IPsec mode config method, however I am wondering if that guide on the Mikrotik Wiki was written for an older version of RouterOS. I am at the part where the guide states to create the ipsec users and peer, but the options available to me in Winbox do not match what the guide says to do. For instance, I cannot create users before the peer as the guide suggests, because Winbox will not allow me to create a user without specifying a peer. When I attempt to create a peer, the available options are completely different than what the guide lists to do. I am on Router OS v6.46.8. Do you know of a more up to date guide?

Thanks!

4

Not sure what you mean but I suspect you are using the GUI vs the CLI … I use the CLI more or less exclusively … Also I am not sure what changes have takes place from the version of ROS you are using v6.46.8 versus the current version 6.48.1 …

Following is the latest documentation from MikroTik on the Road Worrier configuration .. see if that helps you.

5

I have attempted a combination of the above linked guides in addition to the document posted here:

https://mum.mikrotik.com/presentations/EU18/presentation_5196_1523218211.pdf

When I attempt to initiate the VPN connection, I can see packets hitting the IKE firewall rule, but authentication ultimately fails. The MUM deep dive document above doesn’t seem to make any mention of a firewall address list, but the second guide you posted mozerd says to create the address list and then create the first mode-config below to allow for dynamically created src-nat rules. My connection attempts haven’t been successful with or without that piece. 10.10.10.0/24 is the LAN subnet I want to be able to communicate with from the outside.

Here are the relevant configs I have:

/ip ipsec mode-config
set [ find default=yes ] src-address-list=local-RW
/ip ipsec profile
add dh-group=modp2048 dpd-interval=10s enc-algorithm=aes-256 hash-algorithm=sha512 name=profile1
/ip ipsec peer
add name=peer1 passive=yes profile=profile1 send-initial-contact=no
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-128-cbc name=proposal1 pfs-group=modp2048
/ip ipsec mode-config
add address-pool=ipsec name=vpn-clients split-include=0.0.0.0/0 static-dns=10.10.90.3 system-dns=no
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=vpn-clients peer=peer1 username=****
/ip ipsec settings
set accounting=no
/ip firewall address-list
add address=10.10.10.0/24 list=local-RW
/ip firewall filter
add action=accept chain=input comment="IPsec IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="IPsec NAT-T" dst-port=4500 protocol=udp
add action=accept chain=input comment=IPsec-esp protocol=ipsec-esp
6

So, after some tinkering I now have a functional IPsec connection between my Android phone and Mikrotik router. I’ve made some firewall rules to allow my phone to utilize the Pi-hole on my network when it’s connect to the VPN and it is working.

However, the wake-on-LAN is not working. I wonder if I am still bumping up against the problem of RouterOS not allowing broadcast traffic through the firewall between subnets (in this case from the VPN client address pool to the local VLAN address pool). Will I still need to utilize the ARP table trick plus a NAT redirect like this:

#    ADDRESS         MAC-ADDRESS       INTERFACE                                
 6  C ;;; WOL broadcast
      10.10.10.2      FF:FF:FF:FF:FF:FF Trusted




1    ;;; Remote WoL redirect
      chain=dstnat action=dst-nat to-addresses=10.10.10.2 to-ports=9 
      protocol=udp in-interface=ether1 dst-port=9 
      dst-limit=6/1m,3,dst-address/1m40s log=no log-prefix=""

I suppose the advantage of being VPN’d is that I could make the NAT rule more specific to only function if the traffic originates from the VPN client address range, as opposed to redirecting any and all port 9 traffic coming in on the WAN interface.

Am I missing a better way to do this?

7

Yes, once you have your VPN connection then you can use Winbox and its WOL tool
/tool wol

or write a scripts to fire the tool … works great.
https://wiki.mikrotik.com/wiki/Manual:Tools/Wake_on_lan

8

With or without VPN , this trick should work:
Send your wol packet to some unused LAN IP address (dNAT or vpn), add static ARP table for that address, containing LAN broadcast MAC ff-ff-ff-ff-ff-ff, and of your WOL client will receive the WOL packet

9

This is what I was doing initially, but it felt like I was fooling the firewall into passing traffic that was purposely not allowed. Now I am connecting to the router via VPN and sending the WOL packet from RouterOS 's built in tool.