I have a couple of ports identified so that technicians can access devices behind the router.
I have the following rules in place…
/ip firewall filter
add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat
/ip firewall nat
add action=dst-nat chain=dstnat comment=CompanyA dst-port=xx,yy,zz in-interface-list=WAN protocol=tcp src-address-list=Technicians to-addresses=192.168.uu.uu
However, when I check at GRC.COM for open ports, it states xx,yy,zz are STEALTH and not open.
I am puzzled, as to why this occurs!
Is the reason they appear stealth because GRC.com is not on my list of allowed source addresses?
(I thought this was a firewall check after the fact?)
Okay, so what I did was create another dst-rule to the same address but a random port, and tcp protocol.
I used no additional factors (no source address list protection).
Result: FAILED, detected as a closed port!!
Conclusion: the MT implementation of using a Source Address List to narrow down incoming allowed traffic has a double-edged effect.
A. It obviously prevents any non approved wanIP from gaining access to the server behind the router
B. It magically stops the PORT from being visible to SCANS as something that exists.
This is FU.. ING fantastic!! If Normis didn't have a scratchy beard I might kiss him!
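As an added illustration (not part of the forum post, and not RouterOS code), here is a small Python model of why the scanner reports the ports differently: a dst-nat rule restricted by src-address-list simply does not match an unlisted source, so the SYN is treated as addressed to the router itself and hits the input chain (dropped, so "stealth"), whereas an unrestricted dst-nat rule forwards the SYN to the internal host, which answers (SYN/ACK if something listens, RST if not, so "closed"). All addresses, ports and list membership are constructed for the example.

```python
# Added example: model of how a src-address-list on a dst-nat rule changes what
# an external port scan sees. Values below are constructed, not from the post.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class DstNatRule:
    dst_ports: Set[int]                   # ports this rule forwards
    to_address: str                       # internal host receiving the traffic
    src_address_list: Optional[str] = None  # None means any source matches

@dataclass
class Router:
    address_lists: Dict[str, Set[str]]    # list name -> allowed source IPs
    nat_rules: List[DstNatRule]           # ordered dst-nat rules, first match wins
    listening: Dict[str, Set[int]]        # internal host -> ports with a service
    drop_unmatched_input: bool = True     # typical "drop everything else from WAN"

def scan_result(router: Router, src_ip: str, dst_port: int) -> str:
    """What a TCP SYN from src_ip to dst_port looks like from the outside:
    'open'    - dst-nat'ed to a host that answers SYN/ACK
    'closed'  - dst-nat'ed to a host with nothing listening (it replies RST)
    'stealth' - no dst-nat match; the router's input chain silently drops it
    """
    for rule in router.nat_rules:
        if dst_port not in rule.dst_ports:
            continue
        if rule.src_address_list is not None:
            allowed = router.address_lists.get(rule.src_address_list, set())
            if src_ip not in allowed:
                continue  # unlisted source: the rule does not match at all
        # dst-nat applied; the forward chain accepts connection-nat-state=dstnat
        host_ports = router.listening.get(rule.to_address, set())
        return "open" if dst_port in host_ports else "closed"
    # No dst-nat: the packet is for the router itself and goes to the input chain
    return "stealth" if router.drop_unmatched_input else "closed"

# Constructed scenario mirroring the post: ports forwarded only for technicians,
# plus a test rule on another port with no source restriction.
ROUTER = Router(
    address_lists={"Technicians": {"203.0.113.10"}},
    nat_rules=[
        DstNatRule({22, 80, 443}, "192.168.1.20", "Technicians"),
        DstNatRule({5555}, "192.168.1.20"),   # the unrestricted "random port" rule
    ],
    listening={"192.168.1.20": {22, 80}},
)

if __name__ == "__main__":
    for src in ("203.0.113.10", "198.51.100.5"):  # a technician, then a scanner
        for port in (22, 443, 5555):
            print(src, port, scan_result(ROUTER, src, port))
```

The scanner address sees the technician-only ports as stealth but the unrestricted port as closed, matching the two results described above.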