Hi,
on IPv4 I redirect port 444 to 443 in order to make it harder to find my RouterOS login.
Can something equal be done with IPv6? E.g. I want to redirect all traffic from the WAN arriving on port 444 to 443 on my router?
Thanks,
dksoft
Obscuring is not that effective; it is better to limit access to that address and port by source IP filtering or port knocking before granting access.
A tip about port knocking that I learned here is to use the established state for keeping the connection instead of a set time in the address list.
And no, Mikrotik does not support NAT and PAT on IPv6.
Example, and you should use your own ports and sequence:
/ip firewall filter
add action=accept chain=input comment="Stateful (established only)" connection-state=established
add action=accept chain=input connection-state=new port=443 protocol=tcp src-address-list=WinboxAccess
add action=add-src-to-address-list address-list=port_knock address-list-timeout=2s chain=input comment=Knocking dst-port=1234 protocol=tcp
add action=add-src-to-address-list address-list=port_knock_1 address-list-timeout=2s chain=input dst-port=2341 protocol=tcp src-address-list=port_knock
add action=add-src-to-address-list address-list=port_knock_2 address-list-timeout=2s chain=input dst-port=3412 protocol=tcp src-address-list=port_knock_1
add action=add-src-to-address-list address-list=WinboxAccess address-list-timeout=1m chain=input dst-port=3412 log=yes protocol=tcp src-address-list=port_knock_2
You can also use UDP instead of TCP ports, or even mix UDP and TCP. After successful knocking you have one minute (1m) to log in from outside into Winbox.
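
A small Python model of the knock rules in the reply above, added here as an illustration; it is not part of the original post and is not RouterOS code. It assumes that add-src-to-address-list rules pass the packet on to the next rule and that a final drop rule (not shown in the post) ends the input chain; the Firewall class and knock helper are hypothetical names.

```python
# Added model of the posted knock rules; names and the final drop are assumptions.
KNOCKS = [  # (dst_port, required_list, list_to_add, timeout_s), in rule order
    (1234, None, "port_knock", 2),
    (2341, "port_knock", "port_knock_1", 2),
    (3412, "port_knock_1", "port_knock_2", 2),
    (3412, "port_knock_2", "WinboxAccess", 60),
]

class Firewall:
    def __init__(self):
        self.lists = {}           # (list_name, src) -> expiry time in seconds
        self.established = set()  # (src, dst_port) of accepted connections

    def in_list(self, name, src, now):
        return self.lists.get((name, src), -1) > now

    def packet(self, src, dst_port, now, new=True):
        """Return True if the input chain accepts the packet."""
        if not new:
            # Rule 1: packets of an already accepted connection pass,
            # even after the WinboxAccess entry has timed out.
            return (src, dst_port) in self.established
        if dst_port == 443 and self.in_list("WinboxAccess", src, now):
            self.established.add((src, dst_port))  # rule 2
            return True
        # Knock rules: assumed non-terminating, so one packet to 3412 can
        # match both 3412 rules in order.
        for port, need, add, ttl in KNOCKS:
            if dst_port == port and (need is None or self.in_list(need, src, now)):
                self.lists[(add, src)] = now + ttl
        return False  # assumed final drop rule, not shown in the post

def knock(fw, src, ports, start=0.0, gap=1.0):
    """Send one new packet per port, `gap` seconds apart; return the end time."""
    t = start
    for port in ports:
        fw.packet(src, port, t)
        t += gap
    return t
```
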