Port 4000 Opened

Hi guys,

I recently noticed that two of our clients have port 4000 open on their Mikrotik routers. The firewall itself did not have any rule opening port 4000. We only discovered it by an NMAP port scan done on the WAN side. Both of them have the same commonName=DESKTOP-ADFU7CN. Is this something concerning?

https://i.postimg.cc/6QSTMbXw/2022-10-08-12-00-54.jpg

https://i.postimg.cc/Vvwfh3Hy/2022-10-08-12-07-07.jpg

Thank you very much.

Is UPnP enabled?

Hi tangent, thank you for taking your time to reply to my question. UPnP is disabled.

I did port scanning in LAN, it came up with something like this:

https://i.postimg.cc/CLYRvL5x/2022-10-08-15-01-38.jpg

If these are “MikroTik routers”, why do their MAC OUI prefixes belong to Intel and a subsidiary of Foxconn?

How do you know that the client routers are to blame?
Maybe you have a wrong dstnat rule for that port in YOUR network.
Get someone that knows a little about networking to fix it for you.
Kthnx.

Those are not Mikrotik routers. But port 4000 was reported open when we did the port scan from the Internet side. When we did the port scan in the LAN, we saw the port was open but filtered on a couple of devices. My firewall rules are as below. Please check if they are correct. Thanks.

/ip firewall filter
add action=accept chain=input comment="L2TP VPN" port=1701,500,4500 protocol=\
    udp
add action=accept chain=input comment="L2TP VPN" protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

Thanks for your time. We are not blaming the routers. But we wish to find out what was happening. There is no dstnat rule and the UPnP is disabled in the routers, by the way.

Still everything seems to indicate it is about a Windows machine… so probably still some form of port forwarding.

Your firewall rules or the client firewall rules?

Please provide network diagram describing what & where is/was connected.
Did you really test from WAN side?

Sorry. They are my client’s router firewall rules.

Thanks BartoszP. The network diagrams were like this:

Modem -----> (Ethernet 1) Mikrotik Firewall Router (Ethernet port 2) ------> Switch A (all are access ports with VLAN ID 15) -----> LAN wired devices
Mikrotik Firewall Router (Ethernet Port 3) ------> Switch B (Trunk port with VLAN 15 and VLAN 50) ------------> 5 x Mikrotik Access Points
(VLAN ID 15 is Office network, VLAN ID 50 is Guest WiFi)

When we did the Nmap port scan from the WAN side, we turned off the Guest WiFi. What we could not understand is how port 4000 was shown open, as there wasn't any dstnat rule in the firewall and UPnP was disabled.

I would much appreciate it if you guys can share your expertise and point me in the right direction to investigate further.

So the problem is in YOUR router, as I’ve suspected above.

Thanks Znevna. Can you please explain a bit more or tell me how we can look into the router further?

In these two routers (my client's routers) and my router, the Scheduler is clean, and there are no Scripts or Jobs set in the routers. Where else should I check please?

Thanks in advance.

You said you posted the client’s router rules, we checked them, and Znevna now blames your router. Is the next step not obvious? Post your router’s sanitized configuration so we can check it, too.

If you aren’t willing to do that, then check it yourself.

Thank you so much tangent and Znevna. Znevna and you reminded me that my router does have port 4000 open and translated to port 3389. This machine was protected by RDP Defender with the default Windows administrator disabled and a lockout policy applied. But can you please explain why this port 4000 would show up in our client's routers when we did the port scan from their WAN side?

We covered that already http://forum.mikrotik.com/t/port-4000-opened/161334/1
But I’ll repeat, your dstnat rule isn’t properly set, please search the forum and/or wiki for proper usage of dstnat rules.
Seems that you posted the guilty rule below.
Your current rule catches anything trying to access port 4000 and sends it to your windows machine.
Because you’re not checking it against incoming interface or destination wan IP.
Those packets never touched the client router.
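As an added illustration of the point Znevna makes (example config, not code from the thread or from MikroTik): the first rule is the open-ended shape Henry posted, which matches on dst-port alone and therefore rewrites any TCP/4000 packet that traverses the router, including a scan launched from the LAN at a remote address; the second adds the incoming-interface and destination-address checks so only traffic arriving on WAN for the router's own address is translated. The address 192.168.85.10 and the ports come from the thread; the interface list name WAN is assumed to exist on Henry's router, as it does in the client config posted earlier.

```routeros
# Added example, not from the thread. The broad rule is kept but disabled
# so it can be compared against the constrained one without being active.
/ip firewall nat

# Too broad: matches every TCP packet towards port 4000, whatever interface
# it came in on and whatever destination IP it carries. A scan from inside
# this router's LAN at the client's public IP is rewritten here, so the
# scanner sees its own RDP host answering on 4000 and reports it "open".
add action=dst-nat chain=dstnat comment="RDP server port forwarding (too broad)" \
    disabled=yes dst-port=4000 protocol=tcp to-addresses=192.168.85.10 \
    to-ports=3389

# Constrained: only packets that arrive on an interface in the WAN list and
# are addressed to one of the router's own IPs (dst-address-type=local, which
# also survives a changing WAN address) are translated. Everything else,
# including LAN-originated scans of remote hosts, passes the rule untouched.
add action=dst-nat chain=dstnat comment="RDP server port forwarding" \
    dst-address-type=local dst-port=4000 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.85.10 to-ports=3389
```

To confirm the fix, repeat the Nmap scan of the client's WAN address from behind this router: port 4000 should no longer appear, and `/ip firewall nat print stats` should show the constrained rule's counters increasing only for connections that genuinely arrive from the WAN side.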

Thank you Znevna. You reminded me that my router has a dstnat rule enabled:

add action=dst-nat chain=dstnat comment="RDP server port forwarding" \
    dst-port=4000 protocol=tcp to-addresses=192.168.85.10 to-ports=3389

But I could not understand why this port showed up in our clients' routers when we did the port scan from their WAN side. Can you please explain?

Thank you very much.

Thank you so much Znevna. I finally understand what was causing it after reading your explanation. I just set the In. Interface and Dst. Address.

When you mentioned in your last post that the problem was from my router, I scratched dozens of hairs off my head but still could not think of anything.

Thank you so much. Really appreciate you guys’ help.

Dear Friends,

I wish to say thank you very much for taking your time to help me out. I really appreciate it. If you guys come to Sydney, please let me know and we will catch up and have a cup of beer together.

Cheers,
Henry