I am now using port-knocking, which is working brilliantly, adding a dynamic address to the address list with a certain time-out.
To be able to close the door behind me when I am ready, I thought to make a second port-knocking line with a small timeout so that the connection will time out in a short time or even instantly.
This is not working, and the strange thing is that adding time with a longer duration is no problem. So I thought it should also work the other way, by decreasing the timeout.
A solution is to make several port-knocking end rules in filters with different time-outs and so change during the connection, but I would love to see a standard implementation in RouterOS for this. That way my filters page would not be filled up with lines and lines of end-knocking rules, each with a different time. Times I also have to predict from the time I expect to use the connection to the Mikrotik.
I have made a set of rule lines, each with a specific end time for the last knock. When I want to extend, I have to terminate the secure connection and knock again.
/ip firewall filter
add action=add-src-to-address-list address-list=port_knock address-list-timeout=1s chain=input comment=Knocking dst-port=1234 protocol=tcp src-address-list=""
add action=add-src-to-address-list address-list=port_knock_1 address-list-timeout=1s chain=input dst-port=2341 protocol=tcp src-address-list=port_knock
add action=add-src-to-address-list address-list=port_knock_2 address-list-timeout=1s chain=input dst-port=3412 protocol=tcp src-address-list=port_knock_1
add action=add-src-to-address-list address-list=servicename address-list-timeout=1h5m chain=input dst-port=4123 protocol=tcp src-address-list=port_knock_2
add action=add-src-to-address-list address-list=servicename address-list-timeout=2h5m chain=input dst-port=1234 protocol=tcp src-address-list=port_knock_2
add action=add-src-to-address-list address-list=servicename address-list-timeout=4h5m chain=input dst-port=2341 protocol=tcp src-address-list=port_knock_2
add action=add-src-to-address-list address-list=servicename address-list-timeout=8h5m chain=input dst-port=3412 log=yes protocol=tcp src-address-list=port_knock_2
Of course the shown ports are an example, so don’t come knocking.
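An added example, not part of the original post and not RouterOS code: a small Python model of the rule set above that replays knock sequences against it and reports how long a source stays in each address list. It assumes that add-src-to-address-list does not stop rule processing, that a list entry added by one rule is visible to later rules for the same packet, and that a re-add can lengthen but never shorten an entry (the behaviour the post reports); the class and function names and the source address are constructed.

```python
import re

# Rules from the post, reduced to the four fields the model uses.
RULES = '''
add address-list=port_knock address-list-timeout=1s dst-port=1234 src-address-list=""
add address-list=port_knock_1 address-list-timeout=1s dst-port=2341 src-address-list=port_knock
add address-list=port_knock_2 address-list-timeout=1s dst-port=3412 src-address-list=port_knock_1
add address-list=servicename address-list-timeout=1h5m dst-port=4123 src-address-list=port_knock_2
add address-list=servicename address-list-timeout=2h5m dst-port=1234 src-address-list=port_knock_2
add address-list=servicename address-list-timeout=4h5m dst-port=2341 src-address-list=port_knock_2
add address-list=servicename address-list-timeout=8h5m dst-port=3412 src-address-list=port_knock_2
'''
UNIT = {"h": 3600, "m": 60, "s": 1}

def seconds(text):
    # Convert a duration written like 1h5m or 1s to seconds.
    return sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([hms])", text))

def parse(rules):
    parsed = []
    for line in rules.strip().splitlines():
        f = {k: v.strip('"') for k, v in (t.split("=", 1) for t in line.split()[1:])}
        parsed.append((int(f["dst-port"]), f["src-address-list"],
                       f["address-list"], seconds(f["address-list-timeout"])))
    return parsed

class Firewall:
    def __init__(self, rules=RULES):
        self.rules = parse(rules)
        self.expiry = {}  # (list name, source address) -> expiry time in seconds

    def remaining(self, name, src, now):
        return max(0, self.expiry.get((name, src), 0) - now)

    def packet(self, src, port, now):
        # Assumption: the action is non-terminating, so every rule is tried in
        # order and an entry added by one rule is seen by the rules after it.
        for dst_port, need, target, timeout in self.rules:
            if port == dst_port and (not need or self.remaining(need, src, now) > 0):
                key = (target, src)
                # Assumption (behaviour reported in the post): a re-add can
                # lengthen the remaining time but never shorten it.
                self.expiry[key] = max(self.expiry.get(key, 0), now + timeout)

def knock(fw, src, ports, start=0.0, gap=0.25):
    # Send one packet per port, gap seconds apart; return the time of the last one.
    for i, port in enumerate(ports):
        fw.packet(src, port, start + i * gap)
    return start + (len(ports) - 1) * gap
```

In this model the third knock on 3412 already matches the 8h5m rule, because the rule before it has just put the source in port_knock_2, so the servicename entry ends up at 8h5m whichever fourth port is used. Watching the servicename entry on the router after each knock shows whether the real rules behave the same way.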