Hello,
I’m trying to connect using WinBox on Linux, with the UFW firewall, and MAC.
If I turn OFF the firewall, it connects just fine.
If I turn ON the firewall, it refuses to connect.
I added these rules to UFW, but the problem continues:
sudo ufw allow in 20561/udp
sudo ufw allow out 20561/udp
sudo ufw allow in 8291/tcp
sudo ufw allow out 8291/tcp
sudo ufw allow in 5678/udp
sudo ufw allow out 5678/udp
What I am doing wrong?
The ports are
TCP src:x.x.x.x:any & dst x.x.x.x:8291 for WinBox,
UDP src x.x.x.x:5678 & dst 255.255.255.255:5678 for Network Discovery
UDP src x.x.x.x:20561 & dst 255.255.255.255:20561 for MAC Telnet,
ask Ubuntu
I added this to my UFW config .ini:
[WinBox Neighbors]
title=WinBox Neighbors
description=WinBox Neighbors listening.
ports=5678/udp
from=any
to=255.255.255.255
[WinBox]
title=WinBox
description=WinBox.
ports=8291/tcp
from=any
to=any
[WinBox MAC]
title=WinBox MAC
description=WinBox MAC listening.
ports=20561/udp
from=any
to=255.255.255.255
then the rules:
sudo ufw allow "WinBox Neighbors"
sudo ufw allow "WinBox MAC"
sudo ufw allow "WinBox"
also tried:
sudo ufw allow in "WinBox Neighbors"
sudo ufw allow in "WinBox MAC"
sudo ufw allow in "WinBox"
sudo ufw allow out "WinBox Neighbors"
sudo ufw allow out "WinBox MAC"
sudo ufw allow out "WinBox"
Without success.
I’m sorry to dredge up an old thread, but this is exactly what I’m trying to do.
Did you ever find a solution to this?
It seems like UFW is not able to determine that the incoming broadcast is a response to the first outgoing broadcast packet from WinBox, and therefore it is treated as a new connection and blocked.
The solution I found is to allow connections from port 20561 to the broadcast address on any ephemeral port that WinBox can use to create the connection:
ufw allow from any port 20561 to 255.255.255.255 port 49152:65535 proto udp comment 'Mikrotik MAC Winbox'
This will, however, keep all those ports open, and if there is any service listening, it is exposed, which is not a very good idea in my opinion.
There may be some complex rules that check whether there was an outgoing broadcast connection from port XYZ to 255.255.255.255:20561 and then allow incoming connections to 255.255.255.255:XYZ for, let's say, 1 minute, but I'm not very good with UFW.
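To make the point in the last reply concrete (and to show why the inbound rules from the first post never match the MAC-Winbox reply), here is an added example that is not part of this thread. It parses a few constructed /var/log/ufw.log lines in the format Ubuntu's kernel LOG target writes ("[UFW BLOCK] ... SRC= DST= ... PROTO= SPT= DPT="; the addresses, MACs and timestamps are made up), models conntrack's reply-tuple check (a simplified re-statement of the rule, not kernel code), and evaluates the posted inbound rules and the broadcast-reply rule against the dropped packet:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed /var/log/ufw.log lines (kernel LOG target format); the
# addresses, MACs and timestamps are invented for this example.
SAMPLE_UFW_LOG = """\
Mar  3 10:15:01 laptop kernel: [ 1234.567890] [UFW BLOCK] IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:ca:6d:00:11:22:08:00 SRC=192.168.88.1 DST=255.255.255.255 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=20561 DPT=53421 LEN=52
Mar  3 10:15:02 laptop kernel: [ 1235.000000] [UFW BLOCK] IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:d4:ca:6d:00:11:22:08:00 SRC=10.0.0.7 DST=192.168.88.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """An inbound ufw allow rule; None means 'any'."""
    proto: str
    dport: range
    sport: Optional[range] = None
    dst: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and p.dport in self.dport
                and (self.sport is None or p.sport in self.sport)
                and (self.dst is None or p.dst == self.dst))


# The three inbound rules from the first post (ufw allow in 20561/udp, 8291/tcp, 5678/udp).
POSTED_RULES = [
    Rule("udp", range(20561, 20562)),
    Rule("tcp", range(8291, 8292)),
    Rule("udp", range(5678, 5679)),
]

# The rule from the last post:
# ufw allow from any port 20561 to 255.255.255.255 port 49152:65535 proto udp
BROADCAST_REPLY_RULE = Rule("udp", range(49152, 65536), sport=range(20561, 20562), dst=BROADCAST)

LOG_RE = re.compile(r"\[UFW BLOCK\].*?SRC=(\S+) DST=(\S+) .*?PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def parse_ufw_log(text: str) -> List[Packet]:
    """Extract the 5-tuple of every [UFW BLOCK] line that carries ports."""
    pkts = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            src, dst, proto, spt, dpt = m.groups()
            pkts.append(Packet(proto.lower(), src, int(spt), dst, int(dpt)))
    return pkts


def is_conntrack_reply(original: Packet, candidate: Packet) -> bool:
    """Connection tracking expects a reply to be the original tuple with src and
    dst swapped. A discovery reply aimed at 255.255.255.255 never equals that
    tuple, so it is NEW and has to pass the inbound allow rules on its own."""
    return (candidate.proto == original.proto
            and candidate.src == original.dst and candidate.sport == original.dport
            and candidate.dst == original.src and candidate.dport == original.sport)


def inbound_verdict(p: Packet, rules: List[Rule]) -> str:
    """ufw's default policy is 'deny incoming': any matching allow rule accepts, else DROP."""
    return "ACCEPT" if any(r.matches(p) for r in rules) else "DROP"


def blocked_mac_winbox_replies(log_text: str) -> List[Packet]:
    """Pick the dropped MAC-Winbox discovery replies (UDP, sport 20561, to broadcast) out of a ufw log."""
    return [p for p in parse_ufw_log(log_text)
            if p.proto == "udp" and p.sport == 20561 and p.dst == BROADCAST]


if __name__ == "__main__":
    probe = Packet("udp", "192.168.88.10", 53421, BROADCAST, 20561)  # WinBox's outgoing discovery
    for reply in blocked_mac_winbox_replies(SAMPLE_UFW_LOG):
        print(reply,
              "conntrack reply:", is_conntrack_reply(probe, reply),
              "posted rules:", inbound_verdict(reply, POSTED_RULES),
              "with broadcast rule:", inbound_verdict(reply, POSTED_RULES + [BROADCAST_REPLY_RULE]))
```

Before adding the wide rule, run `sudo ss -lun` and check which UDP sockets are bound to 0.0.0.0 on ports in 49152:65535; those are the only services the broadcast-reply rule can expose, since it matches only packets addressed to 255.255.255.255 from source port 20561. Watching `/var/log/ufw.log` while WinBox scans is also the quickest way to confirm the dropped packet really is the reply to the ephemeral port, as the last reply describes.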