Winbox by MAC address and client firewalling

My final last dependency on Windows is Winbox, for the rare case of running Winbox to a MAC address. If I crack this, I have no further need of Windows.

So, Winbox for Linux works OK for me by IP address, but it has not worked by MAC address. By way of experiment, I briefly opened up the firewall on my client PC to permit UDP on all ports, which demonstrated Winbox for Linux working by MAC address. I already have ports 8291 and 20561 open for UDP, but this alone is not sufficient.

I also have kdeConnect working with a set range of UDP and TCP ports open, which seems to work as a peer service; to my mind this points to Winbox using an apparently random port to respond to a transmission from my Winbox client. This tends to suggest that on the client firewall I should open all UDP ports, but restrict the zones on which they are open.

The questions

  1. Am I right that a Winbox session on RouterOS sends replies to a random port on the client machine?
  2. Does this require me to open all UDP ports?
  3. Is it possible to define the zone from which UDP is allowed?
  4. Is 'zone' even meaningful for communication by MAC address? And if so, what zone should I use?

Obviously this relates to a Linux client [OpenSuse Leap 15.6], so I appreciate I may need to get answers to some aspects elsewhere, but I want to start here for the knowledge of Winbox.

Thanks in advance for any help on this.

OK, thanks to @CGGXANNX, this is now solved. The key part for me was the ports: on my Linux box firewall, I defined a Service called Winbox with port 8291 tcp and udp and source port 20561 udp, enabled for my main network interface [slightly vague to keep this as generic as possible for different Linux firewall implementations]. I.e. the firewall should allow 8291 udp and tcp to go out and 20561 udp to come in on the interface to the MikroTik box.

So now I have no Windows dependencies after 34 years.

It doesn’t work for me either. I suspect that it requires root privileges.

I needed root to poke the hole in the firewall, but having allowed all UDP Winbox for Linux works with ordinary user privileges.

I don't know how you're testing this, but I would assume that the most problems will occur with a device that has no ip address configured at all (like after a fresh bare netinstall.)

Do your tests include this scenario?

I have never needed netinstall. My basic use case arises when I change IP addresses on the device in initial config and wipe the address I am working from [unintentionally]. But connecting by MAC address would be useful if netinstall leaves you with no IP address.

Also in MAC mode? I guessed it needs to open a raw socket on the network card and cannot do that unless it is either root or has a special CAP which it does not get from the ZIP file it is distributed in.

Yes, it worked in MAC mode. All I did was turn the firewall off for all UDP into the Linux client. No need for root. The question now is around the interaction from the RouterOS machine back to the Linux client and how to set the firewall.

For MAC WinBox to work on my Linux installations with nftables, I had to do this:

  • Make sure the interface on the PC has an IP address assigned.

  • Add the two following rules to table filter chain input:

    udp sport 20561 udp dport 10000-65535 ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "allow MAC WinBox"
    udp dport 5678 meta pkttype { broadcast, multicast } accept comment "allow MNDP"


    The 2nd rule is for the Neighbors list. For the first rule, unfortunately we need to filter by source port 20561 and dst/src-address because the packets cannot be matched to have connection state established. And they are not broadcast packets either, so filtering with pkttype doesn't work. The high dst-port hopefully limits the attack surface.

With that, no root privileges are required for running WinBox.

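As an added example (not from the post above or from MikroTik), here is a small shell helper that writes a complete nftables ruleset file for the Linux client, built around the two rules in that post. Compared with the first poster's "open all UDP" workaround it keeps input policy drop and scopes the MAC WinBox and MNDP rules to one interface; the interface name `eth0` is an assumption, as is the file name `winbox.nft`.

```shell
#!/bin/sh
# Emit an nftables ruleset for a WinBox client PC. The two WinBox/MNDP rules
# are the ones from the forum post, here restricted to the LAN-facing
# interface (assumption: eth0; pass your own, see `ip link`).
winbox_nft_ruleset() {
    lan_if="${1:-eth0}"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, plus replies to anything this PC started. This already
        # covers WinBox by IP address (tcp/udp 8291), which conntrack tracks.
        iif "lo" accept
        ct state established,related accept

        # MAC-mode WinBox: RouterOS answers from udp/20561 with source
        # 0.0.0.0 to the broadcast address, so conntrack never sees the
        # reply as established. Match as narrowly as possible instead:
        # source port, both addresses, a high destination port, one interface.
        iifname "${lan_if}" udp sport 20561 udp dport 10000-65535 ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "allow MAC WinBox"

        # MNDP neighbour discovery, needed for the WinBox Neighbors list.
        iifname "${lan_if}" udp dport 5678 meta pkttype { broadcast, multicast } accept comment "allow MNDP"

        # Add the other services this PC must accept (e.g. ssh) below.
    }
}
EOF
}

# Write the file and, if nftables is installed, parse it without loading
# anything (nft -c). Apply for real with: sudo nft -f winbox.nft
winbox_nft_write() {
    out_file="${2:-winbox.nft}"
    winbox_nft_ruleset "$1" > "$out_file"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out_file"
    else
        echo "nft not found; wrote $out_file without a syntax check" >&2
    fi
}
```

Only the input chain is defined, so the client's outgoing UDP to 8291 and 20561 is unaffected; the rules still let any host on that segment send to udp/5678 and from udp/20561 to the high ports, which is the residual exposure the post mentions.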

In my tests the RouterOS device does not need to have an IP address configured on the interface facing the PCs (IP address shown as 0.0.0.0 on WinBox Neighbors tab).

Yep. That's what I assumed (i.e. that the src address will be 0.0.0.0 and some particular filter rules will be necessary.)

Thanks for hunting down what exactly is needed - this should really be added to the docs somewhere...