Winbox feature request: ICMP/Port Knocking for administrative access

Problem:
I have routers with open (and non-standard) Winbox ports, where it is inconvenient to create a “white list” for administrative connections. But modern slow scanning spiders still find these ports over time. I use ICMP knocking through a Windows CMD file, but this is very inconvenient and slows down the work (first you need to take the router address from the Winbox address book, run the CMD file with it, then return to Winbox and connect in the usual way).

Proposal:
It would be very convenient to automate the process - add ICMP/Port Knocking functionality to Winbox. Specifying up to 4 packets/ports to be sent would be a great solution. Ideally, it could be made individual for each connection in the address book, but even general knocking (with a checkbox next to each entry in the book) would be a great help.

Hi,

I have used the same thing for remote and emergency access only for many years. And I'd love to have an easier way… but it's not a problem, and I also use knocking for emergency access not only from the WAN, but on guest subnets… I also place the rules on special chains to manage them easily instead of in input.
You can follow this guide to create your own knocking system on the input chain: https://help.mikrotik.com/docs/display/ROS/Port+knocking

Don’t limit yourself to 3 steps, and don’t use ports like 10001, 10002, … for the knock; use more complex port numbers.
You can also (with nc) switch between icmp, tcp and udp to create a really secure combination.
I also create a user allowed to log in only from the “knock access” without full administrative rights… only certain permissions.

A quick example

/ip firewall filter

# first knock on 61910/tcp
add action=add-src-to-address-list address-list=mgmt_knocking_1 address-list-timeout=1m chain=input comment="mark remote admin port knocking 1" dst-port=61910 in-interface-list=wan limit=\
    1,1:packet log=yes log-prefix=P_KNOCK_1 protocol=tcp

# second knock on 21592/udp
add action=add-src-to-address-list address-list=mgmt_knocking_2 address-list-timeout=1m chain=input comment="mark remote admin port knocking 2" dst-port=21592 in-interface-list=wan limit=\
    1,1:packet log=yes log-prefix=P_KNOCK_2 protocol=udp src-address-list=mgmt_knocking_1

# third knock on 10972/tcp
add action=add-src-to-address-list address-list=mgmt_knocking_3 address-list-timeout=1m chain=input comment="mark remote admin port knocking 3" dst-port=10972 in-interface-list=wan limit=\
    1,1:packet log=yes log-prefix=P_KNOCK_3 protocol=tcp src-address-list=mgmt_knocking_2

# fourth knock on 10972/udp (adds to mgmt_knocking_4, which the accept rule below matches on)
add action=add-src-to-address-list address-list=mgmt_knocking_4 address-list-timeout=1m chain=input comment="mark remote admin port knocking 4" dst-port=10972 in-interface-list=wan limit=\
    1,1:packet log=yes log-prefix=P_KNOCK_4 protocol=udp src-address-list=mgmt_knocking_3

# 18022 ssh ; 33443 webui ; 11291 winbox
add action=accept chain=input comment="remote admin mikrotik" dst-port=18022,33443,11291 in-interface-list=wan log=yes log-prefix=P_KNOCK_OK protocol=tcp src-address-list=mgmt_knocking_4

Why???

Use wireguard!!
Even if you don't have a public IP, you can use the BTH WireGuard built in to the router.

Hi !
Thanks for the examples. Yes, I am aware of this technology. The problem is inconvenience. It would be great if Winbox itself did the specified knocking when connected.
In the end, Winbox itself is designed for convenience. We are talking about it, and not about RouterOS. It would be possible to sit in the terminal at the command line, like in the 1970s… XD


Unfortunately, there are weak points in this wonderful chain with Wireguard. And most importantly, using a VPN is inconvenient. Well, the list goes on: you need a stable and not very slow Internet, DNS services and Mikrotik servers (in the case of BTH), open ports and protocol blocking or close ports by some providers, additional router settings. Not to mention RouterOS v6, which doesn’t have Wireguard at all.

Well, VPN may be inconvenient if you use random computers, but it’s possible to argue that maybe it’s not the best idea to access anything sensitive (such as router administration) from there. It’s also true that ROSv6 doesn’t have Wireguard, but perhaps that could be the reason to upgrade?

The rest sounds purely as inventing reasons against VPN. You don’t need any better internet, if it’s good for WinBox, it’s also good for Wireguard + WinBox. You don’t need DNS if you use just own VPN. You do need one open port for Wireguard, but it shouldn’t be a big problem if you’re able to have X open ports for port knocking. Some extra config is required, but it’s primitive one-time thing, even simpler than port knocking config.

I won’t be protesting if MikroTik grants you your wish and adds port knocking to WinBox. I’m almost always for more options. But let’s face it, it’s poor man’s “security”, while the real security is easily available.

The only reason to use port knocking is if there isn't any other viable alternative, including spending US$7 a month to set up a cloud CHR.
The extreme case is living in the wrong country, where democratic values don’t exist, and all forms of VPN are blocked by the STATE, why still living there for starters…
In any case, there was one person who noted a variant of wireguard that purported to randomly send out packets such that it was not distinguishable as a VPN.

Not sure if a scam or valid, but nonetheless an interesting idea!!
I’m assuming if it's located here: https://github.com/amnezia-vpn/amneziawg-go?tab=readme-ov-file

a. it would be somewhat legit ??
b. will be publicly scrutinized for evil hidden code ?? (open source review)
c. not widely available for smart phones from what I see.
d. unlikely to be adopted by vendors ( but hey, if legit and Mikrotik was the first…talk about a tech advantage !!! )

It is not always possible to update ROS. It could be a weak router, like hAP Lite, or it needs uninterrupted operation, or it could be, for example, a radio bridge. Lots of options…
I believe the Winbox protocol is quite secure.
Do you suggest using a VPN + knocking combination instead of knocking? It’s like “VPN for VPN’s sake.” Why complicate things? Well, for example, there are 20 routers and you will need to fence 20 connections in the WG client or another? First we connect the VPN, then we connect with Winbox. Or another option: first we do knocking, then we launch the VPN and only then we launch Winbox. Not very convenient.


Okay, we set CHR, open the ports for VPN connection and… after some time we observe the joyful crawling of spiders into these ports. How to solve the problem, use knocking to open ports? :smiley:
Probably many people use knocking, but I propose to automate the process and integrate knocking into Winbox.
Regarding Amnesia VPN, there are implementations of the obfuscated protocols VLESS, VRAY, XRAY in containers and they can even be run in ARM or x86 Mikrotik. But this is a topic for another discussion.

My trust in the WinBox protocol significantly decreased since that funny incident when the router happily provided the list of usernames and their plaintext passwords to anyone who asked (meaning unauthorized users). And while I (want to) believe that nothing similar will happen again, I still feel better if the WinBox port is not easily accessible. I admit that I also appreciate simple solutions that may be good enough for a given purpose, e.g. IP whitelist, or port knocking that I also used to have. But truth is, they are not actually secure. They prevent random users from connecting, but the ISP (where the router is connected to) can easily get around it.

VPN with proper encryption solves this and it’s not too difficult either. There are different options. You can have VPN server on each router. Quite annoying with traditional VPNs, but ok with Wireguard. Or you can have routers connecting as VPN clients to some central server, which has additional bonus that this way it’s possible to reach even otherwise inaccessible routers behind NAT. This can be done even without Wireguard, using other types available in v6. It’s a bit of extra work if you don’t already have such central server. But it doesn’t have to be anything special, just one router with public address. It’s one-time configuration and then it just works. If this router/server is somewhere where you usually are (office, home, …), then you don’t need to do anything when you want to connect somewhere, you just connect directly to each router’s VPN address. If you’re somewhere else, then you use VPN to connect to this central server and then you have everything available again.

Yes, I remember such a vulnerability in the protocol, but that was a very long time ago and the protocol was replaced with a more secure one. Of course, we can also use a VPN for better security and peace of mind. :smiley:

Knocking is very useful to protect public routers from scanning and “sweeping” of ports by spiders when it is not possible to use a static list of “white” addresses.

The centralized VPN network you proposed (I have such a case too) is an excellent option in conjunction with static IPs. But if the “client” IPs are dynamic, then the “server” part will inevitably be subject to spider attacks, and knocking solves this problem (and I use it in a number of cases between routers).

I only propose to improve the ease of use of Winbox and the efficiency of the administrator, and not to replace all other options with knocking. :slight_smile:

This is a ridiculous request, especially in regards to port knocking, which is far from secure.

Port knocking should be a pain in the butt to make it somewhat secure. But it should only be used for last-resort emergency access reasons.

Pick one…convenience or security…

The point is to inconvenience the attacker, not the legitimate user. Otherwise it may lead to the user choosing something weaker (e.g. a shorter sequence) that’s not as annoying.

In fact, it seems to me that client side is not really a big problem. I’m sure there are some existing port-knocking tools and even connecting them to WinBox should be doable. I’m not good with it, but e.g. AutoHotkey can do miracles. And it’s not the only way. In the past I tried this with KeePass and it should be easy to add port knocking to it as extra step. Or some wrapper that would read data from Addresses.cdb (where port knocking instructions can be stored in Note) should be possible too (at first sight it doesn’t look as anything complicated and someone probably already documented it).

Of course official support would be easier. But if anyone really, really wants it, some acceptable DIY solution shouldn’t be too hard.

Doing it from a work computer where I can’t install Wireguard.

A trick I have used for port knocking is to set the ports as bookmarks in Firefox (or whatever browser you use). You only need to let it try to connect for a second - and of course it will fail, so don’t wait for it. So select the first bookmark, wait a second and click the X to cancel the attempt. Repeat for however many steps you have. Another trick that I used was where I had two ISPs: the even knocks came in on one ISP and the odd knocks came in on the other. That way if someone was capturing all your inbound packets on ISP #1 they would only get some of the knock steps.

I don’t know. Port knocking always rubbed me the wrong way. I know, I know: it helps to prevent connection.

But does zero for secrecy and man in the middle.

Use a VPN already - it will be easier in the end.
It’s just administrative access, the traffic will be fairly low. Even IPSec without hardware acceleration would be fast enough on slow hardware. Mind, I’m not recommending IPsec - it works, but it’s a lot of work and has several caveats and whatnot. Wireguard should fit the bill very well - and uses about zero bandwidth while not talking. Just open its port to the world, and problem solved.

It depends. There are different ways, but if all you want is simple protection against stupid bots that blindly scan anything, port knocking is really simple and good enough. Especially if you’re used to it from the past when we didn’t have WG (which for this purpose is much more pleasant to work with than other VPN types).

Luv your two wan approach …sweet.

I don’t care about the scanning. If I minded it, my neighbors would be losing hair in solidarity. I mean, either your service is secure, or it isn’t. Since an insecure service shouldn’t be exposed to the internet… Once in a blue moon manglement may force us to do it - but this would be a case of “the world made me do it”, not “I love this solution”.

And Yes, Wireguard is SO easier to work with than the others… it isn’t even funny.

Paternot, those of us who would rather spend time on the beach dancing samba, like easy! So we can get on with real life. :slight_smile:

I don’t think this needs to be part of winbox itself

It can be done with a PowerShell or Python script that prompts for an IP, lets you choose from a list of preset port knock combinations that you create, executes them and then launches Winbox and connects for you.
This should be trivial for ChatGPT or Claude to write.
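Such a wrapper, as an added example (not code from this thread, from MikroTik, or from any poster): it runs the four-step TCP/UDP sequence matching the firewall rules posted earlier in the thread, then starts Winbox against the opened port. The Winbox executable name and its `address:port` command-line form are assumptions; ICMP knocks are left out because they need raw sockets.

```python
import socket
import subprocess
import time
# Constructed knock sequence mirroring the firewall rules quoted earlier in the thread.
KNOCK_SEQUENCE = "61910/tcp,21592/udp,10972/tcp,10972/udp"

def parse_sequence(spec):
    """Turn 'port/proto,port/proto,...' into a list of (port, proto) tuples."""
    steps = []
    for item in spec.split(","):
        port, proto = item.strip().split("/")
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError("unsupported protocol: " + proto)
        port = int(port)
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        steps.append((port, proto))
    return steps

def send_knock(host, port, proto, timeout=1.0):
    """Send one knock; the router only needs to see the packet, so a refused
    or timed-out TCP connect is the expected outcome."""
    if proto == "tcp":
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass  # dropped or refused: the SYN still matched the knock rule
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(b"knock", (host, port))

def knock(host, spec, delay=0.3, sender=send_knock):
    """Run the whole sequence in order; 'sender' is injectable for offline testing."""
    steps = parse_sequence(spec)
    for port, proto in steps:
        sender(host, port, proto)
        time.sleep(delay)  # rules use limit=1,1:packet, so give each step its own window
    return steps

def winbox_command(host, winbox_port=11291, exe="winbox64.exe"):
    """Assumption: Winbox accepts 'address:port' as its first argument."""
    return [exe, "%s:%d" % (host, winbox_port)]

if __name__ == "__main__":
    target = input("Router address: ").strip()
    knock(target, KNOCK_SEQUENCE)
    subprocess.Popen(winbox_command(target))
```

Keep the sequence spec in a per-router preset list (or the Note field of the Addresses.cdb entry) rather than in the script, so the same wrapper serves all 20 routers.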