Hi,
How to make port knocking work on a VPN/PPTP connection?
I tried this ( https://wiki.mikrotik.com/wiki/Port_Knocking ) but it is not working on a VPN/PPTP connection.
Anyone could help?
Regards
Port knocking is intended and used primarily with normal/usual connections.

How to make port knocking work on a VPN/PPTP connection?
I tried this ( https://wiki.mikrotik.com/wiki/Port_Knocking ) but it is not working on a VPN/PPTP connection.
Anyone could help?
He probably wants to reduce the attack surface even more by placing the VPN/PPTP "service" behind a port-knock and not make it fully "public".

Port knocking is intended and used primarily with normal/usual connections.

How to make port knocking work on a VPN/PPTP connection?
I tried this ( https://wiki.mikrotik.com/wiki/Port_Knocking ) but it is not working on a VPN/PPTP connection.
Anyone could help?
I really don't see a reason why one would need port-knocking with and over VPN/PPTP.
Just tell us more about your specific use-case.
# may/30/2020 18:26:00 by RouterOS 6.44
# software id = xxxx-xxxx
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxxxxxxxxxx
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input in-interface=pppoe-out1
# in/out-interface matcher not possible when interface (wlan1) is slave - use master instead (bridge)
add action=accept chain=input comment=":FTP WAN IMPUT:" dst-port=21 \
in-interface=wlan1 protocol=tcp
add action=drop chain=forward comment="Block acces to internet DVR" \
src-address=192.168.88.241
add action=drop chain=input src-address=139.162.102.46
add action=drop chain=input src-address=216.218.206.74
add action=drop chain=input src-address=141.98.80.115
add action=drop chain=input src-address=216.218.206.98
add action=drop chain=input src-address=46.161.27.42
add action=drop chain=input src-address=216.218.206.114
add action=drop chain=input src-address=184.154.74.66
add action=drop chain=input src-address=216.218.206.78
add action=drop chain=input src-address=185.232.67.13
add action=drop chain=input src-address=198.108.67.48
add action=drop chain=input src-address=216.218.206.102
add action=drop chain=input src-address=216.218.206.126
add action=drop chain=input src-address=107.170.197.213
add action=drop chain=input src-address=80.82.77.240
add action=drop chain=input src-address=216.218.206.70
add action=drop chain=input src-address=115.236.61.202
add action=drop chain=input src-address=122.224.158.196
add action=drop chain=input src-address=184.154.47.2
add action=drop chain=input src-address=46.161.27.122
add action=drop chain=input src-address=141.98.80.128
add action=drop chain=input src-address=107.179.9.154
add action=drop chain=input src-address=179.43.143.149
add action=drop chain=input src-address=122.224.158.197
add action=drop chain=input src-address=115.236.61.205
add action=drop chain=input src-address=92.63.194.27
add action=drop chain=input src-address=92.63.194.91
add action=drop chain=input src-address=92.63.194.92
add action=drop chain=input src-address=92.63.194.93
add action=drop chain=input src-address=92.63.194.94
add action=drop chain=input src-address=92.63.194.95
add action=drop chain=input src-address=92.63.194.47
add action=drop chain=input src-address=45.83.91.106
add action=drop chain=input src-address=45.79.144.96
add action=drop chain=input src-address=139.162.102.46
add action=drop chain=input src-address=92.63.194.0/24
add action=drop chain=input src-address=212.164.39.143
add action=drop chain=input src-address=60.190.226.187
add action=drop chain=input comment="Drop SSH 22" dst-port=22 in-interface=\
bridge log=yes log-prefix=SSHdrop protocol=tcp
add action=drop chain=input src-address=141.98.81.0/24
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp \
tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=input src-address=162.243.141.140
add action=add-src-to-address-list address-list=port:9000 address-list-timeout=\
1m chain=input dst-port=9000 protocol=tcp
add action=add-src-to-address-list address-list=secure address-list-timeout=1m \
chain=input dst-port=6000 protocol=tcp src-address-list=port:9000
add action=accept chain=input src-address-list=secure
add action=drop chain=input
add action=drop chain=input src-address=223.71.167.165
Can you please make an example of this by adding IPs/filenames, or a video if you can, pls?

Concerning some config lines.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
They need to be reworked to include an ACL "match" now also. Without this ACL match, they are just publicly "open" to the world.
You want to add the "src-address-list" variable here, see the example below (e.g. src-address-list=Allowed_VPN_IP).
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp src-address-list=Allowed_VPN_IP
Now you have to get the "Allowed_VPN_IP" list populated with IPs that matched your "port-knocking" sequence. You have to decide for yourself how many "stages" you want. In its most simple form 1 "port" can do the trick, but perhaps a sequence of 2 or 3 ports must be completed before you get "added" onto the "Allowed_VPN_IP" list. See below a multi-stage example. After the port-knock is complete, you have 4 hours of time. (You can remove this or adapt the timing.)
Within 15 seconds the sequence must arrive at the MikroTik or the "intermediate" ACLs are flushed and the port-knock will not work. You can set this more aggressive. Experiment with it.
You can choose the PORT1/PORT2/PORT3/PORT_FINAL values yourself. Note that in this example I use a mix of TCP & UDP ports !!
Make sure the dst-address-list=WAN_IP is valid for your case.
add action=add-src-to-address-list address-list="Port Knock Phase 1" address-list-timeout=15s chain=input comment="Port Knock Phase 1" dst-address-list=WAN_IP dst-port=PORT1 in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH1 protocol=tcp
add action=add-src-to-address-list address-list="Port Knock Phase 2" address-list-timeout=15s chain=input comment="Port Knock Phase 2" dst-address-list=WAN_IP dst-port=PORT2 in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH2 protocol=tcp src-address-list="Port Knock Phase 1"
add action=add-src-to-address-list address-list="Port Knock Phase 3" address-list-timeout=15s chain=input comment="Port Knock Phase 3" dst-address-list=WAN_IP dst-port=PORT3 in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH3 protocol=udp src-address-list="Port Knock Phase 2"
add action=add-src-to-address-list address-list=Allowed_VPN_IP address-list-timeout=4h chain=input comment="VPN Port Knock Completed" dst-address-list=WAN_IP dst-port=FINAL_PORT in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-VPN-COMPLETED protocol=udp src-address-list="Port Knock Phase 3"
Make sure these lines are at the correct position in the overall input chain; basically you want these BEFORE you start the various drops! So make sure you still "capture" inbound knocks on the access-lists before you start tossing away packets...
Hope this helps a bit.
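The knock rules quoted above log every stage with log=yes and a log-prefix of IPV4-INPUT-PORTKNOCK-PH1/PH2/PH3/VPN-COMPLETED, but nothing in the thread says what to do with those log lines. The following is an added example (not code from the thread or from MikroTik) that triages such lines per source address: a source that reached the COMPLETED rule is a legitimate knocker, a source that hammers the Phase 1 port several times in a short window without ever reaching Phase 2 looks like a scanner probing the first knock port, and everything else is an incomplete attempt. The log lines, the addresses (documentation ranges) and the field layout are constructed samples in the shape RouterOS writes for a logged filter rule; adjust LOG_RE if your log output differs.

```python
# Added example: triage of RouterOS firewall log lines produced by the
# log=yes / log-prefix=IPV4-INPUT-PORTKNOCK-* knock rules. Sample lines and
# addresses below are constructed; they are not taken from a real router.
import re
from collections import defaultdict
from datetime import datetime

# Matches the constructed line shape: "<mon>/<dd> <hh:mm:ss> firewall,info <prefix> input: in:<iface> ... proto <proto> ..., <src>:<sport>-><dst>:<dport>, len N"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2} \d{2}:\d{2}:\d{2}) firewall,info (?P<prefix>\S+) "
    r"input: in:(?P<iface>\S+) .*?proto (?P<proto>\w+).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

SAMPLE_LOG = """\
jun/01 10:15:02 firewall,info IPV4-INPUT-PORTKNOCK-PH1 input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51234->198.51.100.7:1000, len 60
jun/01 10:15:05 firewall,info IPV4-INPUT-PORTKNOCK-PH2 input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51235->198.51.100.7:2000, len 60
jun/01 10:15:09 firewall,info IPV4-INPUT-PORTKNOCK-PH3 input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51236->198.51.100.7:3000, len 60
jun/01 10:15:12 firewall,info IPV4-INPUT-PORTKNOCK-VPN-COMPLETED input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51237->198.51.100.7:8000, len 60
jun/01 11:02:41 firewall,info IPV4-INPUT-PORTKNOCK-PH1 input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), 192.0.2.99:40001->198.51.100.7:1000, len 44
jun/01 11:02:41 firewall,info IPV4-INPUT-PORTKNOCK-PH1 input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), 192.0.2.99:40002->198.51.100.7:1000, len 44
jun/01 11:02:42 firewall,info IPV4-INPUT-PORTKNOCK-PH1 input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), 192.0.2.99:40003->198.51.100.7:1000, len 44
jun/01 12:30:00 firewall,info IPV4-INPUT-PORTKNOCK-PH1 input: in:pppoe-out1 out:(unknown 0), proto TCP (SYN), 192.0.2.55:60000->198.51.100.7:1000, len 60
"""


def parse(log_text):
    """Return one dict per knock log line; unrelated log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%b/%d %H:%M:%S")  # year-less, like /log print
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def classify(events, scan_hits=3, scan_window_s=60):
    """Map each source address to 'completed', 'probing' or 'incomplete'."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdict = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        if any(e["prefix"].endswith("COMPLETED") for e in evs):
            verdict[src] = "completed"
            continue
        ph1 = [e["ts"] for e in evs if e["prefix"].endswith("PH1")]
        # scan_hits or more Phase 1 hits inside scan_window_s, with no later
        # phase ever reached, reads as someone hammering the first knock port
        probing = any(
            (ph1[i + scan_hits - 1] - ph1[i]).total_seconds() <= scan_window_s
            for i in range(len(ph1) - scan_hits + 1)
        )
        verdict[src] = "probing" if probing else "incomplete"
    return verdict


def triage(log_text=SAMPLE_LOG):
    return classify(parse(log_text))


if __name__ == "__main__":
    for src, what in sorted(triage().items()):
        print(f"{src:16} {what}")
```

Because the Phase 2 and Phase 3 rules only fire for sources already on the previous list, a source that appears only under the PH1 prefix never got past the first port; the sliding window simply separates a single mistyped attempt from repeated hammering. The thresholds are parameters so they can be tuned to how often legitimate users actually knock.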
Sorry for the late reply, I was gone for a while. Yes, I use PPPoE (dynamic IP) but I have a host name that redirects every time to my actual IP (hostname is provided by my ISP), and thanks again for your time.

Well, what are the names of your ISP interfaces? Are you using PPPoE or something? Then your "input" interface to filter against would be that name.
Not sure about the WAN_IP ACL that I used, if I had to create it myself or not, can't remember anymore.
It contains 1 DNS name that is updated through the /ip cloud DDNS client in RouterOS, so ###############.sn.mynetname.net (#### = serial number of your unit).
ISP_Interface would be the incoming interface, in my case I used the name of the PPPoE connection to my ISP.
If you use a cable modem + DHCP you probably use an etherX interface.
PORT1 / PORT2 / PORT3 / FINAL_PORT are just values you may choose randomly between 1 and 64K (that is the actual port to knock on).
Many thanks for the reply, I will try this when I return home and I will come back with a reply if this works (if someone else needs it).

Then the example below should work;
I've even removed the "dst-address-list" WAN_IP and only use the effective interface the packet is coming in on. You have only 1 PPPoE to an ISP, so basic.
In the example below you need to knock TCP/1000 first, then within 15 seconds TCP/2000, then within 15 seconds TCP/3000, and then the IP address from which you are knocking will be added with a duration of 4 hours to the Allowed_VPN_IP access-list.
THAT ACL you can then use to "filter" your rules on VPN, say L2TP/SSTP/PPTP.
add action=add-src-to-address-list address-list="Port Knock Phase 1" address-list-timeout=15s chain=input comment="Port Knock Phase 1" dst-port=1000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH1 protocol=tcp
add action=add-src-to-address-list address-list="Port Knock Phase 2" address-list-timeout=15s chain=input comment="Port Knock Phase 2" dst-port=2000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH2 protocol=tcp src-address-list="Port Knock Phase 1"
add action=add-src-to-address-list address-list="Port Knock Phase 3" address-list-timeout=15s chain=input comment="Port Knock Phase 3" dst-port=3000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH3 protocol=tcp src-address-list="Port Knock Phase 2"
add action=add-src-to-address-list address-list=Allowed_VPN_IP address-list-timeout=4h chain=input comment="VPN Port Knock Completed" dst-port=FINAL_PORT in-interface="ISP_Interface" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-VPN-COMPLETED protocol=udp src-address-list="Port Knock Phase 3"
One more question:

Oops, small correction, I did not add a value on the very last step, so summary again:
In the example below you need to knock TCP/1000 first, then within 15 seconds TCP/2000, then within 15 seconds TCP/3000, and finally within 15 seconds TCP/8000, and then the IP address from which you are knocking will be added with a duration of 4 hours to the Allowed_VPN_IP access-list.
THAT ACL you can then use to "filter" your rules on VPN, say L2TP/SSTP/PPTP.
add action=add-src-to-address-list address-list="Port Knock Phase 1" address-list-timeout=15s chain=input comment="Port Knock Phase 1" dst-port=1000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH1 protocol=tcp
add action=add-src-to-address-list address-list="Port Knock Phase 2" address-list-timeout=15s chain=input comment="Port Knock Phase 2" dst-port=2000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH2 protocol=tcp src-address-list="Port Knock Phase 1"
add action=add-src-to-address-list address-list="Port Knock Phase 3" address-list-timeout=15s chain=input comment="Port Knock Phase 3" dst-port=3000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH3 protocol=tcp src-address-list="Port Knock Phase 2"
add action=add-src-to-address-list address-list=Allowed_VPN_IP address-list-timeout=4h chain=input comment="VPN Port Knock Completed" dst-port=8000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-VPN-COMPLETED protocol=tcp src-address-list="Port Knock Phase 3"
I want to use one for all of the services: VPN, SSH, etc....

There are 2 things: this port-knocking thing only populates a (most of the time dynamic) access-list and you decide what you want to do with it.
You have indeed already some statements like the ones below, but without the "src-address-list" field. Perhaps better to UPDATE these rules? Not too sure if, when you paste again, they are edited or ADDED again.
I don't use PPTP (nobody should actually, old, obsolete and not secure anymore).
Very important is the ORDER of all these rules; make sure your "port-knocks" are pretty high up in the order, before other DROP statements.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp src-address-list=Allowed_VPN_IP
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp src-address-list=Allowed_VPN_IP
Your construction with the SSH "blacklister" is a bit strange, but I see that basically if you try a couple of times to SSH to the box you are thrown on a ssh_blacklist. Better is to simply use the port-knock in general, then block EVERYTHING else anyway. No need to use CPU-cycles on this ssh_blacklist specific routine.
I use a 3-stage port-knock generic as a "frontdoor" and then a final knock specific for the service I want to open. So 4 stages in total. Sure, you could make 1 generic one to cover all services too. Many solutions to the same problem.
add action=add-src-to-address-list address-list="Port Knock Phase 1" address-list-timeout=15s chain=input comment="Port Knock Phase 1" dst-port=1000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH1 protocol=tcp
add action=add-src-to-address-list address-list="Port Knock Phase 2" address-list-timeout=15s chain=input comment="Port Knock Phase 2" dst-port=2000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH2 protocol=tcp src-address-list="Port Knock Phase 1"
add action=add-src-to-address-list address-list="Port Knock Phase 3" address-list-timeout=15s chain=input comment="Port Knock Phase 3" dst-port=3000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-PH3 protocol=tcp src-address-list="Port Knock Phase 2"
add action=add-src-to-address-list address-list=Allowed_VPN_IP address-list-timeout=4h chain=input comment="VPN Port Knock Completed" dst-port=8000 in-interface="pppoe-out1" log=yes log-prefix=IPV4-INPUT-PORTKNOCK-VPN-COMPLETED protocol=tcp src-address-list="Port Knock Phase 3"
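The post above makes three claims that are easy to get wrong when pasting rules into /ip firewall filter: the knock stages must arrive within the 15 s address-list-timeout, the knock rules must sit before the WAN drop, and each stage's src-address-list must reference the previous stage. The following is an added example (not code from the thread or from MikroTik) that models just enough of the RouterOS input chain to check a rule set offline before it goes on a router: rule order, add-src-to-address-list with a timeout, src-address-list matching, and accept/drop. The ports (1000/2000/3000/8000), interface (pppoe-out1), list names and the PPTP accept rule follow the post; the client addresses are constructed, and the modelling assumptions (add-src-to-address-list does not terminate the chain, re-adding an address simply overwrites its expiry) are noted in the comments.

```python
# Added example: offline simulator for the multi-stage port-knock chain in this
# thread. It is not RouterOS code; it models the subset of filter behaviour the
# knock relies on so rule order and timeouts can be sanity-checked in advance.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                            # accept | drop | add-src-to-address-list
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    in_interface: Optional[str] = None
    src_address_list: Optional[str] = None
    address_list: Optional[str] = None     # target list for add-src-to-address-list
    timeout: float = 0.0                   # address-list-timeout in seconds
    comment: str = ""


@dataclass
class Packet:
    t: float                               # arrival time in seconds
    src: str
    dst_port: int
    protocol: str
    in_interface: str


class InputChain:
    def __init__(self, rules):
        self.rules = rules
        self.lists = {}                    # address list name -> {src: expiry time}

    def on_list(self, name, src, now):
        expiry = self.lists.get(name, {}).get(src)
        return expiry is not None and expiry > now

    def process(self, pkt):
        """Walk the chain top-down and return the terminating action for one packet."""
        for r in self.rules:
            if r.dst_port is not None and r.dst_port != pkt.dst_port:
                continue
            if r.protocol and r.protocol != pkt.protocol:
                continue
            if r.in_interface and r.in_interface != pkt.in_interface:
                continue
            if r.src_address_list and not self.on_list(r.src_address_list, pkt.src, pkt.t):
                continue
            if r.action == "add-src-to-address-list":
                # Assumption: modelled as non-terminating, as in RouterOS; the packet
                # keeps walking the chain. Re-adding overwrites the expiry (simplified).
                self.lists.setdefault(r.address_list, {})[pkt.src] = pkt.t + r.timeout
                continue
            return r.action
        return "accept"                    # RouterOS default when no rule matched


def knock_rule(port, src_list, target, timeout, comment):
    return Rule("add-src-to-address-list", dst_port=port, protocol="tcp",
                in_interface="pppoe-out1", src_address_list=src_list,
                address_list=target, timeout=timeout, comment=comment)


def build_chain(knocks_first=True, final_src_list="Port Knock Phase 3"):
    knock = [
        knock_rule(1000, None, "Port Knock Phase 1", 15, "Port Knock Phase 1"),
        knock_rule(2000, "Port Knock Phase 1", "Port Knock Phase 2", 15, "Port Knock Phase 2"),
        knock_rule(3000, "Port Knock Phase 2", "Port Knock Phase 3", 15, "Port Knock Phase 3"),
        knock_rule(8000, final_src_list, "Allowed_VPN_IP", 4 * 3600, "VPN Port Knock Completed"),
    ]
    service = [
        Rule("accept", dst_port=1723, protocol="tcp", src_address_list="Allowed_VPN_IP", comment="allow pptp"),
        Rule("drop", in_interface="pppoe-out1", comment="drop everything else from WAN"),
    ]
    return InputChain(knock + service if knocks_first else service + knock)


def try_sequence(chain, src, knocks, pptp_at):
    """knocks: list of (time, port). Returns the verdict for a PPTP SYN sent at pptp_at."""
    for t, port in knocks:
        chain.process(Packet(t, src, port, "tcp", "pppoe-out1"))
    return chain.process(Packet(pptp_at, src, 1723, "tcp", "pppoe-out1"))


GOOD_KNOCKS = [(0, 1000), (5, 2000), (10, 3000), (14, 8000)]


def correct_sequence():
    return try_sequence(build_chain(), "203.0.113.10", GOOD_KNOCKS, 20)


def late_second_knock():
    # 20 s between knock 1 and 2 exceeds the 15 s address-list-timeout, so Phase 1 has expired
    return try_sequence(build_chain(), "203.0.113.11", [(0, 1000), (20, 2000), (25, 3000), (30, 8000)], 35)


def wrong_order():
    # knock rules placed after the WAN drop: knocks are dropped before being recorded
    return try_sequence(build_chain(knocks_first=False), "203.0.113.12", GOOD_KNOCKS, 20)


def stale_final_rule():
    # A copy-paste slip that leaves the final rule matching "Port Knock Phase 2"
    # means port 3000 is never required; the correct chain rejects the same 3-knock sequence.
    three_knocks = [(0, 1000), (5, 2000), (10, 8000)]
    with_slip = try_sequence(build_chain(final_src_list="Port Knock Phase 2"), "203.0.113.13", three_knocks, 15)
    correct = try_sequence(build_chain(), "203.0.113.13", three_knocks, 15)
    return with_slip, correct


if __name__ == "__main__":
    print("correct sequence     :", correct_sequence())
    print("late second knock    :", late_second_knock())
    print("knocks after drop    :", wrong_order())
    print("stale final rule     :", stale_final_rule())
```

The knock packets themselves are still dropped by the last rule; that is intended, since the add-src-to-address-list rules only record the source and the WAN drop then discards the SYN. Only the PPTP SYN that follows a complete, in-time sequence reaches the accept rule.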
I use the same app, indeed a good solid port-knocker.

PS: for port-knocking on mobile I use this app (5 sec delay): play.google.com/store/apps/details?id=com.xargsgrep.portknocker

Hello,

Post your port-knocking code. For an analysis we would need all your firewall rules, i.e. this output:
/ip firewall filter export hide-sensitive
An alternative method would be to change the VPN server port from the default 1194 to another port.
I still use port-knocker.

jvan, if you use portknocker instead of wireguard, you will get a lump of coal for xmas!