johnt107
just joined
Topic Author
Posts: 15
Joined: Sat Jun 20, 2020 3:28 pm

FTP connecting from WAN without open port on router

Mon Jan 04, 2021 8:12 am

router info - hEX S - MikroTik RouterOS 6.47.3
I thought I had locked down my router from external access. Port scans from security web sites showed no open ports.
Then I did a scan with nmap and it shows port 21 is open. Connecting with FTP from the WAN results in a connection. The connection is closed by the host a short while later.
I tried including an explicit firewall rule to reject/drop port 21 but the results were the same.
Should this be the behaviour of the Mikrotik? Do other brand equivalent routers do the same?
 
ak4020
just joined
Posts: 17
Joined: Mon Mar 23, 2020 11:35 am

Re: FTP connecting from WAN without open port on router

Mon Jan 04, 2021 10:49 am

Hi, no, there is a config error on your side. I have just tested it myself on my RB externally and of course the port does not answer. Work through all your rules, something is wrong in there. BR
 
anav
Forum Guru
Posts: 5939
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: FTP connecting from WAN without open port on router

Mon Jan 04, 2021 2:56 pm

Post your config
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
erlinden
Long time Member
Posts: 653
Joined: Wed Jun 12, 2013 1:59 pm

Re: FTP connecting from WAN without open port on router

Mon Jan 04, 2021 2:58 pm

Do you have UPnP enabled?
By default everything is blocked unless a port is forwarded.
First the problem, then the solution
 
johnt107
just joined
Topic Author
Posts: 15
Joined: Sat Jun 20, 2020 3:28 pm

Re: FTP connecting from WAN without open port on router

Mon Jan 04, 2021 11:56 pm

UPnP is not enabled.

My config is:
# jan/05/2021 08:42:19 by RouterOS 6.47.3
# software id = NPE3-YMYE
#
# model = RB760iGS
# serial number = xxxxxxxx
/interface bridge
add admin-mac=C4:AD:34:xx:xx:xx arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
/interface ovpn-client
add certificate="United States-New York-TCP.ovpn_1" cipher=aes256 connect-to=\
usny2-ovpn-tcp.dns2use.com disabled=yes mac-address=02:31:3E:87:2A:E7 \
name=ovpn-out1 user=xxx@yyy.com
/interface pptp-client
add allow=mschap1,mschap2 connect-to=caq1.dns2use.com dial-on-demand=yes \
disabled=no name="Torrent pptp-out1" user=xxx@yyy.com
/interface vlan
add interface=sfp1 name=vlan4 vlan-id=4
add interface=sfp1 name=vlan100 vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip firewall layer7-protocol
add name=Bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$|get /scrap\
e\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/|GET /data\
\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp1 ranges=10.1.1.101-10.1.1.199
add name=dhcp_VLAN4pool ranges=10.1.4.101-10.1.4.199
add name=dhcp_VLAN100pool ranges=10.1.100.101-10.1.100.199
add name=L2TP-pool ranges=10.1.1.240-10.1.1.254
/ip dhcp-server
add address-pool=dhcp1 disabled=no interface=bridge name=defconf
add address-pool=dhcp_VLAN100pool disabled=no interface=vlan100 name=dhcp100
add address-pool=dhcp_VLAN4pool disabled=no interface=vlan4 name=dhcp4
/port
set 0 name=serial0
/ppp profile
add local-address=10.1.1.1 name=Profile-L2TP remote-address=L2TP-pool \
use-encryption=required
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge disabled=yes interface=ether1
add interface=vlan100
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=Profile-L2TP enabled=yes \
one-session-per-host=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
/ip address
add address=10.1.1.1/24 comment=defconf interface=bridge network=10.1.1.0
add address=10.1.4.1/24 interface=vlan4 network=10.1.4.0
add address=10.1.100.1/24 interface=vlan100 network=10.1.100.0
/ip dhcp-client
add comment=defconf interface=ether2 use-peer-dns=no
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.1.1.20 client-id=1:e8:fc:af:e5:f4:88 mac-address=\
E8:FC:AF:E5:F4:88 server=defconf
add address=10.1.1.3 client-id=1:b0:95:75:15:ac:60 mac-address=\
B0:95:75:15:AC:60 server=defconf
add address=10.1.1.19 client-id=1:28:c6:8e:36:1d:be mac-address=\
28:C6:8E:36:1D:BE server=defconf
add address=10.1.1.110 client-id=1:60:f1:89:1b:2d:29 mac-address=\
60:F1:89:1B:2D:29 server=defconf
add address=10.1.100.98 client-id=1:c:8b:fd:cc:51:f0 mac-address=\
0C:8B:FD:CC:51:F0 server=dhcp100
add address=10.1.1.13 mac-address=08:00:37:A9:DB:79 server=defconf
add address=10.1.1.4 client-id="Netgear POE switch" comment=\
"Netgear POE switch" mac-address=38:94:ED:A9:60:16 server=defconf
add address=10.1.100.21 client-id=1:8:ed:ed:89:13:c7 mac-address=\
08:ED:ED:89:13:C7 server=dhcp100
add address=10.1.100.22 client-id=1:8:ed:ed:6d:66:46 mac-address=\
08:ED:ED:6D:66:46 server=dhcp100
add address=10.1.100.25 client-id=1:8:ed:ed:89:13:c9 mac-address=\
08:ED:ED:89:13:C9 server=dhcp100
add address=10.1.100.24 client-id=1:a0:bd:1d:d5:73:d9 mac-address=\
A0:BD:1D:D5:73:D9 server=dhcp100
add address=10.1.100.250 client-id=1:88:dc:96:49:8e:ef mac-address=\
88:DC:96:49:8E:EF server=dhcp100
add address=10.1.100.23 client-id=1:8:ed:ed:19:3c:55 mac-address=\
08:ED:ED:19:3C:55 server=dhcp100
add address=10.1.100.26 client-id=1:8:ed:ed:d6:f7:9e mac-address=\
08:ED:ED:D6:F7:9E server=dhcp100
add address=10.1.100.31 client-id=1:c:8c:24:a1:c8:3c mac-address=\
0C:8C:24:A1:C8:3C server=dhcp100
add address=10.1.1.10 client-id=1:0:23:24:5e:4a:fb comment="NVR System" \
mac-address=00:23:24:5E:4A:FB server=defconf
add address=10.1.1.30 client-id=1:cc:98:8b:46:83:57 comment=\
"TV1 ethernet - lounge" mac-address=CC:98:8B:46:83:57 server=defconf
add address=10.1.1.33 client-id=1:ac:d5:64:74:8a:43 comment=\
"TV2 wifi - Theatre room" mac-address=AC:D5:64:74:8A:43 server=defconf
add address=10.1.4.168 comment="Eccowit weather" mac-address=\
DC:4F:22:59:19:F7 server=dhcp4
add address=10.1.4.2 mac-address=00:04:F3:13:86:34 server=dhcp4
add address=10.1.1.99 client-id=1:c:8b:fd:cc:51:f0 comment="Asus wifi static" \
mac-address=0C:8B:FD:CC:51:F0 server=defconf
add address=10.1.1.21 client-id=1:0:11:32:c9:e7:a0 comment=AttungaNAS \
mac-address=00:11:32:C9:E7:A0 server=defconf
add address=10.1.100.33 client-id=1:74:ee:2a:37:95:74 comment=\
"Autens V380 Pro" mac-address=74:EE:2A:37:95:74 server=dhcp100
add address=10.1.1.83 client-id=1:22:15:af:dd:98:4 mac-address=\
22:15:AF:DD:98:04 server=defconf
add address=10.1.1.82 client-id=1:fe:b3:f1:2:86:25 mac-address=\
FE:B3:F1:02:86:25 server=defconf
add address=10.1.1.81 client-id=1:78:4f:43:88:62:72 mac-address=\
78:4F:43:88:62:72 server=defconf
/ip dhcp-server network
add address=10.1.1.0/24 comment=defconf gateway=10.1.1.1 netmask=24
add address=10.1.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.4.1
add address=10.1.100.0/24 gateway=10.1.100.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2
/ip dns static
add address=10.1.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=10.1.1.99 disabled=yes list="traffic to go to vpn"
add address=usny1.dns2use.com list=VPNservers
add address=ukm1.dns2use.com list=VPNservers
add address=caq1.dns2use.com list=VPNservers
add address=de1.dns2use.com list=VPNservers
add address=64.90.202.69 list=idrive-servers
add address=64.90.202.70 list=idrive-servers
add address=148.66.234.47 list=idrive-servers
add address=148.66.234.51 list=idrive-servers
add address=173.255.7.235 list=idrive-servers
add address=evsns19.idrive.com list=idrive-servers
add address=vleu-be1.dns2use.com list=VPNservers
/ip firewall filter
add action=drop chain=forward connection-state=!established dst-port=123 \
in-interface-list=WAN log=yes log-prefix="WAN to NTP" protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN log=yes \
log-prefix="WAN to **DNS**" protocol=udp
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes \
log-prefix="WAN input to **DNS**" protocol=udp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
disabled=yes in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
disabled=yes in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix="not from LAN"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
"prevent vlan100 (ipcameras) from accessing internet" disabled=yes \
in-interface=vlan100 out-interface-list=WAN src-address=!10.1.100.10
add action=accept chain=forward disabled=yes dst-address=10.1.100.0/24 \
src-address=10.1.1.0/24
add action=accept chain=forward disabled=yes dst-address=10.1.1.10 \
src-address=10.1.100.0/24
add action=drop chain=forward in-interface=vlan100 log=yes log-prefix=\
"vlan 100 dropped"
add action=drop chain=forward in-interface=all-vlan out-interface-list=!WAN
add action=accept chain=forward dst-address=10.1.1.21 dst-port=123 log=yes \
log-prefix="Time query" protocol=udp
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
/ip firewall mangle
add action=mark-routing chain=prerouting comment="direct Asus laptop to VPN" \
disabled=yes dst-address-list=!idrive-servers new-routing-mark=for-vpn \
passthrough=yes src-address=10.1.1.99
add action=mark-routing chain=prerouting comment="direct NVR to VPN" \
disabled=yes dst-address-list=!idrive-servers new-routing-mark=for-vpn \
passthrough=yes src-address=10.1.1.10
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# no interface
add action=masquerade chain=srcnat out-interface=*E
add action=dst-nat chain=dstnat dst-port=10443 in-interface=ether1 protocol=\
tcp to-addresses=10.1.100.10 to-ports=10443
add action=dst-nat chain=dstnat dst-port=20008 in-interface=ether1 protocol=\
tcp to-addresses=10.1.1.20 to-ports=80
/ip route
add distance=1 gateway="Torrent pptp-out1" routing-mark=for-vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.1.1.0/24
set ssh disabled=yes
set www-ssl address=10.1.1.0/24 disabled=no
set api disabled=yes
set winbox address=10.1.1.0/24,10.1.100.99/32,10.1.4.99/32
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=xxx profile=Profile-L2TP service=l2tp
add name=yyy profile=Profile-L2TP service=l2tp
/system clock
set time-zone-name=Australia/Sydney
/system logging
add action=remote topics=critical,info,error,warning,ppp
/system ntp client
set enabled=yes server-dns-names=au.pool.ntp.org,oceania.pool.ntp.org
/system package update
set channel=long-term
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
 
WeWiNet
Member
Posts: 489
Joined: Thu Sep 27, 2018 4:11 pm

Re: FTP connecting from WAN without open port on router

Tue Jan 05, 2021 11:47 am

Please use the [] button above the editing window to paste code, it makes review easier.

You allow input: est/rel/untracked. Maybe, as you use the same IP address as your winbox connection,
the connection tracker sees your FTP request as one of these connection types?
And when you do the port scan, it comes from a different IP, thus it's blocked by the firewall?

I only accept established and related on the input chain from WAN. Maybe that would do it also in your case?
WeWiNet

MTCNA
I like a new challenge, I migrate to ROS7... :? or maybe I am just crazy :lol: !!!
 
anav
Forum Guru
Posts: 5939
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: FTP connecting from WAN without open port on router

Tue Jan 05, 2021 4:28 pm

Overly complex IMHO.... and some things I don't get.
What is the purpose of the ovpn client?
What is the purpose of the pptp-client (no longer a recommended secure VPN protocol, I believe)!

I don't think BitTorrent is something that is effectively handled by the router, but are you trying to block users outbound?
Outbound is easy --> use BitTorrent, lose access to internet!!!!

/interface vlan
add interface=sfp1 name=vlan4 vlan-id=4
add interface=sfp1 name=vlan100 vlan-id=100
Okay, but why define vlan100 under bridge ports? Very strange; one defines ports, wlans etc., not vlans!!
/interface bridge port
....
add interface=vlan100

Just so I get this straight: you have all traffic going through the bridge. Two streams are vlan4 and vlan100 that only go through sfp1 directly (and are not associated with the bridge directly), and all other traffic with DHCP from the bridge goes over all ports, including sfp1.
Why mix the same IP range for all traffic and the L2TP traffic? Could be confusing.

Wait, do you have two DHCP clients, ether1 and ether2??
If so, why are they on the bridge???? I see ether1 is disabled but not ether2?? But ether2 is not listed as a WAN interface member???

You do have open ports on the router and you DO allow port forwarding.
But I do not see where you allow port 21 via dstnat rules (so it should not be visible at all).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
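To check what the posted input chain actually does with the probe described in this thread, here is an added example (it is not from the original posts, nor MikroTik code) that parses a copy of the chain=input rules from the export above and walks them in rule order for a few constructed packets. It follows WeWiNet's observation about connection-state and anav's point that no dst-nat rule exposes port 21: a new TCP/21 packet arriving on an interface in the WAN list falls through to the defconf "drop all not coming from LAN" rule, while the same flow already marked established would be accepted. The matcher implements only a subset of RouterOS match criteria (chain, protocol, dst-port, in-interface-list, connection-state, dst-address); interface-list membership of the packets, the constructed public destination address and the packet labels are assumptions.

```python
"""Walk a RouterOS /ip firewall filter chain in rule order and report the
verdict for a constructed packet. Added example for this thread, not
RouterOS code: accept/drop/reject are terminal, other actions fall through,
and an unmatched packet is accepted at the end of the chain (RouterOS default)."""
import ipaddress
import shlex

# Constructed input: the chain=input rules copied from the export posted
# earlier in the thread, continuation backslashes kept as exported.
INPUT_CHAIN_EXPORT = r"""
add action=drop chain=input dst-port=53 in-interface-list=WAN log=yes \
log-prefix="WAN input to **DNS**" protocol=udp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix="not from LAN"
"""

TERMINAL_ACTIONS = {"accept", "drop", "reject"}


def join_continuations(text):
    """Join export lines that end with a backslash onto the following line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            lines.append(buf + line)
            buf = ""
    return lines


def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict; shlex handles quoting."""
    rules = []
    for line in join_continuations(text):
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def _negated(value):
    """RouterOS prefixes a match value with '!' to invert it."""
    return (True, value[1:]) if value.startswith("!") else (False, value)


def _port_in(spec, port):
    """spec is a comma list of ports or lo-hi ranges, e.g. '500,1701,4500'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, pkt):
    if rule.get("disabled") == "yes" or rule.get("chain") != pkt["chain"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "dst-port" in rule and (pkt.get("dst_port") is None
                               or not _port_in(rule["dst-port"], pkt["dst_port"])):
        return False
    if "in-interface-list" in rule:
        neg, name = _negated(rule["in-interface-list"])
        if (name in pkt["in_lists"]) == neg:
            return False
    if "connection-state" in rule:
        neg, states = _negated(rule["connection-state"])
        if (pkt["conn_state"] in states.split(",")) == neg:
            return False
    if "dst-address" in rule:
        neg, addr = _negated(rule["dst-address"])
        net = ipaddress.ip_network(addr, strict=False)
        if (ipaddress.ip_address(pkt["dst_address"]) in net) == neg:
            return False
    return True


def verdict(rules, pkt):
    """Return (action, comment) of the first terminating rule, or the chain default."""
    for rule in rules:
        if rule_matches(rule, pkt) and rule.get("action") in TERMINAL_ACTIONS:
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain (RouterOS default policy)"


def wan_packet(protocol, dst_port, conn_state="new"):
    """Constructed packet arriving on ether1, which the export puts in list WAN."""
    return {"chain": "input", "protocol": protocol, "dst_port": dst_port,
            "in_lists": {"WAN"}, "conn_state": conn_state,
            "dst_address": "203.0.113.10"}  # assumed public address, documentation range


if __name__ == "__main__":
    rules = parse_rules(INPUT_CHAIN_EXPORT)
    cases = {
        "new TCP/21 from WAN (the nmap probe)": wan_packet("tcp", 21),
        "established TCP/21 from WAN": wan_packet("tcp", 21, "established"),
        "new UDP/500 from WAN (IKE for L2TP/IPsec)": wan_packet("udp", 500),
        "new UDP/53 from WAN": wan_packet("udp", 53),
    }
    for label, pkt in cases.items():
        action, why = verdict(rules, pkt)
        print(f"{label:42s} -> {action:6s} {why}")
```

The walk shows the config itself is consistent with johnt107's final post: a fresh SYN to port 21 from the WAN side never reaches an accept rule, and the export additionally has `/ip service set ftp disabled=yes`, so the router is not listening on 21 even from the LAN. A banner seen from the internet therefore has to come from a device other than this router, which is what disconnecting it confirmed.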
 
johnt107
just joined
Topic Author
Posts: 15
Joined: Sat Jun 20, 2020 3:28 pm

Re: FTP connecting from WAN without open port on router

Wed Jan 06, 2021 2:07 am

Thanks for the feedback. I'm no network or Mikrotik expert. I'm finding the Mikrotik a bit beyond me so I rely on tutorials I find on the web and Youtube to achieve the things I want done on the router.
There are remnants of things I've tried in the past in the config. Perhaps I'll start again from scratch so I have a relatively clean config and then come back if I still get that unwanted FTP connection.

What I want to achieve is:
VLANs - these are created on a managed switch (and connected WAP) connected on the SFP port.
VLAN4 for IoT stuff - they need internet access.
VLAN100 for cameras - no internet access
VPN in - access back to the network to view cameras - L2TP to the router, not using Mikrotik DDNS.
VPN out for torrents - Since this is for downloading I don't really care if the VPN is super secure or not thus I use PPTP as it's been the easiest to configure. Should I care?

I've also found speed on a VPN is slow when using Mikrotik to connect the VPN. I get much faster speeds when a machine behind the router has a VPN connection directly. I'd prefer to use the Mikrotik - any advice on getting max speeds with the router connection?
 
mkx
Forum Guru
Posts: 5266
Joined: Thu Mar 03, 2016 10:23 pm

Re: FTP connecting from WAN without open port on router

Wed Jan 06, 2021 9:27 am

Encryption (used by VPN) is pretty intense stuff for the tiny CPUs in the low-price routers. Some routers have HW support for certain types of encryption, which helps with VPN throughput, but one has to be really careful when configuring VPN to use the supported VPN types (IPsec is the only supported VPN tech with HW encryption) and to use "correct" algorithms and cipher key lengths. But even when doing everything right, hEX S won't encrypt at wire speed. If the VPN settings are not compatible with HW encryption, then throughput will be at least 10 times less.
You can have a look at the official test results; IPsec test results are at the bottom of the page and indicate that encryption can be up to one third of routing throughput.

The device also doesn't support VLANs in hardware, which means that it is basically not suitable to be used as a smart switch with VLANs enabled. If it's only used for routing (e.g. only inter-VLAN traffic will actually hit it), this doesn't matter much.
BR,
Metod
 
johnt107
just joined
Topic Author
Posts: 15
Joined: Sat Jun 20, 2020 3:28 pm

Re: FTP connecting from WAN without open port on router

Fri Jan 08, 2021 10:56 am

Encryption (used by VPN) is pretty intense stuff for the tiny CPUs

Then perhaps I should rethink my need for encryption. If the sole purpose of the VPN is to hide the originating IP address, encryption isn't really needed, is it? I could connect and use a VPN tunnel without encryption to hide the originating IP?
 
johnt107
just joined
Topic Author
Posts: 15
Joined: Sat Jun 20, 2020 3:28 pm

Re: FTP connecting from WAN without open port on router

Sat Jan 16, 2021 2:20 am

Update - this is an issue with my ISP. I disconnected the router and still got an FTP connection.
