zaher80
just joined
Topic Author
Posts: 7
Joined: Fri Sep 25, 2015 3:51 am

Port 443

Wed Jun 09, 2021 8:20 am

Hello,
Is there a rule to allow traffic to pass via port 443 and block or drop it for other apps, like VPN apps (drop), on desktop and smartphone? Microsoft Teams, Google... allow?!
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Port 443

Wed Jun 09, 2021 8:27 am

Even though you might have some success by constructing L7 filter rules, it probably won't last... The encrypted connection protocols are evolving. Currently there's some initial connection metadata passed unencrypted (namely the SNI field) and it is possible to construct an L7 filter to fetch that data and act upon it. But there's already a next standard which also encrypts that data (ESNI). When that standard picks up, current L7 filter rules will be useless.

So as things stand now, it's mostly: forget about it. There are solutions around it, but they either break standards or cost a lot. Unless you install some firewall application directly on end devices; this approach has the benefit of knowing which application is actually starting certain connections. The drawback, however, is that most of the time you don't have control over connecting devices (this happens even in a corporate environment).
Last edited by mkx on Wed Jun 09, 2021 8:47 am, edited 1 time in total.
 
zaher80
just joined
Topic Author
Posts: 7
Joined: Fri Sep 25, 2015 3:51 am

Re: Port 443

Wed Jun 09, 2021 8:34 am

Thank you for your reply.
In my opinion, VPN app vs. MikroTik firewall --> VPN wins 😔
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Port 443

Wed Jun 09, 2021 10:28 am

Thank you for your reply.
In my opinion, VPN app vs. MikroTik firewall --> VPN wins 😔

Some VPNs (PPTP & IPSec) use a specific port and protocol,
some others (L2TP, IKEv2, OpenVPN, WireGuard) use only TCP or UDP ports.

PPTP: TCP 1723 & Protocol 47 GRE
IPSec: UDP 500 & UDP 4500 & Protocol 50 ESP & Protocol 51 AH
L2TP: UDP 1701 plus the same IPSec ports UDP 500 & UDP 4500
IKEv2: uses the same IPSec UDP 500
"OpenVPN UDP": uses UDP 1194
WireGuard: UDP 51820
Cisco VPN & IPSec: TCP 10000

Also EoIP, IP Tunnel (IPIP) and GRE tunnels used for VPN have the same port and protocol as PPTP.
EoIP and IPIP can be used (MUST be used...) with IPSec for security.

By blocking those ports and protocols, the VPN cannot be made...

But other VPNs like SSTP or "OpenVPN TCP" use TCP port 443 (HTTPS) and are hard to block...
 
zaher80
just joined
Topic Author
Posts: 7
Joined: Fri Sep 25, 2015 3:51 am

Re: Port 443

Wed Jun 09, 2021 6:33 pm

Thank you for that info 🙂
