SA0BJW
newbie
Topic Author
Posts: 33
Joined: Sun Jul 07, 2013 12:51 am

Portknocking by script.

Thu Oct 06, 2016 9:48 pm

Hi!

I have a mAP Lite router. Nice little thing! I want it to automagically connect to my (Mikrotik!! ) router and establish a VPN tunnel after booting the mAP Lite. But I want to conduct a port knocking sequence to first open up firewall rules for VPN connection before setting up the VPN tunnel.

Is it possible by scripting in RouterOS to make a port knock sequence?

/SA0BJW
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Portknocking by script.

Thu Oct 06, 2016 10:05 pm

On the router side, you make a set of rules that add matching SRC address to a list:
e.g.:
chain=input protocol=tcp dst-port=9999 action=add-src-to-address-list address-list=phase1 address-list-timeout=2s
chain=input protocol=tcp dst-port=12345 src-address-list=phase1 action=add-src-to-address-list address-list=phase2 address-list-timeout=2s
etc...
where the last one adds the src to the list with a longer timeout period, like 5 minutes or something, during which the successful src IP may create new connections to the router.
I have an accept all established,related rule which will keep the connections open even after the knock expires. If I need to open a new connection after that, I must knock again.

As for the mikrotik being the source - I'm not sure if you can generate arbitrary packets on arbitrary ports with ROS (but I could be wrong - it has quite a nice tool set)
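A complete receiver-side rule set built on the phase-list scheme ZeroByte describes, written as an added example for this thread (it is not ZeroByte's or MikroTik's code). The knock ports 9999 and 12345 and the timeouts are taken from the post; the WAN interface name ether1-wan and the VPN ports (UDP 500, 4500 and 1701 for L2TP/IPsec) are assumptions.

```routeros
# Added example: two-phase port-knock receiver for the VPN server side.
# Assumptions: WAN interface "ether1-wan", VPN = L2TP/IPsec (UDP 500,4500,1701).
/ip firewall filter
# Sessions that are already open survive the expiry of the knock entry.
add chain=input connection-state=established,related action=accept comment="knock: keep existing sessions"
# Phase 1: a packet to port 9999 puts the source on list "phase1" for 2 seconds.
add chain=input in-interface=ether1-wan protocol=tcp dst-port=9999 action=add-src-to-address-list address-list=phase1 address-list-timeout=2s comment="knock: phase 1"
# Phase 2: only a source already on "phase1" may advance, and only within those 2 seconds.
# The final list gets the long timeout during which new VPN connections are accepted.
add chain=input in-interface=ether1-wan protocol=tcp dst-port=12345 src-address-list=phase1 action=add-src-to-address-list address-list=knocked address-list-timeout=5m comment="knock: phase 2 (final)"
# Only a knocked source may reach the VPN ports.
add chain=input in-interface=ether1-wan protocol=udp dst-port=500,4500,1701 src-address-list=knocked action=accept comment="knock: allow VPN from knocked hosts"
# Everything else from the WAN side is dropped, the knock packets themselves included:
# add-src-to-address-list does not accept a packet, it just records the source and
# lets rule evaluation continue, so the knock ports never look open.
add chain=input in-interface=ether1-wan action=drop comment="knock: default drop"
```

Rule order matters: the phase rules must sit above the final drop, and the phase 2 rule must test src-address-list=phase1 so that hitting 12345 on its own does nothing. The knock only gates the first packet of a new connection; the VPN still performs its own authentication once the port is reachable.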
 
SA0BJW
newbie
Topic Author
Posts: 33
Joined: Sun Jul 07, 2013 12:51 am

Re: Portknocking by script.

Thu Oct 06, 2016 10:14 pm

Thanks for your answer.

I already have the port knocking up 'n' running on the receiving router; it works nicely! It would be very nice if the router could act as a client as well!

/SA0BJW
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: Portknocking by script.

Thu Oct 06, 2016 10:16 pm

Hmmm... This is interesting. I have a perl script to do the knock from unix...

I'm curious if you could use the fetch....

What I'm thinking is use fetch to fetch something on a random port... use layer 7 to analyze the address and match it to a secret key....

e.g. fetch http://<YOUR IP>:<PORT 1>/somedata .... then fetch http://<YOUR IP>:<PORT 2>/somedata2 ... use the port knocking via layer 7 rules....

I think it would work.... It's the only way I know of to have the mikrotik generate the knock....
/ip firewall layer7-protocol
add name=knock1 regexp="(GET \\/SOMERANDOMSTRING)"
add name=knock2 regexp="(GET \\/ANOTHERRANDOMSTRING)"

add action=add-src-to-address-list address-list=KnockStage1 address-list-timeout=2m chain=input comment="PortKnock #1" dst-port=9119 in-interface=ether01-gateway layer7-protocol=knock1 protocol=tcp
add action=add-src-to-address-list address-list=KnockStage2 address-list-timeout=2m chain=input comment="PortKnock #2" dst-port=9229 in-interface=ether01-gateway layer7-protocol=knock2 protocol=tcp src-address-list=KnockStage1
add action=accept chain=input comment="PortKnock Allow" in-interface=ether01-gateway src-address-list=KnockStage2

On the script side... would be something like....
/tool fetch host=<DYNIPHOST> src-path=SOMERANDOMSTRING mode=http port=9119 keep-result=no
/tool fetch host=<DYNIPHOST> src-path=ANOTHERRANDOMSTRING mode=http port=9229 keep-result=no
<CODE TO CONNECT VPN>
 
2frogs
Forum Veteran
Posts: 713
Joined: Fri Dec 03, 2010 1:38 am

Re: Portknocking by script.

Sat Oct 08, 2016 8:05 am

This will leave send errors in your logs, but will work for a port knocker.
/tool e-mail send server=ddns-or-ipaddress port=xxxx to=knock
/tool e-mail send server=ddns-or-ipaddress port=yyyy to=knock
/tool e-mail send server=ddns-or-ipaddress port=zzzz to=knock
 
SA0BJW
newbie
Topic Author
Posts: 33
Joined: Sun Jul 07, 2013 12:51 am

Re: Portknocking by script.

Wed Oct 26, 2016 10:50 pm

Thank you 2frogs for your answer. Have tested it and it works fine! I'm sure the script efaden posted also works, shall try it out later.

Thanks!!!
 
jo2jo
Forum Guru
Posts: 1003
Joined: Fri May 26, 2006 1:25 am

Re: Portknocking by script.

Sat Oct 13, 2018 4:51 am

efaden wrote:
/tool fetch host=<DYNIPHOST> src-path=SOMERANDOMSTRING mode=http port=9119 keep-result=no
/tool fetch host=<DYNIPHOST> src-path=ANOTHERRANDOMSTRING mode=http port=9229 keep-result=no

This is a good idea to trigger the dst device of your port-knocking, however be sure to do it like this:

:do {/tool fetch host=<DYNIPHOST> src-path=SOMERANDOMSTRING mode=http port=9119 keep-result=no} on-error={}
:do {/tool fetch host=<DYNIPHOST> src-path=ANOTHERRANDOMSTRING mode=http port=9229 keep-result=no} on-error={}

For some unexplained reason RouterOS scripts just die/halt (with no logged error nor any indication) if any line/command fails or produces an error. Seeing as both of these fetch commands will error out (i.e. run one from the command line directly = "status:failed"), the script will only execute the first line, but not the 2nd (nor anything beyond where the "failed" occurs).
Thus you won't get your port knocking effect since only the first line runs (and will probably waste a lot of time thinking something is wrong with your FW rules or your script).

(This is assuming you are not running an HTTPd server on all the ports you are knocking, which no one is running of course. So as expected /tool fetch mode=http produces "failed" as it can't connect to a valid HTTP server. The unexpected part is that this will kill your script, thus add the :do ... on-error.)
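The client side of efaden's fetch-based knock, with jo2jo's :do/on-error wrapping and run from the scheduler at boot so the mAP Lite knocks and then connects by itself, as an added example that is not code from either poster. The host name vpn.example.net, the knock ports 9119 and 9229, the two path strings, and an L2TP client interface named l2tp-to-home are assumptions; the paths are what efaden's layer7 rules would match.

```routeros
# Added example: knock, then bring up the VPN, executed once at boot.
# Assumptions: knock target vpn.example.net, ports 9119/9229, interface "l2tp-to-home".
/system script add name=knock-and-connect source={
    # Give the WAN link time to come up before the first knock.
    :delay 30s
    :local knockHost "vpn.example.net"
    # Each fetch is expected to fail (nothing speaks HTTP on a knock port).
    # Without :do ... on-error the failure would halt the script before the second knock.
    :do { /tool fetch host=$knockHost src-path="SOMERANDOMSTRING" mode=http port=9119 keep-result=no } on-error={}
    :delay 1s
    :do { /tool fetch host=$knockHost src-path="ANOTHERRANDOMSTRING" mode=http port=9229 keep-result=no } on-error={}
    :delay 1s
    # The remote firewall now lists this source as knocked; only now start the tunnel.
    /interface l2tp-client enable [find name="l2tp-to-home"]
    :log info "knock sequence sent, VPN client enabled"
}
# start-time=startup with the default interval runs the script once per boot.
/system scheduler add name=knock-at-boot start-time=startup on-event=knock-and-connect
```

The delays keep the two knocks in order and inside the address-list-timeout of the receiving rules (2m in efaden's example), and the :log line gives a visible trace of what ran, which is the only feedback you get when the fetches themselves report "failed".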
 
nickshore
Long time Member
Posts: 521
Joined: Thu Mar 03, 2005 4:14 pm
Location: Suffolk, UK.

Re: Portknocking by script.

Sat Oct 13, 2018 11:50 am

You could use a variation on port knocking but using icmp and various packet sizes.

Then the client can use the ping command with size set to execute the knock

Hope that helps
Nick
 
richinuk
Member Candidate
Posts: 149
Joined: Tue Jan 22, 2008 9:30 pm

Re: Portknocking by script.

Tue Jun 04, 2019 5:51 am

nickshore wrote:
You could use a variation on port knocking but using icmp and various packet sizes.

Then the client can use the ping command with size set to execute the knock

Hope that helps
Nick
Ooh, I like that. ICMP packet sizes are also pretty obscure to someone sniffing the wire.
 
jspool
Member
Posts: 469
Joined: Sun Oct 04, 2009 4:06 am
Location: Oregon

Re: Portknocking by script.

Tue Jun 04, 2019 6:09 am

Allow trusted DDNS on VPN server.
Script the mAP to update a DDNS record on boot up and then establish the VPN connection. No need to knock on your own door unless you like secret handshakes.
You can also make a script in the mAP that updates the DDNS to a non-public IP when you're done using it, in case you're paranoid.
 
SimonThomasen
newbie
Posts: 32
Joined: Thu Apr 05, 2012 12:46 am

Re: Portknocking by script.

Tue Oct 27, 2020 9:55 am

Untested, but I have tested the pinging; that works.

Sending and receiving a port knock based on 2 ICMP packets.
Stage 2 must follow within 10 seconds of stage 1:


Sending 2 ICMP packets of specific sizes:
ping 11.11.11.11 count=1 interval=1 size=2101
:delay 1
ping 11.11.11.11 count=1 interval=1 size=1202


Receiving them:
/ip firewall filter add action=add-src-to-address-list address-list=knock1 address-list-timeout=00:00:10 chain=input comment="Port knocking, stage 1" protocol=icmp packet-size=2101
/ip firewall filter add action=add-src-to-address-list src-address-list=knock1 address-list=knock2 chain=input comment="Port knocking, stage 2" protocol=icmp packet-size=1202
