I hope I'm not forgetting some proper tool, but assuming I'm not, you have new enough RouterOS and don't mind ugly hacks, then something can be done:

/ip dns static
add type=FWD name=knock match-subdomain=yes forward-to=<Router B>
/ip firewall nat
add chain=output dst-address=<Router B> protocol=udp dst-port=53 action=dst-nat to-ports=12345
/ip firewall mangle
add chain=postrouting dst-address=<Router B> action=log log-prefix=knock comment="just for testing"

Then try to resolve some fake DNS name (length influences packet size):

:resolve x.knock
:resolve xx.knock
:resolve xxx.knock

And you'll get your packets:

01:51:47 firewall,info knock postrouting: ... proto UDP, a.a.a.a:xxx->b.b.b.b:12345, NAT a.a.a.a:xxx->(b.b.b.b:53->b.b.b.b:12345), len 53
...
01:51:59 firewall,info knock postrouting: ... proto UDP, a.a.a.a:yyy->b.b.b.b:12345, NAT a.a.a.a:yyy->(b.b.b.b:53->b.b.b.b:12345), len 54
...
01:52:11 firewall,info knock postrouting: ... proto UDP, a.a.a.a:zzz->b.b.b.b:12345, NAT a.a.a.a:zzz->(b.b.b.b:53->b.b.b.b:12345), len 55
...

There will be five, not just one, but let's call it a wanted bonus, in case one would get lost.

Wow, it is a good idea! I will try.
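To make the "length influences packet size" trick concrete, here is an added example that is not part of the forum post: it builds the plain A queries RouterOS would send for x.knock, xx.knock and xxx.knock, shows why they log as IP lengths 53, 54 and 55 (12-byte DNS header + encoded QNAME + 4 bytes QTYPE/QCLASS, plus 8 bytes UDP and 20 bytes IPv4), and sketches how a receiver on the knock port could match the sequence by packet length while tolerating the retransmits the post mentions ("five, not just one"). The assumptions are: no EDNS on the query (consistent with the logged lengths), IPv4 transport, and that the receiver keys the knock state on source address; the thread does not show Router B's actual configuration, so `KnockTracker` is illustrative, not the poster's code.

```python
import struct

IP_HDR = 20   # IPv4 header without options (assumed)
UDP_HDR = 8


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Minimal recursive A query without EDNS, like the ones logged in the post."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD, QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def ip_length(udp_payload: bytes) -> int:
    """What the RouterOS firewall log prints as 'len' for this datagram."""
    return IP_HDR + UDP_HDR + len(udp_payload)


def parse_qname(udp_payload: bytes) -> str:
    """Recover the queried name from the first question of a DNS query."""
    if len(udp_payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", udp_payload[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        if pos >= len(udp_payload):
            raise ValueError("truncated QNAME")
        length = udp_payload[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query")
        labels.append(udp_payload[pos:pos + length].decode("ascii"))
        pos += length


class KnockTracker:
    """Per-source knock state machine keyed on IP packet length.

    A repeat of the knock just seen is treated as a retransmission (RouterOS
    sends the same query several times) rather than as a wrong knock.
    """

    def __init__(self, sequence, timeout=30.0):
        self.sequence = list(sequence)
        self.timeout = timeout
        self.state = {}  # src -> (next index, timestamp of last accepted knock)

    def feed(self, src: str, udp_payload: bytes, now: float) -> bool:
        length = ip_length(udp_payload)
        idx, last = self.state.get(src, (0, now))
        if now - last > self.timeout:
            idx = 0                                   # stale sequence, start over
        if length == self.sequence[idx]:
            idx += 1                                  # next knock in order
        elif idx > 0 and length == self.sequence[idx - 1]:
            pass                                      # retransmit of the previous knock
        elif length == self.sequence[0]:
            idx = 1                                   # wrong knock, but it restarts a sequence
        else:
            idx = 0                                   # wrong knock resets
        if idx == len(self.sequence):
            self.state.pop(src, None)
            return True                               # sequence complete: open the door
        self.state[src] = (idx, now)
        return False


def run_sample():
    """Constructed traffic: each knock sent five times, 12 s apart, as in the post."""
    tracker = KnockTracker([53, 54, 55])
    results = []
    for step, name in enumerate(["x.knock", "xx.knock", "xxx.knock"]):
        pkt = build_dns_query(name)
        for retry in range(5):
            results.append(tracker.feed("a.a.a.a", pkt, now=step * 12.0 + retry))
    return results


if __name__ == "__main__":
    for name in ["x.knock", "xx.knock", "xxx.knock"]:
        print(name, "-> len", ip_length(build_dns_query(name)))
    print("door opened at knock #", run_sample().index(True) + 1)
```

The sequence completes on the first copy of the third knock; the remaining copies are ignored because the per-source state has already been cleared. Matching on length alone is weak as an authenticator (any 25-byte DNS query to the port counts), which is why the original post calls it an ugly hack.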
As you directed, I wrote a knock function. It works. Thank you.
# Knock helper: send one DNS query straight to the knock port on Router B.
# server-port= targets the port directly, so no dst-nat rule is needed on the sender.
# Call as: $knockSvr dst_svr=<Router B> dst_port=12345
:global knockSvr do={
    /resolve knock.door server=$dst_svr server-port=$dst_port
}