AdminSpeedNet
newbie
Topic Author
Posts: 34
Joined: Thu Jun 04, 2009 3:11 pm

How to Test Outgoing UDP Port

Thu Aug 11, 2022 3:09 am

Dear All

I played around with the Tools that RouterOS provides, but I can't find a way to test an outgoing UDP port from inside RouterOS itself. Example: is "160.111.111.160 UDP port 51820" open? Similar to telnet 160.111.111.160 51820, but for UDP.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Test Outgoing UDP Port

Thu Aug 11, 2022 8:26 am

If by "UDP port is open" you mean "I don't get an ICMP destination unreachable message if I send something to that UDP port", try :put [resolve x.y.z server=160.111.111.160 server-port=51820]. But it is actually not very helpful, because most firewalls silently drop UDP packets to protected ports, which is the same thing most servers listening on UDP ports do if the client sends a packet they do not understand. The situation is different with TCP, as the initial "3-way handshake" is a mandatory step before any application data can be transported, so any server must respond with a SYN,ACK packet to an incoming SYN,!ACK one, no matter what type of service it actually provides.
 
AdminSpeedNet
newbie
Topic Author
Posts: 34
Joined: Thu Jun 04, 2009 3:11 pm

Re: How to Test Outgoing UDP Port

Thu Aug 11, 2022 1:02 pm

resolve google.com server=160.111.111.160 server-port=51820. After about 8 seconds, I get the response "failure: dns server failure". Is it open or closed?
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to Test Outgoing UDP Port

Thu Aug 11, 2022 6:18 pm

You won't be able to tell just from this. You'd need to watch for other packets from the target address, and if you get back ICMP Destination Unreachable (type 3, with possibly different codes), you'd know that the port is either closed (nothing is listening on it) or actively blocked.

The problem is, as already explained by @sindy, if you don't get anything, then the port can be silently blocked, or it may be open, with something listening on it, but it doesn't necessarily have to send anything back. Two very different states, but the same result. And port 51820 is commonly used by WireGuard, so if that's what you're testing, you won't get anything, because WG silently ignores packets that are invalid or not from known peers.
 
AdminSpeedNet
newbie
Topic Author
Posts: 34
Joined: Thu Jun 04, 2009 3:11 pm

Re: How to Test Outgoing UDP Port

Fri Aug 12, 2022 4:05 am

I want to try 2 scenarios.

1. Is there a way to see the WireGuard client's negotiation messages with the WireGuard server? Request timeout? Wrong keypair? If not:
2. Test if the ISP blocks outgoing UDP port 51820 by creating a server on the internet somewhere that can respond to UDP requests on port 51820
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: How to Test Outgoing UDP Port

Fri Aug 12, 2022 5:21 am

I don't know enough details about the protocol, but as I understand it, WG is not chatty at all, so unless it's reachable and you're a valid peer, don't expect to get anything back.

Testing whether an outgoing port is blocked is easy. You can use this resolve test with an external DNS server, or even a RouterOS router (not with the same address and port as used by the actual WG server, because they would conflict, but another address is fine), where you'd add:
/ip dns
# let the router answer DNS queries arriving from outside (only for the duration of the test)
set allow-remote-requests=yes
/ip dns static
add name=wgtest address=1.2.3.4
/ip firewall nat
# redirect UDP 51820 to the local DNS service, but only for packets that carry the test name
add chain=dstnat dst-address=<server address> protocol=udp dst-port=51820 content=wgtest action=redirect to-ports=53
/ip firewall filter
# accept only the redirected queries, not arbitrary DNS from the internet
add chain=input protocol=udp dst-port=53 connection-nat-state=dstnat action=accept
And then on the client:
:put [resolve wgtest server=<server address> server-port=51820]
And hope to see 1.2.3.4. If you do, the outgoing packet wasn't blocked.
 
AdminSpeedNet
newbie
Topic Author
Posts: 34
Joined: Thu Jun 04, 2009 3:11 pm

Re: How to Test Outgoing UDP Port

Fri Aug 12, 2022 6:05 am

Oh, I have only one MikroTik device. Do you know the quickest way to spin up a DNS server on port 51820 on Linux?
 
AdminSpeedNet
newbie
Topic Author
Posts: 34
Joined: Thu Jun 04, 2009 3:11 pm

Re: How to Test Outgoing UDP Port

Fri Aug 12, 2022 6:27 am

It was quick and got an empty result. Now I know UDP port 51820 is not blocked, but the null return is the question.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How to Test Outgoing UDP Port

Fri Aug 12, 2022 9:32 am

Oh, I have only one MikroTik device. Do you know the quickest way to spin up a DNS server on port 51820 on Linux?
The quickest way on Linux is to use a dstnat rule to redirect what has arrived at UDP port 51820 to 53 - provided that the DNS service is already up on said Linux box, and that it is configured to respond to queries from the internet, which is usually not the case for security reasons.

But if you've got administrator access to the server, all that complexity is actually not necessary - you can use tcpdump (or Wireshark) to listen on 51820, or you can add a passthrough rule matching on that port to the firewall (iptables, nftables, ...) and watch its counters.
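A third option for the Linux side, added here as an example and not code from this thread, RouterOS or WireGuard: a minimal UDP responder that answers any DNS A query with a fixed address. It implements the same test Sob's dstnat/DNS recipe does, without needing a second router or an internet-exposed DNS service. Bind it to UDP 51820 on a host that does not run WireGuard on that port, then run :put [resolve wgtest server=<that host> server-port=51820] on the router; 1.2.3.4 comes back only if the datagram got through and the reply was not dropped. The name wgtest and the address 1.2.3.4 are taken from the thread; the function names, the port constant and the packet-logging format are this example's own.

```python
"""Minimal UDP responder for checking that outbound UDP 51820 gets through.

Added example for this thread, not RouterOS or WireGuard code.  It listens on
UDP/51820 and answers any DNS A query with a fixed address, so on the router
    :put [resolve wgtest server=<this host> server-port=51820]
prints that address only if the packet reached this host and the reply came
back.  The name "wgtest" and 1.2.3.4 come from the thread; everything else is
this example's own assumption.
"""
import socket
import struct
from typing import Optional, Tuple

ANSWER_IP = "1.2.3.4"   # address handed out for every A query (assumed, from the thread)
LISTEN_PORT = 51820     # the outbound port under test


def parse_query(data: bytes) -> Optional[Tuple[int, str, int, int, bytes]]:
    """Parse a DNS query; return (txid, qname, qtype, qclass, question bytes) or None."""
    if len(data) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if flags & 0x8000 or qdcount != 1:      # responses and multi-question packets are ignored
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(data):
            return None
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(data):   # no compression pointers in a query name
            return None
        labels.append(data[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(data):
        return None
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, data[12:pos + 4]


def build_response(query: bytes, answer_ip: str = ANSWER_IP) -> Optional[bytes]:
    """Build the reply for one query, or None for packets that are not a DNS query."""
    parsed = parse_query(query)
    if parsed is None:
        return None                          # silently drop junk, like most UDP services do
    txid, _qname, qtype, qclass, question = parsed
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100
    flags = 0x8000 | rd | 0x0080             # QR=1, RD copied from the query, RA=1, RCODE=0
    if qtype != 1 or qclass != 1:            # not A/IN (e.g. AAAA): valid reply, empty answer
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # One A record: name pointer to offset 12 (the question name), class IN, TTL 60, 4-byte rdata
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a standard recursive query; used to self-test the responder offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def serve(port: int = LISTEN_PORT) -> None:
    """Run the responder until interrupted; log every datagram so 'blocked' vs 'silent' is visible."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, peer = sock.recvfrom(512)
        reply = build_response(data)
        parsed = parse_query(data)
        print(f"{peer[0]}:{peer[1]} {len(data)} bytes ->",
              f"answered {parsed[1]}" if reply else "ignored (not a DNS query)")
        if reply:
            sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Run it as root or with CAP_NET_BIND_SERVICE only if you bind below 1024; 51820 needs no privilege. Keep it up just for the test and restrict the host firewall to the router's public address while it runs: the responder logs every datagram it sees, so even when the router prints "dns server failure" you can tell from the log whether the query arrived at all (ISP or server-side block) or arrived and was answered but the reply was lost on the way back.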
 
AdminSpeedNet
newbie
Topic Author
Posts: 34
Joined: Thu Jun 04, 2009 3:11 pm

Re: How to Test Outgoing UDP Port

Sun Aug 14, 2022 1:25 am

About the wrong interface, it has a bridge interface that links all of ether1-5.

After days of browsing online I found a tool called tcpdump. I use it on one end:
tcpdump -i eth0 'udp port 51820'

15:07:47.474818 IP ezecom.45.118.222.0.149.ezecom.com.6163 > h.wireguard_server.com.51820: UDP, length 148
15:07:51.677908 IP h.wireguard_server.com.51820 > ezecom.45.118.222.0.149.ezecom.com.18733: UDP, length 96
With this tcpdump, I can see that UDP port 51820 was not blocked by the ISP or the server's firewall. Thank you guys, and I hope this discussion will help other people in the future with a similar problem.
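Once a capture like the one above exists, the remaining question from earlier in the thread is which of the two "no reply" states you are in. The script below is an added example (not part of the original post, and not a tcpdump or WireGuard tool): it parses lines in the format tcpdump prints with -nn (numeric hosts and ports, which this example assumes instead of the resolved names shown above), pairs each client address/port with the replies the server port sent back to it, and labels each datagram by the WireGuard message type that has that payload size (148 handshake initiation, 92 handshake response, 64 cookie reply, 32+16n transport data). The capture is assumed to be taken on the server host, as sindy suggested; the sample lines and addresses are constructed for illustration.

```python
"""Reading a tcpdump capture of the WireGuard port to tell "blocked" from "silent".

Added example for this thread, not part of the original post or of tcpdump/WireGuard.
It parses lines printed by `tcpdump -nn -i eth0 'udp port 51820'` on the server,
pairs each client's outbound datagrams with replies from the server port, and
labels datagram sizes with the WireGuard message type of that size.
Addresses and lines in SAMPLE are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in tcpdump's -nn format (numeric hosts and ports, assumed here).
SAMPLE = """\
15:07:47.474818 IP 203.0.113.10.6163 > 198.51.100.5.51820: UDP, length 148
15:07:47.480211 IP 198.51.100.5.51820 > 203.0.113.10.6163: UDP, length 92
15:07:47.502133 IP 203.0.113.10.6163 > 198.51.100.5.51820: UDP, length 32
15:07:51.677908 IP 203.0.113.20.40000 > 198.51.100.5.51820: UDP, length 148
15:08:01.000000 IP 203.0.113.30.5555 > 198.51.100.5.51820: UDP, length 40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def wg_kind(length: int) -> str:
    """Name the WireGuard message type whose UDP payload has this size (size-only heuristic)."""
    if length == 148:
        return "handshake initiation"
    if length == 92:
        return "handshake response"
    if length == 64:
        return "cookie reply"
    if length >= 32 and (length - 32) % 16 == 0:
        return "keepalive" if length == 32 else "transport data"
    return "not a WireGuard message size"


def analyse(capture: str, server_ip: str, server_port: int = 51820) -> Dict[Tuple[str, int], dict]:
    """Group datagrams by client (ip, port) into what it sent to and received from the server."""
    flows: Dict[Tuple[str, int], dict] = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                    # tcpdump banner/summary lines and non-UDP traffic
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        length = int(m["len"])
        if (dst, dport) == (server_ip, server_port):
            flows.setdefault((src, sport), {"sent": [], "received": []})["sent"].append(length)
        elif (src, sport) == (server_ip, server_port):
            flows.setdefault((dst, dport), {"sent": [], "received": []})["received"].append(length)
    return flows


def verdict(flow: dict) -> str:
    """What one client's traffic proves; reachability is separate from being accepted as a peer."""
    if flow["sent"] and flow["received"]:
        return "reached server and got a reply (accepted peer)"
    if flow["sent"]:
        return "reached server, no reply (not blocked; bad key, unknown peer or invalid packet)"
    return "reply without a matching request (check NAT or the capture filter)"


def report(capture: str, server_ip: str) -> List[str]:
    """One line per client: what it sent, what it got back, and the verdict."""
    lines = []
    for (ip, port), flow in sorted(analyse(capture, server_ip).items()):
        sent = ", ".join(wg_kind(n) for n in flow["sent"]) or "-"
        got = ", ".join(wg_kind(n) for n in flow["received"]) or "-"
        lines.append(f"{ip}:{port}  sent [{sent}]  received [{got}]  => {verdict(flow)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE, "198.51.100.5")))
```

The size labels are a heuristic, not a decode: WireGuard does not authenticate itself by packet length, and any UDP payload of 148 bytes will be labelled an initiation. What the pairing does give you is the distinction the thread kept circling: a handshake initiation that shows up in the server's capture proves the ISP and the server firewall are not blocking the port, and the absence of a 92-byte response then points at the peer configuration (keys, allowed source, endpoint) rather than the network.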
