Changing winbox port on router

idelac3 · Fri Mar 13, 2009 11:47 am

Hi,

I'd like to change default port 8291 to something else on my router. Is it possible?

If not, should I block access with:

 /ip firewall filter add chain=input protocol=tcp dst-port=8219 action=drop

Then redirect incoming traffic from port 8291 to desired port (eg. 5001):

 /ip firewall nat add chain=dstnat dst-port=8219 to-ports=5001 action=redirect

Would it work? How can I specify port (in this example 5001) in winbox when I want to connect to my router?

Igor

msundman · Fri Mar 13, 2009 11:51 am

/ip service set winbox port=5001

msundman · Fri Mar 13, 2009 11:52 am

How can I specify port (in this example 5001) in winbox when I want to connect to my router?

Use X.X.X.X:5001 when connecting.

idelac3 · Fri Mar 13, 2009 12:03 pm

Thanks. But I use v.2.9 and I think I don't have winbox under /ip service:

[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
  #   NAME                                 PORT  ADDRESS            CERTIFICATE
  0   telnet                               23    0.0.0.0/0
  1   ftp                                  21    0.0.0.0/0
  2   www                                  8081  10.10.10.0/24
  3   ssh                                  22    0.0.0.0/0
  4   www-ssl	                           443   0.0.0.0/0          none
[admin@MikroTik] ip service>

msundman · Fri Mar 13, 2009 12:16 pm

Ahh, that makes it harder

Unfortunally you can't just DSTNAT 5001 to 8291 and then DROP traffic to 8291, as the DSTNATing will be done before going trough the input filter list, so it will filter your nat:ed traffic as well.

An ugly workaround is to DSTNAT 8219 to anunused port like:

[admin@R1] /ip firewall nat> pri
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=dst-nat to-ports=8291 protocol=tcp dst-port=5001
1 chain=dstnat action=dst-nat to-ports=1234 protocol=tcp dst-port=8291

With those two rules, I'm only able to connect with winbox using port 5001.

idelac3 · Fri Mar 13, 2009 1:04 pm

Thanks for reply. I found error in my first post. I mixed dst-port with to-ports and also forgot in-interface in my first post.

Redirect should be done in this way:

/ip firewall nat add chain=dstnat in-interface=public dst-port=5001 to-ports=8219 action=redirect

That rule means: whatever comes to tcp port 5001 should be redirected to port 8219. Right?

Dstnat'ing would be done before filter input list, so traffic redirected from port 5001 to 8219 would be droped. Maybe I need additional rule in /ip firewall filter:

/ip firewall filter add chain=input protocol=tcp src-port=5001 action=accept

msundman · Fri Mar 13, 2009 1:55 pm

Dstnat'ing would be done before filter input list, so traffic redirected from port 5001 to 8219 would be droped. Maybe I need additional rule in /ip firewall filter:
Code: Select all
/ip firewall filter add chain=input protocol=tcp src-port=5001 action=accept

That won't work. scr-port is not the original dst-port before NAT:ing, it's the src-port that was originally used by the winbox application, so you can't use it to differentiate between traffic going to 8291 or 5001 from the beginning.

I don't know the diffrence between action. redirect and dstnat. Dstnat works atleast.

idelac3 · Fri Mar 13, 2009 2:23 pm

Thanks. I guess I'd have to use your ugly workaround you suggested in previous post.

Changing winbox port on router

Changing winbox port on router

Re: Changing winbox port on router

Re: Changing winbox port on router

Re: Changing winbox port on router

Re: Changing winbox port on router

Re: Changing winbox port on router

Re: Changing winbox port on router

Re: Changing winbox port on router