# Choose some random ping packet sizes of at least 100 as a knock sequence.
# Add 28 to the size in the firewall to compensate for protocol overhead.
# After a matching knock sequence, services will be allowed for an hour from your src ip.
/ip firewall filter
# Place this rule early in the list.
add action=jump chain=input comment="Check port knock" icmp-options=8:0-255 jump-target=knock packet-size=!0-99 protocol=icmp
add action=accept chain=input comment="ACCEPT TLS after knock" dst-port=443 protocol=tcp src-address-list=KNOCK-SUCCESS
add action=accept chain=input comment="ACCEPT SSH after knock" dst-port=22 protocol=tcp src-address-list=KNOCK-SUCCESS
add action=return chain=knock comment="KNOCK FAILURE return" src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK-SUCCESS address-list-timeout=1h chain=knock comment="KNOCK 3rd - success 600" packet-size=628 src-address-list=KNOCK2
add action=return chain=knock comment="KNOCK 3rd - success return" src-address-list=KNOCK-SUCCESS
add action=add-src-to-address-list address-list=KNOCK-FAILURE address-list-timeout=1m chain=knock comment="KNOCK 3rd - failure" src-address-list=KNOCK2
add action=return chain=knock comment="KNOCK 3rd - failure return" src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=1m chain=knock comment="KNOCK 2nd - success 500" packet-size=528 src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - success return" src-address-list=KNOCK2
add action=add-src-to-address-list address-list=KNOCK-FAILURE address-list-timeout=1m chain=knock comment="KNOCK 2nd - failure" src-address-list=KNOCK1
add action=return chain=knock comment="KNOCK 2nd - failure return" src-address-list=KNOCK-FAILURE
add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=1m chain=knock comment="KNOCK 1st - success 400" packet-size=428
add action=return chain=knock comment="KNOCK 1st - success return" src-address-list=KNOCK1
add action=add-src-to-address-list address-list=KNOCK-FAILURE address-list-timeout=1m chain=knock comment="KNOCK 1st - failure"
The advantage of this strategy is that you don't need special knocking software. You can use a command line ping utility, or a simple batch file on Windows:
@echo off
rem Command Syntax: knock.bat hostname
if "%~1"=="" (
    echo Usage: %~nx0 hostname
    exit /b 1
)
set destination=%~1
rem -l sets the ICMP payload size; the firewall sees 28 bytes more (IP + ICMP headers),
rem so 400/500/600 here match packet-size=428/528/628 in the knock chain.
rem -f sets Don't Fragment so each knock arrives as one packet of the expected size.
ping -f -n 1 -l 400 %destination% >nul
ping -f -n 1 -l 500 %destination% >nul
ping -f -n 1 -l 600 %destination% >nul
echo Address specified: %destination%
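Added example (not from the original post or from MikroTik): a small Python model of the knock chain above that evaluates the rules in the posted order with timed address lists, so you can check what a given sequence of ping sizes from one source does, including the one-minute lockout and the 1h success window, before touching the router. The class name, the injectable clock and the test addresses are constructed for the example.

```python
import time

HEADER_OVERHEAD = 28                  # 20-byte IPv4 header + 8-byte ICMP echo header
KNOCK_PAYLOADS = (400, 500, 600)      # values passed to ping -l (Windows) / -s (Linux)
KNOCK_SIZES = tuple(p + HEADER_OVERHEAD for p in KNOCK_PAYLOADS)  # 428, 528, 628
SUCCESS_TTL, STEP_TTL = 3600, 60      # address-list-timeout=1h and =1m


class KnockChain:
    """Timed address lists plus the knock-chain rules, in the posted order."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable clock so timeouts can be tested
        self.entries = {}             # (list name, src) -> expiry time

    def listed(self, name, src):
        return self.entries.get((name, src), -1.0) > self.clock()

    def add(self, name, src, ttl):
        self.entries[(name, src)] = self.clock() + ttl

    def icmp_echo(self, src, size):
        """Handle one echo request of `size` bytes on the wire from `src`."""
        if size < 100:                # jump rule: packet-size=!0-99 never enters knock
            return
        if self.listed("KNOCK-FAILURE", src):
            return                    # locked out for a minute after a wrong knock
        if self.listed("KNOCK2", src) and size == KNOCK_SIZES[2]:
            self.add("KNOCK-SUCCESS", src, SUCCESS_TTL)   # 3rd knock correct
        if self.listed("KNOCK-SUCCESS", src):
            return
        if self.listed("KNOCK2", src):                    # 3rd knock wrong size
            self.add("KNOCK-FAILURE", src, STEP_TTL)
            return
        if self.listed("KNOCK1", src) and size == KNOCK_SIZES[1]:
            self.add("KNOCK2", src, STEP_TTL)             # 2nd knock correct
        if self.listed("KNOCK2", src):
            return
        if self.listed("KNOCK1", src):                    # 2nd knock wrong size
            self.add("KNOCK-FAILURE", src, STEP_TTL)
            return
        if size == KNOCK_SIZES[0]:
            self.add("KNOCK1", src, STEP_TTL)             # 1st knock correct
        if self.listed("KNOCK1", src):
            return
        self.add("KNOCK-FAILURE", src, STEP_TTL)          # any other large ping

    def allows_tcp(self, src):
        """The accept rules for tcp/22 and tcp/443 match KNOCK-SUCCESS only."""
        return self.listed("KNOCK-SUCCESS", src)
```

Note that any echo request of 100 bytes or more that is not the expected next size locks the source out for a minute, and that the sizes travel in the clear, so the knock only hides the ports and SSH/TLS still carry the real authentication.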