Dear All

I played around with Tools that RouterOS provided but I can't find a way to test outgoing UDP port from inside RouterOS itself. Example. Is "160.111,111,160 UDP Port 51820" Open? Similar to telnet 160.111.111.160 51820 but for UDP

If by "UDP port is open" you mean "I don't get an ICMP destination unreachable message if I send something to that UDP port", try put [resolve x.y.z server=160.111.111.160 server-port=51820]. But it is actually not much helpful because most firewalls silently drop UDP packets to protected ports, which is the same that most servers listening at UDP ports do if the client sends a packet they do not understand. The situation is different with TCP, as the initial "3-way handshake" is a mandatory step before any application data can be transported, so any server must respond with a SYN,ACK packet to an incoming SYN,!ACK one, no matter what type of service it actually provides.

resolve google.com server=160.111.111.160 server-port=51820. After about 8 seconds, I get respond "failure: dns server failure". Is it opened or closed?

You won't be able to tell just from this. You'd need to watch for other packets from target address, and if you get back ICMP Destination Unreachable (type 3, with possibly different codes), you'd know that port is either closed (nothing is listening on it) or actively blocked.

Problem is, as already explained by @sindy, if you don't get anything, then port can be silently blocked, or it may be open, with something listening on it, but it doesn't necessarily have to send anything back. Two very different states, but same result. And port 51820 is commonly used by Wireguard, so if that's what you're testing, you won't get anything, because WG silently ignores packets that are invalid or not from known peers.

I want to try 2 scenario.

1. Is there a way to see wireguard client negotiated message with the wireguard server? Request Timeout? Wrong Keypair? If Not
2. Test if ISP block outgoing UDP port 51820 by Create a server on the internet somewhere that can reponse to UDP request on port 51820

I don't know enough details about the protocol, but as I understand it, WG is not chatty at all, so unless it's reachable and you're valid peer, don't expect to get anything back.

Testing whether outgoing port is blocked is easy. You can use this resolve test with external DNS server, or even RouterOS router (not with same address and port as used by actual WG server, because they would conflict, but another address is fine), where you'd add:
And then on client:
And hope to see 1.2.3.4. If you do, outgoing packet wasn't blocked.

Oh, I have only one Mikrotik device. Do you know the quickest way to spin up a DNS SERVER port 51820 on linux?

It was quick and got empty result. Now I know UDP port 51820 is not blocked but return null is the question

Oh, I have only one Mikrotik device. Do you know the quickest way to spin up a DNS SERVER port 51820 on linux?

The quickest way on Linux is to use a dstnat rule to redirect what has arrived to UDP port 51820 to 53 - provided that the DNS service has already been up on said Linux, and that it is configured to respond to queries from the internet, which is usually not the case for security reasons.

But if you've got administrator access to the server, all that complexity is actually not necessary - you can use tcpdump (or Wireshark) to listen on 51820, or you can add a passthrough rule matching on that port to firewall (iptables, nftables, ...h) and watch its counters.

About wrong interface, it has bridge interface that link all ether1-5

After days of browsing online I found a tool called tcpdump. I use it on one end With this tcpdump, I can see that UDP port 51820 was not blocked by ISP or server's firewall Thank you guys and I hope this discussion will help other people in the future with similar problem