Also, you can use ICMP with custom packet size and you can ping (ping -l for Windows or ping -s for linux) from any OS without installing extra software. Packet size to ping should be packet size - 28 bytes (IP Header + ICMP Header).

Very thanksful Eng Druvis..! 🌹🙏

Very nice by You at Mikrotik! It opened up a really nice feature! Thanks!!!!

Nice presentation. Thanks

The timeout isn't very clear in the firewall GUI (web and Winbox), by default you can just choose "non dynamic" or "non static". Because of this video I've learned that you can also use any times you like. Thanks.

Please do a new series of videos about vlans. Each episode should start of selecting devices to method, theory about that method, example configuration for Access/Tagged/Hybrid and Trunk - those on one device only, and how use those vlans on /ip/address to reach them, how use that method with bonding and Q&Q. I hope you can stop this series on 6 episodes bcs I know at least 6 way of creating vlans and each should be shorter then 1h. I hope you clear all stuff about VLAN on MikroTik by that videos, I wait for that video series. Remember, Hybrid port are for wifi AccessPoint very very important.

Nice! Please consider adding Single Packet Authorization (fwknop) instead of the archaic port knocking method.

Instead of configuring port ranges to secure the knocking you can use this line before to block port scanners add action=drop chain=input comment="dropping port scanners" in-interface-list=WAN src-address-list=\ "port scanners" add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input \ comment="Port scanners to list " in-interface-list=WAN log=yes log-prefix=scanner protocol=tcp \ psd=21,3s,3,1

@RB01-lite

Жыл бұрын

Good point, but if you do it as in the video, it doesn't matter if someone is using cookie cutter scanning or if they are targeting specific ports.

Well... that looks like nice thing.

did that some years ago. works pretty good btw. druvis seems to be quite a fast typer ;)

@mikkio5371

9 ай бұрын

He is your have to pay attention and flow in same frequency as his .

Love the video! Would love to see what you were talking about towards the end regarding a passphrase on top of this great trick! Love the contrast as always you all are incredible!

@mikrotik

Жыл бұрын

See link in description, it has that step

@blindside995

Жыл бұрын

When I try viewing that in your documentation it just reveals rand string of characters.

@NikolayUnguzov

Жыл бұрын

@@mikrotik I see only random string there - "VGhlbiBjcmVhdGUg....."

@blindside995

Жыл бұрын

Just going to leave this here if you google around a bit you'll find a slide show that has an example of how you do this. The key takeaways is that you create a layer 7 rule to match the passphrase along with the knocks. Then so long all matches you'll get in. Haven't added that part, but will be trying it later. I'll add another comment or edit my original with the syntax.

@blindside995

Жыл бұрын

@@xtlmeth mum.mikrotik.com/presentations/US10/discher.pdf

Please do cover the passphrase thing in a coming video. Thank you :)

👏👏👏

In general I fail to see the need for port knocking now that MT has wireguard built-in. Druvis, when is port knocking useful (better option than wireguard)???

@RB01-lite

Жыл бұрын

Wireguard ports seem to be undetectable by port scan due to the use of UDP and PKI, but you might not always want to run everything through it. Or maybe you are restricted to using some weaker tunneling protocols - you could then hide those with port knocking.

Interesting. But you know what? Your (I suppose bash) `for` loop at 10:00 has in fact single item, which was interpreted as list in single `nmap` command.

Hey Druvis, the "low" part of "allow" is prounced like "loud" without the end "d" sound.

Knock, Knock, Who's there ? cAP ax

@mikrotik

Жыл бұрын

Actually it's Druvis

Why not put this in prerouting of mangle?

@Problembaer4

Жыл бұрын

I think you cannot allow acces to the router itself (input-chain) via magling.

@ChrisNicholson

Жыл бұрын

@@Problembaer4 if you put those rules for black listing in prerouting... I assure you it will catch incoming connections. My f--koff list is generated there.

@Problembaer4

Жыл бұрын

@@ChrisNicholson then you need the define the DST-IP (the Router-IP itself) somehow. Via the input-chain, the routing-decision was already done. So yeah, I think both ways are possible but for most people the firewall is easier to understand as a "prerouting" chain.

@ChrisNicholson

Жыл бұрын

@@Problembaer4 I use the wan interface.

666. Lol, Druvis.

knock knock, who's there? isis

Wrote this .bat script to protect my ports. Works only with windows: @echo off set target_ip=11.22.33.44 set /a PacketSize1=111 set /a PacketSize2=222 set /a PacketSize3=333 set ip=%target_ip% set /a size1=%PacketSize1%-28 set /a size2=%PacketSize2%-28 set /a size3=%PacketSize3%-28 set info=IP is: %ip%, ICMP size: %size1%, %size2%, %size3%; echo %info% CLS ping %ip% -l %size1% -n 2 CLS ping %ip% -l %size2% -n 2 CLS ping %ip% -l %size3% -n 2 CLS @echo off REM 2 sec hold ping -n 2 localhost>nul exit

fool consol use