Manual:IP/Services: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
← Older edit
No edit summary
No edit summary
 
(28 intermediate revisions by 5 users not shown)
Line 1: Line 1:
{{Versions|v3, v4}}
{{Versions|v3, v4}}
{{Warning|This manual is moved to https://help.mikrotik.com/docs/display/ROS/Services}}


<div class=manual>
<div class=manual>
Line 10: Line 12:
</p>
</p>


The default services are:
<table class="styled_table">
<tr>
  <th width="40%">Property</th>
  <th>Description</th>
</tr>
<tr>
    <td><b>telnet</b></td>
    <td>Telnet service</td>
</tr>
<tr>
    <td><b>ftp</b></td>
    <td>FTP service</td>
</tr>
<tr>
    <td><b>www</b></td>
    <td>Webfig http service</td>
</tr>
<tr>
    <td><b>ssh</b></td>
    <td>SSH service</td>
</tr>
<tr>
    <td><b>www-ssl</b></td>
    <td>Webfig https service</td>
</tr>
<tr>
    <td><b>api</b></td>
    <td>API service</td>
</tr>
<tr>
    <td><b>winbox</b></td>
    <td>Responsible for Winbox tool access, as well as Tik-App smartphone app and Dude probe</td>
</tr>
<tr>
    <td><b>api-ssl</b></td>
    <td>API over SSL service</td>
</tr>
</table>


==Properties==
==Properties==


<br />
<br />
Note that it is not possible to add new services, only [[#Services | existing service]] modifications are allowed.
Note that it is not possible to add new services, only existing service modifications are allowed.
<br />
<br />
<table class="styled_table">
<table class="styled_table">
Line 22: Line 64:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>address</b></var> (<em>IP address/netmask</em>; Default: <b>0.0.0.0/0</b>)</td>
     <td><var><b>address</b></var> (<em>IP address/netmask | IPv6/0..128</em>; Default: <b></b>)</td>
     <td>IP address from which the service is accessible. Default value is '0.0.0.0/0' - any address.</td>
     <td>List of IP/IPv6 prefixes from which the service is accessible.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>certificate</b></var> (<em>name</em>; Default: <b>none</b>)</td>
     <td><var><b>certificate</b></var> (<em>name</em>; Default: <b>none</b>)</td>
     <td>The name of the certificate used by particular service. Applicable only for services that depends on certificates (<i>www-ssl</i>)</td>
     <td>The name of the certificate used by particular service. Applicable only for services that depends on certificates (<i>www-ssl, api-ssl</i>)</td>
</tr>
</tr>
<tr>
<tr>
Line 38: Line 80:
</tr>
</tr>
</table>
</table>
===Example===
For example allow telnet only from specific IPv6 address range
<pre>
[admin@dzeltenais_burkaans] /ip service> set api address=10.5.101.0/24,2001:db8:fade::/64
[admin@dzeltenais_burkaans] /ip service> print
Flags: X - disabled, I - invalid
#  NAME    PORT  ADDRESS                                      CERTIFICATE 
0  telnet  23 
1  ftp      21 
2  www      80 
3  ssh      22 
4 X www-ssl  443                                                none       
5  api      8728  10.5.101.0/24                               
                    2001:db8:fade::/64                         
6  winbox  8291
</pre>


==Service Ports==
==Service Ports==
<p id="shbox"><b>Sub-menu:</b> <code>/ip firewall service-port</code></p>
<p id="shbox"><b>Sub-menu:</b> <code>/ip firewall service-port</code></p>
<br />
 
<p>
 
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. <br />
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT.
To overcome these limitations RouterOS includes a number of [[Firewall/NAT | NAT]] helpers, that enable NAT traversal for various protocols.  
 
<br />
To overcome these limitations RouterOS includes a number of [[M:IP/Firewall/NAT | NAT]] helpers, that enable NAT traversal for various protocols.  
 
{{Note | If connection tracking is not enabled then firewall service ports will be shown as inactive}}
 
<table class="styled_table">
<table class="styled_table">
<tr>
<tr>
Line 66: Line 130:
     <td><b>PPTP</b></td>
     <td><b>PPTP</b></td>
     <td>PPTP tunneling helper.</td>
     <td>PPTP tunneling helper.</td>
</tr>
<tr>
    <td><b>udplite</b></td>
    <td></td>
</tr>
<tr>
    <td><b>dccp</b></td>
    <td></td>
</tr>
<tr>
    <td><b>sctp</b></td>
    <td></td>
</tr>
</tr>
<tr>
<tr>
     <td><b>SIP</b></td>
     <td><b>SIP</b></td>
     <td></td>
     <td>SIP helper. Additional options:
* <b>sip-direct-media</b> allows redirect the RTP media stream to go directly from the caller to the callee. Default value is ''yes''.
* <b>sip-timeout</b> allows adjust TTL of SIP UDP connections. Default: 1 hour. In some setups you have to reduce that.
 
    </td>
</tr>
</tr>
<tr>
<tr>
Line 76: Line 156:
</tr>
</tr>
</table>
</table>
</p>


==Protocols and ports==
==Protocols and ports==
Line 96: Line 175:
</tr>
</tr>
<tr>
<tr>
     <td><b>23/tcp</b></td>
     <td><b>22/tcp</b></td>
     <td>Secure Shell (SSH) remote Login protocol</td>
     <td>Secure Shell (SSH) remote Login protocol</td>
</tr>
</tr>
Line 144: Line 223:
</tr>
</tr>
<tr>
<tr>
     <td><b>646/udp</b></td>
    <td><b>546/udp</b></td>
    <td>[[M:IPv6/DHCP_Client | DHCPv6 Client]] message</td>
</tr>
<tr>
    <td><b>547/udp</b></td>
    <td>[[M:IPv6/DHCP_Server | DHCPv6 Server]] message</td>
</tr>
<tr>
     <td><b>646/tcp</b></td>
     <td>[[M:MPLS/LDP | LDP]] transport session</td>
     <td>[[M:MPLS/LDP | LDP]] transport session</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>646/tcp</b></td>
     <td><b>646/udp</b></td>
     <td>[[M:MPLS/LDP | LDP]] hello protocol</td>
     <td>[[M:MPLS/LDP | LDP]] hello protocol</td>
</tr>
</tr>
Line 154: Line 241:
     <td><b>1080/tcp</b></td>
     <td><b>1080/tcp</b></td>
     <td>[[M:IP/SOCKS | SOCKS]] proxy protocol</td>
     <td>[[M:IP/SOCKS | SOCKS]] proxy protocol</td>
</tr>
<tr>
    <td><b>1698/udp 1699/udp</b></td>
    <td>RSVP TE Tunnels</td>
</tr>
</tr>
<tr>
<tr>
Line 167: Line 258:
     <td>Universal Plug and Play ([[M:IP/UPnP | uPnP]])</td>
     <td>Universal Plug and Play ([[M:IP/UPnP | uPnP]])</td>
</tr>
</tr>
<tr>
    <td><b>1966/udp</b></td>
    <td>MME originator message traffic</td>
</tr>
<tr>
    <td><b>1966/tcp</b></td>
    <td>MME gateway protocol</td>
</tr>
<tr>
<tr>
     <td><b>2000/tcp</b></td>
     <td><b>2000/tcp</b></td>
     <td>Bandwidth test server</td>
     <td>Bandwidth test server</td>
</tr>
<tr>
    <td><b>5246,5247/udp</b></td>
    <td>[[M:CAPsMAN | CAPsMAN]]</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>5678/udp</b></td>
     <td><b>5678/udp</b></td>
     <td>Mikrotik Neighbor Discovery Protocol</td>
     <td>Mikrotik Neighbor Discovery Protocol</td>
</tr>
<tr>
    <td><b>6343/tcp</b></td>
    <td>Default OpenFlow port</td>
</tr>
</tr>
<tr>
<tr>
Line 181: Line 289:
<tr>
<tr>
     <td><b>8291/tcp</b></td>
     <td><b>8291/tcp</b></td>
     <td>Winbox</td>
     <td>[[M:Winbox | Winbox]]</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>8728/tcp</b></td>
     <td><b>8728/tcp</b></td>
     <td>[[M:API | API]]</td>
     <td>[[M:API | API]]</td>
</tr>
<tr>
    <td><b>8729/tcp</b></td>
    <td>[[M:API-SSL | API-SSL]]</td>
</tr>
</tr>
<tr>
<tr>
Line 194: Line 306:
     <td><b>/1</b></td>
     <td><b>/1</b></td>
     <td>ICMP</td>
     <td>ICMP</td>
</tr>
<tr>
    <td><b>/2</b></td>
    <td>[[M:Routing | Multicast | IGMP]]</td>
</tr>
</tr>
<tr>
<tr>
Line 202: Line 318:
     <td><b>/41</b></td>
     <td><b>/41</b></td>
     <td>IPv6 (encapsulation)</td>
     <td>IPv6 (encapsulation)</td>
</tr>
<tr>
    <td><b>/46</b></td>
    <td>RSVP TE tunnels</td>
</tr>
</tr>
<tr>
<tr>
Line 221: Line 341:
<tr>
<tr>
     <td><b>/103</b></td>
     <td><b>/103</b></td>
     <td>[[M:Routing | Multicast | IGMP]]</td>
     <td>[[M:Routing | Multicast | PIM]]</td>
</tr>
</tr>
<tr>
<tr>

Latest revision as of 10:04, 17 January 2022

Applies to RouterOS: v3, v4

Warning: This manual is moved to https://help.mikrotik.com/docs/display/ROS/Services


Summary

Sub-menu: /ip service


This document lists protocols and ports used by various MikroTik RouterOS services. It helps you to determine why your MikroTik router listens to certain ports, and what you need to block/allow in case you want to prevent or grant access to the certain services. Please see the relevant sections of the Manual for more explanations.

The default services are:

Property Description
telnet Telnet service
ftp FTP service
www Webfig http service
ssh SSH service
www-ssl Webfig https service
api API service
winbox Responsible for Winbox tool access, as well as Tik-App smartphone app and Dude probe
api-ssl API over SSL service

Properties


Note that it is not possible to add new services, only existing service modifications are allowed.

Property Description
address (IP address/netmask | IPv6/0..128; Default: ) List of IP/IPv6 prefixes from which the service is accessible.
certificate (name; Default: none) The name of the certificate used by particular service. Applicable only for services that depends on certificates (www-ssl, api-ssl)
name (name; Default: none) Service name
port (integer: 1..65535; Default: ) The port particular service listens on

Example

For example allow telnet only from specific IPv6 address range 

[admin@dzeltenais_burkaans] /ip service> set api address=10.5.101.0/24,2001:db8:fade::/64
[admin@dzeltenais_burkaans] /ip service> print 
Flags: X - disabled, I - invalid 
 #   NAME     PORT  ADDRESS                                       CERTIFICATE  
 0   telnet   23   
 1   ftp      21   
 2   www      80   
 3   ssh      22   
 4 X www-ssl  443                                                 none         
 5   api      8728  10.5.101.0/24                                
                    2001:db8:fade::/64                           
 6   winbox   8291

Service Ports

Sub-menu: /ip firewall service-port


Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT.

To overcome these limitations RouterOS includes a number of NAT helpers, that enable NAT traversal for various protocols.

Note: If connection tracking is not enabled then firewall service ports will be shown as inactive


Helper Description
FTP FTP service helper
h323 H323 service helper
irc
PPTP PPTP tunneling helper.
udplite
dccp
sctp
SIP SIP helper. Additional options:
  • sip-direct-media allows redirect the RTP media stream to go directly from the caller to the callee. Default value is yes.
  • sip-timeout allows adjust TTL of SIP UDP connections. Default: 1 hour. In some setups you have to reduce that.
tftp

Protocols and ports

Table below shows the list of protocols and ports used by RouterOS.

Proto/Port Description
20/tcp FTP data connection
21/tcp FTP control connection
22/tcp Secure Shell (SSH) remote Login protocol
23/tcp Telnet protocol
53/tcp
53/udp 		DNS
67/udp Bootstrap protocol or DHCP Server
68/udp Bootstrap protocol or DHCP Client
80/tcp World Wide Web HTTP
123/udp Network Time Protocol ( NTP)
161/udp Simple Network Management Protocol (SNMP)
179/tcp Border Gateway Protocol ( BGP)
443/tcp Secure Socket Layer (SSL) encrypted HTTP
500/udp Internet Key Exchange (IKE) protocol
520/udp
521/udp		 RIP routing protocol
546/udp DHCPv6 Client message
547/udp DHCPv6 Server message
646/tcp LDP transport session
646/udp LDP hello protocol
1080/tcp SOCKS proxy protocol
1698/udp 1699/udp RSVP TE Tunnels
1701/udp Layer 2 Tunnel Protocol ( L2TP)
1723/tcp Point-To-Point Tunneling Protocol ( PPTP)
1900/udp
2828/tcp		 Universal Plug and Play ( uPnP)
1966/udp MME originator message traffic
1966/tcp MME gateway protocol
2000/tcp Bandwidth test server
5246,5247/udp CAPsMAN
5678/udp Mikrotik Neighbor Discovery Protocol
6343/tcp Default OpenFlow port
8080/tcp HTTP Web Proxy
8291/tcp Winbox
8728/tcp API
8729/tcp API-SSL
20561/udp MAC winbox
/1 ICMP
/2 Multicast | IGMP
/4 IPIP encapsulation
/41 IPv6 (encapsulation)
/46 RSVP TE tunnels
/47 General Routing Encapsulation (GRE) - used for PPTP and EoIP tunnels
/50 Encapsulating Security Payload for IPv4 (ESP)
/51 Authentication Header for IPv4 (AH)
/89 OSPF routing protocol
/103 Multicast | PIM
/112 VRRP


[ Top | Back to Content ]

Retrieved from "https://wiki.mikrotik.com/index.php?title=Manual:IP/Services&oldid=34519"