Manual:IP/Services: Difference between revisions

From MikroTik Wiki
(32 intermediate revisions by 5 users not shown)
Line 3: Line 3:
<div class=manual>
<div class=manual>


<h2>Summary</h2>
==Summary==
<p><b>Sub-menu:</b> <code>/ip service</code></p>
<p id="shbox"><b>Sub-menu:</b> <code>/ip service</code></p>
<br />
<br />
<p>
<p>
Line 10: Line 10:
</p>
</p>


The default services are:


<h2>Properties</h2>
<table class="styled_table">
<tr>
  <th width="40%">Property</th>
  <th>Description</th>
</tr>
<tr>
    <td><b>telnet</b></td>
    <td>Telnet service</td>
</tr>
<tr>
    <td><b>ftp</b></td>
    <td>FTP service</td>
</tr>
<tr>
    <td><b>www</b></td>
    <td>Webfig http service</td>
</tr>
<tr>
    <td><b>ssh</b></td>
    <td>SSH service</td>
</tr>
<tr>
    <td><b>www-ssl</b></td>
    <td>Webfig https service</td>
</tr>
<tr>
    <td><b>api</b></td>
    <td>API service</td>
</tr>
<tr>
    <td><b>winbox</b></td>
    <td>Responsible for Winbox tool access, as well as Tik-App smartphone app and Dude probe</td>
</tr>
<tr>
    <td><b>api-ssl</b></td>
    <td>API over SSL service</td>
</tr>
</table>
 
==Properties==


<br />
<br />
Note that it is not possible to add new services, only [[#Services | existing service]] modifications are allowed.
Note that it is not possible to add new services, only existing service modifications are allowed.
<br />
<br />
<table class="styled_table">
<table class="styled_table">
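Review bot: the default-services table (telnet, ftp, www, ssh, www-ssl, api, winbox, api-ssl) describes each entry only by name, yet the page exists to help readers decide what to block or allow; each row should also say whether the service has transport encryption (the hunk itself distinguishes "Webfig http service" from "Webfig https service" and "API service" from "API over SSL service"), so that telnet, ftp, www and api are recognisable as the ones to disable or restrict with `address`.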
Line 22: Line 62:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>address</b></var> (<em>IP address/netmask</em>; Default: <b>0.0.0.0/0</b>)</td>
     <td><var><b>address</b></var> (<em>IP address/netmask | IPv6/0..128</em>; Default: <b></b>)</td>
     <td>IP address from which the service is accessible. Default value is '0.0.0.0/0' - any address.</td>
     <td>List of IP/IPv6 prefixes from which the service is accessible.</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>certificate</b></var> (<em>name</em>; Default: <b>none</b>)</td>
     <td><var><b>certificate</b></var> (<em>name</em>; Default: <b>none</b>)</td>
     <td>The name of the certificate used by particular service. Applicable only for services that depends on certificates (<i>www-ssl</i>)</td>
     <td>The name of the certificate used by particular service. Applicable only for services that depends on certificates (<i>www-ssl, api-ssl</i>)</td>
</tr>
</tr>
<tr>
<tr>
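Review bot: the rewritten `address` row changes the default from `0.0.0.0/0` to an empty value and drops the old sentence that explained the default ("any address"), so the new description "List of IP/IPv6 prefixes from which the service is accessible" no longer tells the reader what an empty list means; add a sentence such as "an empty list means the service is accessible from any address", since a reader cannot otherwise tell whether empty blocks or allows everything.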
Line 39: Line 79:
</table>
</table>


<h2>Service Ports</h2>
===Example===
<p><b>Sub-menu:</b> <code>/ip firewall service-port</code></p>
For example allow telnet only from specific IPv6 address range
<br />
 
<p>
<pre>
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. <br />
[admin@dzeltenais_burkaans] /ip service> set api address=10.5.101.0/24,2001:db8:fade::/64
To overcome these limitations RouterOS includes a number of [[Firewall/NAT | NAT]] helpers, that enable NAT traversal for various protocols.  
[admin@dzeltenais_burkaans] /ip service> print
<br />
Flags: X - disabled, I - invalid
#  NAME    PORT  ADDRESS                                      CERTIFICATE 
0  telnet  23 
1  ftp      21 
2  www      80 
3  ssh      22 
4 X www-ssl  443                                                none       
5  api      8728  10.5.101.0/24                               
                    2001:db8:fade::/64                         
6  winbox  8291
 
</pre>
 
==Service Ports==
<p id="shbox"><b>Sub-menu:</b> <code>/ip firewall service-port</code></p>
 
 
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT.
 
To overcome these limitations RouterOS includes a number of [[M:IP/Firewall/NAT | NAT]] helpers, that enable NAT traversal for various protocols.  
 
{{Note | If connection tracking is not enabled then firewall service ports will be shown as inactive}}
 
<table class="styled_table">
<table class="styled_table">
<tr>
<tr>
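Review bot: the new example sentence "allow telnet only from specific IPv6 address range" does not match the command that follows it, which sets `address` on the `api` service with both an IPv4 prefix (10.5.101.0/24) and an IPv6 prefix (2001:db8:fade::/64); reword it to "allow the API service only from specific IPv4 and IPv6 prefixes". In the Service Ports intro, "a number of NAT helpers, that enable" should drop the comma.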
Line 66: Line 128:
     <td><b>PPTP</b></td>
     <td><b>PPTP</b></td>
     <td>PPTP tunneling helper.</td>
     <td>PPTP tunneling helper.</td>
</tr>
<tr>
    <td><b>udplite</b></td>
    <td></td>
</tr>
<tr>
    <td><b>dccp</b></td>
    <td></td>
</tr>
<tr>
    <td><b>sctp</b></td>
    <td></td>
</tr>
</tr>
<tr>
<tr>
     <td><b>SIP</b></td>
     <td><b>SIP</b></td>
     <td></td>
     <td>SIP helper. Additional options:
* <b>sip-direct-media</b> allows redirect the RTP media stream to go directly from the caller to the callee. Default value is ''yes''.
* <b>sip-timeout</b> allows adjust TTL of SIP UDP connections. Default: 1 hour. In some setups you have to reduce that.
 
    </td>
</tr>
</tr>
<tr>
<tr>
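Review bot: the newly added udplite, dccp and sctp rows have empty description cells, so the table never says what these helpers do; give each a one-line description as the FTP and PPTP rows have. In the SIP cell, "allows redirect the RTP media stream" should read "allows the RTP media stream to be redirected" and "allows adjust TTL of SIP UDP connections" should read "allows adjusting the TTL of SIP UDP connections".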
Line 76: Line 154:
</tr>
</tr>
</table>
</table>
</p>


<h2>Protocols and ports</h2>
==Protocols and ports==


Table below shows the list of protocols and ports used by RouterOS.
Table below shows the list of protocols and ports used by RouterOS.
Line 96: Line 173:
</tr>
</tr>
<tr>
<tr>
     <td><b>23/tcp</b></td>
     <td><b>22/tcp</b></td>
     <td>Secure Shell (SSH) remote Login protocol</td>
     <td>Secure Shell (SSH) remote Login protocol</td>
</tr>
</tr>
Line 109: Line 186:
<tr>
<tr>
     <td><b>67/udp</b></td>
     <td><b>67/udp</b></td>
     <td>Bootstrap protocol or [[DHCP Server]]</td>
     <td>Bootstrap protocol or [[M:IP/DHCP Server | DHCP Server]]</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>68/udp</b></td>
     <td><b>68/udp</b></td>
     <td>Bootstrap protocol or [[DHCP Client]]</td>
     <td>Bootstrap protocol or [[M:IP/DHCP Client | DHCP Client]]</td>
</tr>
</tr>
<tr>
<tr>
Line 121: Line 198:
<tr>
<tr>
     <td><b>123/udp</b></td>
     <td><b>123/udp</b></td>
     <td>Network Time Protocol ([[Time | NTP]])</td>
     <td>Network Time Protocol ([[M:System/Time | NTP]])</td>
</tr>
</tr>
<tr>
<tr>
Line 129: Line 206:
<tr>
<tr>
     <td><b>179/tcp</b></td>
     <td><b>179/tcp</b></td>
     <td>Border Gateway Protocol ([[BGP]])</td>
     <td>Border Gateway Protocol ([[M:Routing/BGP | BGP]])</td>
</tr>
</tr>
<tr>
<tr>
Line 141: Line 218:
<tr>
<tr>
     <td><b>520/udp<br />521/udp</b></td>
     <td><b>520/udp<br />521/udp</b></td>
     <td>[[RIP]] routing protocol</td>
     <td>[[M:Routing/RIP | RIP]] routing protocol</td>
</tr>
<tr>
    <td><b>546/udp</b></td>
    <td>[[M:IPv6/DHCP_Client | DHCPv6 Client]] message</td>
</tr>
<tr>
    <td><b>547/udp</b></td>
    <td>[[M:IPv6/DHCP_Server | DHCPv6 Server]] message</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>646/udp<br />521/udp</b></td>
     <td><b>646/tcp</b></td>
     <td>[[LDP]] transport session</td>
     <td>[[M:MPLS/LDP | LDP]] transport session</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>646/tcp<br />521/udp</b></td>
     <td><b>646/udp</b></td>
     <td>[[LDP]] hello protocol</td>
     <td>[[M:MPLS/LDP | LDP]] hello protocol</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>1080/tcp</b></td>
     <td><b>1080/tcp</b></td>
     <td>[[SOCKS]] proxy protocol</td>
     <td>[[M:IP/SOCKS | SOCKS]] proxy protocol</td>
</tr>
<tr>
    <td><b>1698/udp 1699/udp</b></td>
    <td>RSVP TE Tunnels</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>1701/udp</b></td>
     <td><b>1701/udp</b></td>
     <td>Layer 2 Tunnel Protocol ([[L2TP]])</td>
     <td>Layer 2 Tunnel Protocol ([[M:Interface/L2TP | L2TP]])</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>1723/tcp</b></td>
     <td><b>1723/tcp</b></td>
     <td>Point-To-Point Tunneling Protocol ([[PPTP]])</td>
     <td>Point-To-Point Tunneling Protocol ([[M:Interface/PPTP | PPTP]])</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>1900/udp<br />2828/tcp</b></td>
     <td><b>1900/udp<br />2828/tcp</b></td>
     <td>Universal Plug and Play (uPnP)</td>
     <td>Universal Plug and Play ([[M:IP/UPnP | uPnP]])</td>
</tr>
<tr>
    <td><b>1966/udp</b></td>
    <td>MME originator message traffic</td>
</tr>
</tr>
<tr>
    <td><b>1966/tcp</b></td>
    <td>MME gateway protocol</td>
</tr>
<tr>
<tr>
     <td><b>2000/tcp</b></td>
     <td><b>2000/tcp</b></td>
     <td>Bandwidth test server</td>
     <td>Bandwidth test server</td>
</tr>
<tr>
    <td><b>5246,5247/udp</b></td>
    <td>[[M:CAPsMAN | CAPsMAN]]</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>5678/udp</b></td>
     <td><b>5678/udp</b></td>
     <td>Mikrotik Neighbor Discovery Protocol</td>
     <td>Mikrotik Neighbor Discovery Protocol</td>
</tr>
<tr>
    <td><b>6343/tcp</b></td>
    <td>Default OpenFlow port</td>
</tr>
</tr>
<tr>
<tr>
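Review bot: port pairs are written three different ways within this hunk: `520/udp<br />521/udp`, `1698/udp 1699/udp` (space-separated in one cell) and `5246,5247/udp` (comma); pick one convention, preferably the `<br />` form the existing rows use. Removing the stray `521/udp` from both LDP rows so they read `646/tcp` (transport session) and `646/udp` (hello) is correct. "Mikrotik Neighbor Discovery Protocol" should be spelled "MikroTik".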
Line 181: Line 287:
<tr>
<tr>
     <td><b>8291/tcp</b></td>
     <td><b>8291/tcp</b></td>
     <td>Winbox</td>
     <td>[[M:Winbox | Winbox]]</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>8728/tcp</b></td>
     <td><b>8728/tcp</b></td>
     <td>[[API]]</td>
     <td>[[M:API | API]]</td>
</tr>
<tr>
    <td><b>8729/tcp</b></td>
    <td>[[M:API-SSL | API-SSL]]</td>
</tr>
</tr>
<tr>
<tr>
Line 194: Line 304:
     <td><b>/1</b></td>
     <td><b>/1</b></td>
     <td>ICMP</td>
     <td>ICMP</td>
</tr>
<tr>
    <td><b>/2</b></td>
    <td>[[M:Routing | Multicast | IGMP]]</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>/4</b></td>
     <td><b>/4</b></td>
     <td>[[IPIP]] encapsulation</td>
     <td>[[M:Interface/IPIP | IPIP]] encapsulation</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>/41</b></td>
     <td><b>/41</b></td>
     <td>IPv6 (encapsulation)</td>
     <td>IPv6 (encapsulation)</td>
</tr>
<tr>
    <td><b>/46</b></td>
    <td>RSVP TE tunnels</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>/47</b></td>
     <td><b>/47</b></td>
     <td>General Routing Encapsulation (GRE) - used for [[PPTP]] and [[EoIP]] tunnels</td>
     <td>General Routing Encapsulation (GRE) - used for [[M:Interface/PPTP | PPTP]] and [[M:Interface/EoIP | EoIP]] tunnels</td>
</tr>
</tr>
<tr>
<tr>
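Review bot: the new `/2` row uses `[[M:Routing | Multicast | IGMP]]`, a wikilink with two pipes; MediaWiki treats everything after the first pipe as the link text, so the cell renders as "Multicast | IGMP" instead of "IGMP" and the link target is the bare `M:Routing` page. It should be `[[M:Routing/Multicast | IGMP]]`, following the `M:Section/Page | Text` pattern used by the other links in this table.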
Line 217: Line 335:
<tr>
<tr>
     <td><b>/89</b></td>
     <td><b>/89</b></td>
     <td>[[OSPF]] routing protocol</td>
     <td>[[M:Routing/OSPF | OSPF]] routing protocol</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>/103</b></td>
     <td><b>/103</b></td>
     <td>[[Multicast | IGMP]]</td>
     <td>[[M:Routing | Multicast | PIM]]</td>
</tr>
</tr>
<tr>
<tr>
     <td><b>/112</b></td>
     <td><b>/112</b></td>
     <td>[[VRRP]]</td>
     <td>[[M:Interface/VRRP | VRRP]]</td>
</tr>
</tr>
</table>
</table>
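Review bot: the `/103` row has the same double-pipe problem: `[[M:Routing | Multicast | PIM]]` renders as "Multicast | PIM" and links to `M:Routing` rather than the multicast page; use `[[M:Routing/Multicast | PIM]]`.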
Line 231: Line 349:
</div>
</div>


[[Category:Manual]]
 
{{cont}}
 
[[Category:Manual|S]]
[[Category:Firewall|S]]

Revision as of 12:02, 22 February 2019


Applies to RouterOS: v3, v4

Summary

Sub-menu: /ip service


This document lists the protocols and ports used by the various MikroTik RouterOS services. It helps you determine why your MikroTik router listens on certain ports, and what you need to block or allow in order to prevent or grant access to particular services. Please see the relevant sections of the Manual for more explanations.

The default services are:

Property Description
telnet Telnet service
ftp FTP service
www Webfig http service
ssh SSH service
www-ssl Webfig https service
api API service
winbox Responsible for Winbox tool access, as well as Tik-App smartphone app and Dude probe
api-ssl API over SSL service

Properties


Note that it is not possible to add new services; only the existing services can be modified.

Property Description
address (IP address/netmask | IPv6/0..128; Default: ) List of IP/IPv6 prefixes from which the service is accessible.
certificate (name; Default: none) The name of the certificate used by a particular service. Applicable only to services that depend on certificates (www-ssl, api-ssl).
name (name; Default: none) Service name
port (integer: 1..65535; Default: ) The port the particular service listens on

Example

For example, to allow telnet only from a specific IPv6 address range (the session below applies the same kind of address restriction to the api service, with one IPv4 and one IPv6 prefix):

[admin@dzeltenais_burkaans] /ip service> set api address=10.5.101.0/24,2001:db8:fade::/64
[admin@dzeltenais_burkaans] /ip service> print 
Flags: X - disabled, I - invalid 
 #   NAME     PORT  ADDRESS                                       CERTIFICATE  
 0   telnet   23   
 1   ftp      21   
 2   www      80   
 3   ssh      22   
 4 X www-ssl  443                                                 none         
 5   api      8728  10.5.101.0/24                                
                    2001:db8:fade::/64                           
 6   winbox   8291 
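As an added example (not from the wiki page or from MikroTik), a small Python audit that parses the `/ip service print` output format shown above, including the continuation line RouterOS uses for a second address prefix, and reports enabled services that are unencrypted or carry no `address` restriction. The sample output is constructed (ADDRESS column narrowed), and the set of services treated as unencrypted (telnet, ftp, the http www service, the non-SSL api) is this example's own reading of the service list.

```python
# Constructed sample modelled on the `/ip service print` output shown above
# (ADDRESS column narrowed); not captured from a real router.
SAMPLE = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT  ADDRESS             CERTIFICATE
 0   telnet   23
 1   ftp      21
 2   www      80
 3   ssh      22
 4 X www-ssl  443                       none
 5   api      8728  10.5.101.0/24
                    2001:db8:fade::/64
 6   winbox   8291
"""

# Services from the page's list that carry credentials without TLS (assumption
# drawn from the page's http/https and API/API-SSL pairs).
PLAINTEXT = {"telnet", "ftp", "www", "api"}

def parse_services(text):
    """Parse print output by header column offsets; extra address prefixes
    appear on continuation lines whose # column is empty."""
    lines = text.splitlines()
    hdr = next(i for i, l in enumerate(lines) if "NAME" in l and "PORT" in l)
    col = {k: lines[hdr].index(k) for k in ("NAME", "PORT", "ADDRESS", "CERTIFICATE")}
    services = []
    for line in lines[hdr + 1:]:
        head = line[:col["NAME"]].split()   # [index, flag letters...]; [] on continuation
        if head:
            services.append({
                "name": line[col["NAME"]:col["PORT"]].strip(),
                "port": int(line[col["PORT"]:col["ADDRESS"]].strip()),
                "disabled": "X" in head[1:],
                "addresses": [],
            })
        addr = line[col["ADDRESS"]:col["CERTIFICATE"]].strip()  # never the certificate
        if addr:
            services[-1]["addresses"].append(addr)
    return services

def audit(services):
    """Findings a defender acts on: enabled plaintext services, and enabled
    services with no address restriction (reachable from any address)."""
    findings = []
    for s in services:
        if s["disabled"]:
            continue
        if s["name"] in PLAINTEXT:
            findings.append(f'{s["name"]}/{s["port"]}: no transport encryption')
        if not s["addresses"]:
            findings.append(f'{s["name"]}/{s["port"]}: reachable from any address')
    return findings
```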

Service Ports

Sub-menu: /ip firewall service-port


Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT.

To overcome these limitations RouterOS includes a number of NAT helpers that enable NAT traversal for various protocols.


Note: If connection tracking is not enabled then firewall service ports will be shown as inactive


Helper Description
FTP FTP service helper
h323 H323 service helper
irc
PPTP PPTP tunneling helper.
udplite
dccp
sctp
SIP SIP helper. Additional options:
  • sip-direct-media allows the RTP media stream to be redirected so that it goes directly from the caller to the callee. Default value is yes.
  • sip-timeout allows adjusting the TTL of SIP UDP connections. Default: 1 hour. In some setups you have to reduce it.
tftp

Protocols and ports

Table below shows the list of protocols and ports used by RouterOS.

Proto/Port Description
20/tcp FTP data connection
21/tcp FTP control connection
22/tcp Secure Shell (SSH) remote Login protocol
23/tcp Telnet protocol
53/tcp, 53/udp DNS
67/udp Bootstrap protocol or DHCP Server
68/udp Bootstrap protocol or DHCP Client
80/tcp World Wide Web HTTP
123/udp Network Time Protocol (NTP)
161/udp Simple Network Management Protocol (SNMP)
179/tcp Border Gateway Protocol (BGP)
443/tcp Secure Socket Layer (SSL) encrypted HTTP
500/udp Internet Key Exchange (IKE) protocol
520/udp, 521/udp RIP routing protocol
546/udp DHCPv6 Client message
547/udp DHCPv6 Server message
646/tcp LDP transport session
646/udp LDP hello protocol
1080/tcp SOCKS proxy protocol
1698/udp, 1699/udp RSVP TE Tunnels
1701/udp Layer 2 Tunnel Protocol (L2TP)
1723/tcp Point-To-Point Tunneling Protocol (PPTP)
1900/udp, 2828/tcp Universal Plug and Play (uPnP)
1966/udp MME originator message traffic
1966/tcp MME gateway protocol
2000/tcp Bandwidth test server
5246,5247/udp CAPsMAN
5678/udp MikroTik Neighbor Discovery Protocol
6343/tcp Default OpenFlow port
8080/tcp HTTP Web Proxy
8291/tcp Winbox
8728/tcp API
8729/tcp API-SSL
20561/udp MAC winbox
/1 ICMP
/2 IGMP (Multicast)
/4 IPIP encapsulation
/41 IPv6 (encapsulation)
/46 RSVP TE tunnels
/47 General Routing Encapsulation (GRE) - used for PPTP and EoIP tunnels
/50 Encapsulating Security Payload for IPv4 (ESP)
/51 Authentication Header for IPv4 (AH)
/89 OSPF routing protocol
/103 PIM (Multicast)
/112 VRRP

