Summary


This page lists protocols and ports used by various MikroTik RouterOS services. It helps you to determine why your MikroTik router listens to certain ports, and what you need to block/allow in case you want to prevent or grant access to certain services. Please see the relevant sections of the Manual for more explanations.

The default services are:

PropertyDescription
telnetTelnet service
ftpFTP service
wwwWebfig HTTP service
sshSSH service
www-sslWebfig HTTPS service
apiAPI service
winboxResponsible for Winbox tool access, as well as Tik-App smartphone app and Dude probe
api-sslAPI over SSL service

Properties


Note that it is not possible to add new services, only existing service modifications are allowed.

Sub-menu: /ip service

PropertyDescription
address (IP address/netmask | IPv6/0..128; Default: )List of IP/IPv6 prefixes from which the service is accessible
certificate (name; Default: none)The name of the certificate used by a particular service. Applicable only for services that depend on certificates (www-ssl, api-ssl)
name (name; Default: none)Service name
port (integer: 1..65535; Default: )The port particular service listens on
tls-version (any | only-1.2; Default: any)Specifies which TLS versions to allow by a particular service
vrf (name; Default: main)Specify which VRF instance to use by a particular service

Example

For example, allow API only from a specific IP/IPv6 address range

[admin@dzeltenais_burkaans] /ip service> set api address=10.5.101.0/24,2001:db8:fade::/64
[admin@dzeltenais_burkaans] /ip service> print 
Flags: X - disabled, I - invalid 
 #   NAME     PORT  ADDRESS                                       CERTIFICATE  
 0   telnet   23   
 1   ftp      21   
 2   www      80   
 3   ssh      22   
 4 X www-ssl  443                                                 none         
 5   api      8728  10.5.101.0/24                                
                    2001:db8:fade::/64                           
 6   winbox   8291 

Service Ports


Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT.

To overcome these limitations RouterOS includes a number of NAT helpers, that enable NAT traversal for various protocols.

If connection tracking is not enabled then firewall service ports will be shown as inactive

Sub-menu: /ip firewall service-port

HelperDescription
FTPFTP service helper
h323H323 service helper
ircIRC service helper
PPTPPPTP tunneling helper
udpliteUDP-Lite service helper
dccpDCCP service helper
sctpSCTP service helper
SIPSIP helper. Additional options:
  • sip-direct-media allows redirecting the RTP media stream to go directly from the caller to the callee. The default value is yes.
  • sip-timeout allows adjusting TTL of SIP UDP connections. Default: 1 hour. In some setups, you have to reduce that.
tftpTFTP service helper

udplite, dccp, and sctp are built-in services of the connection tracking. Since these are not separately loaded modules, they cannot be disabled separately, they got disabled together with the connection tracking.


Protocols and ports


The table below shows the list of protocols and ports used by RouterOS.

Proto/PortDescription
20/tcpFTP data connection
21/tcpFTP control connection
22/tcpSecure Shell (SSH) remote login protocol
23/tcpTelnet protocol
53/tcp
53/udp
DNS
67/udpBootstrap protocol or DHCP Server
68/udpBootstrap protocol or DHCP Client
80/tcpWorld Wide Web HTTP
123/udpNetwork Time Protocol (NTP)
161/udpSimple Network Management Protocol (SNMP)
179/tcpBorder Gateway Protocol (BGP)
443/tcpSecure Socket Layer (SSL) encrypted HTTP
500/udpInternet Key Exchange (IKE) protocol
520/udp
521/udp
RIP routing protocol
546/udpDHCPv6 Client message
547/udpDHCPv6 Server message
646/tcpLDP transport session
646/udpLDP hello protocol
1080/tcpSOCKS proxy protocol
1698/udp 1699/udpRSVP TE Tunnels
1701/udpLayer 2 Tunnel Protocol (L2TP)
1723/tcpPoint-To-Point Tunneling Protocol (PPTP)
1900/udp
2828/tcp
Universal Plug and Play (uPnP)
1966/udpMME originator message traffic
1966/tcpMME gateway protocol
2000/tcpBandwidth test server
5246,5247/udpCAPsMAN
5678/udpMikrotik Neighbor Discovery Protocol
6343/tcpDefault OpenFlow port
8080/tcpHTTP Web Proxy
8291/tcpWinbox
8728/tcpAPI
8729/tcpAPI-SSL
20561/udpMAC winbox
/1ICMP
/2Multicast | IGMP
/4IPIP encapsulation
/41IPv6 (encapsulation)
/46RSVP TE tunnels
/47General Routing Encapsulation (GRE) - used for PPTP and EoIP tunnels
/50Encapsulating Security Payload for IPv4 (ESP)
/51Authentication Header for IPv4 (AH)
/89OSPF routing protocol
/103Multicast | PIM
/112VRRP
  • No labels