Services, Protocols, and Ports
Document revision 1.2 (10-Oct-2003)
This document applies to the MikroTik RouterOS V2.7
This document lists protocols and ports used by various MikroTik RouterOS services.
It helps you to determine why your MikroTik router listens to certain ports,
and what you need to block/allow if you want to prevent or grant access to
the certain services. Please see the relevant sections of the Manual for more explanations.
Packages required : Depends on actual service
License required : Depends on actual service
Home menu level : /ip service
Protocols utilized : Depends on actual service
Hardware usage: Depends on actual service
Firewall Filters and Network Address Translation (NAT)
Certificate Management
Submenu level : /ip service
name (name) - service name
port (1...65535) - port the service listens on
address (IP address/mask; default: 0.0.0.0/0) - IP address
from which the service is accessible
certificate (name | none; default: none)- name of the certificate
used by this service (absent for the services that do not need certificates)
To set www service to use 8081 port accesible from the 10.10.10.0/24
network:
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 telnet 23 0.0.0.0/0
1 ftp 21 0.0.0.0/0
2 www 80 0.0.0.0/0
3 hotspot 8088 0.0.0.0/0
4 ssh 22 0.0.0.0/0
5 hotspot-ssl 443 0.0.0.0/0 none
[admin@MikroTik] ip service> set www port=8081 address=10.10.10.0/24
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 telnet 23 0.0.0.0/0
1 ftp 21 0.0.0.0/0
2 www 8081 10.10.10.0/24
3 hotspot 8088 0.0.0.0/0
4 ssh 22 0.0.0.0/0
5 hotspot-ssl 443 0.0.0.0/0 none
[admin@MikroTik] ip service>
Below is list of protocols and ports used by MikoTik RouterOS services.
Some services require additional package to be installed, as well
as to be enabled by administrator, e.g., bandwidth server.
Port Description
------------------------------------------------------------------------
20/tcp File Transfer [Default Data]
21/tcp File Transfer [Control] (Change under /ip service)
22/tcp SSH Remote Login Protocol (Only with ssh package)
23/tcp Telnet
53/tcp Domain Name Server (Only with dns-cache package)
53/udp Domain Name Server (Only with dns-cache package)
67/udp Bootstrap Protocol Server, DHCP Server (only with dhcp package)
68/udp Bootstrap Protocol Client, DHCP Client (only with dhcp package)
80/tcp World Wide Web HTTP (Change under /ip service)
123/tcp Network Time Protocol (Only with ntp package)
161/tcp SNMP (Only with snmp package)
500/udp IKE protocol (Only with ipsec package)
179/tcp Border Gateway Protocol (Only with bgp package)
1719/udp h323gatestat (Only with telephony package)
1720/tcp h323hostcall (Only with telephony package)
1723/tcp pptp (Only with pptp package)
2000/tcp bandwidth-test server
3986/tcp proxy for winbox
3987/tcp sslproxy for secure winbox (Only with ssh package)
5678/udp MikroTik Neighbor Discovery
8080/tcp HTTP Alternate (Only with web-proxy package, can be changed)
/1 ICMP - Internet Control Message
/4 IP - IP in IP (encapsulation)
/47 GRE - General Routing Encapsulation (Only for pptp and eoip)
/50 ESP - Encap Security Payload for IPv6 (Only with ipsec package)
/51 AH - Authentication Header for IPv6 (Only with ipsec package)
/89 OSPFIGP - OSPF Interior Gateway Protocol
------------------------------------------------------------------------
Complete list of protocol numbers can be found at
http://www.iana.org/assignments/protocol-numbers
Complete list of port numbers can be found at
http://www.iana.org/assignments/port-numbers
© Copyright 1999-2003, MikroTik