Safely enter a network behind a Mikrotik device with SMS confirmation

Building on my last experiences documented here (read that one first, please) in this tutorial we will set up a safe backdoor access that can wake up the target machine, send an SMS to confirm the source IP address and expect an SMS back. The protocol can be anything, but in this case I will be using Remote desktop to log in.

Log in using winbox and go to Tools -> SMS.


The SMS Settings screen pops up. The minimal configuration is to check the Receive Enabled and set the proper Port. Everything else you can leave on the default settings for now:


Now let’s set up some firewall rules. Go to IP -> Firewall:


Go to the NAT tab (don’t mind the red rule, it’s normal) and click on the blue + button to add a new one:


The New Nat Rule screen will pop up:


Enter the following on the General tab:

Chain: dstnat

Protocol: 6 (tcp)

Dst. Port: 3389

In. Interface: ether1-gateway


On the Action tab:

Action: add src to address list

Address List: RDP250

Note: I mixed up the screenshots and it doesn’t show, but you REALLY need to enter RDP250 into the Address List field

Hit OK  to save it:


Click the blue + button once more to add another rule:


Fill the General tab as follows:

Chain: dstnat

Protocol: 6 (tcp)

Dst. Port: 3389

In. Interface: ether1-gateway


On the Advanced tab set it as below:

Src. Address List: RDPallow

Note: I know that it’s a different address list than the one we set earlier, it will all make sense soon


Finally on the Action tab do the following:

Action: dst-nat

To Addresses: (use the private address you want to access from the internet)

To Ports: 3389

Hit OK:


This is how your 2 rules should look like:


Now to make it work, we need to create a schedule. Go to System -> Scheduler:


Add a new schedule by pressing the blue + button:


Give it a fancy Name, set the Interval to 30 seconds and input the folowing:

:foreach A in=[/ip firewall address-list find name=RDP250] do={
 if ([/ip firewall address-list get $A list]="RDP250") do={
 :global LastRDPAddress [/ip firewall address-list get $A address]
 /tool sms send usb1 "phone-number-comes-here" message="RDP session requested from: $LastRDPAddress. Allow it?"
 /ip firewall address-list remove $A


The above script will query the address list and send you an SMS. To actually allow it in we need to create a script that we can call with our phone. Go to System -> Scripts:


The Script List panel shows up:


Add a new script by pressing (you guessed it) the blue + button:


Give it a Name (note: make it simple so you can type it out from your phone later) and enter the following into the Source textbox:

:global LastRDPAddress
/ip firewall address-list add list=RDP_allow address=$LastRDPAddress
/tool wol mac=mac-address-of-target-machine-comes-here interface=bridge-local
/tool sms send usb2 "phone-number-comes-here" message="WOL request sent. Please be patient. Note: $LastRDPAddress permanently added to access list."


After you hit OK it should saved:


If you trust your battery life you can limit the router to only accept messages from a single phone number. Go to Tools -> SMS and enter your phone number under Allowed Number. What I highly recommend is setting a Secret atleast that you must supply in each SMS you send to the router.


Now that it is set up, let’s run the script by sending an SMS to the routers number with the following message:

:cmd SECRET script allow

where SECRET is the secret we set at the above step, and allow is the script name we created earlier.

Comments 1

Leave a Reply

Your email address will not be published. Required fields are marked *