Can't access Remote Desktop on Windows through VPN

Hi, I have the following architecture in my organization:

And I want to access a Remote Desktop on a Windows Server 2K12 R2 SE (it is a testing server on a VPN):

  • The firewall in the Windows Server is deactivated;
  • The Remote Access in Windows is activated with a specified user for login;
  • The port is configured in the NAT section of the Mikrotik Firewall like this:

  • These are the interfaces of the Mikrotik:

  • I can ping the Server from my computer;

  • And on whatsmyip.org I can check that port 3389 is open (at least on the WAN).

But the problem is that I can’t access the Remote Desktop; it gives the following error:

TRANSLATION:

Remote Desktop can’t connect to the remote computer for one of these reasons:

  1. Remote access to the server is not enabled
  2. The remote computer is turned off
  3. The remote computer is not available on the network
    Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.

It seems like something is blocking the connection, but the ping is OK and the port is open, so I don’t know if I am missing something.
Any help will be really appreciated,
Thanks in advance!

Great post, and love the selfie cat avatar… :slight_smile:

It’s hard to say what your firewall rules are really doing from a screenshot because there is missing information.
Open a terminal window and do:
/ip firewall nat export compact
/ip firewall filter export compact

Post the results here in a code block
(sanitize the public IP addresses in the output if you wish)

But to give some general assistance:
My question would be “how” it is failing, meaning: does it instantly fail, as if something is actively refusing the connection, or does it sit there in limbo and finally time out?
If the former, then the port is being directed to something that is not listening on 3389.
If the latter, then packets are being dropped by a firewall, or sent to the wrong destination by routing or NAT rules.

Sorry for the late response.
Here is the output of the /ip firewall nat export compact command:

[admin@MikroTik] > /ip firewall nat export compact
# aug/26/2016 09:34:00 by RouterOS 5.25
# software id = P673-N1QJ
#
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389 in-interface=WAN protocol=tcp \
    to-addresses=10.2.2.6 to-ports=8080
add action=dst-nat chain=dstnat dst-port=3389 in-interface=VPN protocol=tcp \
    to-addresses=10.2.2.6 to-ports=8080
add action=dst-nat chain=dstnat dst-port=3389 in-interface=WAN2 protocol=tcp \
    to-addresses=10.2.2.6 to-ports=8080
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN
add action=redirect chain=dstnat disabled=yes dst-port=80 in-interface=LAN protocol=\
    tcp to-ports=3128
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface=WAN protocol=\
    tcp to-addresses=10.2.2.6 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 in-interface=WAN protocol=\
    tcp to-addresses=10.2.2.6 to-ports=8080
add chain=dstnat in-interface=VPN protocol=icmp

And here is the output of the /ip firewall filter export compact command:

[admin@MikroTik] > /ip firewall filter export compact
# aug/26/2016 09:36:09 by RouterOS 5.25
# software id = P673-N1QJ
#
/ip firewall filter
add action=drop chain=input dst-port=3128 in-interface=WAN protocol=tcp
add action=drop chain=input dst-port=3128 in-interface=WAN2 protocol=tcp
add action=drop chain=forward layer7-protocol="MIX REDES SOCIALES" src-address=\
    10.2.2.0/24
add action=drop chain=forward layer7-protocol=www.youtube.com src-address=10.2.2.0/24
add action=drop chain=forward disabled=yes layer7-protocol=Face src-address=\
    10.2.2.0/24
add chain=forward content=macronline.com.ar disabled=yes protocol=tcp
add action=drop chain=forward content=spotify.com protocol=tcp
add action=drop chain=forward content=www.facebook.com disabled=yes protocol=tcp
add action=drop chain=forward content=www.youtube.com disabled=yes protocol=tcp
add action=drop chain=forward comment="Todo P2P" p2p=all-p2p
add action=drop chain=input dst-port=53 in-interface=WAN protocol=udp
add chain=input in-interface=VPN protocol=icmp src-address=10.2.2.128

As RDP is encrypted by SSL and MS also sets the don’t-fragment bit on the traffic, it’s frequently troublesome due to fragmentation.

Your packets are more than likely getting fragmented over the VPN. Will need wireshark or something similar to compare, and you more than likely need some change-mss rules on the firewalls and/or mikrotik.
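A concrete form of the change-mss rules suggested above, as an added example that is not part of the original post. The interface name VPN is taken from the first poster's export; the MSS value 1360 is an assumption that matches a 1400-byte tunnel MTU (MTU minus 20 bytes of IPv4 header and 20 bytes of TCP header) and must be derived from the real tunnel MTU.

```routeros
# Added example, not from the thread. Clamp the TCP MSS on SYN packets that
# cross the tunnel so RDP segments never exceed the tunnel MTU and never have
# to be fragmented (which the DF bit forbids anyway).
# Assumptions: the tunnel interface is called VPN (as in the poster's export)
# and its MTU is 1400, so the MSS is 1400 - 20 (IP) - 20 (TCP) = 1360.
/ip firewall mangle
# LAN -> VPN direction: only touch SYNs that advertise an MSS larger than ours.
add chain=forward protocol=tcp tcp-flags=syn out-interface=VPN tcp-mss=1361-65535 \
    action=change-mss new-mss=1360 passthrough=yes comment="MSS clamp, towards VPN"
# VPN -> LAN direction: the remote end's SYN gets the same treatment.
add chain=forward protocol=tcp tcp-flags=syn in-interface=VPN tcp-mss=1361-65535 \
    action=change-mss new-mss=1360 passthrough=yes comment="MSS clamp, from VPN"
# RouterOS 6 and later can derive the value from the interface MTU instead of a
# fixed number:
# add chain=forward protocol=tcp tcp-flags=syn out-interface=VPN \
#     action=change-mss new-mss=clamp-to-pmtu passthrough=yes
```

To find the real tunnel MTU before choosing the number, the Windows client can send DF-flagged probes with ping -f -l 1372 <server> (1372 bytes of payload plus 28 bytes of headers is 1400 bytes on the wire); lower -l until the replies come back, add 28, and use that MTU minus 40 as new-mss.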

Make sure that your load balance/share policy routing is not to blame.

I didn’t ask for the mangle rules and routing table earlier, but if your mangle table is like most common load balance configurations, then you have some rules that do connection marking for wan1 and wan2, and then some packet marking rules that operate based on the connection marks.

Make sure that you are marking connection-marks on new connections…
add chain=prerouting in-interface=wan1 connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=wan1
add chain=prerouting in-interface=wan2 connection-state=new connection-mark=no-mark action=mark-connection new-connection-mark=wan2

Obviously the interface names and the connection mark names are going to be specific to your installation, but I think you get the idea.

Another item of note: your firewall is a default-allow firewall, which is pretty insecure. You should at least make the input chain have a default drop rule, and also add some rules to the beginning of the input chain: one that accepts all packets with connection-state=established,related, and another that accepts packets with in-interface=LAN.
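The two recommendations in the reply above (connection marks on new connections so replies leave by the WAN they came in on, and a default-drop input chain) written out as one RouterOS fragment. This is an added example, not configuration from the thread or from the posters' routers: the interface names wan1, wan2 and LAN, the mark names and the two gateway addresses are assumptions to be replaced with your own.

```routeros
# Added example, not from the thread. A minimal stateful input chain plus
# connection/routing marks for a two-WAN router.
# Assumptions: WAN interfaces wan1 and wan2, trusted interface LAN,
# gateways 203.0.113.1 and 198.51.100.1 (documentation addresses).
/ip firewall filter
# Order matters: these accepts sit at the top of the input chain, the drop at
# the bottom. The input chain only governs traffic addressed to the router
# itself; dst-nat'ed RDP is handled in the forward chain and is unaffected.
add chain=input connection-state=established,related action=accept \
    comment="replies to connections the router itself started"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=LAN action=accept comment="management from the trusted LAN"
# Any service the router itself must answer from the WAN (for instance the
# VPN server port) needs an explicit accept here, before the default drop.
add chain=input action=drop comment="default drop for everything else"

/ip firewall mangle
# Mark each NEW inbound connection with the WAN it arrived on ...
add chain=prerouting in-interface=wan1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan1_conn
add chain=prerouting in-interface=wan2 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=wan2_conn
# ... and route the LAN host's replies back out through that same WAN.
# Without this, an RDP session that entered on wan2 is answered via the
# default route on wan1 and the client never sees a valid reply.
add chain=prerouting in-interface=LAN connection-mark=wan1_conn \
    action=mark-routing new-routing-mark=to_wan1
add chain=prerouting in-interface=LAN connection-mark=wan2_conn \
    action=mark-routing new-routing-mark=to_wan2

/ip route
add gateway=203.0.113.1 routing-mark=to_wan1 check-gateway=ping
add gateway=198.51.100.1 routing-mark=to_wan2 check-gateway=ping
```

Before enabling the final drop rule on a remote router, add the accepts first and watch the counters on /ip firewall filter print stats for a while; if the connection you are managing the router through is not matched by one of the accepts, the default drop will lock you out.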

Hi ZeroByte
Could you help me with a similar problem?

I can access my network from outside perfectly: RDP, cameras, etc.
I can’t access the outside from within my network; for example, I can’t RDP to something outside my network.

Below are the configs you asked the creator of the post for.

add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=COOP
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
add action=dst-nat chain=dstnat dst-port=8000 protocol=tcp to-addresses=192.168.103.197 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 protocol=tcp to-addresses=192.168.103.197 to-ports=8001
add action=dst-nat chain=dstnat dst-port=554 protocol=tcp to-addresses=192.168.103.197 to-ports=554
add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=192.168.103.253 to-ports=3389



/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=new in-interface=COOP new-connection-mark=COOP_conn
add action=mark-connection chain=prerouting connection-state=new in-interface=pppoe-out1 new-connection-mark=pppoe-out1_conn
add action=mark-connection chain=prerouting connection-state=new in-interface=WAN3 new-connection-mark=WAN3_conn
add action=mark-routing chain=output connection-mark=COOP_conn new-routing-mark=to_COOP
add action=mark-routing chain=output connection-mark=pppoe-out1_conn new-routing-mark=to_pppoe-out1
add action=mark-routing chain=output connection-mark=WAN3_conn new-routing-mark=to_WAN3
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local in-interface=LAN new-connection-mark=pppoe-out1_conn per-connection-classifier=both-addresses:5/0
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local in-interface=LAN new-connection-mark=COOP_conn per-connection-classifier=both-addresses:5/1
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local in-interface=LAN new-connection-mark=COOP_conn per-connection-classifier=both-addresses:5/2
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local in-interface=LAN new-connection-mark=WAN3_conn per-connection-classifier=both-addresses:5/3
add action=mark-connection chain=prerouting connection-state=new dst-address-type=!local in-interface=LAN new-connection-mark=WAN3_conn per-connection-classifier=both-addresses:5/4
add action=mark-routing chain=prerouting connection-mark=COOP_conn in-interface=LAN new-routing-mark=to_COOP
add action=mark-routing chain=prerouting connection-mark=pppoe-out1_conn in-interface=LAN new-routing-mark=to_pppoe-out1
add action=mark-routing chain=prerouting connection-mark=WAN3_conn in-interface=LAN new-routing-mark=to_WAN3



/ip route
add check-gateway=ping distance=2 gateway=192.168.0.1 routing-mark=to_WAN3
add check-gateway=ping disabled=yes distance=2 gateway=192.168.105.1 routing-mark=to_WAN2
add check-gateway=ping distance=2 gateway=pppoe-out1 routing-mark=to_pppoe-out1
add distance=1 gateway=COOP routing-mark=to_COOP
add distance=2 gateway=192.168.0.1

TY in advance

anyone please?

First, it’s usually a bad idea to post your problem to an existing topic just because you think it’s similar. It often isn’t, and it only creates confusion, because it requires others to pay extra attention to what is what. Make your own topic and 100% of the focus will be on your problem.

I didn’t study your whole config in detail, but the obvious mistake is rules like this:

add action=dst-nat chain=dstnat dst-port=3389 protocol=tcp to-addresses=192.168.103.253 to-ports=3389

You don’t limit the destination address, so it matches everything: incoming, outgoing, it doesn’t matter. If you can, add dst-address=. If not (because it’s dynamic), use dst-address-type=local.
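The over-broad rule from the second poster's config beside the scoped version the reply above describes, as an added example that is not part of the thread. The address 192.168.103.253 is the one from the post; nothing else is taken from either router. The same scoping applies to the first poster's three dst-nat rules, where the other thing to verify is to-ports: it must be the port the server's RDP listener is actually bound to, which is 3389 unless the RDP-Tcp PortNumber registry value was changed, whereas that export rewrites 3389 to 8080.

```routeros
# Added example, not from the thread. Port forward for RDP: the broad rule
# (kept disabled here for comparison) and the scoped one that replaces it.
/ip firewall nat
# BEFORE: no dst-address and no interface. Every TCP packet to port 3389 that
# passes through the router, including a LAN client connecting OUT to a remote
# RDP host, is rewritten to 192.168.103.253, so outbound RDP can never work.
add chain=dstnat protocol=tcp dst-port=3389 disabled=yes \
    action=dst-nat to-addresses=192.168.103.253 to-ports=3389 \
    comment="too broad: also catches LAN -> internet RDP"

# AFTER: only packets whose destination is an address owned by this router.
# dst-address-type=local stands in for a fixed dst-address= when the public
# IP is dynamic, and it works unchanged across all four WAN interfaces.
add chain=dstnat protocol=tcp dst-port=3389 dst-address-type=local \
    action=dst-nat to-addresses=192.168.103.253 to-ports=3389 \
    comment="RDP in: only when the router itself is the destination"

# Optional tightening: local also matches the router's LAN address, so a LAN
# client that targets <router LAN IP>:3389 is forwarded too. Exclude the LAN:
# add chain=dstnat protocol=tcp dst-port=3389 dst-address-type=local in-interface=!LAN \
#     action=dst-nat to-addresses=192.168.103.253 to-ports=3389
```

Whichever form is used, the to-addresses and to-ports pair must be a socket that is really listening: on the Windows server, netstat -ano | findstr :3389 (or the port you expect) shows the listener, and a rule that forwards to a port with no listener produces exactly the instant "refused" failure the earlier reply asks about, while a missing forward-chain accept or a wrong routing mark produces the slow timeout.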