Firewall - Block RDP access to server EXCEPT from a single I

I can’t seem to get this to work.
What is the firewall rule to block ALL RDP (port 3389) access to the internal server on 192.168.0.x EXCEPT from 101.0.0.1?
There is one internal connection (LAN1) and two external connections (WAN1 and WAN2) to separate routers/ISPs.

TIA

You need two rules. The first one does an accept and allows only the permitted IP to access the RDP port, the second one does a drop for anything else going to the RDP port. Struggling to find a single rule to do something usually means that you need two or more, and sometimes even a side chain to simplify things.

One NAT rule is enough:

/ip firewall nat
add action=dst-nat chain=dstnat comment="RDP" disabled=no dst-port=3389 in-interface=WAN protocol=tcp src-address=101.0.0.1 to-addresses=192.168.0.x to-ports=3389

HTH,

Thanks.
Digging into the setup of this router further, I see that WAN1 is bridged. Would this be why the rules aren’t applying?

But can’t one simply use a bang (!) to say Drop where IP NOT = 101.0.0.1 ?
Surely that’s simpler.

This rule states that RDP dst-NAT is possible only when src-address is 101.0.0.1; for other addresses it doesn’t work, that’s all.

HTH,

Thanks. I do understand the rule.
(My reference to the bang was in reply to the first responder’s message about two rules.)
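For reference, here is what the two approaches discussed in this thread (the accept-then-drop pair and the single negated drop) look like as RouterOS filter rules. This is an added example, not configuration posted by anyone in the thread; it assumes the upstream interfaces are named WAN1 and WAN2, and 192.168.0.x is left as the placeholder the question uses.

```routeros
# Group both upstream links so one rule covers WAN1 and WAN2
# (assumed interface names; the list name "WAN" is our own choice).
/interface list
add name=WAN comment="both upstream links"
/interface list member
add list=WAN interface=WAN1
add list=WAN interface=WAN2

# Approach 1: two rules. Order matters, the accept must come first.
# Note: the forward chain is evaluated after dst-nat, so match on the
# server's internal address, not on the public address it is published at.
/ip firewall filter
add chain=forward action=accept protocol=tcp in-interface-list=WAN \
    src-address=101.0.0.1 dst-address=192.168.0.x dst-port=3389 \
    comment="RDP: only the permitted source"
add chain=forward action=drop protocol=tcp in-interface-list=WAN \
    dst-address=192.168.0.x dst-port=3389 \
    log=yes log-prefix="RDP-DENY" \
    comment="RDP: drop and log everything else from the WAN side"

# Approach 2: the same result with one negated rule (the "bang").
# Use either approach 1 or approach 2, not both.
# add chain=forward action=drop protocol=tcp in-interface-list=WAN \
#     src-address=!101.0.0.1 dst-address=192.168.0.x dst-port=3389 \
#     log=yes log-prefix="RDP-DENY" comment="RDP: drop all but 101.0.0.1"
```

With log=yes on the drop rule, every blocked attempt shows up in /log with the RDP-DENY prefix, which is the quickest way to confirm the rule is actually matching traffic from WAN1 and WAN2.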