I need to publish several RDP hosts and I would like to do that with single rule.
General idea is that connection on WAN port, say, 30209 should go to internal host 172.16.0.209:3389,
30210 should go to internal host 172.16.0.210:3389
…
30230 should go to internal host 172.16.0.230:3389
Sequence should start at A and finish at B.
Is there a (not overly complex) way to achieve this in ROS?
You could configure it using some script … but you’d still end up with N NAT rules. So even if the job would be done using a script, I’d run the script on some linux PC and copy-paste the resulting configuration commands to the CLI connection.
Then your RouterOS requires a single D-NAT entry pointing to HAProxy where you can do much more flexible things.
Of course it depends on the use case; this introduces “another” component in the chain for sure. But again, is it that dramatic to have a couple of D-NAT lines? It’s not that you are looking to map hundreds of RDP NATs, right?
You can even “pre-configure” them and ENABLE/DISABLE them as you need them. Just make a small plan and communicate to the RDP/Server guys that they need to follow that scheme.
This would not solve anything as there is only 1 public IP-address to my understanding.
IF there are multiple public IPs available, sure, you could already distribute based on that.
But I don’t even know if the topic starter wants to address inbound connections coming from the Internet…
Still confused, port forwarding is doable with one public IP???
The key is to do port translation. The router will keep track of the incoming traffic and return it properly.
What you CANNOT have is incoming traffic for the SAME PORT going to different servers; how does the router know which server that port is destined for???
(one port to one server).
We honour that above rule with port translation as shown below, each incoming port goes to one specific server.
Perhaps the question was… can I just write one rule to cover all of the above? Answer: no.
Perhaps the question was… can I have just one incoming port and rule, and the router then switches the request to the next server in some sort of fair sequence? Answer: not to my knowledge.
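As an added illustration of the two points made above (a script still yields one dst-nat rule per host, and each external port maps to exactly one internal server), here is a small POSIX shell generator that is not from any poster in this thread. It runs on a Linux PC and prints the RouterOS commands to paste into the CLI, following the thread's scheme of WAN port 30000+N for host 172.16.0.N. Assumptions (not from the thread): the router's WAN interface is a member of the interface list `WAN`, and inbound RDP is restricted to an address list named `rdp-allowed` that you populate yourself, so the rules are not open to the whole Internet.

```shell
#!/bin/sh
# Constructed example: emit one RouterOS dst-nat rule per RDP host.
# Scheme from the thread: WAN port 30000+N  ->  172.16.0.N:3389
# Assumed (not from the thread): interface list "WAN", address list "rdp-allowed".

INTERNAL_NET="172.16.0"   # internal /24 holding the RDP hosts
RDP_PORT=3389             # RDP listens here on every internal host
PORT_BASE=30000           # external port = PORT_BASE + last octet

# gen_rdp_dnat FIRST LAST
# Prints one "/ip firewall nat add" line for each last octet in FIRST..LAST.
gen_rdp_dnat() {
    first=$1
    last=$2
    octet=$first
    while [ "$octet" -le "$last" ]; do
        wan_port=$((PORT_BASE + octet))
        # Each external port is matched exactly once, so the router has an
        # unambiguous answer to "which server does this port belong to".
        printf '/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=%s src-address-list=rdp-allowed action=dst-nat to-addresses=%s.%s to-ports=%s comment="RDP %s.%s"\n' \
            "$wan_port" "$INTERNAL_NET" "$octet" "$RDP_PORT" "$INTERNAL_NET" "$octet"
        octet=$((octet + 1))
    done
}

# rule_count FIRST LAST: number of rules the generator will produce.
rule_count() {
    gen_rdp_dnat "$1" "$2" | wc -l | tr -d ' '
}

# Usage: ./gen_rdp_dnat.sh > rdp-nat.rsc ; then paste or /import the file.
if [ "${1:-}" = "--run" ] || [ -z "${1:-}" ]; then
    gen_rdp_dnat 209 230
fi
```

The `src-address-list=rdp-allowed` match is the same idea the later post describes (matching on the source address as well); dropping it gives the plain "any source" forwarding the original question asked for, but leaving it in keeps RDP reachable only from the addresses you list. Pair the generated lines with a matching `chain=forward` accept rule in `/ip firewall filter` if your forward chain drops new WAN connections by default.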
The whole idea with haproxy seems to be that the proxy gets the domain name inside the session payload, but I’m not sure whether the domain name is available at all in the RDP protocol, and if yes, whether it is available in plaintext.
As for the same port being forwarded to different internal IP addresses, this is only possible if you match on source address of the request as well. For example, my colleague’s Tik forwards requests to port XXXX to some internal server, except if accessed from my home IP - in that case, it forwards requests to the same port to its own SSH port. But that’s a special application case of course.