Port forwarding doesn't work

Hi Friends! The router connects to the Internet via PPPoE.
I’m doing port forwarding to a machine with open RDP, but it doesn’t work.
[Attached screenshots: 4.png, 3.png, 2.png, 1.png]

Copying the sanitized output of the “/export” command into a “code” block is far more useful than screenshots. These in particular do not show whether you gave the key “to-port” parameter.

Here you go:

# oct/18/2023 10:55:28 by RouterOS 6.49.10
# software id = 01ET-I9FG
#
# model = RB951G-2HnD
# serial number = <edit>
/interface bridge
add name=local
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface pppoe-client
add add-default-route=yes comment=pppoe disabled=no interface=ether1 name=\
    tattelecom password=******* use-peer-dns=yes user=*****
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.8.10-192.168.8.254
add name=dhcp_pool1 ranges=192.168.8.2-192.168.8.200
add name=dhcp_pool2 ranges=192.168.8.10-192.168.8.200
add name=dhcp_pool3 ranges=192.168.8.10-192.168.8.200
add name=dhcp_pool4 ranges=192.168.8.10-192.168.8.200
add name=dhcp_pool5 ranges=192.168.1.10-192.168.1.200
add name=dhcp_pool6 ranges=192.168.1.10-192.168.1.200
add name=dhcp_pool7 ranges=192.168.1.10-192.168.1.200
add name=dhcp_pool8 ranges=192.168.1.10-192.168.1.200
add name=dhcp_pool9 ranges=192.168.1.10-192.168.1.200
/ip dhcp-server
add address-pool=dhcp_pool9 disabled=no interface=local name=dhcp1
/interface bridge port
add bridge=local interface=wlan1
add bridge=local interface=ether2
add bridge=local interface=ether3
add bridge=local interface=ether4
add bridge=local interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=192.168.1.1/24 interface=local network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall nat
add action=masquerade chain=srcnat comment=local log-prefix=nat-local \
    out-interface=tattelecom src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment=rdp dst-port=3389 in-interface=\
    tattelecom log=yes log-prefix=rdp protocol=tcp to-addresses=192.168.1.2 \
    to-ports=3389
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=RouterOS
/tool sniffer
set filter-interface=local

Your ISP might be blocking inbound RDP; it is often abused.

Try moving the service to a random port with “to-ports=3389 dst-port=12345” and then point your remote RDP client at this new port number. If that works, it confirms the ISP filtering hypothesis.

Not working :(

rdp dstnat: in:tattelecom out:(unknown 0), proto TCP (SYN), 10.175.13.109:56361->178.205.140.48:12345, len 52

That looks like it is working, but the internal host isn’t answering. Does a connection to port 3389 on 192.168.1.2 work on the LAN?

From the local network, I connected to 192.168.1.2 via RDP.

Is 192.168.1.1 the gateway for host 192.168.1.2?

No, 192.168.1.2-192.168.1.10 have their addresses set manually, without a gateway, so that there is no Internet.

There you are, then. The RDP server doesn’t know that it needs to reply to the gateway, hence the SYN-ACK packet has nowhere to go, hence the RouterOS box gets no packets to send to the remote RDP client.

Either you will have to set up a gateway, or if this internal host must have no gateway for some reason, then I suggest you configure one of the several types of VPN available and then connect to the internal RDP host over that VPN instead of attempting to port-forward it.

The VPN option is superior anyway. RDP has had several security holes in it. Maybe your OS has them all patched today, but I wouldn’t bet on it being patched against all future flaws in time to avoid being attacked. I would never expose RDP naked to the Internet.
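The diagnosis above has two halves: the dst-nat rule did match (the log line proves the SYN reached the router and was translated), and the internal host had no route back to the remote client. The following script is an added example, not code from this thread or from MikroTik; it parses the firewall log line quoted above, checks it against the rdp rule from the export (with dst-port changed to 12345 as suggested), and then performs a longest-prefix route lookup for the reply packet from 192.168.1.2 using two constructed routing tables: one without a default gateway (the poster's situation) and one with 192.168.1.1 as gateway (the fix). The route tables, the rule dictionary and the field names are assumptions for illustration.

```python
import ipaddress
import re

# The dst-nat log line quoted in the thread (log-prefix "rdp", log=yes on the rule).
LOG_LINE = ("rdp dstnat: in:tattelecom out:(unknown 0), proto TCP (SYN), "
            "10.175.13.109:56361->178.205.140.48:12345, len 52")

# RouterOS firewall log format: "<prefix> <chain>: in:<if> out:<if>, proto <P> (<flags>), src:sp->dst:dp, len N"
LOG_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>.+?), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)"
)

# The dst-nat rule from the /export, as a dict (dst-port set to 12345 per the ISP-filter test).
RDP_RULE = {"chain": "dstnat", "protocol": "tcp", "in-interface": "tattelecom",
            "dst-port": 12345, "to-addresses": "192.168.1.2", "to-ports": 3389}

# Constructed routing tables for the internal host 192.168.1.2: (prefix, gateway or None for on-link).
HOST_NO_GATEWAY = [("192.168.1.0/24", None)]                        # static address, no gateway
HOST_WITH_GATEWAY = [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]


def parse_nat_log(line):
    """Split a RouterOS firewall log line into its fields; ports and length become ints."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError("not a RouterOS firewall log line: %r" % line)
    pkt = m.groupdict()
    for key in ("sport", "dport", "len"):
        pkt[key] = int(pkt[key])
    pkt["proto"] = pkt["proto"].lower()
    return pkt


def nat_rule_matches(rule, pkt):
    """True if the logged packet satisfies every matcher of the dst-nat rule."""
    return (pkt["chain"] == rule["chain"]
            and pkt["proto"] == rule["protocol"]
            and pkt["in_if"] == rule["in-interface"]
            and pkt["dport"] == rule["dst-port"])


def reply_route(host_routes, dst):
    """Longest-prefix match over the host's routing table. Returns (network, gateway) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in host_routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best


def diagnose(line, rule, host_routes):
    """Explain why a forwarded TCP handshake does or does not complete.

    Returns ("rule-miss", None) if the rule would not translate the packet,
    ("no-return-route", <client ip>) if the internal host cannot route the SYN-ACK back,
    or ("ok", <next hop or None for on-link>) if the reply has a path.
    """
    pkt = parse_nat_log(line)
    if not nat_rule_matches(rule, pkt):
        return ("rule-miss", None)
    # The SYN is rewritten to to-addresses:to-ports; the host must now reply to the original source.
    route = reply_route(host_routes, pkt["src"])
    if route is None:
        return ("no-return-route", pkt["src"])
    return ("ok", route[1])


if __name__ == "__main__":
    for name, table in (("no gateway", HOST_NO_GATEWAY), ("with gateway", HOST_WITH_GATEWAY)):
        print(name, "->", diagnose(LOG_LINE, RDP_RULE, table))
```

Run as is, the script reports no-return-route for the gateway-less table and ok via 192.168.1.1 once a default route exists, which is exactly the difference between the log line showing a translated SYN and the client ever seeing a SYN-ACK. The same parser can be pointed at any dst-nat log line copied from the router's log to confirm the rule matched before suspecting the ISP.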