Problem with port forwarding for RemoteDesktop

Hello everyone, I got a big problem with port forwarding to connect with my server from home (example).
I configured the firewall and added a rule in the NAT section. I checked on many sites and everywhere it is the same config, and it looks like a very easy task, well… my connection still does not work :(
I'll write what I've changed; maybe someone can kindly help me.

On the NAT rule I got
GENERAL TAB
chain: dstnat
dst. address: here I wrote the IP address that I checked from a "myip" site (global address?)
protocol: 6 (tcp)
dst. port: 3389
ACTION TAB
action: dst-nat
to addresses: here I wrote the server IP from my inside network
to ports: 3389

and it did not work, so I added a firewall rule
GENERAL TAB
chain: forward
protocol: 6 (tcp)
dst. port: 3389
ACTION TAB
Action: accept
And my remote desktop still does not work :( Thanks in advance for help.

http://forum.mikrotik.com/t/rdp-port-forwarding-issue/107061/1

Tried everything from this topic :( Still I can't connect :(
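For reference, here is the same port forward written as RouterOS CLI commands (this is a constructed example, not the poster's configuration or anything from the MikroTik forum). The interface name ether1 and the LAN host address 192.168.88.10 are assumptions. It matches on the incoming interface instead of a hard-coded dst-address, so the rule does not depend on whatever address a "myip" site reports, and the accept rule goes in the forward chain, because a packet that has been dst-nat'ed to a LAN host is routed, not delivered to the router itself:

```routeros
# Constructed example (not the poster's config). Assumed names/addresses:
#   ether1        = the interface that carries the router's public address
#   192.168.88.10 = the Windows Server 2012 R2 terminal server on the LAN
#                   (its default gateway must be the MikroTik LAN address)
#
# Check first: the router has to own a public address on ether1. If the
# only addresses listed are private (192.168.x.x, 10.x.x.x), the router is
# behind another NAT device and this dst-nat rule alone cannot work.
/ip address print

# NAT rule: translate incoming TCP/3389 on the WAN interface to the host.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=3389 \
    comment="RDP -> terminal server (constructed example)"

# Filter rule: after dst-nat the packet is forwarded, so it is evaluated
# in the forward chain, not input. Restrict it to the translated
# destination and to connections that actually passed the dst-nat rule.
/ip firewall filter
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    dst-address=192.168.88.10 connection-nat-state=dstnat \
    action=accept comment="allow forwarded RDP (constructed example)"

# Verification: the NAT rule's packet counter should rise when a client
# connects, and the translated session should show up in the tracker.
/ip firewall nat print stats
/ip firewall connection print where dst-address~":3389"
```

The accept rule is appended at the end of the filter list by `add`; if the forward chain already ends in a drop-everything-from-WAN rule, move the accept above it (drag it in WinBox or use `/ip firewall filter move`). If the NAT counter stays at zero while a client connects, the packets are not reaching this router on that interface at all, which is the double-NAT situation discussed in the thread.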

Is “ip adress that i checked from myip site” the same address you see directly on router (in IP->Addresses)?

Disable all firewall filter rules for the test.
What gateway does the terminal server have? It must be the internal MikroTik address.

Hmm, strange, I don't have that IP in Addresses, only 3 internal IPs starting from 192…


OK Nikita, I'll try and reply tomorrow. Thanks, guys.

Shooting darts in the dark is rarely productive.

  1. Assuming you wish to connect from a remote location using RDP.
    a. any WAN IP?
    b. specific WAN IP?

  2. Assuming you want to connect to
    a. an RDP server/host?
    b. a LAN PC?

  3. Assume you use Dydns type (myip) services to connect to your home router.

  4. Any setup for the remote client can only begin once we know the host situation (version of RDP/windows server version, what edition of OS, home vs professional etc).

  5. In general, using RDP by port forwarding is not recommended for security reasons as there is some risk… and there are other ways such as VPN to get access to PCs behind the mikrotik. Relies solely on strength of password.

Then your router has no public address and nobody can directly connect to it. You can add as many port forwarding rules as you want and none of them will work. Unless that public address you saw is on some ISP’s modem/router connected before yours and forwards incoming connections to you.

Add the same rule with chain INPUT - put this rule at the top of the filter section!

You don’t need to add input rules for dst nat to work…

@anav
1. Any WAN IP
2. An RDP server/host
3. I'm not quite sure what you mean,
4. Windows Server 2012 R2
5. It is hard to set up a VPN on MikroTik because frankly I never saw such a complicated router, I mean I always used casual routers :smiley:

@sob
I see, thank you for your answers, guys.
There are other routers in that place and RDP worked perfectly before we added the third router (MikroTik). Is it possible that the IP from the MyIP check comes from the other router in this network??
I think the router is in VPN mode anyway; it got two IPs I can access it with? Is it normal? And one more question: can I add whatever IP I want to Addresses and make it public?

You should probably provide a few more details about your network and how everything is connected and configured.

Two things are clear. You can't just invent a public address. And if you have a public address somewhere else and forward ports from it to other routers, the "dst.address" field of your dstnat rule on such other router can't contain the original public address, but it must be the private address to which you forward ports from the public one.

Concur with Sob. I was thinking one mikrotik router facing the internet and servers behind. Now there are three routers and VPN in the mix???

  1. Was just confirming that you use a dynamic IP name service, so that one simply types in a URL "myfavouriteurl.myip" and the myip site sends the request to your current actual HOME WAN IP address.

As far as RDP, what RDP application are you using on Windows 2012? There seem to be different styles of RDP server versions.

Why? If you have the last input rule in the filter with drop all from in-interface=wan?

Because you either use dstnat to forward packets elsewhere, or they go to the input chain. The two events can never both occur for the same packet. Whether a packet goes to the input chain or not depends on the destination address. If it's local, it goes to input; if it isn't, it doesn't go to input. Even if the destination was originally local, it isn't local anymore after dstnat changes it (*).

(*) You can dstnat to other local address, but it doesn’t make much sense.

Windows Server 2012 introduced the Remote Desktop Management Service (RDMS) effectively removing the standard MMC consoles used to manage a Windows Server 2008 R2 Remote Desktop Services server.
Here is a decent link…
https://social.technet.microsoft.com/wiki/contents/articles/20684.management-how-to-changes-for-rds-in-windows-server-2012-and-2012r2.aspx

Gives me a headache, but suffice to say, let's keep it simple, expecting clients to come in on 3389 TCP to your public IP.
You need to port forward the traffic to a specific LAN IP, and add an accompanying FW rule.

My question is how to protect this port from abuse (multiple login attempts by hackers)… Can we state a rule which says capture repeated attempts to enter and then block the source IP?
Is this useful or a waste of time?

You can limit connection attempts like shown here:

https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

I don’t know how many login attempts each connection allows, but if it closes after a few failed attempts and attacker must connect again to continue, then it can help.
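The wiki page linked above shows its staged address-list pattern for SSH on the input chain. The following is an added example (not from the wiki, the poster, or MikroTik) that adapts the same pattern to RDP that has been dst-nat'ed to a LAN host, so the rules live in the forward chain. The interface name ether1, the host address 192.168.88.10, the list names rdp_stage1..3 / rdp_blacklist and the timeouts are all assumed values:

```routeros
# Constructed example, adapted from the staged address-list idea on the
# MikroTik wiki. Assumed: ether1 = WAN interface, 192.168.88.10 = RDP host.
# Each NEW TCP/3389 connection from one source within a minute moves that
# source one stage up; the fourth one lands it in a 10-day blacklist.
/ip firewall filter

# 1. Drop anything already blacklisted before it reaches the host.
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    dst-address=192.168.88.10 src-address-list=rdp_blacklist \
    action=drop comment="drop RDP brute forcers (constructed example)"

# 2. Escalation ladder. add-src-to-address-list is a passthrough action,
#    so the packet keeps going down the list and still reaches the accept.
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    dst-address=192.168.88.10 connection-state=new \
    src-address-list=rdp_stage3 action=add-src-to-address-list \
    address-list=rdp_blacklist address-list-timeout=10d
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    dst-address=192.168.88.10 connection-state=new \
    src-address-list=rdp_stage2 action=add-src-to-address-list \
    address-list=rdp_stage3 address-list-timeout=1m
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    dst-address=192.168.88.10 connection-state=new \
    src-address-list=rdp_stage1 action=add-src-to-address-list \
    address-list=rdp_stage2 address-list-timeout=1m
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    dst-address=192.168.88.10 connection-state=new \
    action=add-src-to-address-list \
    address-list=rdp_stage1 address-list-timeout=1m

# 3. Accept the forwarded RDP traffic that survived the ladder.
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    dst-address=192.168.88.10 connection-nat-state=dstnat \
    action=accept comment="allow forwarded RDP (constructed example)"

# Inspection and manual reset of the blacklist:
/ip firewall address-list print where list=rdp_blacklist
/ip firewall address-list remove [find list=rdp_blacklist]
```

Two caveats. The rules are appended by `add`, so they must be moved above any existing drop-all-from-WAN rule in the forward chain, and the order shown (drop, then the ladder top-down, then accept) must be kept, or the escalation never triggers. And this counts connections, not failed logins: a legitimate user whose client reconnects a few times within a minute will blacklist themselves, so either raise the thresholds or put known client addresses in a separate list that is accepted before the ladder.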

RDP on a publicly accessible port is spooky. I typically set people up with a VPN and then they can RDP to the local IP of the Windows machine. If the remote party has a DDNS updater app on their device, you could port forward and only allow trusted DDNS hostnames.