RDP 3389 block to external connections

Hello,

I’ve recently set up a RB951G-2hnd (6.13), all working fine, but when I try to connect my remote desktop to an external server it gives me a timeout.

In connections I see TCP-STATE when I try to connect >> syn sent

What rule do I need to allow outgoing connections by RDP :question:

thanks :wink:

Can you see google.com?

If yes, you must contact the server administrator, because probably your IP is not allowed to connect to that server.

I’m the sysadmin.

Everything works fine (NAV, POP, SMTP, ...) except RDP connections to external public IPs.

I’ve created a rule for incoming RDP connections [external to local IP] and it works.

If everything works, the cause can be the server or other devices in between.

Tesl4, I’d recommend checking your RDP dst-nat rule again and making sure that you’ve specified the Incoming Interface and that it’s set to your gateway interface.

craig

when I try to connect:

the rule is:

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=3389
in-interface=pppoe-out1 protocol=tcp to-addresses=172.16.2.253
to-ports=3389

It doesn’t work, and I want all of my network to be able to connect to external RDP.

Regards.

Just to clarify, you can make inbound RDP connections successfully. Your issue now is that you cannot make outbound RDP connections, is that correct? Is it only one device that you’re unable to connect to, or all RDP connections regardless of destination?

If that’s correct, can you run an export and remove any passwords and other sensitive info?

craig

Hi Craig

Inbound RDP connections work fine.

Outbound RDP connections don’t work, for all RDP connections regardless of destination.

You don’t happen to control the PPPoE server do you?

If you run torch on your pppoe-out1 interface, do you see the outgoing RDP request?

If you do, then it’s time to call your ISP and ask if they have a default rule to block outgoing RDP traffic from subscribers. It would be the first time I’ve heard of an ISP blocking RDP by default, but 25, 137-139, 445, and 1433 are not uncommon.

I’m a WISP and I block these on all incoming new connections, on UDP/TCP:

111,135,137,138,139,445,8291

And we don’t remove it, not even on request.

We also block incoming

TCP: 20,21,22,23,53,80,443,8728,8729,1700,1812,1813,3799,2210,2211
UDP: 53,67,68,69,123,161,1700,1812,1813,3799,2210,2211

But those ports can be opened after an explicit user request.

Also, incoming 5060-5067 are blocked on UDP and TCP if the request does not come from a well-known SIP/VoIP provider (or by end-user request).

But as for 3389, it is not logical to block that port.

Same problem: it happens if you set up an incoming NAT for 3389. The solution is to specify, for that rule, the interface that receives the incoming RDP request.

I don’t know why, but without this trick outgoing RDP connections don’t work.

Let me know, Simone.
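Putting Craig’s and Simone’s advice into a concrete configuration, as an added example that is not part of any post in this thread. It shows why an unscoped dst-nat rule breaks outbound RDP: the dstnat chain sees every new connection passing through the router, LAN-originated ones included, so a rule matching only on dst-port=3389 rewrites a LAN client’s connection to a public RDP server towards the internal host, and the client sits in SYN_SENT. The interface names, the LAN host address and the accompanying filter rule are assumptions.

```routeros
# Added example, not from the thread. Assumed names: WAN = pppoe-out1,
# RDP host on the LAN = 172.16.2.253.

# Too broad (kept disabled here for comparison): matches ANY new connection
# to TCP/3389 that traverses the router, including a LAN client going out to
# a public RDP server. That connection is rewritten to 172.16.2.253 and
# never reaches the internet; the client's connection stays in "syn sent".
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=172.16.2.253 to-ports=3389 \
    disabled=yes comment="too broad: also catches outbound RDP"

# Scoped: only packets that arrive on the WAN interface AND are addressed to
# one of the router's own addresses are forwarded to the LAN host. Outbound
# RDP from the LAN no longer matches this rule at all.
/ip firewall nat
add chain=dstnat in-interface=pppoe-out1 dst-address-type=local \
    protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=172.16.2.253 to-ports=3389 \
    comment="inbound RDP to LAN host"

# Filter side: the translated connection still has to pass the forward
# chain, so accept exactly that flow and nothing wider.
/ip firewall filter
add chain=forward in-interface=pppoe-out1 connection-state=new \
    protocol=tcp dst-address=172.16.2.253 dst-port=3389 action=accept \
    comment="allow forwarded RDP to LAN host only"

# Check while a LAN client attempts an outbound RDP session: the SYN should
# appear on pppoe-out1 with the public server as destination, and the
# connection table should show that public address, not 172.16.2.253.
/tool torch interface=pppoe-out1 protocol=tcp port=3389
/ip firewall connection print where protocol=tcp dst-address~":3389"
```

The in-interface match is what the thread calls the “trick”: it limits the port forward to traffic that actually entered from the ISP side. Adding dst-address-type=local narrows it further, so a rule on a router with several WAN-side addresses still only catches connections aimed at the router itself.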