Hi all - fairly new to MikroTik, so I would appreciate your assistance.
I have a MikroTik router v6.27 running in a VM with a public IP on the WAN interface. The LAN IP of the firewall is 10.254.5.254/24.
Inside the LAN I have a Windows 2012 server at 10.254.5.1/24.
I am trying to configure the firewall to forward RDP traffic to 10.254.5.1, but I have not been able to get it to work.
I can ping both sides of the VLAN, and the Windows server is configured for remote access and has its firewall disabled. I can RDP to the same server from inside the LAN, so I am confident that there are no issues with the Windows machine.
Here is my current NAT config:
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; NAT rule to allow LAN access to Internet
chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
1 ;;; Inbound Port Forward to 10.254.5.1:3389
chain=dstnat action=dst-nat to-addresses=10.254.5.1 to-ports=3389 protocol=tcp dst-address=xxx.xxx.xxx.xxx in-interface=ether1 dst-port=3389 log=no log-prefix=""
Note: xxx.xxx.xxx.xxx is my public IP.
I have copied this from another working firewall.
When I try to RDP to the public IP, the RDP client fails to initiate a connection. A port scan shows that port 3389 is open, but I can't see in WinBox that any packets are being processed by this rule.
I am wondering if I may have missed another setting in WinBox somewhere.
I would really appreciate any suggestions on how to resolve this or at least troubleshoot to the point I can find out where the problem is.
Do you get no connection occurring at all, or a black screen? I had to clear the DF bit in a mangle rule to get RDP working across a remote VPN subnet. If I didn't, I could ping and port scan, but connecting just gave me a black screen. Sounds like you're not quite getting that far, though?
That looks to be exactly the fix I needed. I can now access the internal host via RDP - many thanks!
I take note of your comment that the current config is very insecure. Since I am only just starting with Mikrotik I am more than happy to hear any recommendations you might like to provide. Or if you can point me in the right direction of anything documenting best practice I’d really appreciate it. I will need to roll out more of these in the near future and want to build a standard config I can basically copy & paste.
Thanks for your help to resolve my initial problem -
Head over to this topic. These are my blacklist and firewall rules. I think just the last two rules in the filter will need to be changed for you; my internet interfaces are called "WAN1" and "WAN2", yours is "ether1". If you adjust them for your situation, it will provide you with a pretty secure unit.
Hey all - just further to my original question if I may…
I have RDP working fine; however, I have noticed that I am not able to RDP to the host via the public IP when I am on the same public IP. To be honest, I don't have a reason to actually access the server via the public IP when I am inside my network; however, I figure there is something here that I can learn more about.
My question then is: what do I need to do to allow the firewall to process incoming requests from the same IP?
I am still struggling to get my NAT working. I understand hairpin NAT better now, but I am not able to get it working with my network configuration, as per the diagram below.
Network Diagram.png
I am trying to get access to the device at 10.254.5.1 from the 10.1.10.0/24 subnet.
My current config is:
0 ;;; NAT rule to allow LAN access to Internet
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix=""
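For the two questions in this thread (the port forward itself, and reaching 10.254.5.1 via the public IP from inside, i.e. hairpin NAT, including from the 10.1.10.0/24 subnet in the diagram), here is a complete RouterOS rule set as an added example. It is not any poster's configuration. It assumes the WAN interface is "ether1", uses 203.0.113.10 as a stand-in for the poster's public IP, and invents an address list "rdp-allowed" (198.51.100.0/24) for the external networks that should be allowed to reach RDP at all; replace those with your own values.

```routeros
# Added example, not the poster's config. Assumed values: WAN interface "ether1",
# public address 203.0.113.10 (stands in for xxx.xxx.xxx.xxx), LAN 10.254.5.0/24,
# RDP host 10.254.5.1, second internal subnet 10.1.10.0/24, admin network 198.51.100.0/24.

/ip firewall address-list
add list=rdp-internal address=10.254.5.0/24 comment="hairpin sources: LAN behind the router"
add list=rdp-internal address=10.1.10.0/24 comment="hairpin sources: second internal subnet (assumed)"
add list=rdp-allowed address=198.51.100.0/24 comment="assumed external admin network allowed to reach RDP"

/ip firewall nat
# Outbound masquerade for LAN -> Internet, as in the thread
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"

# Port forward. Matching on the public dst-address rather than in-interface=ether1 lets the
# same rule fire for packets that arrive from the LAN side, which is what hairpin needs.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=10.254.5.1 to-ports=3389 comment="Forward RDP to 10.254.5.1"

# Hairpin: srcnat runs after the dst-nat translation, so dst-address is already 10.254.5.1 here.
# Rewriting the internal client's source forces the server's reply back through the router
# instead of straight to the client, which would otherwise reset the session.
add chain=srcnat src-address-list=rdp-internal dst-address=10.254.5.1 protocol=tcp dst-port=3389 \
    action=masquerade comment="Hairpin NAT for internal RDP clients"

/ip firewall filter
# Only dst-nat'ed RDP from the allowed external list or from internal sources is forwarded;
# every other forwarded, dst-nat'ed connection is dropped so the forward is not wide open.
add chain=forward connection-nat-state=dstnat protocol=tcp dst-port=3389 \
    src-address-list=rdp-allowed action=accept comment="RDP from allowed external addresses"
add chain=forward connection-nat-state=dstnat protocol=tcp dst-port=3389 \
    src-address-list=rdp-internal action=accept comment="RDP hairpin from internal subnets"
add chain=forward connection-nat-state=dstnat action=drop comment="Drop all other forwarded ports"

/ip firewall mangle
# The fix mentioned earlier in the thread for RDP giving a black screen across a VPN:
# clear the DF bit on RDP so the router can fragment packets that exceed the tunnel MTU.
add chain=forward protocol=tcp dst-port=3389 action=clear-df comment="Clear DF for RDP (VPN MTU)"
```

The change that makes hairpin work is the dstnat rule keyed on the public address instead of in-interface=ether1: a LAN client connecting to 203.0.113.10 hits that rule on the way in, and the extra srcnat rule then masquerades it so the server sees the router's LAN address and replies through it. Watch the packet counters on the dstnat rule and on the hairpin srcnat rule while connecting from inside; if only the first one increments, the return path is the problem. The filter rules are there because a bare dst-nat to 3389 exposes RDP to the whole internet; restrict src-address-list=rdp-allowed to the networks that genuinely need it.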