Hi there

I am new to Mikrotik and I think they are really great devices. We are switching to them exclusively at work. My apologies if this is a dumb question I really appreciate the help.

I am trying to RDP/ port forward to two workstations on the same network.

I have done this on another router by using two different service ports.

So I will RDP to 154.xxx.xxx.xxx:62456 which will forward to internal IP 192.168.1.xx1 and then use 154.xxx.xxx.xxx:62457 which will forward to 192.168.1.xx2

I have tried to set this up in a Mikrotik but only the first NAT rule works. The second rule will not work.

I assume I have done something wrong:

I didnt quite understand your setup?
If you wist to use a non-standard RDP port and then port translate that to the standard RDP port of 3389, I have provided a sample A below. This sample also assumes that there is only one RDP server (pc) on the LAN.

Example A.
1. Forward Chain Filter rule.
add action=accept connection-state=new connection-nat-state=dstnat in-interface=eth1-wan.

2. NAT rule
add action=dstnat chain=dst-nat protocol=tcp dst-port=xyxyxyx in-interface=eth1-wan to-address=lanServerIP to-ports=3389
add action=dstnat chain=dst-nat protocol=tcp dst-port=ztztzt in-interface=eth1-wan to-address=lanServerIP to-ports=3389

Your ports xyxyxyx and ztztzt will show up on scans as visible but closed.
If you know the external WANIPs that are allowed access you can add a source address list to the NAT rules and then those ports would not be visible on scans.

Regardless RDP is a much hacked service and it would be far better to have those folks VPN into your router and then RDP to the server.


Example B. Here, I assume that you want to use non-standard ports with no translation required. Also assume that each RDP goes to a different PC/server.
NAT rule
add action=dstnat chain=dst-nat protocol=tcp dst-port=xyxyxyx in-interface=eth1-wan to-address=lanServerIP1
add action=dstnat chain=dst-nat protocol=tcp dst-port=ztztzt in-interface=eth1-wan to-address=lanServerIP2

Those look right.

Hi Anap

Thank you for your in depth reply.

The reason I am trying to RDP in with a non standard port is simply so I can RDP to two separate pcs on the same network.

So I RDP to one computer with xxx.xxx.xxx.xxx:12345 and to another computer with xxx.xxx.xxx.xxx:12346.

The port forwarding then forwards to the PC IP with port 3389.

I have done this successfully on a different brand router but Im doing something wrong in the Mikrotik as the first forward works fine but the second will not connect.

The goal is to eventually move them onto OpenVPN which will be setup on the router. This is a workaround for now.

Thank you for your time.

OVPN has been "Broken" on Mikrotik for as long as I have been working on Tiks.

IPSec works well.

You should do an export of your firewall. As I stated above... your PAT (Port Address Translation) in the NAT chain "looked right".

If that is the case the proper setup is......
NAT rule
add action=dstnat chain=dst-nat protocol=tcp dst-port=xyxyxyx in-interface=eth1-wan to-address=lanServerIP1 to-ports=3389
add action=dstnat chain=dst-nat protocol=tcp dst-port=ztztzt in-interface=eth1-wan to-address=lanServerIP2 to-ports=3389

@anav: Give it a break with in-interface, dst-address is fine.

And when something doesn't work, find out what exactly happens. The most simple test in this case would be to forward the other port (which doesn't work) to same machine where the first port (which works) is forwarded to. If the connection will work then, it would be clear indication that the rule and other router config is fine and it's something on the other machine, most likely RDP port blocked by its firewall. If it won't work either, then there are other things to check, first look at dstnat rule's counter, if it increases (= there are incoming packets), then you can add logging rules in other chains (forward, postrouting) to see if packets are passing through as they should. And then you can do the same for reverse direction, to see replies. It's nothing complicated.

Do UDP as well as TCP, it goes faster.

@anav: Give it a break with in-interface, dst-address is fine.

Sorry I usually talk myself through config rules.
Where are you coming from my sweet little packet and so forth.
Is there a situation where stating in-interface=eth-1 wan could be a problem (not including multi-wan setups)??

- Can you RDP to the 2nd machine from inside the LAN? If not, then check Windows firewall. If you can, check if firewall is limited to LAN only or something like that.
- Use Torch on wan interface. You should see your RDP packets coming in the wan interface, then torch again on the lan and you should see them going to the PC. And vice versa, you should see the replies.
- Turn off windows firewall temporarily to troubleshoot.

@anav: Give it a break with in-interface, dst-address is fine.

Sorry I usually talk myself through config rules.
Where are you coming from my sweet little packet and so forth.
Is there a situation where stating in-interface=eth-1 wan could be a problem (not including multi-wan setups)??

Yes...

Because its lazy and does not allow for local loop back. So you don't have to have home and away in your apps.

I figured it out. I did not "allow remote control" in windows on the second PC.

My shame is eclipsed only by my will to die.