johnb175
just joined
Topic Author
Posts: 16
Joined: Mon Nov 02, 2020 11:57 pm

RDP brute force prevention...

Tue Jul 05, 2022 11:53 pm

I have a case for someone who refuses to use a VPN and wants one RDP port accessible from the internet. I was trying to implement the brute force prevention firewall rules listed here. While testing, when I initiate the first attempt the IP gets added to stage1 and stage2 immediately. When I initiate the second attempt it gets added to stage3 and blacklist. I am not sure why it's getting added to two lists upon each attempt. It should add to stage1 on the first attempt, then stage2 on the second attempt, and so on. Any ideas why this may be happening? I've moved the rules to the top of the firewall list to make sure no other rules were interfering. I have one dst-nat rule that forwards port 3393 on the WAN to 3389 on the LAN, which works correctly. Any help would be greatly appreciated.
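For reference, here is the staged address-list scheme the post refers to, written out for a dst-nat'ed RDP port. This is an added example and not the original poster's configuration or the wiki page's text; the WAN interface ether1, the public port 3393 and the RDP host 192.168.88.10:3389 are assumptions matching the description above. Two things are worth checking against whatever is on the router: the order of the rules, because add-src-to-address-list passes the packet on to the following rules by default and a wrongly ordered set will move one SYN through several stages at once, and that the forward-chain rules match the translated port 3389 rather than the public port 3393.

```routeros
# Added example, not code from the original post or the MikroTik wiki page it
# refers to. Assumed values: WAN interface ether1, public port 3393 forwarded
# to the RDP host 192.168.88.10 on 3389. Adjust both to the real setup.

/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3393 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=3389 comment="RDP in"

/ip firewall filter
# The forward chain sees the packet after dst-nat, so match the translated
# destination 192.168.88.10:3389, not the public port 3393.
# connection-nat-state=dstnat restricts the match to connections that came
# in through a dst-nat rule, i.e. from the internet side.

# 0. Sources that must never be locked out (assumed list rdp_trusted, e.g. the
#    customer's office). Leave this out if no such list exists.
add chain=forward protocol=tcp dst-address=192.168.88.10 dst-port=3389 \
    connection-nat-state=dstnat src-address-list=rdp_trusted action=accept \
    comment="RDP: trusted sources bypass the counters"

# 1. Drop blacklisted sources before they reach the counting rules.
add chain=forward protocol=tcp dst-address=192.168.88.10 dst-port=3389 \
    connection-nat-state=dstnat src-address-list=rdp_blacklist action=drop \
    comment="RDP: drop blacklisted"

# 2-5. Promotion rules, highest stage first. add-src-to-address-list does not
#    stop rule processing (passthrough=yes is the default), so the same SYN is
#    still evaluated by the rules below it. If the stage1 rule sat above the
#    stage2 rule, one SYN would be added to rdp_stage1 and then, now matching
#    src-address-list=rdp_stage1, to rdp_stage2 as well. With the highest stage
#    first, a source can advance only one stage per new connection.
add chain=forward protocol=tcp dst-address=192.168.88.10 dst-port=3389 \
    connection-nat-state=dstnat connection-state=new src-address-list=rdp_stage3 \
    action=add-src-to-address-list address-list=rdp_blacklist address-list-timeout=1d \
    comment="RDP: stage3 -> blacklist"
add chain=forward protocol=tcp dst-address=192.168.88.10 dst-port=3389 \
    connection-nat-state=dstnat connection-state=new src-address-list=rdp_stage2 \
    action=add-src-to-address-list address-list=rdp_stage3 address-list-timeout=1m \
    comment="RDP: stage2 -> stage3"
add chain=forward protocol=tcp dst-address=192.168.88.10 dst-port=3389 \
    connection-nat-state=dstnat connection-state=new src-address-list=rdp_stage1 \
    action=add-src-to-address-list address-list=rdp_stage2 address-list-timeout=1m \
    comment="RDP: stage1 -> stage2"
# The unconditional rule goes last: every new connection lands in (or
# refreshes) stage1.
add chain=forward protocol=tcp dst-address=192.168.88.10 dst-port=3389 \
    connection-nat-state=dstnat connection-state=new \
    action=add-src-to-address-list address-list=rdp_stage1 address-list-timeout=1m \
    comment="RDP: new connection -> stage1"
```

Keep the block at the top of the forward chain, as the original poster did, so nothing accepts the connection before it is counted. Note what is actually being counted: the router sees TCP connections, not failed logons, so four new connections from one source within the one-minute windows blacklist it whether the logins succeeded or not, and a legitimate user who reconnects a few times in quick succession trips it too. Size the stage timeouts, and the trusted list, with that in mind.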
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: RDP brute force prevention...

Tue Jul 05, 2022 11:55 pm

Consider port knocking to avoid the need to expose the RDP port at all; there is no need to draw the attention of scanning bots.
 
johnb175
just joined
Topic Author
Posts: 16
Joined: Mon Nov 02, 2020 11:57 pm

Re: RDP brute force prevention...

Wed Jul 06, 2022 12:01 am

I've used port knocking at other sites successfully, but this particular person remotes in from laptops and phones, and I don't believe port knocking is an option for a phone. This was at least some protection to stop brute force attempts.
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: RDP brute force prevention...

Wed Jul 06, 2022 12:30 am

johnb175 wrote:
> I've used port knocking at other sites successfully, but this particular person remotes in from laptops and phones, and I don't believe port knocking is an option for a phone. This was at least some protection to stop brute force attempts.

There are applications for desktop and mobile that make it easy to do the port knocking from the client side.
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: RDP brute force prevention...

Thu Jul 07, 2022 2:38 am

If you need port knocking and can't or won't use an application, you can set up bookmarks in your favorite browser. Example: knock 1 = http://url:12354 and knock 2 = http://url:54312. The person points the browser at knock 1, waits a couple of seconds and stops it, and then points it at knock 2. Obviously you can set up as many stages as you want, and the actual addresses as appropriate.
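The router side of the browser-bookmark knock described above, as an added example that is not part of any post in this thread. It assumes the WAN interface ether1, the two knock ports from the example (12354 then 54312), and the RDP forward from public port 3393 to 192.168.88.10:3389; all of those are assumptions to adjust. The point is that the RDP dst-nat rule only exists for sources that completed the knock, so for everyone else the public port is simply closed.

```routeros
# Added example, not code from the original posts. Two-stage TCP port knock in
# RouterOS for a forwarded RDP port. Assumed values: WAN interface ether1,
# knock ports 12354 then 54312, RDP forwarded from public 3393 to
# 192.168.88.10:3389. Adjust to the real setup.

/ip firewall filter
# Knock 1: a new TCP connection to 12354 from the WAN puts the source into
# knock_stage1 for 10 seconds. The knock ports are never accepted, so a
# scanner sees them as closed.
add chain=input in-interface=ether1 protocol=tcp dst-port=12354 connection-state=new \
    action=add-src-to-address-list address-list=knock_stage1 address-list-timeout=10s \
    comment="knock 1"
# Knock 2: only a source that is still in knock_stage1 may complete the
# sequence; it is then allowed to reach RDP for 4 hours.
add chain=input in-interface=ether1 protocol=tcp dst-port=54312 connection-state=new \
    src-address-list=knock_stage1 \
    action=add-src-to-address-list address-list=knock_open address-list-timeout=4h \
    comment="knock 2 -> open"
# Drop the knocks themselves (add-src-to-address-list passes the packet on by
# default). Keep these three rules above any generic "drop input from WAN" rule.
add chain=input in-interface=ether1 protocol=tcp dst-port=12354,54312 action=drop \
    comment="drop knocks"

/ip firewall nat
# Forward RDP only for sources that completed the knock. For everyone else no
# dst-nat rule matches, so public port 3393 is closed. Put this above any
# other dst-nat rule for port 3393.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3393 src-address-list=knock_open \
    action=dst-nat to-addresses=192.168.88.10 to-ports=3389 \
    comment="RDP for knocked sources only"
```

Usage from the client: open http://public-ip:12354 in the browser, then http://public-ip:54312 within 10 seconds, then connect the RDP client to public-ip:3393. The browser will retransmit the SYN for knock 1 for a while after the page is stopped; here that only refreshes knock_stage1, which is why this example does not reset the sequence on an out-of-order knock (a stricter variant would be defeated by those retransmissions). Because the opening is keyed on the source address, a phone behind carrier-grade NAT opens the port for everyone sharing that public address for the 4-hour window, so keep the timeout short. The dst-nat decision is made per connection, so an RDP session that is already open keeps working after the knock_open entry expires.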
 
anav
Forum Guru
Posts: 19371
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RDP brute force prevention...

Thu Jul 07, 2022 4:03 am

I use WireGuard on my iPhone; it is easy and it works.
 
BrateloSlava
Member Candidate
Posts: 170
Joined: Mon Aug 09, 2021 10:33 am
Location: Ukraine, Kharkiv

Re: RDP brute force prevention...

Thu Jul 07, 2022 10:11 am

To be honest, it is useless to fight, with the means of RouterOS, against attempts to penetrate through redirected ports. IMHO, of course. I forced everyone to use VPN via L2TP / SSTP / ... Otherwise, all the protection work turned into hell. After connecting to the VPN, users are limited, depending on their VPN profile, to the list of internal network resources they may access.
