Posted: Wed Sep 14, 2011 4:53 Post subject: RDP works locally with external IP but not remotely
I have an Asus RT-N16 with Firmware DD-WRT v24-sp2 (08/12/10) mega running fine.
About 6 months ago, I had port forwarding for RDP working well from my previous job back to home where I had also restricted the external IP with these commands -
My problem now is that I cannot get RDP to work from the outside (I tried multiple locations using the same laptop) anymore even though I have restarted the router and have since removed the above commands and have verified that these settings are no longer in the iptables.
RDP using my external public static IP and DD-WRT forwarded port works fine from inside my house, as does PPTP, but I cannot get either to work from the outside using the same machine and .rdp connection file that uses the external IP address.
I am running my Westell DSL modem in bridge mode with no DHCP, and the DD-WRT router does the PPPoE login and manages DHCP.
In my DD-WRT network setup, the Router IP / Local IP is set to 192.168.1.1, though Status shows my correct public WAN IP address. This is how it was set up when it was working previously.
I have also used the "Shields Up" website to verify that my external IP has the specified port open that is forwarded to my RDP machine at 3389.
Any ideas why I cannot get RDP or PPTP to work from the outside but both work from the inside? Or other things I can try?
I don't want to try OpenVPN if I can't get these simpler setups to work.
I'm likely doing/not doing something simple but stupid, but for the life of me I cannot figure out what, after double-checking many times.
I am using the DD-WRT GUI. When I had setup the access restrictions as to what IP could RDP in, there was no GUI aspect to set that. It would be really nice if there was. In any event, that was then, this is now. Are you suggesting I use it for something in particular besides port forwarding? Thanks!
Posted: Thu Sep 15, 2011 4:32 Post subject: Could the problem be the firewall blocked edge traversal?
Could the problem be the Win7 firewall blocked edge traversal? I changed the Win7 firewall to allow edge traversal from inbound connections but cannot try this till tomorrow...
Here is some info from my router where xx.xxx.xxx.46 is my public WAN -
Hey guys, please help. Is there anything in there that says internal gets to work but not external connections, that might be left over from when I was restricting the incoming IP? I'm pretty computer savvy, but I don't see anything wrong, although I'm not so good at iptables.
Joined: 26 Jan 2008 Posts: 13049 Location: Behind The Reset Button
Posted: Tue Sep 20, 2011 17:53 Post subject:
The newer builds have a field in Port Forwarding / Port Range Forwarding called Source Net.
Source Net is the IP or IP range (WAN) that you will allow to be forwarded. You no longer need to make your own iptables rules to allow one WAN IP and block the rest.
If Source Net is left blank, any WAN IP will be forwarded, assuming it is being requested: <wan.ip>:3389
If Source Net is filled in, only that WAN IP or IP range will be forwarded. Not your WAN IP, but the WAN IP of the client requesting the port.
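The following is an added example, not code from the thread or from the DD-WRT project. It audits an `iptables-save` dump for a forwarded port the way the original poster was trying to do by eye: it reports whether the DNAT rule for the port carries a `-s` source restriction (what a filled-in Source Net field is assumed to correspond to; a blank field is assumed to produce a DNAT with no `-s`), and whether leftover hand-written FORWARD rules still accept only one source and drop everyone else, which would explain "works from the LAN, fails from outside" even after the DNAT looks open. The ruleset embedded below is constructed for the example; the exact chains and options DD-WRT generates are an assumption, not taken from the thread. The addresses 203.0.113.46, 198.51.100.10 and 192.168.1.50 are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): audit an iptables-save dump
# for a port forward and any leftover source restrictions on it.
# Uses only POSIX sh and awk, so it also runs on a busybox router shell.

# Constructed sample ruleset (an assumption about what DD-WRT emits):
#  - 3389: DNAT with no -s (blank Source Net), but hand-written FORWARD rules
#          that accept one WAN client and DROP everyone else.
#  - 1723: DNAT with -s (filled-in Source Net), FORWARD accepts any source.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 203.0.113.46/32 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.1.50:3389
-A PREROUTING -s 198.51.100.10/32 -d 203.0.113.46/32 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 192.168.1.50:1723
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -s 198.51.100.10/32 -d 192.168.1.50/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -d 192.168.1.50/32 -p tcp -m tcp --dport 3389 -j DROP
-A FORWARD -d 192.168.1.50/32 -p tcp -m tcp --dport 1723 -j ACCEPT
COMMIT'

# dnat_source PORT  (rules on stdin)
# Prints the -s value of each DNAT rule for --dport PORT, or "any" if the
# rule has no source match.
dnat_source() {
    awk -v port="$1" '
        /-j DNAT/ && $0 ~ ("--dport " port " ") {
            src = "any"
            for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
            print src
        }'
}

# forward_reach DEST_IP PORT  (rules on stdin)
# Walks the FORWARD rules that match DEST_IP:PORT in order and prints:
#   open              first matching rule accepts from any source
#   restricted-to:X   only source(s) X are accepted before a catch-all DROP
#                     (or before the chain ends)
#   dropped           a catch-all DROP/REJECT with no prior ACCEPT
#   default           no matching rule; the chain policy decides
forward_reach() {
    awk -v dst="$1" -v port="$2" '
        /^-A FORWARD / && index($0, "-d " dst "/32") && $0 ~ ("--dport " port " ") {
            src = "any"; verdict = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") verdict = $(i + 1)
            }
            if (verdict == "ACCEPT" && src == "any") { out = "open"; exit }
            if (verdict == "ACCEPT") {
                allowed = (allowed == "" ? src : allowed "," src); next
            }
            if ((verdict == "DROP" || verdict == "REJECT") && src == "any") {
                out = (allowed == "" ? "dropped" : "restricted-to:" allowed); exit
            }
        }
        END {
            if (out == "") out = (allowed == "" ? "default" : "restricted-to:" allowed)
            print out
        }'
}

# classify PORT DEST_IP  (rules on stdin)
# One-line verdict combining the DNAT source match and the FORWARD outcome.
classify() {
    rules=$(cat)
    dnat=$(printf '%s\n' "$rules" | dnat_source "$1" | head -n 1)
    if [ -z "$dnat" ]; then
        echo "no-dnat"
        return
    fi
    fwd=$(printf '%s\n' "$rules" | forward_reach "$2" "$1")
    echo "dnat=$dnat forward=$fwd"
}

# Stand-alone demo over the constructed ruleset.
for p in 3389 1723 5900; do
    printf '%s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_RULES" | classify "$p" 192.168.1.50)"
done
```

On the router itself the same functions can be fed the live tables, for example `iptables-save > /tmp/rules.txt` followed by `classify 3389 192.168.1.50 < /tmp/rules.txt`. A result of `dnat=any forward=restricted-to:...` is the "open port but only one client gets through" leftover the earlier posts were asking about; a result of `dnat=<net> forward=open` is what a filled-in Source Net field is assumed to look like, which is the supported way to get that restriction instead of hand-written rules.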
Yeah, I saw that, and it is a nice feature. I don't know what the range/address to restrict is without getting an initial connection. Did you see anything weird in the iptables output that I posted, since this was working before I supposedly removed the original restriction? I guess I should just install the latest version and hope that clears up whatever is wrong with my current configuration. Thanks, Dave
Did you try the obvious and check the local Windows Firewall settings?
I just had one of these last month with a client who had half a dozen machines which suddenly had no RDP access from outside the LAN.
It was a Windows firewall rule that was set to only allow clients on the local subnet. Even though you are accessing the session via the WAN address, the source address is local and therefore allowed.
This firewall rule, it seemed, was pulled from a broken group policy setup.
Sorry if I am stating the obvious, but it may help eliminate one more thing.
Yes, but good suggestion, thanks. Since I'm going from work to home, my target machines are just part of my private home workgroup and not in a domain, so they are not subject to group policy. I'm allowing RDP on the home/private/work network and have an Inbound Rule for RDP enabled for all profiles, any local or remote address, any local or remote port, any user, any computer, TCP protocol only, and it allows edge traversal.
Anyone else have any ideas? Unfortunately I can't risk reloading this right now since we are both very dependent on internet access from home for a living. I guess I need to get a basic backup router if no one else has any ideas what could be wrong here...thanks!