
Author Topic: Settings for Windows remote desktop connection  (Read 6625 times)

costinruja

  • Guest
Settings for Windows remote desktop connection
« on: September 26, 2014, 11:17:59 AM »

Good evening,

I have a LAN computer with a fixed IP which is banned from accessing the internet with ACCESS CONTROL (block all). This machine works fine within the LAN, file sharing and remote desktop connection from other computers in the LAN. The internet connection is a PPPoE one. The ISP is providing a dynamic DNS service from which I can set up a domain name. I've set up on the router a virtual server using the RDP port and I can access this LAN computer from the outside ONLY when it has internet access. This is actually the problem. I want to block all outgoing/incoming traffic and all ports to this PC, BESIDES my RDP port. How can I do this? Is this done with port forwarding?

FurryNutz

  • Poweruser
  • Posts: 48374
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Settings for Windows remote desktop connection
« Reply #1 on: September 26, 2014, 11:30:19 AM »

Link>Welcome!

  • What Hardware version is your router? Look at sticker under the router case.
  • Link>What Firmware version is currently loaded? Found on the router's web page under Status.
  • What region are you located?


I presume that if you set up the router to Block ALL for this one particular PC, setting up any Virtual Server or PF will be inhibited by the Block All rule, or may not be possible in this configuration as it might present a conflict in the policies. You might try blocking some instead of all, or set up a schedule so that when you don't want the PC online or to have access, it won't during this time frame; when it does have access, then Virtual Server rules and RDP will be enabled and you'll have access during the time frame when the PC does have access.


Internet Service Provider and Modem Configurations
  • What ISP Modem Mfr. and model # do you have?
  • If the ISP modem has a built-in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems: Link>Double NAT and How NAT Works. To tell if the modem is bridged or not, look at the router's web page, Status/Device Info/WAN Section; if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged. If the modem can't be bridged then see if the modem has a DMZ option and input the IP address the router gets from the modem into the modem's DMZ.
"Nothing Funny about It...." We are not here to Impress anyone! You have to be a COMPETENT user first to understand COMPETENT help!

costinruja

  • Guest
Re: Settings for Windows remote desktop connection
« Reply #2 on: September 26, 2014, 12:00:43 PM »

Thanks for the hints !

Now for the answers.

1. I am not at my PC right now so I can't see what the hardware REV is.
2. The firmware is 1.06, downloaded from this very forum a few months ago, and it served me well.
3. Region is Romania, Bucharest to be specific.

I played a little with your emulator on support.dlink.com and came up with this kind of rule for access control
(see posted picture, 3389 is the RDP port). Do you think this will work?

Best regards,

Costin Ruja

FurryNutz

  • Poweruser
  • Posts: 48374
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Settings for Windows remote desktop connection
« Reply #3 on: September 26, 2014, 12:35:18 PM »

I think that should work after you reserve the IP address for the PC that you're RDPing to, and input that IP address for DEST IP Start and DEST IP End...
"Nothing Funny about It...." We are not here to Impress anyone! You have to be a COMPETENT user first to understand COMPETENT help!

PacketTracer

  • Level 4 Member
  • Posts: 434
Re: Settings for Windows remote desktop connection
« Reply #4 on: September 26, 2014, 01:53:42 PM »

Hi,

I guess this will not work: Say, your local RDP server has LAN IP address IP1. You want to allow your local RDP server (Src IP=IP1, proto=TCP, src port=3389) to send RDP reply data to any RDP client somewhere in the Internet (Dest IP=any, proto=TCP, dest port=any), and block anything else.

Since ACCESS CONTROL only allows rules for PROHIBITING instead of ALLOWING outgoing traffic, this would translate to the following four PROHIBITING rules:
  • Src IP=IP1, Src Port Start=0, Src Port End=65535, Proto=UDP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=65535
  • Src IP=IP1, Proto=ICMP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255
  • Src IP=IP1, Src Port Start=0, Src Port End=3388, Proto=TCP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=65535
  • Src IP=IP1, Src Port Start=3390, Src Port End=65535, Proto=TCP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=65535

While in these rules you can specify "Src IP=IP1" in STEP 3 (SELECT MACHINE) and the protocol and destination information in STEP 5 (PORT FILTER), unfortunately you cannot specify source port ranges of the form "Src Port Start - Src Port End". Hence it is not possible to formulate rules 3 and 4 above; only rules 1 and 2 are possible, because not being able to specify a source port range is irrelevant for ICMP (rule 2) and implicitly means "any" source port (Src Port Start=0, Src Port End=65535), which is the case for UDP (rule 1).

Hence to make it work for your scenario, you could only specify rules 1 and 2 (which disallows any UDP and ICMP traffic) but would have to allow any TCP traffic with the Internet (by not specifying any TCP rule with ACCESS CONTROL).

There is one thing left to improve the situation:

Given that RDP clients only use ports > 1023 (as they should), you could add a third ACCESS CONTROL rule of the following form:

Src IP=IP1, Proto=TCP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=1023

This would prevent your RDP server from reaching any well-known TCP ports < 1024 (like 80 or 443 for web servers) but still allow it to talk to RDP clients. Hence this rule is a good surrogate for rules 3 and 4 above, which cannot be formulated due to the limitations of your router.

To summarize, I would recommend the following three ACCESS CONTROLS:

  • Src IP=IP1, Proto=UDP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=65535
  • Src IP=IP1, Proto=ICMP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255
  • Src IP=IP1, Proto=TCP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=1023

This blocks almost any outgoing traffic from your RDP server to the Internet except to TCP ports > 1023, which is the range your RDP clients should use.

PT
« Last Edit: September 26, 2014, 02:56:26 PM by PacketTracer »
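The reply above reasons about what a deny-only ACCESS CONTROL list can and cannot express. The following is an added example (not D-Link code and not from anyone in the thread): a small Python model of the rule semantics as PacketTracer describes them, with a prohibit-only match and no source-port field. Run over a handful of constructed packets, it shows that the three recommended rules let the server's RDP replies out and stop UDP, ICMP and TCP to well-known ports, while leaving TCP to ports above 1023 open, which is exactly the residual gap the post accepts. The LAN address `192.168.0.50`, the 203.0.113.x (TEST-NET-3) destinations, and the `Rule`/`Packet` classes are all assumptions of this example, not values from the thread.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Rule:
    """One ACCESS CONTROL entry as the thread describes it: it only PROHIBITS,
    and there is no source-port field because the router cannot match on it."""
    src_ip: str
    proto: str            # "TCP", "UDP" or "ICMP"
    dst_start: str
    dst_end: str
    dport_start: int = 0  # ignored for ICMP
    dport_end: int = 65535


@dataclass(frozen=True)
class Packet:
    src_ip: str
    proto: str
    sport: int   # present in the packet, but no rule is able to look at it
    dst_ip: str
    dport: int


IP1 = "192.168.0.50"  # constructed LAN address of the RDP server (assumption)

# PacketTracer's three recommended rules, transcribed into the model.
RECOMMENDED = [
    Rule(IP1, "UDP", "0.0.0.0", "255.255.255.255", 0, 65535),
    Rule(IP1, "ICMP", "0.0.0.0", "255.255.255.255"),
    Rule(IP1, "TCP", "0.0.0.0", "255.255.255.255", 0, 1023),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet falls inside the rule's (deny) match fields."""
    if pkt.src_ip != rule.src_ip or pkt.proto != rule.proto:
        return False
    dst = IPv4Address(pkt.dst_ip)
    if not IPv4Address(rule.dst_start) <= dst <= IPv4Address(rule.dst_end):
        return False
    if rule.proto == "ICMP":
        return True            # ICMP has no ports; an address match is enough
    return rule.dport_start <= pkt.dport <= rule.dport_end


def is_allowed(rules, pkt: Packet) -> bool:
    """Deny-only policy: traffic passes unless some rule prohibits it."""
    return not any(matches(r, pkt) for r in rules)


def evaluate(rules, packets: dict) -> dict:
    """Map each sample packet name to True (allowed) or False (blocked)."""
    return {name: is_allowed(rules, p) for name, p in packets.items()}


def ideal_allowed(pkt: Packet) -> bool:
    """The policy the thread actually wants (rules 1-4, which need a source
    port): only the server's own replies from TCP/3389 may leave. The router
    cannot express this, which is why the surrogate rule set exists."""
    return pkt.src_ip != IP1 or (pkt.proto == "TCP" and pkt.sport == 3389)


# Constructed sample traffic; 203.0.113.0/24 is the TEST-NET-3 documentation range.
SAMPLE = {
    "rdp_reply":    Packet(IP1, "TCP", 3389, "203.0.113.7", 51234),
    "http_out":     Packet(IP1, "TCP", 49152, "203.0.113.8", 80),
    "https_out":    Packet(IP1, "TCP", 49153, "203.0.113.8", 443),
    "dns_out":      Packet(IP1, "UDP", 49154, "203.0.113.9", 53),
    "ping_out":     Packet(IP1, "ICMP", 0, "203.0.113.9", 0),
    "tcp_8080_out": Packet(IP1, "TCP", 49155, "203.0.113.8", 8080),
    "other_lan_pc": Packet("192.168.0.51", "TCP", 49156, "203.0.113.8", 80),
}

if __name__ == "__main__":
    for name, allowed in evaluate(RECOMMENDED, SAMPLE).items():
        gap = "" if allowed == ideal_allowed(SAMPLE[name]) else "  <- differs from ideal"
        print(f"{name:14s} {'ALLOWED' if allowed else 'blocked'}{gap}")
```

The `tcp_8080_out` row is the one worth watching: the recommended rules pass it, the ideal policy would not. That is the trade-off of the surrogate rule in practice, and a host firewall on the RDP server (as suggested later in the thread) is the natural place to close it.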

costinruja

  • Guest
Re: Settings for Windows remote desktop connection
« Reply #5 on: September 27, 2014, 05:41:03 AM »

Thanks for the info, but this is quite a hassle. I think I will use RDP only on the internal LAN.

Have a nice week,

Costin

PacketTracer

  • Level 4 Member
  • Posts: 434
Re: Settings for Windows remote desktop connection
« Reply #6 on: September 27, 2014, 06:00:50 AM »

Hi,

You could also use the host firewall of your RDP server to restrict communication to what you want to allow.

PT
« Last Edit: September 27, 2014, 11:53:56 AM by PacketTracer »

FurryNutz

  • Poweruser
  • Posts: 48374
  • D-Link Global Forum Moderator
    • Router Troubleshooting
Re: Settings for Windows remote desktop connection
« Reply #7 on: October 21, 2014, 07:16:33 AM »

If you need some remote desktop alternatives without having to hassle with router configurations, try this:
Link> teamviewer if you're interested. It's safe and secure.
"Nothing Funny about It...." We are not here to Impress anyone! You have to be a COMPETENT user first to understand COMPETENT help!