Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to block RDP access in 1:1 NAT setup

    Scheduled Pinned Locked Moved NAT
    25 Posts 4 Posters 2.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • HenryH
      Henry @johnpoz
      last edited by

      @johnpoz Rules.png

      I brought the rules up and it's blocking 3389, how to allow traffic for 27.50.90.200:6665?

      S 1 Reply Last reply Reply Quote 0
      • HenryH
        Henry
        last edited by

        @johnpoz did you see this update?

        1 Reply Last reply Reply Quote 0
        • S
          SteveITS Galactic Empire @Henry
          last edited by

          Given a 1:1 NAT setup you should be able to block traffic with a firewall rule on WAN that blocks traffic from * to 192.168.0.65:3389. Remember to block both TCP and UDP.

          If you're blocking that and also trying to allow traffic to WAN:6665 that is redirected to 192.168.0.65:3389 I don't know that you can block one and allow the other. Can you allow the connection by source IP? Perhaps VPN to pfSense?

          You could always change Windows to listen on another port besides 3389 but port scanners will find that eventually.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote ๐Ÿ‘ helpful posts!

          HenryH 1 Reply Last reply Reply Quote 0
          • HenryH
            Henry @SteveITS
            last edited by

            @teamits Thank you for the update. No I can't restrict it by source IP because of many different customers connect to that. Even if I change the default RDP port, it won't block the connection.

            1 Reply Last reply Reply Quote 0
            • HenryH
              Henry
              last edited by

              @johnpoz Dude I found a way to block the connection to WAN and allow it on Port forwarding.

              "Filter rule association" should set to pass for port forwarding, so all NAT traffic will pass without any rule and WAN is blocked by default.

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Why are you doing 1:1 nat if you want to do port forwarding? Just not understanding what your freaking trying to accomplish exactly to be honest. Not understanding the use case at all..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                HenryH 1 Reply Last reply Reply Quote 0
                • HenryH
                  Henry @johnpoz
                  last edited by

                  @johnpoz 1:1 NAT is for my web-server and I needs to access it by RDP, so direct RDP should be blocked and port forwarding allowed

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz

                    Why do you think you need 1:1 nat? Just do the port forwarding for the ports you need.. There is almost zero reason to do 1:1 nat unless your hosting someone else's server on an RFC1918.. 1:1 nat is for when you have so many ports you need to forward that is easier to just do 1:1. Or you have a whole block of public IPs and you want to do a range of 1:1 nat for a range of public to a range of rfc1918.

                    If all you want is rdp, then just forward that... How many other ports do you need open on this box that you want to do 1:1?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • HenryH
                      Henry
                      last edited by

                      I thought 1:1 NAT is easier to setup and also I can remember the setup later easily.

                      Secondly, outgoing traffic to the Internet originates from the associated external IP, helps for my reporting.

                      I only need HTTP & HTTPS on the box.

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        Well if you only need http and https, just forward those.. If your forward it on a VIP the return traffic will use that VIP to return the traffic.

                        If you want originating traffic from this box to use your vip - just do that with a outbound nat.

                        BTW opening up RDP, even if you change the port is a HORRIBLE idea.. Unless you can lock it to a specific source IP

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        S 1 Reply Last reply Reply Quote 0
                        • S
                          SteveITS Galactic Empire @johnpoz
                          last edited by

                          johnpoz said in How to block RDP access in 1:1 NAT setup:

                          if you only need http and https, just forward those

                          Or at least block all the other ports on the 1:1 NAT, because otherwise you're opening up file sharing, RPC, whatever else is listening on Windows on a LAN. Probably easiest to add a rule to allow HTTP/HTTPS and block the rest.

                          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                          Upvote ๐Ÿ‘ helpful posts!

                          HenryH 1 Reply Last reply Reply Quote 0
                          • HenryH
                            Henry @SteveITS
                            last edited by

                            @teamits Yes however "1:1 NAT maps all the external ports on that IP to the internal IP but you must still have firewall rules to allow the traffic to reach the local server."

                            https://forum.netgate.com/topic/75917/1-1-nat-vs-port-forwarding-when-to-use-each/3

                            1 Reply Last reply Reply Quote 0
                            • S
                              serbus
                              last edited by

                              Hello!

                              Port 6665 for remote access to your network seems odd, not because IRC is odd, but because that port has been so badly abused.

                              https://www.speedguide.net/port.php?port=6665

                              You might want to pick a "safer" port, unless that is not your intent...

                              John

                              Lex parsimoniae

                              HenryH 1 Reply Last reply Reply Quote 1
                              • HenryH
                                Henry @serbus
                                last edited by

                                @serbus Thank you, very good point!

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz

                                  Security though obscurity is not security... Opening up rdp to the public internet no matter what port is a BAD idea!!! If you want to rdp to this box, then vpn in and then do it.

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.