Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[costinruja]

Good evening,

I have a LAN computer with fixed IP which is banned from accessing the internet with ACCESS CONTROL (block all). This machine works fine within the LAN, file sharing and remote desktop connection from other computers in the LAN. The internet connection is a PPOE one.The ISP is providing a dynamic DNS service from which I can set up a domain name.I've set up on the router a virtual server using the RDP port and I can acces this LAN computer from the outside ONLY when it has internet access.This is actually the problem.I want to block all outgoing/ingoing traffic and all ports to this PC, BESIDES my RDP port.How can I do this ? Is this done with port forwarding ?

[FurryNutz]

Link>Welcome!

• What Hardware version is your router? Look at sticker under the router case.
• Link>What Firmware version is currently loaded? Found on the routers web page under status.
• What region are you located?

I presume if you set up the router to Block ALL for this one particular PC, That setting up any Virtual Server or PF will be inhibited by the Block All rule or may not be possible in this configuration as it might present a conflict in the policies. You might try blocking some instead of all or set up a schedule so that when you don't want the PC online or have access, it won't during this time frame, when it does have access, then Virtual Server rules and RDP will be enabled and you'll have access during this time frame when the PC does have access.


Internet Service Provider and Modem Configurations

• What ISP Modem Mfr. and model # do you have?
• If the ISP modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems: Link>Double NAT and How NAT Works. To tell if the modem is bridged or not, look at the routers web page, Status/Device Info/Wan Section, if there is a 192.168.0.# address in the WAN IP address field, then the modem is not bridged. If the modem can't be bridged then see if the modem has a DMZ option and input the IP address the router gets from the modem and put that into the modems DMZ.

[costinruja]

Thanks for the hints !

Now for the answers.

1.I am not at my PC right now so I can't see what the hardware REV is.
2.The firmware is 1.06 downloaded from this very forum a few months ago and it served me well.
3.Region is Romania, Bucharest to be specific.

I played a little with your emulator on support.dlink.com and came up with this kind of rule for access control
(see posted picture, 3389 is the RDP port). Do you think this will work ?

Best regards,

Costin Ruja

[FurryNutz]

I think that should work after you reserve the IP address for the PC that your RDPg too, and input that IP address for DEST IP Start and DEST IP End...

[PacketTracer]

Hi,

I guess this will not work: Say, your local RDP server has LAN IP address IP1. You want to allow your local RDP server (Src IP=IP1, proto=TCP, src port=3389) to send RDP reply data to any RDP client somewhere in the Internet (Dest IP=any, proto=TCP, dest port=any), and block anything else.

Since ACCESS CONTROL only allows rules for PROHIBITING instead of ALLOWING outgoing traffic, this would translate to the following four PROHIBITING rules:

• Src IP=IP1, Src Port Start=0, Src Port End=65535, Proto=UDP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=65535
• Src IP=IP1, Proto=ICMP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255
• Src IP=IP1, Src Port Start=0, Src Port End=3388, Proto=TCP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=65535
• Src IP=IP1, Src Port Start=3390, Src Port End=65535, Proto=TCP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=65535

While in these rules you can specify "Src IP=IP1" in STEP 3 (SELECT MACHINE) and the protocol and destination information in STEP 5 (PORT FILTER), unfortunately you cannot specify Source Port ranges of the form "Src Port Start - Src Port End". Hence it is not possible to formulate rules 3 and 4 above, only rules 1 and 2 are possible, because not being able to specify a source port range is irrelevant for ICMP (rule 2) and implicitly means "any" source port (Src Port Start=0, Src Port End=65535) which is the case for UDP (rule 1).

Hence to make it work for your scenario, you could only specify rules 1 and 2 (which disallows any UDP and ICMP traffic) but would have to allow any TCP traffic with the Internet (by not specifying any TCP rule with ACCESS CONTROL).

There is one thing left to improve the situation:

Given, RDP clients only use ports > 1023 (they should), you could add a third ACCESS CONTROL rule of the following form:

Src IP=IP1, Proto=TCP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=1023

This would prevent your RDP server to reach any well known TCP ports < 1024 (like 80 or 443 for web servers) but still allow it to talk to RDP clients. Hence this rule is a good surrogate for rules 3 and 4 above, which can not be formulated due to the limitations of your router.

To summarize, I would recommend the following three ACCESS CONTROLS:

• Src IP=IP1, Proto=UDP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=65535
• Src IP=IP1, Proto=ICMP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255
• Src IP=IP1, Proto=TCP, Dest IP Start=0.0.0.0, Dest IP End=255.255.255.255, Dest Port Start=0, Dest Port End=1023

This blocks almost any outgoing traffic from your RDP server to the Internet except to TCP ports >1023, which is the range, your RDP clients should use.

PT

[costinruja]

Thanks for the info, but this is quite a hassle.I think I will use RDP only on internal LAN.

Have a nice week,

Costin

[PacketTracer]

Hi,

you could also use the host firewall of your RDP server to restrict communication to what you want to allow.

PT

[FurryNutz]

If you need some remote desktop alternatives with out having to hassle with router configurations, try this:
Link> teamviewer if your interested. Its safe and secure.