What's new

Allow access to port only from certain remote IP's

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Harry D

New Around Here
I am using an Asus RT-AC88U and would like to restrict access to port 3389 (RDP). I would like to only allow certain remote (outside my local network) IP addresses to gain access. It appeared I could do this using Windows Firewall with Advanced Security and setting an inbound rule on Remote Desktop (TCP-In) but could not make it work. So I'm hoping I can do something on the router.

Thanks in advance for your help.

Harry
 
If you are forwarding port 3389 on your router then you can specify the source address as part of the forwarding rule.
 
Here is a screen cap of the port forwarding screen on my Asus RT-AC88U. I tried putting the IP of the PC making the RDP request in the Source Target cell. That did not work. Obviously I am missing something.

mbj5rw3
 

Attachments

  • Screen1.jpg
    Screen1.jpg
    49.5 KB · Views: 501
No, I mean "how" are you testing that it's blocking other IP addresses? Are you going to a different location, using mobile internet, etc.?

Or are you saying that you can't get access at all, even from the allowed address?
 
Ok, I tried making the Source Target to my cell phones IPv6 IP address 2600:1001:b02c:418b:4d9d:9e37:522a:5d07 and I was able to log in. If my local networks exposed IP address is 73.188.105.2 then why can't I use 73.188.105.2:25090 from within my local network to test?
 
Ok, I tried making the Source Target to my cell phones IPv6 IP address 2600:1001:b02c:418b:4d9d:9e37:522a:5d07 and I was able to log in.
As far as I know port forwarding only applies to IPv4 connections so I'm not sure how you managed to get the router to accept an IPv6 address on the port forwarding page.

If my local networks exposed IP address is 73.188.105.2 then why can't I use 73.188.105.2:25090 from within my local network to test?
If you test from within the same network the router will perform NAT loopback which does not simulate the same kind of connection path. You need to test from outside your network.
 
Colin,

Thanks so much for your replies. I will be at location tomorrow where I will be able to try and connect from a IPv4 address.
 
Colin, Thanks, everything is working fine now.

Deepcuts, I forgot about that website. I haven't used it in at least 15 years.

I would like to take this RDP access to the next level. Is there a way to have one pc on my network or vlan that would be turned on only when I'm on the road that could be isolated from the rest of my nework? It's only purpose would be to allow me to make changes to my router port forwarding setup so I could enter a new remote IP for the location where I am working. I figure that a hacker would first have to crack the PC's username and password then crack the router's username and password to do some damage. Again, this pc would only be on when I'm on the road which is not that often.
 
The most secure option would be to enable the OpenVPN server on the router and connect to that. That way there's no other devices required.

Of course that begs the question as to why you need port forwarding for RDP at all any more when you could do everything through OpenVPN.
 
The answer to the OpenVPN question is...I know how to do port forwarding for RDP but I'm totally ignorant when it comes to any other methods.
 
The answer to the OpenVPN question is...I know how to do port forwarding for RDP but I'm totally ignorant when it comes to any other methods.
It's really straight forward and the only sensible way of allowing remote access from the internet. Just follow the instructions for your router. Basically all to do is setup the username and password in the VPN server and then export the ovpn file. Then on your client device install the OpenVPN client and import the ovpn file you created. That's it. When you turn on the VPN client it connects to your home network.
 
Colin,

I did the following. I uploaded the client.ovpn file to my laptop. From there I have no idea what to do.
upload_2020-6-4_13-37-59.png
upload_2020-6-4_13-37-59.png
 

Attachments

  • upload_2020-6-4_13-41-44.png
    upload_2020-6-4_13-41-44.png
    304.1 KB · Views: 423
Ok, I did that and used my cell as a hotspot and was able to connect to a computer in my network with RDP. When I turned off the hotspot the RDP connection was lost. That's great. My last question would be, why don't hackers attack OpenVPN?
 
My last question would be, why don't hackers attack OpenVPN?
They do! However OpenVPN is one of the most widely used and scrutinised security products on the planet. Way more so than the router's built-in web server, or just about any Microsoft product.

That said, to avoid hackers constantly trying to log into your VPN server I suggest that you change the server's listening port from the default of 1194 to something randomly chosen between 5001 and 32767.

After changing that you will need to re-export the ovpn file and re-import it into your client.
 

Similar threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top