Allow access to port only from certain remote IP's

[Harry D]

I am using an Asus RT-AC88U and would like to restrict access to port 3389 (RDP). I would like to only allow certain remote (outside my local network) IP addresses to gain access. It appeared I could do this using Windows Firewall with Advanced Security and setting an inbound rule on Remote Desktop (TCP-In) but could not make it work. So I'm hoping I can do something on the router.

Thanks in advance for your help.

Harry

 

[ColinTaylor]

If you are forwarding port 3389 on your router then you can specify the source address as part of the forwarding rule.

 

[Harry D]

Here is a screen cap of the port forwarding screen on my Asus RT-AC88U. I tried putting the IP of the PC making the RDP request in the Source Target cell. That did not work. Obviously I am missing something.

 

[ColinTaylor]

How are you testing it?

 

[Harry D]

73.188.105.2:25090

 

[ColinTaylor]

No, I mean "how" are you testing that it's blocking other IP addresses? Are you going to a different location, using mobile internet, etc.?

Or are you saying that you can't get access at all, even from the allowed address?

 

[Harry D]

Ok, I tried making the Source Target to my cell phones IPv6 IP address 2600:1001:b02c:418b:4d9d:9e37:522a:5d07 and I was able to log in. If my local networks exposed IP address is 73.188.105.2 then why can't I use 73.188.105.2:25090 from within my local network to test?

 

[ColinTaylor]

Ok, I tried making the Source Target to my cell phones IPv6 IP address 2600:1001:b02c:418b:4d9d:9e37:522a:5d07 and I was able to log in.

As far as I know port forwarding only applies to IPv4 connections so I'm not sure how you managed to get the router to accept an IPv6 address on the port forwarding page.

If my local networks exposed IP address is 73.188.105.2 then why can't I use 73.188.105.2:25090 from within my local network to test?

If you test from within the same network the router will perform NAT loopback which does not simulate the same kind of connection path. You need to test from outside your network.

 

[Harry D]

Colin,

Thanks so much for your replies. I will be at location tomorrow where I will be able to try and connect from a IPv4 address.

 

[Deepcuts]

Just use https://www.grc.com/x/ne.dll?bh0bkyd2 for port testing

 

[Harry D]

Colin, Thanks, everything is working fine now.

Deepcuts, I forgot about that website. I haven't used it in at least 15 years.

I would like to take this RDP access to the next level. Is there a way to have one pc on my network or vlan that would be turned on only when I'm on the road that could be isolated from the rest of my nework? It's only purpose would be to allow me to make changes to my router port forwarding setup so I could enter a new remote IP for the location where I am working. I figure that a hacker would first have to crack the PC's username and password then crack the router's username and password to do some damage. Again, this pc would only be on when I'm on the road which is not that often.

 

[ColinTaylor]

The most secure option would be to enable the OpenVPN server on the router and connect to that. That way there's no other devices required.

Of course that begs the question as to why you need port forwarding for RDP at all any more when you could do everything through OpenVPN.

 

[Harry D]

The answer to the OpenVPN question is...I know how to do port forwarding for RDP but I'm totally ignorant when it comes to any other methods.

 

[ColinTaylor]

The answer to the OpenVPN question is...I know how to do port forwarding for RDP but I'm totally ignorant when it comes to any other methods.

It's really straight forward and the only sensible way of allowing remote access from the internet. Just follow the instructions for your router. Basically all to do is setup the username and password in the VPN server and then export the ovpn file. Then on your client device install the OpenVPN client and import the ovpn file you created. That's it. When you turn on the VPN client it connects to your home network.

 

[Harry D]

Colin,

I did the following. I uploaded the client.ovpn file to my laptop. From there I have no idea what to do.

 

[ColinTaylor]

You won't be using the VPN client on the router so you can delete that profile.

On the laptop you need to download and install some free OpenVPN client software.

Currently the Windows versions are,
Windows 7/8/8.1: https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.9-I601-Win7.exe
Windows 10: https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.9-I601-Win10.exe

Run the OpenVPN client and import the ovpn file. You can now choose to "connect".

 

[Harry D]

Ok, I did that and used my cell as a hotspot and was able to connect to a computer in my network with RDP. When I turned off the hotspot the RDP connection was lost. That's great. My last question would be, why don't hackers attack OpenVPN?

 

[ColinTaylor]

My last question would be, why don't hackers attack OpenVPN?

They do! However OpenVPN is one of the most widely used and scrutinised security products on the planet. Way more so than the router's built-in web server, or just about any Microsoft product.

That said, to avoid hackers constantly trying to log into your VPN server I suggest that you change the server's listening port from the default of 1194 to something randomly chosen between 5001 and 32767.

After changing that you will need to re-export the ovpn file and re-import it into your client.