VPN tunnels - general question

Old 27 October 2007, 03:21 PM
  #1  
spectrum48k
Scooby Regular
Thread Starter
 

I've successfully setup the new firewall appliance and everything is fine. All the computers on the LAN can access the internet, email, ping, FTP and remote desktop to other PCs on the LAN.

PROBLEM
The only thing I CANNOT do is remote desktop FROM the internet TO the computers on our LAN. I know the computers are setup for remote desktop as I used to do it with the old SonicWall, so I think it's a firewall 'rule'.

RULE #1
Any LOCAL computer can access any LOCAL computer's port 3389 (remote desktop) - I know this works, as I sat on the LAN and tried it.

QUESTION:
Once I connect via VPN and I'm allocated an IP address, does the firewall see my computer as if it were a local PC on the LAN ?

Could it be I need to create a new rule like this ?...

RULE #2
Any EXTERNAL computer can access any LOCAL computer's port 3389

This seems risky.

Any help or input appreciated
Old 27 October 2007, 03:25 PM
  #2  
boxst
Scooby Regular
 

Hello

Edit: As I didn't read the question!

Your VPN should allow that to work, unless it has been told to specifically block that port.

The easiest thing to do is use http://www.logmein.com . It is free, and generally works with or without VPN active.

Steve

Last edited by boxst; 27 October 2007 at 03:27 PM.
Old 27 October 2007, 03:39 PM
  #3  
spectrum48k
Scooby Regular
Thread Starter
 

Originally Posted by boxst
Hello

Edit: As I didn't read the question!

Your VPN should allow that to work, unless it has been told to specifically block that port.

The easiest thing to do is use http://www.logmein.com . It is free, and generally works with or without VPN active.

Steve
thanks Steve, but I'd really like to crack my problem as I know it's something I've overlooked.
Old 27 October 2007, 10:12 PM
  #4  
mike1210
Scooby Regular
 

Originally Posted by spectrum48k
Could it be I need to create a new rule like this ?...

RULE #2
Any EXTERNAL computer can access any LOCAL computer's port 3389

This seems risky.
It would be, but for this bear in mind each computer would need its own public IP address, which I assume you don't have.

LAN to LAN remote desktop will work, which I'd imagine is nothing to do with the Draytek firewall as I'm guessing (unless any VLANs are present) the Draytek firewall is only working as a perimeter firewall; in a sense it only controls what comes into the local network and what goes out to the external. Not sure if on the 2930 complex VLANs can be set up, but on the 2600 they couldn't; only total separation was allowed IIRC. I could be way off the mark here though.

To access the machines directly from outside port 3389 must be open to the external world.

Using a standard NAT (several internal addresses to one public address) the port must be re-directed to the relevant machine

With 1 IP address you only have one set of ports but this can be redirected on the external IP address, for example

192.168.1.xxx internal 80.224.35.223 public address

first rule re-direct 80.224.35.223:3389 to internal IP 192.168.1.10:3389
second rule re-direct 80.224.35.223:3390 to internal IP 192.168.1.11:3389

the external port is changed outside but re-directed inside to port 3389

when using remote desktop you would then need to type 80.224.35.223:3390 to tell the remote desktop program you are not using a standard port.

Using the Draytek VPN facilities I imagine you could use IPSec VPN to get onto the local network and then remote into the relevant machine. This I never dabbled with on my 2600, but it could/should be possible.

the VPN computer would be assigned 192.168.2.xxx for example and the local network would be 192.168.1.xxx
Old 27 October 2007, 10:19 PM
  #5  
mike1210
Scooby Regular
 

DrayTek Vigor2930

have a look here on firewall rules there is a tick box Apply IP filter to VPN incoming packets

port re-direction is in the NAT interface. I think open ports may also need to be looked at unless using VPN; having 2 WANs will also make this more tricky.

Last edited by mike1210; 27 October 2007 at 10:24 PM.
Old 27 October 2007, 10:21 PM
  #6  
mike1210
Scooby Regular
 

Vigor Router FAQ

take a look here also

and here

DrayTek UK Forum :: Index

Last edited by mike1210; 27 October 2007 at 10:24 PM.
Old 30 October 2007, 01:14 AM
  #7  
spectrum48k
Scooby Regular
Thread Starter
 

Thanks Mike

Ok, so I'm still stuck - I can VPN no problem, but I can't get DNS or remote desktop.

Note: if I tell the Draytek to only use the rules I've given it to allow access, I CANNOT remote desktop.

If I tell the Draytek to ignore the rules I've given it, I CAN do everything I need.

The conclusion is that I'm missing a rule somewhere for some port(s). At present I've got

HTTP, HTTPS, DNS, FTP, POP3, SMTP, RDP and PING

I've created a syslog, and during the failed attempts to remote desktop it keeps mentioning "netbios-ns", so I've done some homework on netbios-ns, which apparently is UDP 137, and it's quite alarming! ;-) I don't have any rules to cater for netbios-ns. Do you think this could be the problem? Do you have any rules to cater for it?

Last edited by spectrum48k; 30 October 2007 at 01:17 AM.
Old 30 October 2007, 01:26 AM
  #8  
Sonic'
Scooby Regular
 

Yes, it is usually in the block rules by default on the Vigors,

in the Firewall, Filter Setup, Default Data Filter

xNetBios -> DNS, but that is only outbound; there doesn't seem to be one blocking for inbound.

We have had some issues lately with one Vigor router and VPN, in that we can have the user work and see everything but her phone doesn't work (3com NBX100 system), or we can get her phone working but then her network won't. We know it's a problem with the VPN too.
Old 30 October 2007, 02:21 AM
  #9  
unfeasablylargegonads
Scooby Regular

and watch out for MTU issues: as you are encapsulating traffic in IPSec the MTU of the traffic is lower, so watch out how the firewall handles PMTU discovery/some ICMP (it's not just ping you know) and fragments. Plenty of Google info out there if needed.
Old 30 October 2007, 09:10 AM
  #10  
mike1210
Scooby Regular
 

are you trying to remote desktop by IP address or host name ?????
Old 30 October 2007, 12:55 PM
  #11  
spectrum48k
Scooby Regular
Thread Starter
 

Originally Posted by mike1210
are you trying to remote desktop by IP address or host name ?????
both

both work when I tell the Draytek by default to let everything through the firewall

both fail when I tell the Draytek to abide by my rules only
Old 30 October 2007, 01:04 PM
  #12  
spectrum48k
Scooby Regular
Thread Starter
 

All my firewall rules are based on LAN > WAN
I only need to remote desktop from the VPN connection, so I'm *assuming* I don't need any WAN > LAN rules ?

When you connect via VPN, you're connected to the firewall's LAN interface, aren't you ?

Last edited by spectrum48k; 30 October 2007 at 04:17 PM.
Old 30 October 2007, 05:46 PM
  #13  
mike1210
Scooby Regular
 

I may know what's happening here

so rules you have set up are firstly

block if no further match yes? then allow the outgoing ports to the outside world

so outgoing

block if no further match
pass tcp port 80
pass tcp port 443
pass tcp port 3389
etc

what you may need to do is add another rule for incoming remote desktop traffic; the firewall rule will still be in the outgoing direction though

so source port would be 3389 TCP, destination would be any port over 1024 TCP

if the firewall is as above this would be needed as all the outward ports are blocked except 80, 443 etc

The user would connect from another client port, e.g. 2034, so the connection is blocked

that may be it anyways, it depends on if VPN is treated as external traffic, give that a whirl though

Last edited by mike1210; 30 October 2007 at 06:28 PM.
Old 30 October 2007, 06:53 PM
  #14  
spectrum48k
Scooby Regular
Thread Starter
 

Originally Posted by mike1210
I may know what's happening here

so rules you have set up are firstly

block if no further match yes? then allow the outgoing ports to the outside world

so outgoing

block if no further match
pass tcp port 80
pass tcp port 443
pass tcp port 3389
etc

what you may need to do is add another rule for incoming remote desktop traffic; the firewall rule will still be in the outgoing direction though

so source port would be 3389 TCP, destination would be any port over 1024 TCP

if the firewall is as above this would be needed as all the outward ports are blocked except 80, 443 etc

The user would connect from another client port, e.g. 2034, so the connection is blocked

that may be it anyways, it depends on if VPN is treated as external traffic, give that a whirl though
but if I open up the WAN interface like that, it'll let anyone RDP to the workstations on the LAN ? And because DNS, ping, etc... doesn't work either, I'd need to do the same for that ?

I'm sure this is a bug in the firmware. The VPN connection should connect to the LAN interface, surely? Then it would simply act like a device on the LAN.
Old 30 October 2007, 07:06 PM
  #15  
mike1210
Scooby Regular
 

Originally Posted by spectrum48k
but if I open up the WAN interface like that, it'll let anyone RDP to the workstations on the LAN ? And because DNS, ping, etc... doesn't work either, I'd need to do the same for that ?

I'm sure this is a bug in the firmware. The VPN connection should connect to the LAN interface, surely? Then it would simply act like a device on the LAN.
Only if the port had been re-directed in the NAT interface, otherwise the TCP SYN packet would be rejected and the connection wouldn't complete. I assume a NAT is being used here?

I'm not sure how the VPN works on the Draytek, but I did have to do similar to remote desktop on my 2600 as I also limited outgoing traffic on the LAN > WAN.

I suppose yes, when VPN'd in you are on the LAN, but what is the address range you are being assigned by the Draytek? Is it on the same subnet as the LAN machines, i.e. 192.168.1.xxx?

so yes, the rules I posted above were from that, but the VPN may need a similar rule added if it's being treated as WAN traffic or on a different subnet.

Firmware has always been an issue on the Drayteks, many people on overclockers have had problems with their firmware and hate Draytek with a passion (main things were buggy firmware and features that didn't really work, WDS etc)

I loved my 2600 to be fair though, rock solid and never missed a beat

http://www.draytek.streamlinenettria...ekNatMovie.mpg

check

Last edited by mike1210; 30 October 2007 at 07:10 PM.
Old 30 October 2007, 11:47 PM
  #16  
spectrum48k
Scooby Regular
Thread Starter
 

thanks Mike, really appreciate your input - so much appreciated - I can't get any type of support from them

Think I'll do as you say and create a WAN > LAN rule that lets any IP access any LAN IP on port 3389
Old 31 October 2007, 09:28 AM
  #17  
mike1210
Scooby Regular
 

Originally Posted by spectrum48k
thanks Mike, really appreciate your input - so much appreciated - I can't get any type of support from them

Think I'll do as you say and create a WAN > LAN rule that lets any IP access any LAN IP on port 3389
no it's LAN to WAN

after the rules you have added

Outgoing

Source port 3389 TCP
Destination port > 1024 TCP

remember as you've limited outgoing traffic you need to create firewall rules for both ways. I know the connection is WAN > LAN but the above rule allows a path back to the originating machine hence LAN > WAN

if this doesn't work take screen dumps of your firewall rules if possible :-)
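A small stateless packet-filter model of the LAN > WAN rule set described in posts #13 and #17 (an added example, not code from the thread or from DrayTek; every rule, port and packet below is constructed for illustration). It shows the workstation's RDP reply being dropped by the block-if-no-match policy, passing once the source-port-3389 rule is added, and what else that rule lets out.

```python
# Added example: a toy stateless packet filter modelling the outgoing (LAN > WAN)
# rule set from the thread. Not DrayTek code; ports and rules are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    proto: str = "any"
    src_port: Optional[range] = None     # None means any source port
    dst_port: Optional[range] = None     # None means any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.src_port is None or p.src_port in self.src_port)
                and (self.dst_port is None or p.dst_port in self.dst_port))


def evaluate(rules: List[Rule], p: Packet, default: str = "block") -> str:
    """First matching rule wins; no match falls through to 'block if no further match'."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


# Outgoing rules as posted: only the listed destination ports leave the LAN.
OUTGOING = [Rule("pass", "tcp", dst_port=range(p, p + 1)) for p in (80, 443, 3389)]

# Return-path rule from post #17: source port 3389 TCP, destination port > 1024 TCP.
RETURN_PATH = Rule("pass", "tcp", src_port=range(3389, 3390), dst_port=range(1025, 65536))

# Workstation's SYN/ACK back to the VPN client's ephemeral port (2034 in the thread).
RDP_REPLY = Packet("tcp", src_port=3389, dst_port=2034)

# A brand-new outbound connection that happens to use source port 3389 (constructed).
NEW_FROM_3389 = Packet("tcp", src_port=3389, dst_port=4444)


def verdicts(rules: List[Rule]) -> dict:
    """Verdict per packet under a given rule set, for comparison before/after the fix."""
    return {"rdp_reply": evaluate(rules, RDP_REPLY),
            "new_from_3389": evaluate(rules, NEW_FROM_3389)}
```

The second verdict is the caveat: a source-port-based allow also passes new outbound connections from port 3389 to any high port, which is why a filter that tracks established connections is preferable to a stateless return-path rule.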
Old 31 October 2007, 06:32 PM
  #18  
spectrum48k
Scooby Regular
Thread Starter
 

all done! ;-)

the only thing I don't like is, surely any incoming VPN to the firewall connects to the LAN interface and is therefore subject to the same firewall rules as the LAN users ? I'm sure that's how the SonicWalls operate.

The Draytek method seems illogical (captain)

I also seem to get more intermittent dropped connections when VPNing into the Draytek box compared to say the SonicWall