Forwarding Ports during Offsite Virtualization – Knowledge Base

RDP Forwarding

Rdp / November 12, 2016

Hello all! This is my first time posting here so please be gentle:)

We are running into an odd issue with port forwarding that I am going to try to describe clearly. If I leave anything out, please feel free to ask for more info.

We have many Mikrotiks all over the US deployed as gateway routers. At many of these locations we have internal resources that need to be accessed via RDP. For example we have a customer (we are an MSP) that has about 40 locations, each with a server. What we do is create a firewall rule that allows RDP on 3389, but only from specific source IP addresses. Something like this:

/ip firewall filter
add chain=forward action=accept comment="Allow RDP - 3389- Only From Approved List" dst-port=3389 in-interface=ether1 protocol=tcp src-address-list="Allowed IP Addresses"

And then for good measure (at some locations, not all) we add a drop rule like this:

/ip firewall filter
add chain=forward action=drop comment="Block RDP - 3389- Not From Approved List" dst-port=3389 in-interface=ether1 protocol=tcp src-address-list="!Allowed IP Addresses"

This works well to lock down RDP from the firewall to specific public IPs. We then keep an address list and just add to it as needed.

The problem we run into is we occasionally have users who need RDP access to internal resources from laptops in the field. When they need access their source IPs often change or are not consistent so adding to the address list is not very feasible. What we have tried to do to work around this, and what I am inquiring about today, is we have created another rule to allow inbound traffic on a different port and accept without the address list restrictions. So in order we will have something like this:

/ip firewall filter
add chain=forward action=accept comment="Allow RDP - 3391/TCP" dst-port=3391 in-interface=ether1 protocol=tcp
add chain=forward action=accept comment="Allow RDP - 3389- Only From Approved List" dst-port=3389 in-interface=ether1 protocol=tcp src-address-list="Allowed IP Addresses"
add chain=forward action=drop comment="Block RDP - 3389- Not From Approved List" dst-port=3389 in-interface=ether1 protocol=tcp src-address-list="!Allowed IP Addresses"

Then the user will try to RDP to publicIP:3391 to get to the internal resource. What we have found is that no matter what other port we use, RDP is always picked up on the drop rule. We can move the 3391 rule to the top of the list but the traffic still hits the "Block RDP - 3389- Not From Approved List" rule. This is pretty clear when looking at traffic hitting the rule. One thing that is odd is that if a user specifies RDP on port 3391 and the drop rule for 3389 drops it, you can still see the traffic hit the NAT rule for 3391.

I suspect this has more to do with how RDP works in the background than how the Mikrotik is handling the traffic. My guess is that RDP is passing some traffic on 3389 even if you explicitly tell it to use a different port. It is not a configuration error, as I have set this up in many configurations and tested to validate what I was seeing. Even though I suspect this is an issue with how RDP handles specifying a port, I was hoping to get some validation from someone much smarter than I and see if anyone else has a better solution. It makes it difficult to block RDP to our servers while allowing users to have access to other resources.
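Added example (editor's note, not part of the original post and not MikroTik's own documentation) showing the RouterOS packet-flow order that produces the symptom described above. In RouterOS the dstnat chain runs in prerouting, before the forward filter chain, so by the time a packet that arrived on publicIP:3391 reaches chain=forward its destination port has already been rewritten to 3389. A forward rule matching dst-port=3391 therefore never sees it, and it falls through to the 3389 drop; the NAT counter incrementing while the drop counter also increments is exactly that order. Mangle prerouting runs before dst-nat, so it can still see the original port and tag the connection, and the forward chain can then accept on the connection mark. The interface name ether1 and the address-list name are taken from the post; the server address 192.168.1.10 and the mark name rdp-alt are assumptions.

```routeros
# Added example, not from the original post. Assumed: WAN is ether1, the
# internal server is 192.168.1.10, and "rdp-alt" is an arbitrary mark name.

/ip firewall nat
# Both public ports are translated to the server's real RDP port.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3391 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=3389 \
    comment="RDP field users: 3391 -> server:3389"
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=3389 \
    comment="RDP approved list: 3389 -> server:3389"

/ip firewall mangle
# Mangle prerouting runs BEFORE dst-nat, so dst-port=3391 is still visible here.
# Mark the connection once (connection-state=new); the mark stays in conntrack.
add chain=prerouting in-interface=ether1 protocol=tcp dst-port=3391 \
    connection-state=new action=mark-connection new-connection-mark=rdp-alt \
    passthrough=yes comment="Tag RDP connections that arrived on 3391"

/ip firewall filter
# The forward chain runs AFTER dst-nat: every RDP packet now has dst-port=3389,
# so match the connection mark instead of the original port.
add chain=forward connection-mark=rdp-alt protocol=tcp dst-port=3389 \
    action=accept comment="Allow RDP that arrived on 3391"
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    src-address-list="Allowed IP Addresses" action=accept \
    comment="Allow RDP - 3389 - Only From Approved List"
# Everything else to the server's RDP port is dropped; no negated list needed,
# because the approved sources were already accepted by the rule above.
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    action=drop comment="Block RDP - 3389 - Not From Approved List"
```

To confirm the flow, connect from a field laptop to publicIP:3391 and watch the counters with `/ip firewall mangle print stats` and `/ip firewall filter print stats`: the mark rule and the "Allow RDP that arrived on 3391" rule should increment, and the drop rule should not. Note that this reproduces the access model the post describes, which accepts 3391 from any source; moving RDP to a non-standard port is not access control, and the server's RDP service is still reachable from the whole internet on that port.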

Source: forum.mikrotik.com