I have weird issue at one customer, and im out if ideas how else to debug it.

They have LTE router from their ISP and i put DMZ zone on Mikrotik behind it(HAP AC.I did several port forwards, few servers, video server etc and they all work just fine.

But there is this single PC i cant RDC from outside office.Ports are properly forwarded(3389), i can verify that also on "http://canyouseeme.org/", and i see packets going in when i rdp, but cant establish connection. Same rule works for other IPs, just not this one.

Tried turning off firewall on both PC and Mirkotik, but made no difference, RDC only works from within local network.

Any ideas?

1. check your pc's firewall again, check gateway on pc
2. make src-nat

add action=src-nat chain=srcnat dst-address=192.168.2.205 dst-port=3389 protocol=tcp to-addresses=192.168.2.X

1. check your pc's firewall again, check gateway on pc
2. make src-nat

add action=src-nat chain=srcnat dst-address=192.168.2.205 dst-port=3389 protocol=tcp to-addresses=192.168.2.X

Remote works from local network, so its no firewall (and firewall is currently full off)

And that 2, makes no sense to me whats supposed to do, i tried adding it made no difference

1. windows firewall can restrict to access while you are from different net
https://technet.microsoft.com/en-us/lib ... s.10).aspx

Block edge traversal (default)
Prevent applications from receiving unsolicited traffic from the Internet through a NAT edge device.

1b don't shutdown firewall service. it's must be poweroff by himself settings

2. setup src-nat and your external packets will be like "local" for your pc (in this way you don't need to setup firewall)

3. you made a simple mistake. To help you find it - draw a diagram of connecting devices and settings

1. windows firewall can restrict to access while you are from different net
https://technet.microsoft.com/en-us/lib ... s.10).aspx

Block edge traversal (default)
Prevent applications from receiving unsolicited traffic from the Internet through a NAT edge device.

1b don't shutdown firewall service. it's must be poweroff by himself settings

2. setup src-nat and your external packets will be like "local" for your pc (in this way you don't need to setup firewall)

3. you made a simple mistake. To help you find it - draw a diagram of connecting devices and settings

I tried setuping src-nat as u told me, doesnt help.It goes establishing connection for 1-2 sec, than it pops "internal error"

I draw simple diagram, hope its enough to illustrate it, its very simple setup actually.

if 2 pc works but only one is not with same settings...
1. anycase try to make src-nat

add action=dst-nat chain=dstnat dst-port=4001 in-interface=WAN protocol=tcp to-addresses=192.168.2.205 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.2.205 dst-port=3389 protocol=tcp to-addresses=192.168.2.1

2. when you trying to connect from internet to pc3 make netstat -aon|find ":3389" and show it
3. check your settings "Allow Connections From Computers Running Any Version Of Remote Desktop to allow connections from any version of Windows"
4. check your netmask
5. select other tcp port
6. try to dst-nat to working pc2. If it works then it means a bug in the pc3

setup rdp from internet is too simple. you made mistake in so some simple settings that it's too hard to fix it.

(mistake=misspelling)

To make things wierder, I forgot to mention, it worked first day I set it at customer than it stoped working next day , mikrotik or isp router wasn't touched.

I will try your suggestions tomorow, thanks for now.

It goes establishing connection for 1-2 sec, than it pops "internal error"

That does not sound like a firewall error to me. A firewall issue would just fail to connect.
Stupid question. You are trying to connect to your external address and port 4001 (since that's the port you are forwarding)?
You show your NAT rules, but how about firewall rules? Anything there that could be blocking it?
Just thought of this. I wonder if port 4001 is being used by something else on the computer you are connecting from. That might explain the "internal error". Try setting the DST-NAT to some other port and then try connecting using that port number.

It goes establishing connection for 1-2 sec, than it pops "internal error"

That does not sound like a firewall error to me. A firewall issue would just fail to connect.
Stupid question. You are trying to connect to your external address and port 4001 (since that's the port you are forwarding)?
You show your NAT rules, but how about firewall rules? Anything there that could be blocking it?
Just thought of this. I wonder if port 4001 is being used by something else on the computer you are connecting from. That might explain the "internal error". Try setting the DST-NAT to some other port and then try connecting using that port number.

I tried changing ports, even leaving default 3389 one, and ofcourse I tried completly disabling firewall in mikrotik which didn't help.

if 2 pc works but only one is not with same settings...
1. anycase try to make src-nat

add action=dst-nat chain=dstnat dst-port=4001 in-interface=WAN protocol=tcp to-addresses=192.168.2.205 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.2.205 dst-port=3389 protocol=tcp to-addresses=192.168.2.1

2. when you trying to connect from internet to pc3 make netstat -aon|find ":3389" and show it
3. check your settings "Allow Connections From Computers Running Any Version Of Remote Desktop to allow connections from any version of Windows"
4. check your netmask
5. select other tcp port
6. try to dst-nat to working pc2. If it works then it means a bug in the pc3

setup rdp from internet is too simple. you made mistake in so some simple settings that it's too hard to fix it.

(mistake=misspelling)

C:\Users\Win10>netstat -aon|find ":3389"
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1528
TCP 192.168.1.198:47057 192.168.1.200:3389 ESTABLISHED 1428
TCP [::]:3389 [::]:0 LISTENING 1528
UDP 0.0.0.0:3389 *:* 1528
UDP [::]:3389 *:* 1528

I still cant figure whats wrong, i did run command u gave me, it only shows one established connection and thats to my local server, all other optios you wrote i checked and nothing helping so far :/

@k6ccc just to report back, all working fine now, it was never problem in Mikrotik, that user had some 3d party terminal server on Windows 7, and that software was in some weird state and only connections from local lan worked.They reinstalled that software and now all works fine.

Thanks for help again.

Glad you got it working.


Sent from my phone using Tapatalk, so blame any typos on Android!

if 2 pc works but only one is not with same settings...
1. anycase try to make src-nat

add action=dst-nat chain=dstnat dst-port=4001 in-interface=WAN protocol=tcp to-addresses=192.168.2.205 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.2.205 dst-port=3389 protocol=tcp to-addresses=192.168.2.1

MEN! YOU DON'T KNOW HOW MUCH I LOOKED FOR THIS! THANK YOU SO MUCH!

add action=dst-nat chain=dstnat dst-port=4001 in-interface=WAN protocol=tcp to-addresses=192.168.2.205 to-ports=3389
add action=src-nat chain=srcnat dst-address=192.168.2.205 dst-port=3389 protocol=tcp to-addresses=192.168.2.1

Thank you!!!