Joe
just joined
Topic Author
Posts: 8
Joined: Tue Dec 03, 2024 5:42 am

RDP HELP!

Tue Dec 03, 2024 7:23 am

We have a disaster - we basically just changed our firewall to a MikroTik CCR1009-8G-1S-1S+ currently running 7.16.1 (tonight we'll upgrade to 7.16.2, but the notes don't suggest that it will fix it). Short of going back to our old firewall, we'd prefer to get the MikroTik working.

It's as if there's a limit on connections and sessions, and when that limit is reached the connection is dropped.
Or the high outbound port numbers are restricted or limited or something.

The Issue

Randomly the MikroTik will drop the RDP connection - this is something in the order of several times a day, all day, per person, but it's disconnecting someone every several minutes, just choosing different users. The user then sees a black screen, reconnects, and then gets in for about several hours until it's their turn. Only using TCP for my RDP. It's across older servers (2012 R2) and newer servers (Windows 2019).

The Windows servers report "Session XX has been disconnected, reason code 0".

My Network

We have several public IP addresses on one WAN port. We have several inbound RDP servers on different public IPs.
We can't use VPN to our customers.

So therefore there is a DSTNAT rule to link the Public IP address to the private server via the port.

add action=dst-nat chain=dstnat comment=" (Rule 249) " \
dst-address=PublicAddress.01 dst-port=3389 in-interface=sfp1 log=yes \
log-prefix=RULE249 protocol=tcp src-address-list=SAFELIST \
to-addresses=192.168.200.64 to-ports=3389

As I also want traffic leaving that server to come from its own public IP, I also have a SRCNAT.

add action=src-nat chain=srcnat comment="(Rule 249)" out-interface=sfp1 \
src-address=192.168.200.64 to-addresses=PublicAddress.01

I also have a forwarding rule:

add action=accept chain=forward comment="(Rule 249)" dst-address=\
192.168.200.64 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp

Each server is set up the same way on a different IP.

So I've looked at the timeouts and increased them:

enabled: auto
active-ipv4: yes
active-ipv6: no
tcp-syn-sent-timeout: 30s
tcp-syn-received-timeout: 30s
tcp-established-timeout: 1d
tcp-fin-wait-timeout: 10s
tcp-close-wait-timeout: 10s
tcp-last-ack-timeout: 10s
tcp-time-wait-timeout: 10s
tcp-close-timeout: 10s
tcp-max-retrans-timeout: 5m
tcp-unacked-timeout: 5m
loose-tcp-tracking: yes
udp-timeout: 20s
udp-stream-timeout: 3m
icmp-timeout: 10s
generic-timeout: 10m
max-entries: 1048576
total-entries: 3179

I have a "block invalid forward traffic" rule that was being fired by some traffic on other servers - anyway, I've changed it from block to log.
So there could be something in this - maybe. Here's the rule anyway.

add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid log=yes log-prefix="Drop invalid"

The client also has a MikroTik :-) - that's been there forever - it's only our side that's been changed.
Basically getting a whole bunch of upset users.

PS: Many thanks in advance for your help :-)
 
rplant
Long time Member
Posts: 536
Joined: Fri Sep 29, 2017 11:42 am

Re: RDP HELP!

Tue Dec 03, 2024 8:42 am

I would perhaps actively block UDP to and from 3389 (if only to see if it changes anything).
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: RDP HELP!

Tue Dec 03, 2024 9:34 am

Hi there!

Some notes -

The "error code 0" is the generic "there is an error somewhere", aka "Microsoft useful."

1. Can you permit both tcp/3389 and udp/3389? RDP tries to use UDP to stream more efficiently. Add a second rule both for the DST NAT and FILTER to permit that from the safe sources.

2. If not present, create NAT and FILTER rules to permit ICMP/ECHO from the safe list to the RDP server. In case of issues, you can ask the user to ping the server.

There may be additional considerations though - what was the old firewall? What type of internet uplink do you have?
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: RDP HELP!

Tue Dec 03, 2024 9:37 am

Also, can you share your config with the sensitive bits removed?
 
Joe
just joined
Topic Author
Posts: 8
Joined: Tue Dec 03, 2024 5:42 am

Re: RDP HELP!

Wed Dec 04, 2024 1:14 am

Let me start with many thanks - lots of pressure over here.

@rplant UDP is blocked and never was opened - i.e. including on the previous firewall, which was Securepoint.

@vingjfg - the entire setup, meaning the GPOs, is all set up to only work on TCP - for years (like over 15 years) - that includes the workstations.
It's been flawless. The MT does some things that Securepoint doesn't, and we can't buy the new version in Australia.

There are no ping dropouts. Both ends have business-grade fibre internet - even the MT interface status shows there are no errors and more than 500GB of traffic has passed through in 2.5 weeks. The router capacity shows it's not even breaking a sweat.

The uplink is 700Mbps and the RDP traffic barely hits 30Mbps - so not bandwidth or jitter issues.

It's as if the data stream changes the TCP port mid-session, say via NAT.
Or it drops the port and so the RDP servers disconnect the user. It's not a Microsoft issue.

Can that happen? Can it re-organise or change an open TCP NAT or DNAT port mid way?
We did put in a WireGuard VPN and we don't see the disconnections, although we aren't always in the RDP - again pushing me to a DNAT/NAT issue.
In the old days we could specify a limit on amount of port we could


The config - cut down to only the RDP servers and rules around it.

/interface bridge
add comment="DMZ Zone" name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] comment="SWITCH"
set [ find default-name=ether3 ] comment="SWITCH"
set [ find default-name=ether4 ] comment="SWITCH"
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp1 ] auto-negotiation=no comment=\
"INTERNET"
#ignore the VPN
/interface wireguard
add listen-port=13231 mtu=1420 name=WG_Interface
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add comment="DMZ DHCP Pool" name=DMZ-POOL ranges=\
192.168.0.241-192.168.0.254
/ip dhcp-server
add address-pool=DMZ-POOL bootp-support=none interface=bridge1 lease-time=\
2h30m name=FW-DHCP
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add name=profile use-compression=yes use-ipv6=no
/queue simple
add comment="TOTAL INTERNET SPEED" disabled=yes max-limit=400M/1G name=\
"ALL BANDWIDTH" target=sfp1
add max-limit=10M/10M name="techsupport" target=MyOfficeIP

add comment="Protect DMZ traffic back to customer" max-limit=20M/20M name=\
DC_DMZ_ACCESS target=Other CustomerIP


add comment="10MBPS/10MBPS Webservers" max-limit=10M/10M name=WEBSERVERS \
target=192.168.0.21/32

add comment="20MBPS/20MBPS RULE19" dst=sfp1 max-limit=20M/20M name=20MBPS \
target=192.168.0.170/32

add max-limit=10M/10M name=SMTP-INBOUND target=192.168.0.176/32
add disabled=yes name=TERMINAL parent="ALL BANDWIDTH" priority=2/2 target=\
192.168.0.148/32
/queue type
add kind=fq-codel name=fq_codel
/queue simple
add bucket-size=0.005/0.005 comment="Buffer Bloat Testing" disabled=yes \
max-limit=400M/1G name=FQ_CODEL-QOS priority=1/1 queue=fq_codel/fq_codel \
target=sfp1 total-queue=fq_codel
/interface bridge port
add bridge=bridge1 comment="SWITCH" interface=ether2
add bridge=bridge1 comment="SWITCH" interface=ether3
add bridge=bridge1 comment="SWITCH" interface=ether4
add bridge=bridge1 disabled=yes interface=ether5
add bridge=bridge1 disabled=yes interface=ether6
add bridge=bridge1 disabled=yes interface=ether7
add bridge=bridge1 disabled=yes interface=ether8
add bridge=bridge1 disabled=yes interface=ether1
/ip firewall connection tracking
set tcp-syn-received-timeout=30s tcp-syn-sent-timeout=30s udp-timeout=20s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface l2tp-server server
set accept-proto-version=l2tpv2 allow-fast-path=yes default-profile=default
/interface list member
add interface=bridge1 list=LAN
add interface=sfp1 list=WAN
/interface ovpn-server server
set auth=sha1,md5

/interface wireguard peers
add allowed-address=etc etc

/ip address
add address=192.168.0.1/24 comment=Network interface=bridge1 network=\
192.168.0.0
add address=200.200.200.30/27 comment="INTERNET CONNECTION" interface=sfp1 \
network=200.200.200.28
add address=200.200.200.31/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.32/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.33/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.34/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.35/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.36/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.37/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.38/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.39/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.40/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.41/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.42/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.43/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.44/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.45/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.46/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.47/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.48/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.49/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.50/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.51/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.52/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.53/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.54/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.55/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.56/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.57/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.58/27 interface=sfp1 network=200.200.200.28

#Wireguard stuff
add address=192.168.1.1/24 interface=WG_Interface network=192.168.1.0
/ip dhcp-client

add disabled=yes interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.23,192.168.0.22 domain=\
domain.local gateway=192.168.0.1 netmask=24 ntp-server=\
192.168.0.76

/ip dns
set servers=192.168.0.22

/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet

add address=MyofficePublic list=techsupport

#the RDP servers
add address=192.168.0.148 comment=SERVER03 list=TERMINALSERVICES
add address=192.168.0.120 comment=SERVER07 list=TERMINALSERVICES
add address=192.168.0.164 comment=SERVER12 list=TERMINALSERVICES
add address=192.168.0.188 comment=SERVER25 list=TERMINALSERVICES

etc
etc

/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
"fasttrack - disables QUEUES bandwidth" connection-state=\
established,related hw-offload=yes

add action=accept chain=forward comment="=====established, related" \
connection-state=established,related log-prefix="RULE 60 Establish"

#disabled at the moment
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid

add action=add-src-to-address-list address-list=PortScanDetected \
address-list-timeout=none-dynamic chain=input comment="Port Scan Detect" \
in-interface=sfp1 log=yes log-prefix="Port Scan Detect" protocol=tcp psd=\
21,3s,3,1
add action=drop chain=input comment="Black List Attackers" in-interface=sfp1 \
src-address-list=black_list
add action=drop chain=input comment="Block PortScanners" in-interface=sfp1 \
src-address-list=PortScanDetected

add action=accept chain=input comment="dont allow pings" in-interface=sfp1 \
limit=50,2:packet protocol=icmp src-address=networkmonitoringaddress

add action=drop chain=input comment="dont allow pings" in-interface=sfp1 \
limit=50,2:packet log-prefix="IMCP Rule20" protocol=icmp

add action=accept chain=input comment="lan access to router" disabled=yes \
in-interface-list=LAN src-address-list=LAN

add action=accept chain=input comment="lan access to router" disabled=yes
add action=drop chain=input comment=\
"drop everything else - including firmware upgrade" in-interface-list=\
!LAN log-prefix="Rule 22 !LAN"

add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid log=yes log-prefix="Drop invalid"
add action=accept chain=forward comment="Inbound RULE23" dst-address=\
192.168.0.180 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp src-address-list=TS_Whitelist
add action=accept chain=forward comment="Inbound RULE25" dst-address=\
192.168.0.188 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp src-address-list=TS_Whitelist
add action=accept chain=forward comment="Inbound RULE07" dst-address=\
192.168.0.120 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp src-address-list=TS_Whitelist
add action=accept chain=forward comment="Inbound RULE25" dst-address=\
192.168.0.188 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp

add action=accept chain=forward comment="Inbound RULE23" dst-address=\
192.168.0.180 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment="Inbound RULE07" dst-address=\
192.168.0.120 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment="Inbound RULE03" dst-address=\
192.168.0.148 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment="Inbound RULE12" dst-address=\
192.168.0.164 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment="Inbound RULE24" dst-address=\
192.168.0.198 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment=\
"Rule 210 - default Internet browsing" dst-port=80,443,25,53,21 \
out-interface=sfp1 protocol=tcp src-address-list=TERMINALSERVICES

add action=drop chain=forward comment="=====Black List Attackers" \
src-address-list=black_list

add
add action=accept chain=forward comment="Default forwarding rule (DISABLE)" \
disabled=yes log=yes log-prefix="Rule 51 LAN" src-address-list=LAN

add action=drop chain=forward comment=\
"drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface-list=LAN log-prefix=\
"!public_from_LAN Rule 58" out-interface-list=!LAN

add action=drop chain=forward comment=\
"drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN log-prefix=\
"!NAT Rule 59"

add action=drop chain=forward comment=\
"drop incoming from internet which is not public IP" disabled=yes \
in-interface-list=WAN log-prefix="!public Rule 60" src-address-list=\
not_in_internet

add action=drop chain=forward comment=\
"drop packets from LAN that do not have LAN IP" in-interface-list=LAN \
log-prefix="DROP LAN_!LAN Rule 70" src-address=!192.168.0.0/24

add action=drop chain=forward comment="drop all else" log-prefix=\
"DROP_ALL Rule 71"
/ip firewall nat

add action=src-nat chain=srcnat comment=SERVER19 log-prefix=\
"dnat RULE19" out-interface=sfp1 src-address=192.168.0.170 \
to-addresses=200.200.200.33
add action=src-nat chain=srcnat comment=SERVER07 out-interface=sfp1 \
src-address=192.168.0.120 to-addresses=200.200.200.37
add action=src-nat chain=srcnat comment=SERVER03 out-interface=sfp1 \
src-address=192.168.0.148 to-addresses=200.200.200.34
add action=src-nat chain=srcnat comment=SERVER25 out-interface=sfp1 \
src-address=192.168.0.188 to-addresses=200.200.200.41
add action=src-nat chain=srcnat comment=SERVER12 out-interface=sfp1 \
src-address=192.168.0.164 to-addresses=200.200.200.40
add action=masquerade chain=srcnat comment="General DMZ Internet Access" \
log-prefix=MASQUERADE out-interface-list=WAN src-address-list=LAN
add action=dst-nat chain=dstnat comment="SERVER03 (Rule 249) " \
dst-address=200.200.200.34 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=CountryIPAustralia to-addresses=192.168.0.148 \
to-ports=3389
add action=dst-nat chain=dstnat comment="SERVER07 (Rule 249) " \
dst-address=200.200.200.37 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=CountryIPAustralia to-addresses=192.168.0.120 \
to-ports=3389
add action=dst-nat chain=dstnat comment="SERVER12 (Rule 249) " \
dst-address=200.200.200.40 dst-port=3389 in-interface=sfp1 log=yes \
log-prefix=RULE12 protocol=tcp src-address-list=CountryIPAustralia \
to-addresses=192.168.0.164 to-ports=3389
add action=dst-nat chain=dstnat comment="SERVER12 (Rule 249) " \
dst-address=200.200.200.40 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=TS_Whitelist to-addresses=192.168.0.164 to-ports=3389
add action=dst-nat chain=dstnat comment="SERVER25 (Rule 249) " \
dst-address=200.200.200.41 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=CountryIPAustralia to-addresses=192.168.0.188 \
to-ports=3389
add action=dst-nat chain=dstnat comment="SERVER23 (Rule 249) " \
dst-address=200.200.200.38 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=CountryIPAustralia to-addresses=192.168.0.180 \
to-ports=3389
add action=dst-nat chain=dstnat comment=SERVER24 dst-address=200.200.200.42 \
dst-port=3389 in-interface=sfp1 protocol=tcp src-address-list=\
CountryIPAustralia to-addresses=192.168.0.198 to-ports=3389
add action=dst-nat chain=dstnat comment="SERVER23 (Rule 249) " \
dst-address=200.200.200.38 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=TS_Whitelist to-addresses=192.168.0.180 to-ports=3389
add action=dst-nat chain=dstnat comment="SERVER25 (Rule 249) " \
dst-address=200.200.200.41 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=TS_Whitelist to-addresses=192.168.0.188 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/lcd
set enabled=no touch-screen=disabled
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
Last edited by Joe on Wed Dec 04, 2024 1:45 am, edited 3 times in total.
 
Joe
just joined
Topic Author
Posts: 8
Joined: Tue Dec 03, 2024 5:42 am

Re: RDP HELP!

Wed Dec 04, 2024 1:40 am

re: 2. If not present, create a NAT and FILTER rules to permit ICMP/ECHO from the safe list to the RDP server. In case of issues, you can ask the user to ping the server.

There are 20 users from one location connecting to the RDP server - meaning if it was a network issue we'd expect that all the users would experience the disconnect at the same time.
It's "randomly" disconnecting users - I don't have the data on when some connected vs when they've disconnected to see if there's a pattern.

So it looks like this:

[ 20 users ] -> MT (Nat) -> internet (tcp 3389) -> MT (new firewall) -> [ RDP server ]
 
Larsa
Forum Guru
Posts: 1611
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: RDP HELP!

Wed Dec 04, 2024 10:33 am

It doesn't necessarily have to be the router that's the main problem. A tip is to troubleshoot using the Windows Event Log on both the RDP clients and the server. A good place to start is the guide "Microsoft - Troubleshoot Remote Desktop Disconnected Errors".

This might also be useful: "Gather information by using TSS for user experience-related issues (remote-desktop-disconnection)"
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: RDP HELP!

Wed Dec 04, 2024 6:32 pm

The configuration refers to a PPP profile, is this something else? Or are you using PPPoE? The configuration refers to sfp1 and at places to the WAN interface list - can this be standardized to the interface list wherever possible, at least in all the ip firewall sections?

In your configuration (consider using the code tag next time), I see you do the NAT by creating additional IP addresses on the interface. Nothing wrong with that, but keep in mind that everything that is not NATted hits the firewall itself. For example, while you DSTNAT tcp/3389, a ping to the same public IP would go to the firewall. I strongly suggest adding a rule to DSTNAT ICMP to the servers (from the same sources if you want), for the sake of PMTU discovery.

I saw a few things that are probably mistakes:
add action=accept chain=forward comment="=====established, related" \
connection-state=established,related log-prefix="RULE 60 Establish"
This is going to log every single packet in an established connection, unless it is caught by the fasttrack rule above. Not something you want to do.
add action=accept chain=input comment="dont allow pings" in-interface=sfp1 \
limit=50,2:packet protocol=icmp src-address=networkmonitoringaddress

add action=drop chain=input comment="dont allow pings" in-interface=sfp1 \
limit=50,2:packet log-prefix="IMCP Rule20" protocol=icmp
The first one will permit ICMP packets with a maximum of 50 over 2 seconds (fine); the second drops at most 50 packets over 2 seconds. Everything above that is caught by a subsequent rule. I think you meant the second one to drop all ICMP, without limits.

I do not see an "established" rule in the input chain - did you remove it? If so, can you re-add it?
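The limited-drop behaviour described in the reply above, as an added example that is not part of the thread: a small Python model of first-match chain evaluation with a RouterOS-style `limit` matcher, showing that a drop rule carrying a limit drops only the packets inside that limit and hands the excess to whatever rule follows. The token-bucket arithmetic, the reading of `limit=50,2:packet` as 50 packets over 2 seconds (taken from the reply), the catch-all rule's action and the source addresses are assumptions; the ICMP burst is constructed.

```python
"""Added example (not from the thread): a first-match firewall chain with a
RouterOS-style `limit` matcher, to show why a *drop* rule that carries
`limit=...` drops only the packets inside the limit and hands the excess to
whatever rule follows.  Token-bucket arithmetic, the "50 packets over 2 s"
reading of `limit=50,2:packet`, and the addresses are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MONITOR = "198.51.100.10"   # stands in for the thread's `networkmonitoringaddress`
STRANGER = "203.0.113.7"    # constructed untrusted Internet source


@dataclass
class Packet:
    src: str
    proto: str
    t: float                # arrival time in seconds


class RateLimit:
    """Token bucket for `limit=count,burst:packet`: `count` tokens refill per
    `window` seconds, capacity is count + burst; a packet matches only while a
    token is available, so the matcher stops matching once the burst is spent."""

    def __init__(self, count: int, window: float, burst: int) -> None:
        self.capacity = float(count + burst)
        self.per_sec = count / window
        self.tokens = self.capacity
        self.last = 0.0

    def matches(self, t: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.per_sec)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class Rule:
    comment: str
    action: str                       # "accept" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None
    limit: Optional[RateLimit] = None

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and p.src != self.src:
            return False
        # Consult the limit last so a token is spent only on packets the
        # other matchers already selected.
        return self.limit is None or self.limit.matches(p.t)


def run_chain(rules: List[Rule], packets: List[Packet]) -> Dict[str, Dict[str, int]]:
    """First matching rule decides each packet; returns per-rule verdict counts."""
    tally = {r.comment: {"accept": 0, "drop": 0} for r in rules}
    for p in packets:
        for r in rules:
            if r.matches(p):
                tally[r.comment][r.action] += 1
                break
    return tally


def icmp_burst(src: str, n: int, duration: float) -> List[Packet]:
    """Constructed traffic: n ICMP packets spread evenly over `duration` seconds."""
    return [Packet(src, "icmp", i * duration / n) for i in range(n)]


def input_chain(limited_drop: bool, trailing_action: str) -> List[Rule]:
    """Input chain shaped like the thread's: a limited accept for the monitoring
    host, the "IMCP Rule20" drop (with or without its limit), then a catch-all
    whose action is varied to show what the excess ICMP ends up hitting."""
    return [
        Rule("accept monitor pings", "accept", proto="icmp", src=MONITOR,
             limit=RateLimit(50, 2.0, 2)),
        Rule("IMCP Rule20", "drop", proto="icmp",
             limit=RateLimit(50, 2.0, 2) if limited_drop else None),
        Rule("Rule 22 catch-all", trailing_action),
    ]


def simulate(limited_drop: bool, trailing_action: str = "drop") -> Dict[str, Dict[str, int]]:
    """200 ICMP packets in one second from an untrusted host through the chain."""
    return run_chain(input_chain(limited_drop, trailing_action),
                     icmp_burst(STRANGER, 200, 1.0))


if __name__ == "__main__":
    for limited in (True, False):
        print("limited drop" if limited else "unlimited drop", simulate(limited))
```

With the limit on the drop rule, only the first few dozen packets are dropped (and logged) by "IMCP Rule20"; the rest are decided by the catch-all, so the effective policy depends on whatever sits below it.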
 
SPKA16
newbie
Posts: 30
Joined: Fri Aug 05, 2016 8:41 pm

Re: RDP HELP!

Wed Dec 04, 2024 11:13 pm

FIRST:
!!! Use an RDSGW (with UDP also enabled for better performance) - never expose an RDS/terminal directly on 3389. It will get hit hard... !!!

Second:
Even if you say you don't use UDP stream, this seems to be a 'known UDP-stream issue' to me.
Try to increase it to 30 seconds (default on v7) instead of 20 seconds. That most likely fixes the problem, at least in my experience.
It seems like the router has been upgraded with a v6 config, which results in the udp-stream timeout being too low.
 
Joe
just joined
Topic Author
Posts: 8
Joined: Tue Dec 03, 2024 5:42 am

Re: RDP HELP!

Thu Dec 05, 2024 1:28 am

Many thanks for looking into this..

re: a PPP profile,
This has been shut down and was for testing purposes. I'll clean up the config.

re: I understand about RDSGW and also RDS being hit hard

I hear your point, but I don't believe it's the cause of the dropouts - they've only started to happen with the replacement of the firewall.
In our mind the issue is with the firewall or we've made an error in our config.

We've been doing this for over 15 years and have seen all the attacks, long before the advice was to remove RDP from the internet etc. etc.
We've designed and built our own security systems to protect RDP. They work and didn't want to complicate this ticket.


re: UDP timeout

Yes, we had experienced that almost immediately once we connected it - freezing with the UDP.
I believe OS7 had it at 15s; we changed it to 20s and it seemed to go away.

We did try 30s; it worked fine too. But we've never had UDP ports open and only ever used RDP.
This is a preferred option as many home users have 3rd world internet connections.


re: ICMP packets
Sorry, that's us: the "50 over 2 seconds" is normally disabled - we're just turning things on as part of our troubleshooting.
But thanks, good eye.

re: RULE 60 Establish
same as above normally off - it was just on for quick testing - but thank you.

re: for the sake of pmtu discovery.
OK, I'll try it, can't hurt - saying that, ICMP off has always been the norm.

re: "established" rule in the input chain
Was missing, now in place, and dragged to the top made no difference...

re: Microsoft document

Yes, I've read all of them and all the troubleshooting points back to the router. The RDP server sees the connection dropped and so disconnects the user
(as opposed to, say, the user logging off or the user disconnecting). On the user end, it freezes for 5 seconds and then retries and gets back in.
But I'll re-read them just in case I've missed something.
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: RDP HELP!

Thu Dec 05, 2024 11:29 am

re: a PPP profile,
This has been shut down and was for testing purposes. I'll clean up the config.
OK, so not PPP and the usual MTU issue then. Do you have a different MTU for your internet fiber than you have for the internal network?
re: ICMP packets
Sorry, that's us: the "50 over 2 seconds" is normally disabled - we're just turning things on as part of our troubleshooting.
But thanks, good eye.
No worries.
re: for the sake of pmtu discovery.
OK, I'll try it, can't hurt - saying that, ICMP off has always been the norm.
Let's see where that leads. Check the counter to see if you see some form of increase.
re: "established" rule in the input chain
Was missing, now in place, and dragged to the top made no difference...
It won't hurt - and will help smooth out things from the router - but I suspect this by itself is not going to solve the whole issue, as there may be a combination of factors at play for now.

Can you repost the firewall rules (/ip/firewall/filter) after you made the changes?
 
Joe
just joined
Topic Author
Posts: 8
Joined: Tue Dec 03, 2024 5:42 am

Re: RDP HELP!

Thu Dec 05, 2024 2:30 pm

re: Do you have a different MTU

Well, for the fibre the actual MTU is 1500 and the L2 MTU 1580, while the bridge is 1500 & 1578 respectively.

What's the PPP MTU issue?

When I did install an L2TP PPP the speed was horrible - not that it's in place anymore.
We're using WireGuard. So we've added a VPN between our servers and the customer. Looks like it's OK while they are in the office, but the problem persists while they are home - without the VPN.

re: pmtu discovery
I added it; the counters went to 70.4KB and haven't changed.

re: config

# 2024-12-05 22:50:39 by RouterOS 7.16.2

/interface bridge
add comment="DMZ Zone" name=bridge1
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] comment="SWITCH"
set [ find default-name=ether3 ] comment="SWITCH"
set [ find default-name=ether4 ] comment="SWITCH"
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment=DISABLED disabled=yes
set [ find default-name=sfp1 ] auto-negotiation=no comment=\
"INTERNET PORT 400MBPS"
/interface wireguard
add listen-port=retracted mtu=1420 name=WG
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/ip pool
add comment="DMZ DHCP Pool" name=DMZ-POOL ranges=\
192.168.0.241-192.168.0.254
/ip dhcp-server
add address-pool=DMZ-POOL bootp-support=none interface=bridge1 lease-time=\
2h30m name=FW-DHCP
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add comment="TOTAL INTERNET SPEED" disabled=yes max-limit=400M/1G name=\
"ALL BANDWIDTH" target=sfp1
add max-limit=10M/10M name="OFFICE" target=retracted
add comment="Protect DMZ traffic back to customer" disabled=yes max-limit=\
20M/20M name=queue1 target=retracted
add comment="10MBPS/10MBPS Webservers" max-limit=10M/10M name=WEBSERVERS \
target=192.168.0.21/32
add comment="50MBPS/50MBPS SERVER19" dst=sfp1 max-limit=20M/20M name=20MBPS \
target=192.168.0.70/32
add max-limit=10M/10M name=SMTP-INBOUND target=192.168.0.76/32
add disabled=yes name=TERMINAL parent="ALL BANDWIDTH" priority=2/2 target=\
192.168.0.48/32
/queue type
add kind=fq-codel name=fq_codel
/queue simple
add bucket-size=0.005/0.005 comment="Buffer Bloat Testing" disabled=yes \
max-limit=400M/1G name=FQ_CODEL-QOS priority=1/1 queue=fq_codel/fq_codel \
target=sfp1 total-queue=fq_codel
/interface bridge port
add bridge=bridge1 comment="switch" interface=ether2
add bridge=bridge1 comment="Switch" interface=ether3
add bridge=bridge1 comment="Switch" interface=ether4
add bridge=bridge1 disabled=yes interface=ether5
add bridge=bridge1 disabled=yes interface=ether6
add bridge=bridge1 disabled=yes interface=ether7
add bridge=bridge1 disabled=yes interface=ether8
add bridge=bridge1 disabled=yes interface=ether1
/ip firewall connection tracking
set tcp-syn-received-timeout=30s tcp-syn-sent-timeout=30s udp-timeout=20s
/ip settings
set arp-timeout=1m max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
LAN wan-interface-list=WAN
/interface l2tp-server server
set accept-proto-version=l2tpv2 allow-fast-path=yes default-profile=default
/interface list member
add interface=bridge1 list=LAN
add interface=sfp1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address= etc etc

/ip address
add address=192.168.0./24 comment=Network interface=bridge1 network=\
192.168.0.0
add address=200.200.200.30/27 comment="INTERNET CONNECTION" interface=sfp1 \
network=200.200.200.28
add address=200.200.200.31/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.32/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.33/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.34/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.35/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.36/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.37/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.38/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.39/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.40/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.41/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.42/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.43/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.44/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.45/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.46/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.47/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.48/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.49/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.50/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.51/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.52/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.53/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.54/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.55/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.56/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.57/27 interface=sfp1 network=200.200.200.28
add address=200.200.200.58/27 interface=sfp1 network=200.200.200.28
add address=192.168.99.1/24 interface=WG network=192.168.99.0
/ip dhcp-client
add disabled=yes interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.20,192.168.0.21 domain=\
domain.local gateway=192.168.0.1 netmask=24 ntp-server=\
192.168.0.76
/ip dns
set servers=192.168.0.20
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
not_in_internet

add address=192.168.0.48 comment=SRV-SERVER03 list=TERMINALSERVICES
add address=192.168.0.20 comment=SRV-SERVER07 list=TERMINALSERVICES
add address=192.168.0.64 comment=SRV-SERVER12 list=TERMINALSERVICES
add address=192.168.0.88 comment=SRV-SERVER25 list=TERMINALSERVICES
add address=192.168.0.00 comment=SRV-SERVER04 list=TERMINALSERVICES
add address=192.168.0.98 comment=SRV-SERVER24 list=TERMINALSERVICES
add address=192.168.0.80 comment=SRV-SERVER23 list=TERMINALSERVICES


add address=192.168.0.74 list=PROXY


add address=192.168.0.20 comment=SERVER02 list=DMZ_WEBSERVERS
add address=192.168.0.50 comment=SERVER08 list=DMZ_WEBSERVERS
add address=192.168.0.21 comment=SERVER09 list=DMZ_WEBSERVERS
add address=192.168.0.66 comment=SERVER11 list=DMZ_WEBSERVERS
add address=192.168.0.70 comment=SERVER19 list=DMZ_WEBSERVERS
add address=192.168.0.44 comment=SERVER21 list=DMZ_WEBSERVERS
add address=192.168.0.46 comment=SERVER01 list=VPN_ACCESSABLE
add address=192.168.0.20 comment=SERVER02 list=VPN_ACCESSABLE
add address=192.168.0.52 comment=SERVER05 list=VPN_ACCESSABLE
add address=192.168.0.50 comment=SERVER14 list=VPN_ACCESSABLE
add address=192.168.0.21 comment=SERVER21 list=VPN_ACCESSABLE
add address=192.168.0.70 comment=SERVER19 list=VPN_ACCESSABLE
add address=192.168.0.80 comment=SERVER23 list=VPN_ACCESSABLE
add address=192.168.0.88 comment=SERVER25 list=VPN_ACCESSABLE


add address=192.168.0.0/24 list=LAN
add address=192.168.0.20 list=DNS
add address=192.168.0.21 list=DNS


add address=192.168.0.98 comment=SERVER24 list=VPN_ACCESSABLE
add address=192.168.0.98 comment=SERVER24 list=VOIP_ACCESS

/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
"fasttrack - disables QUEUES bandwidth" connection-state=\
established,related hw-offload=yes log-prefix="FTract Enabled Rule1"
add action=accept chain=forward comment="=====established, related" \
connection-state=established,related log-prefix="RULE 60 Establish"
add action=accept chain=input comment=\
"Accept related and established connections" connection-state=\
established,related log-prefix="input established rule 3"
add action=accept chain=input comment=WIREGUARD dst-port=retracted protocol=udp \
src-address-list=VPN_EXTERNAL_INT
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid

add action=drop chain=input comment="Black List" in-interface=sfp1 \
src-address-list=black_list
add action=accept chain=input comment="allow pings from customers" dst-address-list=\
VPN_EXTERNAL_INT in-interface=sfp1 limit=50,2:packet log=yes log-prefix=\
"IMCP traffic Rule 21" protocol=icmp
add action=drop chain=input comment="dont allow pings" in-interface=sfp1 \
limit=50,2:packet log-prefix="IMCP Rule20" protocol=icmp

add action=drop chain=input comment=\
"drop everything else - including firmware upgrade" in-interface-list=\
!LAN log-prefix="Rule 22 !LAN"
add action=accept chain=forward comment="Inbound SERVER23" disabled=yes \
dst-address=192.168.0.80 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp src-address-list=TS_Whitelist
add action=accept chain=forward comment="Inbound SERVER25" disabled=yes \
dst-address=192.168.0.88 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp src-address-list=TS_Whitelist
add action=accept chain=forward comment="Inbound SERVER07" disabled=yes \
dst-address=192.168.0.20 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp src-address-list=TS_Whitelist
add action=accept chain=forward comment="Inbound SERVER24" disabled=yes \
dst-address=192.168.0.98 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp src-address-list=TS_Whitelist
add action=accept chain=forward comment="Inbound SERVER25" dst-address=\
192.168.0.88 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment="Inbound SERVER23" dst-address=\
192.168.0.80 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment="Inbound SERVER07" dst-address=\
192.168.0.20 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment="Inbound SERVER03" dst-address=\
192.168.0.48 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment="Inbound SERVER12" dst-address=\
192.168.0.64 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment="Inbound SERVER24" dst-address=\
192.168.0.98 dst-port=3389 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp
add action=accept chain=forward comment=\
"Rule 210 - default Internet browsing" dst-port=80,443,25,53,21 \
out-interface=sfp1 protocol=tcp src-address-list=TERMINALSERVICES
add action=accept chain=forward comment="Rule 33 - default Internet browsing" \
dst-port=80,443,25,21 log-prefix="rule 33 Default Internet" \
out-interface=sfp1 protocol=tcp src-address-list=DMZ_WEBSERVERS
add action=accept chain=forward comment="Rule 33 - default DNS" dst-port=53 \
log-prefix="Default Internet DNS" protocol=udp src-address-list=\
DMZ_WEBSERVERS
add action=drop chain=forward comment="=====Black List Attackers" \
src-address-list=black_list

add action=accept chain=forward comment="Inbound SRVDB03" dst-address=\
192.168.0.90 dst-port=443 in-interface=sfp1 log-prefix=\
"Default Internet DNS" protocol=tcp

add action=accept chain=forward comment="Rule 253 - All Internet browsing" \
src-address-list=PROXY


add action=accept chain=forward comment="Rule 280 - Internet Access" \
out-interface=sfp1 src-address-list="Servers"
add action=accept chain=forward comment="Rule 161 SRV Access DMZ Servers" \
log-prefix=SRVtoDMZ src-address=retracted
add action=accept chain=forward comment="Rule 161 SRV Access DMZ Servers" \
disabled=yes dst-address=retracted log-prefix=SRVtoDMZ src-address=\
192.168.0.0/24
add action=accept chain=forward comment="Rule 274 Clients Access DMZ Servers" \
dst-address-list=VPN_ACCESSABLE src-address-list=VPN_SITE_LAN
add action=accept chain=forward comment="Rule 275 Clients Access DMZ Servers" \
dst-address-list=VPN_SITE_LAN log-prefix=VPN_LAN src-address-list=\
VPN_ACCESSABLE

add action=log chain=forward comment="Drop invalid connections" \
connection-state=invalid disabled=yes log=yes log-prefix=\
"Drop invalid RULE 68"
add action=drop chain=forward comment=\
"drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface-list=LAN log-prefix=\
"!public_from_LAN Rule 70" out-interface-list=!LAN
add action=drop chain=forward comment=\
"drop incoming from internet which is not public IP" in-interface-list=\
WAN log-prefix="!public Rule 60" src-address-list=not_in_internet
add action=drop chain=forward comment=\
"drop packets from LAN that do not have LAN IP" in-interface-list=LAN \
log-prefix="DROP LAN_!LAN Rule 73" src-address=!192.168.0.0/24
add action=drop chain=forward comment="drop all else" log-prefix=\
"DROP_ALL Rule 74"

/ip firewall nat
add action=src-nat chain=srcnat comment=SRV-SERVER07 out-interface=sfp1 \
src-address=192.168.0.20 to-addresses=200.200.200.37
add action=src-nat chain=srcnat comment="SRV-SERVER09\r\
\n" out-interface=sfp1 src-address=192.168.0.21 to-addresses=\
200.200.200.36
add action=src-nat chain=srcnat comment=SRV-SERVER03 out-interface=sfp1 \
src-address=192.168.0.48 to-addresses=200.200.200.34
add action=src-nat chain=srcnat comment=SRV-SERVER25 out-interface=sfp1 \
src-address=192.168.0.88 to-addresses=200.200.200.41
add action=src-nat chain=srcnat comment=SRV-SERVER23 out-interface=sfp1 \
src-address=192.168.0.80 to-addresses=200.200.200.38
add action=src-nat chain=srcnat comment=SRV-SERVER24 out-interface=sfp1 \
src-address=192.168.0.98 to-addresses=200.200.200.42

add action=src-nat chain=srcnat comment=SRV-SERVER12 out-interface=sfp1 \
src-address=192.168.0.64 to-addresses=200.200.200.40
add action=masquerade chain=srcnat comment="General DMZ Internet Access" \
log-prefix=MASQUERADE out-interface-list=WAN src-address-list=LAN
add action=dst-nat chain=dstnat comment="SRV-SERVER03 (Rule 249) " \
dst-address=200.200.200.34 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=safelist to-addresses=192.168.0.48 \
to-ports=3389
add action=dst-nat chain=dstnat comment="SRV-SERVER07 (Rule 249) " \
dst-address=200.200.200.37 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=safelist to-addresses=192.168.0.20 \
to-ports=3389
add action=dst-nat chain=dstnat comment="SRV-SERVER12 (Rule 249) " \
dst-address=200.200.200.40 dst-port=3389 in-interface=sfp1 log-prefix=\
SERVER12 protocol=tcp src-address-list=safelist to-addresses=\
192.168.0.64 to-ports=3389
add action=dst-nat chain=dstnat comment="SRV-SERVER12 (Rule 249) " \
dst-address=200.200.200.40 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=TS_Whitelist to-addresses=192.168.0.64 to-ports=3389
add action=dst-nat chain=dstnat comment="SRV-SERVER12 (Rule 249) " \
dst-address=200.200.200.42 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=TS_Whitelist to-addresses=192.168.0.98 to-ports=3389
add action=dst-nat chain=dstnat comment="SRV-SERVER25 (Rule 249) " \
dst-address=200.200.200.41 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=safelist to-addresses=192.168.0.88 \
to-ports=3389
add action=dst-nat chain=dstnat comment="SRV-SERVER23 (Rule 249) " \
dst-address=200.200.200.38 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=safelist to-addresses=192.168.0.80 \
to-ports=3389
add action=dst-nat chain=dstnat comment=SRV-SERVER24 dst-address=200.200.200.42 \
dst-port=3389 in-interface=sfp1 protocol=tcp src-address-list=\
safelist to-addresses=192.168.0.98 to-ports=3389
add action=dst-nat chain=dstnat comment="SRV-SERVER23 (Rule 249) " \
dst-address=200.200.200.38 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=TS_Whitelist to-addresses=192.168.0.80 to-ports=3389
add action=dst-nat chain=dstnat comment="SRV-SERVER25 (Rule 249) " \
dst-address=200.200.200.41 dst-port=3389 in-interface=sfp1 protocol=tcp \
src-address-list=TS_Whitelist to-addresses=192.168.0.88 to-ports=3389
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment="DEFAULT GW" disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=200.200.200.29 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
/system health settings
set use-fan=auxiliary
/system identity
set name=SRVFW
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: RDP HELP!

Thu Dec 05, 2024 8:05 pm

Hi there.

Regarding the rules, chain input:

Remove the logging for the first rule (established/related)
add action=accept chain=input comment=\
"Accept related and established connections" connection-state=\
established,related log-prefix="input established rule 3"
Move this one below the rule that drops the invalid connections.
add action=accept chain=input comment=WIREGUARD dst-port=retracted protocol=udp \
src-address-list=VPN_EXTERNAL_INT
Remove the limit=59,2 from this one.
add action=drop chain=input comment="dont allow pings" in-interface=sfp1 \
limit=50,2:packet log-prefix="IMCP Rule20" protocol=icmp
Consider removing the logging from this one. Can be quite noisy.
add action=drop chain=input comment=\
"drop everything else - including firmware upgrade" in-interface-list=\
!LAN log-prefix="Rule 22 !LAN"
Regarding chain=forward:

Remove the logging for the first rule, fasttracked connections.
add action=fasttrack-connection chain=forward comment=\
"fasttrack - disables QUEUES bandwidth" connection-state=\
established,related hw-offload=yes log-prefix="FTract Enabled Rule1"
Remove the logging for the second rule, established/related connections.
add action=accept chain=forward comment="=====established, related" \
connection-state=established,related log-prefix="RULE 60 Establish"
Might be worth adding the source and destination interfaces for this one.
add action=accept chain=forward comment="Rule 161 SRV Access DMZ Servers" \
log-prefix=SRVtoDMZ src-address=retracted
This one should ideally be near the very top, like number 3 or 4
add action=log chain=forward comment="Drop invalid connections" \
connection-state=invalid disabled=yes log=yes log-prefix=\
"Drop invalid RULE 68"
Consider removing the logging from the last rule, as this will just be noise.
add action=drop chain=forward comment="drop all else" log-prefix=\
"DROP_ALL Rule 74"
 
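To make the ordering and logging advice in the post above mechanically checkable, here is an added Python example (mine, not code from the thread or from MikroTik) that parses a RouterOS export fragment and flags: logging switched on for fasttrack, established/related and catch-all drop rules; a drop-invalid rule that is disabled, uses action=log, or sits below the first ordinary accept in its chain; a `limit=` on a drop rule; and forward accepts from the WAN port that carry no source restriction. The sample export is constructed in the shape of the rules posted in the thread, with `log=yes` switched on so the checks fire; the WireGuard port 13231 stands in for the redacted one and the WAN interface name is an assumption.

```python
"""Audit a RouterOS '/ip firewall filter' export for the ordering and logging
issues raised in the thread.  Added example; not MikroTik's code."""
import shlex

WAN_IFACE = "sfp1"   # assumption: the WAN port used in the thread's config

# Keys that never narrow what a rule matches.
NON_MATCH_KEYS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}
# A drop rule whose only matchers are interface selectors is a catch-all.
IFACE_KEYS = {"in-interface", "out-interface", "in-interface-list", "out-interface-list"}

# Constructed sample in the shape of the thread's export; log=yes is switched on
# so the logging checks fire, and 13231 stands in for the redacted WireGuard port.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack \
    connection-state=established,related hw-offload=yes log=yes \
    log-prefix="FTract Enabled Rule1"
add action=accept chain=forward comment="established, related" \
    connection-state=established,related
add action=accept chain=input comment=\
    "Accept related and established connections" connection-state=\
    established,related log=yes log-prefix="input established rule 3"
add action=accept chain=input comment=WIREGUARD dst-port=13231 protocol=udp \
    src-address-list=VPN_EXTERNAL_INT
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="dont allow pings" in-interface=sfp1 \
    limit=50,2:packet protocol=icmp
add action=drop chain=input comment="drop everything else" \
    in-interface-list=!LAN log=yes log-prefix="Rule 22 !LAN"
add action=accept chain=forward comment="Inbound SERVER25" dst-address=\
    192.168.0.88 dst-port=3389 in-interface=sfp1 protocol=tcp
add action=accept chain=forward comment="Inbound SERVER23" dst-address=\
    192.168.0.80 dst-port=3389 in-interface=sfp1 protocol=tcp \
    src-address-list=TS_Whitelist
add action=log chain=forward comment="Drop invalid connections" \
    connection-state=invalid disabled=yes log=yes \
    log-prefix="Drop invalid RULE 68"
add action=drop chain=forward comment="drop all else" log=yes \
    log-prefix="DROP_ALL Rule 74"
"""


def join_continuations(text):
    """RouterOS wraps long commands with a trailing backslash; undo that."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]        # keeps the space before the backslash
            continue
        lines.append(pending + line)
        pending = ""
    if pending:
        lines.append(pending)
    return lines


def parse_filter_rules(text):
    """Return the 'add' rules under /ip firewall filter as dicts, in file order."""
    rules, section = [], None
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = {}
            for token in shlex.split(line)[1:]:   # shlex handles quoted values
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def audit(rules):
    """Return (code, chain, position, comment) findings; positions are 1-based per chain."""
    findings, by_chain = [], {}
    for rule in rules:
        by_chain.setdefault(rule["chain"], []).append(rule)
    for chain, chain_rules in by_chain.items():
        first_general_accept = None
        for pos, rule in enumerate(chain_rules, 1):
            action = rule.get("action")
            cstate = rule.get("connection-state", "")
            name = rule.get("comment", "<no comment>")
            disabled = rule.get("disabled") == "yes"
            if cstate == "invalid":
                if disabled or action != "drop":
                    findings.append(("invalid-not-dropped", chain, pos, name))
                if first_general_accept is not None:
                    findings.append(("invalid-misplaced", chain, pos, name))
            if disabled:
                continue
            hot_path = action == "fasttrack-connection" or cstate == "established,related"
            catch_all = action == "drop" and (set(rule) - NON_MATCH_KEYS) <= IFACE_KEYS
            if rule.get("log") == "yes" and (hot_path or catch_all):
                findings.append(("noisy-log", chain, pos, name))
            if action == "drop" and "limit" in rule:
                # Packets above the rate do not match, so they fall through to later rules.
                findings.append(("limit-on-drop", chain, pos, name))
            from_wan = (rule.get("in-interface") == WAN_IFACE
                        or rule.get("in-interface-list") == "WAN")
            if (chain == "forward" and action == "accept" and from_wan
                    and not ({"src-address", "src-address-list"} & set(rule))):
                findings.append(("unrestricted-wan-accept", chain, pos, name))
            if action == "accept" and cstate != "established,related" and first_general_accept is None:
                first_general_accept = pos
    return findings


if __name__ == "__main__":
    for code, chain, pos, name in audit(parse_filter_rules(SAMPLE_EXPORT)):
        print(f"{chain:8} #{pos:<2} {code:24} {name}")
```

The `unrestricted-wan-accept` finding is a review prompt rather than a verdict: in the configuration posted earlier the matching dst-nat rules carry `src-address-list=safelist`, so a packet only reaches those forward rules with a private destination after it has passed the safelist; the forward rule itself, though, would accept from any source if the NAT rule were ever loosened.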
Joe
just joined
Topic Author
Posts: 8
Joined: Tue Dec 03, 2024 5:42 am

Re: RDP HELP!

Fri Dec 06, 2024 1:48 am

Many thanks - looking at the config I've posted, it suggests logging is on, but it's not, bar one rule, which I've turned off.
However, I don't see it changing any of the dropouts.

re: this rule

add action=log chain=forward comment="Drop invalid connections" \
connection-state=invalid disabled=yes log=yes log-prefix=\
"Drop invalid RULE 68"


It's actually disabled as it breaks things, as I can see a lot of RSTs - so far only non-RDP servers.

Drop invalid RULE 68 forward: in:bridge1 out:sfp1, connection-state:invalid src-mac 18:a9:05:41:60:0a, proto TCP (RST), 192.168.0.174:59052->162.247.243.29:443, len 40
Drop invalid RULE 68 forward: in:bridge1 out:sfp1, connection-state:invalid src-mac d8:d3:85:60:80:1e, proto TCP (RST), 192.168.0.176:443->14.200.38.198:49902, len 40
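The two log lines above are the evidence for what the invalid-drop rule actually hits. As an added example, not code from the thread, here is a Python triage script that parses RouterOS firewall log lines of that shape, works out which LAN host each drop concerns and whether that host was the server or the client in the flow, and reports whether any RDP server is among them. The first two lines of the sample feed are the ones posted above; the remaining lines, the LAN range and the service port table are constructed assumptions.

```python
"""Triage RouterOS firewall log lines for 'connection-state:invalid' drops, in
the format the thread's 'Drop invalid RULE 68' rule produces.  Added example;
not code from the thread."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")   # assumption: the LAN used in the thread
SERVICES = {25: "smtp", 53: "dns", 80: "http", 443: "https", 3389: "rdp"}  # ports worth naming

# The first two lines are the ones posted in the thread; the rest are constructed
# to cover an RDP server, a non-TCP packet and a non-firewall line in the same feed.
SAMPLE_LOG = """\
Drop invalid RULE 68 forward: in:bridge1 out:sfp1, connection-state:invalid src-mac 18:a9:05:41:60:0a, proto TCP (RST), 192.168.0.174:59052->162.247.243.29:443, len 40
Drop invalid RULE 68 forward: in:bridge1 out:sfp1, connection-state:invalid src-mac d8:d3:85:60:80:1e, proto TCP (RST), 192.168.0.176:443->14.200.38.198:49902, len 40
Drop invalid RULE 68 forward: in:bridge1 out:sfp1, connection-state:invalid src-mac 00:11:22:33:44:55, proto TCP (RST), 192.168.0.88:3389->203.0.113.10:51234, len 40
Drop invalid RULE 68 forward: in:sfp1 out:bridge1, connection-state:invalid src-mac 00:11:22:33:44:66, proto UDP, 203.0.113.5:53->192.168.0.20:41000, len 80
sshd[1234]: Failed password for root from 203.0.113.9 port 22 ssh2
"""

# 'out:' may read '(unknown 0)' on input-chain lines, hence [^,]+ rather than \S+.
LOG_RE = re.compile(
    r"^(?P<prefix>.*?) (?P<chain>input|forward|output): "
    r"in:(?P<iin>\S+) out:(?P<iout>[^,]+), connection-state:(?P<state>\S+) "
    r"src-mac (?P<mac>[0-9a-f:]{17}), proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)


@dataclass
class InvalidDrop:
    host: str        # the LAN address the packet concerns
    direction: str   # outbound = LAN host sent it, inbound = LAN host was the target
    role: str        # server / client / unknown: which end of the flow the LAN host is
    service: str
    proto: str
    flags: str       # TCP flags as logged, empty for other protocols
    raw: str


def parse_line(line):
    """Return the regex groups for a firewall log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(fields, raw):
    """Decide which LAN host the drop is about and which end of the flow it is."""
    src, dst = ip_address(fields["src"]), ip_address(fields["dst"])
    sport, dport = int(fields["sport"]), int(fields["dport"])
    if src in LAN:
        host, lan_port, peer_port, direction = str(src), sport, dport, "outbound"
    elif dst in LAN:
        host, lan_port, peer_port, direction = str(dst), dport, sport, "inbound"
    else:
        return None                      # transit traffic, not about a LAN host
    if lan_port in SERVICES:
        role, service = "server", SERVICES[lan_port]
    elif peer_port in SERVICES:
        role, service = "client", SERVICES[peer_port]
    else:
        role, service = "unknown", f"{fields['proto'].lower()}/{peer_port}"
    return InvalidDrop(host, direction, role, service, fields["proto"],
                       fields["flags"] or "", raw)


def triage(text):
    """Parse a log feed and keep only the invalid-state drops that concern LAN hosts."""
    drops = []
    for raw in text.splitlines():
        fields = parse_line(raw)
        if fields and fields["state"] == "invalid":
            entry = classify(fields, raw)
            if entry:
                drops.append(entry)
    return drops


def summarize(drops):
    """Count drops per (host, role, service) to see who is producing them."""
    return Counter((d.host, d.role, d.service) for d in drops)


def rdp_hosts(drops):
    """LAN hosts whose RDP flows were hit; the question the thread is asking."""
    return sorted({d.host for d in drops if d.service == "rdp"})


if __name__ == "__main__":
    drops = triage(SAMPLE_LOG)
    for (host, role, service), n in summarize(drops).items():
        print(f"{host:15} {role:7} {service:6} x{n}")
    print("RDP servers affected:", rdp_hosts(drops) or "none")
```

Run as a script it prints a per-host tally and the list of RDP servers seen. A RST sent from a LAN server's own service port, as in the second line above, is the server tearing down a flow that connection tracking could not match to a known connection; the constructed third line is the RDP-server case the thread is trying to rule in or out, which the plain two-line sample cannot show on its own.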
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: RDP HELP!

Fri Dec 06, 2024 7:12 am

The question is whether the second config you posted is after the changes: I don't see any of the ICMP rules you wrote that you created.

The situation you mention with the RST packet is known: some servers reply with a RST instead of a FIN to immediately tear down the connection. I remember mentions of that being related to ECN; you can try disabling it on the server with
netsh int tcp set global ecncapability=disabled
and see if it helps. There is a way to create a mangle rule to remove the ECN; I will look into that later.
 
Joe
just joined
Topic Author
Posts: 8
Joined: Tue Dec 03, 2024 5:42 am

Re: RDP HELP!

Sun Dec 08, 2024 4:47 am

Hmmm, re: netsh int tcp set global ecncapability=disabled - OK, sure, I'll give it a try.
What about on the RDP servers?


Is this the ICMP rule? This is only allowing ICMP from my customers. This is in place - not a lot of traffic recorded on the counters (40KB).

add action=accept chain=input comment="allow pings from customers" src-address-list=\
CUSTOMERS in-interface=sfp1 log=yes log-prefix=\
"IMCP traffic Rule 21" protocol=icmp
 
vingjfg
Member
Posts: 411
Joined: Fri Oct 20, 2023 1:45 pm

Re: RDP HELP!

Sun Dec 08, 2024 3:19 pm

On Windows servers, you can disable the ecncapability without issue.

For the rule, yes, but don't forget the NAT rules - something that looks like
/ip firewall nat 
...
add action=dst-nat chain=dstnat comment="SERVER03 (Rule 249bis) " \
dst-address=200.200.200.34 in-interface=sfp1 protocol=icmp \
src-address-list=CountryIPAustralia to-addresses=192.168.0.148

add action=dst-nat chain=dstnat comment="SERVER07 (Rule 249bis) " \
dst-address=200.200.200.37 in-interface=sfp1 protocol=icmp \
src-address-list=CountryIPAustralia to-addresses=192.168.0.120
What you want is the path MTU to be established all the way, not just to your firewall.

Can you repost a full configuration with the changes? Between code tags, please.
 
Joe
just joined
Topic Author
Posts: 8
Joined: Tue Dec 03, 2024 5:42 am

Re: RDP HELP!

Tue Dec 10, 2024 9:06 am

Will do - just addressing users' temperatures ;-)
