
How do I port forward RDC, and https?

Posted: Wed Jan 26, 2011 7:28 pm
by Ick
How do I port forward RDC (3389) from the WAN side to a private address on the inside? Also HTTPS (443)?

Re: How do I port forward RDC, and https?

Posted: Wed Jan 26, 2011 7:35 pm
by fewi
http://wiki.mikrotik.com/wiki/Manual:IP ... rt_mapping
/ip firewall nat
add chain=dstnat in-interface=WAN protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.1.10
add chain=dstnat in-interface=WAN protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.1.11
Replace with your IP addresses and interface names, of course.

Re: How do I port forward RDC, and https?

Posted: Wed Jan 26, 2011 8:18 pm
by Ick
Thank you, I was missing the "in-interface=WAN"

Re: How do I port forward RDC, and https?

Posted: Thu Jan 27, 2011 1:42 am
by Ick
One more thing:

With this rule in I can now get into my workstation via RDC from an outside connection. 8)

Now my workstation on the inside is the only one that cannot connect via RDC out to a remote desktop. :?

Re: How do I port forward RDC, and https?

Posted: Thu Jan 27, 2011 1:50 am
by fewi
Post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export", and an accurate network diagram.

Re: How do I port forward RDC, and https?

Posted: Thu Jan 27, 2011 5:27 pm
by Ick
I tried to PM you with the info as I'm not totally comfortable with posting all of my info in this thread, but it says I'm not authorized to do so. How else can I get the info to you?

Re: How do I port forward RDC, and https?

Posted: Thu Jan 27, 2011 5:29 pm
by fewi
There are no PMs on this forum. Post the information here. If you need 1:1 consultation there's a list on the Mikrotik website listing consultants you can hire.

Re: How do I port forward RDC, and https?

Posted: Fri Jan 28, 2011 12:55 am
by Ick
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Public Static
address=199.X.X.X/28 network=199.X.X.X broadcast=199.X.X.X
interface=Public actual-interface=Public

1 ;;; Internal Privates
address=10.X.X.X/24 network=10.X.X.X broadcast=10.X.X.X
interface=ether2-local-master actual-interface=ether2-local-master
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=199.X.X.X
gateway-status=199.X.X.X reachable Public distance=1 scope=30
target-scope=10

1 ADC dst-address=10.X.X.X/24 pref-src=10.X.X.X
gateway=ether2-local-master
gateway-status=ether2-local-master reachable distance=0 scope=10

2 ADC dst-address=199.X.X.X/28 pref-src=199.X.X.X gateway=Public
gateway-status=Public reachable distance=0 scope=10
[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R Public ether 1500 1524
1 R ether2-local-master ether 1500 1524
2 ether3-local-slave ether 1500 1524
3 R ether4-local-slave ether 1500 1524
4 R ether5-local-slave ether 1500 1524
[admin@MikroTik] > /ip firewall export
# jan/07/1970 21:23:56 by RouterOS 4.16
# software id = FK91-TZAZ
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no in-interface=Public
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no in-interface=Public
add action=accept chain=input comment="Winbox Access from Wan" disabled=no \
in-interface=Public port=8291 protocol=tcp
add action=drop chain=input comment="default configuration" disabled=no \
in-interface=Public
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
no out-interface=Public
add action=dst-nat chain=dstnat comment="Eric VNC Help Desk" disabled=no \
dst-port=5999 protocol=tcp to-addresses=10.X.X.X to-ports=5999
add action=dst-nat chain=dstnat comment="Eric VNC Help Desk" disabled=no \
dst-port=5999 protocol=udp to-addresses=10.X.X.X to-ports=5999
add action=dst-nat chain=dstnat comment="Cam VNC Help Desk" disabled=no \
dst-port=5998 protocol=tcp to-addresses=10.X.X.X to-ports=5998
add action=dst-nat chain=dstnat comment="Cam VNC Help Desk" disabled=no \
dst-port=5998 protocol=udp to-addresses=10.X.X.X to-ports=5998
add action=dst-nat chain=dstnat comment="Marv VNC Help Desk" disabled=no \
dst-port=5997 protocol=tcp to-addresses=10.X.X.X to-ports=5997
add action=dst-nat chain=dstnat comment="Marv VNC Help Desk" disabled=no \
dst-port=5997 protocol=udp to-addresses=10.X.X.X to-ports=5997
add action=dst-nat chain=dstnat comment="Remote Desktop to Eric Workstation" \
disabled=no dst-port=3389 in-interface=Public protocol=tcp to-addresses=\
10.X.X.X
add action=dst-nat chain=dstnat comment="Remote Desktop to Eric workstation" \
disabled=yes dst-port=3389 in-interface=Public protocol=udp to-addresses=\
10.X.X.X
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] >

Re: How do I port forward RDC, and https?

Posted: Fri Jan 28, 2011 1:00 am
by fewi
You should add in-interface=Public to all your dstnat rules; the VNC ones don't have that, and that would be a problem whenever you're connecting to ports 5997-5999 from inside the network to the Internet.

However, I don't see anything that would be blocking a client on the inside from connecting to a host on the Internet on port 3389. From what you're showing that should be working just fine. No firewall filters in the way, and NAT is set up correctly.
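As an added illustration of the in-interface point made in this thread (example configuration, not code from any post above), here is the dstnat rule shape without in-interface beside the corrected one, plus a variant that also limits which Internet sources may reach the forward. The WAN interface name "Public", the inside RDP host 10.0.0.10, the address list "rdp-allowed" and the 203.0.113.0/24 source range are assumptions made for the example; replace them with your own values.

```routeros
# Added example, not from the thread. Assumed names: WAN interface "Public",
# inside RDP host 10.0.0.10, allowed-source list "rdp-allowed".

/ip firewall nat
# Weak: no in-interface. This matches ANY packet to tcp/3389 that traverses
# the dstnat chain, including a LAN client connecting OUT to a remote desktop
# on the Internet; that client's destination is silently rewritten to
# 10.0.0.10. Kept disabled here only to show the contrast.
add chain=dstnat protocol=tcp dst-port=3389 action=dst-nat to-addresses=10.0.0.10 \
    comment="RDP forward (weak: also catches outbound 3389)" disabled=yes

# Corrected: only traffic that arrives on the WAN interface is rewritten,
# so outbound RDP from the LAN is left alone.
add chain=dstnat in-interface=Public protocol=tcp dst-port=3389 action=dst-nat \
    to-addresses=10.0.0.10 comment="RDP forward (WAN only)"

# Tighter: same forward, but only from a known source range. Enable this one
# and disable the rule above once the client addresses are known (assumed
# range below); rule order matters, so the first matching rule wins.
/ip firewall address-list
add list=rdp-allowed address=203.0.113.0/24 comment="assumed client range"
/ip firewall nat
add chain=dstnat in-interface=Public src-address-list=rdp-allowed protocol=tcp \
    dst-port=3389 action=dst-nat to-addresses=10.0.0.10 \
    comment="RDP forward (WAN, allowed sources only)" disabled=yes

# Checks: per-rule packet/byte counters show which dstnat rule is actually
# matching, and the connection table shows the live translations.
/ip firewall nat print stats
/ip firewall connection print
```

To reproduce the symptom described in the thread, enable the weak rule, disable the corrected one, and open an RDP session from a LAN host to an outside address: the counter on the weak rule increments and the connection table shows the outside destination replaced by 10.0.0.10.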