Solved: Re: RV016 Firewall Issue

briankays · ‎09-15-2009

Hello,

I unboxed my RV016 yesterday hoping to replace a SmoothWall 3.0 Router and achieve stable VPN tunnels to RV042 routers out in the field. I have created three VLAN's thus far and have a VPN tunnel to a remote site setup and the basics are working well.

The Smoothwall had 4 network cards in it and was configured as follows:

Red - dynamic IP w/ DynDns Host connected to Cable Modem

Green - my "safe" network 172.30.250.0/24 (now VLAN1)

Purple - my "gamer" network for the kids 172.29.250.0/24 (now VLAN2)

Orange - my "work on infested client computers" DMZ type network 172.28.250.0/24 (now VLAN3)

On the smoothie I had defined a pinhole (port forwarding) between Purple and Green to allow for a remote desktop connection to my main workstation on the green network (I changed the default port from 3389 to 2278).

I don't see a way to define pinholes with VLANs in the RV016 so I thought a workaround would be to go out and come back in. In an attempt to achieve this I configured a firewall rule as follows:

Action: Allow

Service: RDP [2278]

Source Interface: WAN1

Source: Any

Destination: 172.30.250.254~172.30.250.254 (my workstation on VLAN1)

When I try to connect, it bounces back fast (usually indicating a denial). Any ideas why this might not be working?

TIA

PS: Firmware 3.0.0.19-tm

David Carr · ‎09-16-2009

I know what the issue is. Set the rdp up in port forwarding, instead of using an access list. That way it will forward the rdp request directly to the computer behind the firewall. Set that up in the port forwarding tab.

View solution in original post

David Carr · ‎09-15-2009

Is there any way you can change the rdp port back to 3389 just to see if you can connect to the device. If you can then we can eliminate that the router is denying rdp.

briankays · ‎09-15-2009

Hello David,

Thanks for your response. I did as you instructed and changed the RDP port back to 3389. I then added RDP[3389] to the service list and created an allow rule as above. No go. An intersting point to note is that there is no log entry for the deny policy when I'm trying to go out on vlan2 and come back through the wan (I'm using my dyndns name, I'm assuming it's travelling out on the Internet and then back in and not being routed directly).

I tried another troubleshooting step which was to log in to a remote server via Logmein. I then initiated an RDP session to my dyndns.org address. I was still denied access but this time the log had the following entry:

Connection Refused - Policy violation TCP 70.xxx.xxx.xxx:3795->71.xxx.xxx.xxx:3389 on ixp1

So it seems that the firewall is denying the connection from the inside as well as from an outside source.

Maybe it's a firware issue? Think I should downgrade?

Again - thanks for any help you can provide.

David Carr · ‎09-16-2009

I know what the issue is. Set the rdp up in port forwarding, instead of using an access list. That way it will forward the rdp request directly to the computer behind the firewall. Set that up in the port forwarding tab.

briankays · ‎09-16-2009

That was it David. Not sure how I missed it - I've done port forwarding on Linksys routers for years. For some reason it was invisible to me. Perhaps because it's called "Forwarding" and I was looking for "Port Forwarding".

Anyway - I've got everything setup and working. It's a great little router!

Thanks again.

David Carr · ‎09-16-2009

Perfect, glad i could help.