1) Configure the VIP for RDP.
External IP address (WAN IP): 10.47.3.70
Internal IP address (LAN IP): 10.154.3.73
External RDP port: 3389
Internal RDP port: 4865
Version 7.0.5 from CLI:
# config firewall vip
    edit "RDP_VIP"
        set id 0
        set uuid 5dea9a42-bc94-51ec-f537-f62f295c39ba
        set comment "RDP_VIP"
        set type static-nat
        set extip 10.47.3.70
        set nat44 enable
        set nat46 disable
        set mappedip "10.154.3.73"
        set extintf "any"
        set arp-reply enable
        set nat-source-vip disable
        set portforward enable
        set gratuitous-arp-interval 0
        set ssl-client-rekey-count 0
        set color 0
        set protocol tcp
        set extport 3389
        set mappedport 4865
        set portmapping-type 1-to-1
    next
end
From GUI: (screenshot not reproduced in this text)
Note: with portforward enabled, only TCP 3389 arriving at 10.47.3.70 is translated, to 10.154.3.73:4865; other ports are not forwarded by this VIP. The VIP is bound to extintf "any", so the DNAT lookup is evaluated for traffic on every interface; binding it to the WAN interface (port1) keeps the translation where it is intended. The firewall policy in step 2 still has to permit the translated traffic.
2) Configure a firewall policy to allow RDP via the VIP.
Source Interface: External/WAN (port1)
Destination Interface: Internal/LAN (port3)
Source Address: all
Destination Address: RDP_VIP
Service: ALL
Action: Accept
NAT: enabled
Version 7.0.5 from CLI:
# config firewall policy
    edit 6
        set name "VIP_RDP"
        set uuid 9b63637c-bc94-51ec-a41f-8dd40c0681bf
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "RDP_VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
From GUI: (screenshot not reproduced in this text)
Notes:
- Source Address 'all' with Service 'ALL' publishes the VIP to the whole internet. The VIP itself only forwards TCP 3389, but the policy should still use a dedicated RDP service object (TCP 3389) rather than ALL, and, where the client population is known, a source address object or geography restriction; internet-exposed RDP is a routine brute-force and credential-stuffing target.
- 'set nat enable' also source-NATs the forwarded connection. In the debug output of step 5 the inner connection appears as 10.154.3.70 -> 10.154.3.73:4865, so the Windows host and its security event log see the FortiGate's LAN address, not the real client. Keep 'set logtraffic all' and use the FortiGate traffic log for source attribution, or disable NAT on this policy if the internal host must see the true client address (it then needs a route back through the FortiGate).
3) Change the RDP listener port from 3389 to 4865 in the registry of the internal LAN host.
Windows 10:
- Press Windows logo + R, type regedit and press Enter (Registry Editor).
- Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
- Double-click the PortNumber value (REG_DWORD).
- Select Decimal as the base.
- Enter the new port number (4865) and select OK.
- Close the Registry Editor and restart the host (or restart the Remote Desktop Services service); the new port is read only when the service starts.
IMPORTANT:
- Enable Remote Desktop: Control Panel -> System and Security -> System -> Remote settings -> 'Allow remote connections to this computer' (or Settings -> System -> Remote Desktop). Leave 'Allow connections only from computers running Remote Desktop with Network Level Authentication' enabled.
- If Windows Defender Firewall is enabled, the built-in Remote Desktop rules only allow port 3389; create an inbound rule that allows TCP 4865 as the customized RDP port.
- Changing the listener port only hides RDP from the most casual internal scans; the external port is still the default 3389, so strong credentials, NLA and account lockout remain the controls that matter.
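The registry, firewall and service steps above as one script, added here as an example and not taken from the original article. It assumes the new listener port (4865) equals the VIP's mappedport and, because the FortiGate policy has 'set nat enable', that forwarded RDP reaches the host from the FortiGate's LAN-side address 10.154.3.70 (the SNAT address visible in the step 5 debug output); both are script parameters. Run it from an elevated PowerShell prompt on the console or a non-RDP session, because restarting TermService drops existing RDP sessions.

```powershell
# Added example (not from the original article): move the RDP listener to a custom port,
# open that port in Windows Defender Firewall and restart the listener, with checks.
# Assumptions: $NewPort matches the VIP mappedport; $AllowedSource is the FortiGate's
# SNAT address seen by this host (10.154.3.70 in the article's debug output).
param(
    [ValidateRange(1024, 65535)] [int] $NewPort       = 4865,
    [string]                           $AllowedSource = '10.154.3.70'
)

$ErrorActionPreference = 'Stop'
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Fail early rather than silently stacking a dead listener on a port another service owns.
$clash = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if ($clash) { throw "TCP $NewPort is already bound by PID $($clash.OwningProcess)" }

# PortNumber is a REG_DWORD; -Type DWord is the CLI equivalent of choosing Decimal in regedit.
$oldPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
Set-ItemProperty -Path $rdpTcp -Name PortNumber -Value $NewPort -Type DWord

# Enable Remote Desktop ("Allow remote connections to this computer") and keep Network Level
# Authentication on so the client authenticates before a session is created.
Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

# The built-in "Remote Desktop" rules are tied to 3389, so add a rule for the custom port,
# scoped to the FortiGate's SNAT address. If policy NAT is ever disabled, widen RemoteAddress
# to the real client ranges or this rule starts dropping legitimate sessions.
$ruleName = "RDP custom port $NewPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $NewPort -RemoteAddress $AllowedSource -Action Allow | Out-Null
}

# Remote Desktop Services reads PortNumber at start-up, so a service restart replaces the
# reboot in the manual procedure. -Force also restarts the dependent services.
Restart-Service -Name TermService -Force

# Verify: the listener must now be on the new port and no longer on the old one.
$new = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
$old = Get-NetTCPConnection -State Listen -LocalPort $oldPort -ErrorAction SilentlyContinue
if (-not $new) { throw "No listener on TCP $NewPort after restart; check the registry value and TermService" }
if ($old -and $oldPort -ne $NewPort) { Write-Warning "Something still listens on TCP $oldPort (PID $($old.OwningProcess))" }
"RDP listener moved from $oldPort to $NewPort (PID $($new.OwningProcess))"
```

The pre-flight port check and the post-restart listener check are what the manual procedure lacks: a typo in PortNumber or a port already in use leaves the host unreachable over RDP with no error from regedit.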
4) Test the RDP connection.
On the external client, open Remote Desktop Connection (mstsc), enter the external (WAN) IP address 10.47.3.70 (no port suffix is needed because the external port is the RDP default, 3389) and the username of an account on the internal (LAN) host. The FortiGate translates the connection to 10.154.3.73:4865.
5) Refer to the debug flow output below from a successful RDP connection. The filter matches the pre-NAT destination (the VIP address and external port). The lines that confirm the configuration are 'find DNAT: IP-10.154.3.73, port-4865', 'DNAT 10.47.3.70:3389->10.154.3.73:4865' and 'Allowed by Policy-6: SNAT'.
# diag debug reset
# diag debug flow filter addr 10.47.3.70
# diag debug flow filter port 3389
# diag debug flow show function-name enable
# diag debug flow show iprope enable
# diag debug console timestamp enable
# diag debug flow trace start 100
# diag debug enable
To end:
# diag debug disable
# diag debug reset
2022-04-22 19:11:37 id=20085 trace_id=24 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.244.165:50447->10.47.3.70:3389) tun_id=0.0.0.0 from port1. flag [S], seq 530146839, ack 0, win 64240"
2022-04-22 19:11:37 id=20085 trace_id=24 func=init_ip_session_common line=6003 msg="allocate a new session-0663ec13, tun_id=0.0.0.0"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_dnat_check line=5306 msg="in-[port1], out-[]"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_dnat_tree_check line=830 msg="len=1"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_check_one_dnat_policy line=5166 msg="checking gnum-100000 policy-1"
2022-04-22 19:11:37 id=20085 trace_id=24 func=get_new_addr line=1227 msg="find DNAT: IP-10.154.3.73, port-4865"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_check_one_dnat_policy line=5261 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_dnat_check line=5318 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
2022-04-22 19:11:37 id=20085 trace_id=24 func=fw_pre_route_handler line=178 msg="VIP-10.154.3.73:4865, outdev-port1"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__ip_session_run_tuple line=3502 msg="DNAT 10.47.3.70:3389->10.154.3.73:4865"
2022-04-22 19:11:37 id=20085 trace_id=24 func=vf_ip_route_input_common line=2604 msg="find a route: flag=00000000 gw-10.154.3.73 via port3"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_fwd_check line=788 msg="in-[port1], out-[port3], skb_flags-020000c0, vid-1, app_id: 0, url_cat_id: 0"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_tree_check line=561 msg="gnum-100004, use addr/intf hash, len=2"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_check_one_policy line=2029 msg="checked gnum-100004 policy-6, ret-matched, act-accept"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_user_identity_check line=1817 msg="ret-matched"
2022-04-22 19:11:37 id=20085 trace_id=24 func=get_new_addr line=1227 msg="find SNAT: IP-10.154.3.70(from IPPOOL), port-50447"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__iprope_check_one_policy line=2247 msg="policy-6 is matched, act-accept"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_fwd_check line=825 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-6"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_fwd_auth_check line=844 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-accept, idx-6"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_reverse_dnat_check line=1306 msg="in-[port1], out-[port3], skb_flags-020000c0, vid-1"
2022-04-22 19:11:37 id=20085 trace_id=24 func=iprope_reverse_dnat_tree_check line=923 msg="len=0"
2022-04-22 19:11:37 id=20085 trace_id=24 func=fw_forward_handler line=874 msg="Allowed by Policy-6: SNAT"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__ip_session_run_tuple line=3489 msg="SNAT 192.168.244.165->10.154.3.70:50447"
2022-04-22 19:11:37 id=20085 trace_id=25 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.244.165:50447->10.47.3.70:3389) tun_id=0.0.0.0 from port1. flag [.], seq 530146840, ack 784303826, win 1026"
2022-04-22 19:11:37 id=20085 trace_id=25 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-0663ec13, original direction"
2022-04-22 19:11:37 id=20085 trace_id=25 func=__ip_session_run_tuple line=3502 msg="DNAT 10.47.3.70:3389->10.154.3.73:4865"
2022-04-22 19:11:37 id=20085 trace_id=25 func=npu_handle_session44 line=1162 msg="Trying to offloading session from port1 to port3, skb.npu_flag=00000400 ses.state=04000204 ses.npu_state=0x00000100"
2022-04-22 19:11:37 id=20085 trace_id=25 func=fw_forward_dirty_handler line=410 msg="state=04000204, state2=00000001, npu_state=00000100"
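Reading a flow trace by eye is error-prone once more than one session is in the capture. The script below, added here as an example and not part of the original article, parses a saved "diag debug flow" trace into one record per trace_id and checks that the VIP produced the expected DNAT and that the expected policy allowed it. The sample trace is a subset of the article's own output, embedded inline so the script runs offline; the regular expressions rely only on the key=value / msg="..." layout shown above, and the 'Denied by forward policy check' branch is included for the failure case even though the article's trace has no such line.

```powershell
# Added example (not from the original article): parse FortiGate "diag debug flow" output
# and verify the DNAT target and the allowing policy for each trace_id.

function ConvertFrom-FgtFlowTrace {
    param([Parameter(Mandatory)] [string[]] $Lines)

    $traces = [ordered]@{}          # keyed by trace_id as a string (ordered dict, positional int keys avoided)
    foreach ($line in $Lines) {
        if ($line -notmatch 'trace_id=(\d+)\s.*?func=(\S+)\s.*?msg="(.*)"\s*$') { continue }
        $id = $Matches[1]; $msg = $Matches[3]
        if (-not $traces.Contains($id)) {
            $traces[$id] = [ordered]@{ TraceId = [int]$id; Packet = $null; DNAT = $null
                                       SNAT = $null; Policy = $null; Verdict = $null }
        }
        $t = $traces[$id]           # reference to the same ordered dictionary
        switch -Regex ($msg) {
            'received a packet\(proto=(\d+), (\S+)->(\S+)\)'  { $t.Packet = "$($Matches[2])->$($Matches[3])" }
            '^DNAT (\S+)->(\S+)$'                             { $t.DNAT = $Matches[2] }
            '^SNAT (\S+)->(\S+)$'                             { $t.SNAT = $Matches[2] }
            'Allowed by Policy-(\d+)'                         { $t.Policy = [int]$Matches[1]; $t.Verdict = 'allow' }
            'Denied by forward policy check \(policy (\d+)\)' { $t.Policy = [int]$Matches[1]; $t.Verdict = 'deny' }
            'Find an existing session'                        { $t.Verdict = 'existing-session' }
        }
    }
    foreach ($t in $traces.Values) { [pscustomobject]$t }
}

function Test-VipFlow {
    # Compare one parsed trace against what the VIP and policy are supposed to do.
    param([Parameter(Mandatory)] $Trace, [string] $ExpectedDnat, [int] $ExpectedPolicy)
    $problems = @()
    if ($Trace.DNAT -ne $ExpectedDnat) { $problems += "DNAT is '$($Trace.DNAT)', expected '$ExpectedDnat'" }
    if ($Trace.Verdict -ne 'allow')    { $problems += "verdict is '$($Trace.Verdict)', not allow" }
    elseif ($Trace.Policy -ne $ExpectedPolicy) { $problems += "allowed by policy $($Trace.Policy), expected $ExpectedPolicy" }
    [pscustomobject]@{ TraceId = $Trace.TraceId; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
}

# Constructed sample: a subset of the article's trace, one SYN (trace 24) and one follow-up packet (trace 25).
$sample = @'
2022-04-22 19:11:37 id=20085 trace_id=24 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.244.165:50447->10.47.3.70:3389) tun_id=0.0.0.0 from port1. flag [S], seq 530146839, ack 0, win 64240"
2022-04-22 19:11:37 id=20085 trace_id=24 func=get_new_addr line=1227 msg="find DNAT: IP-10.154.3.73, port-4865"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__ip_session_run_tuple line=3502 msg="DNAT 10.47.3.70:3389->10.154.3.73:4865"
2022-04-22 19:11:37 id=20085 trace_id=24 func=fw_forward_handler line=874 msg="Allowed by Policy-6: SNAT"
2022-04-22 19:11:37 id=20085 trace_id=24 func=__ip_session_run_tuple line=3489 msg="SNAT 192.168.244.165->10.154.3.70:50447"
2022-04-22 19:11:37 id=20085 trace_id=25 func=print_pkt_detail line=5824 msg="vd-root:0 received a packet(proto=6, 192.168.244.165:50447->10.47.3.70:3389) tun_id=0.0.0.0 from port1. flag [.], seq 530146840, ack 784303826, win 1026"
2022-04-22 19:11:37 id=20085 trace_id=25 func=resolve_ip_tuple_fast line=5910 msg="Find an existing session, id-0663ec13, original direction"
'@ -split "`r?`n"

$flows = ConvertFrom-FgtFlowTrace -Lines $sample
$flows | Format-Table TraceId, Packet, DNAT, SNAT, Policy, Verdict -AutoSize

# Trace 24 should show DNAT to 10.154.3.73:4865 and an allow by policy 6; trace 25 is only a session hit.
Test-VipFlow -Trace $flows[0] -ExpectedDnat '10.154.3.73:4865' -ExpectedPolicy 6
```

Only the first packet of a session carries the policy lookup; later packets (trace 25) are matched to the existing session and re-apply the stored DNAT, which is why the check is run against the SYN's trace only. For a real capture, replace the embedded sample with Get-Content on a file saved from the console session.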