DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Firewall rule to allow multiple IPs for RDP

27 Feb 2013 14:18 #75375 by vindex
Hi,

I have a DrayTek 2830 (FW 3.3.6.1db_232201). I'm trying to set up an allow rule on the firewall for 5 IPs (soon to be more) that need to access a terminal server on the network.

First I have opened the port
NAT - Open Ports
Index - 1 / Enable - Ticked / Comment - RDP / WAN Interface - WAN1 / Local Computer - TS IP / Protocol - TCP / Start Port 3389 / End Port - 3389

Then created the IP Objects for each of the external IPs
Object Setting - IP Object
Index - 1 / Name - Site1 / Interface - ANY / Address Type - Single / Start Address - Public IP of Site1 / Invert Selection - Ticked

Then created an IP Group to bundle all the IPs together
Object Setting - IP Group
Index - 1 / Name - RDP_GROUP / Interface - WAN / Moved all the sites to Selected IP Objects

Then created the Firewall rule
Firewall - General Setup
Ticked Call Filter - Enabled / Start Filter Set - Set#1/ Ticked Data Filter - Enabled / Start Filter Set - Set#2
Ticked Accept large incoming .....
Ticked Enable Strict Security Firewall

Filter Setup - Default Data Filter
Filter Rule 2 - Enabled / Comments - rdp_allow / Direction - WAN -> LAN/RT/VPN / Source IP - RDP_GROUP / Destination IP - TS IP / Service Type: TCP, Port: From any to 3389 / Fragments - Don't Care / Block Immediately

I can't seem to get it to work, it just blocks everything.

I've tried setting up the filter without using groups and putting in a single site IP address, for the source, and ticking invert selection and it works fine...

Could someone enlighten me as to the correct procedure?

Thanks

01 Mar 2013 11:19 #75396 by sicon
With the open port it will allow ANY address to connect in on the port.
You need to create a rule in the Data Filter: Source ANY, Destination ANY, Service RDP, set to "Block if no further match".
Then under that rule create another rule with the source of your allowed IPs and the service of RDP, set to Pass.

It will then work

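To see why the grouped, invert-selected objects block everything while sicon's two-rule layout passes only the listed sites, here is a small model of the data filter walk. This is an added example, not code from the forum or from DrayTek: the addresses are constructed, and it assumes that a group matches when any member object matches and that "Block if no further match" only takes effect if no later rule matches.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class IPObject:
    address: str
    invert: bool = False  # "Invert Selection" ticked on the object

    def matches(self, src: str) -> bool:
        hit = ipaddress.ip_address(src) == ipaddress.ip_address(self.address)
        return (not hit) if self.invert else hit


@dataclass
class Rule:
    comment: str
    sources: list          # IPObject members of the source group; empty = ANY
    action: str            # pass | block | pass_if_no_further_match | block_if_no_further_match

    def matches(self, src: str) -> bool:
        # Assumption: a group is an OR over its member objects
        return not self.sources or any(o.matches(src) for o in self.sources)


def evaluate(rules: list, src: str, default: str = "pass") -> str:
    """Walk the filter top to bottom for one inbound TCP/3389 connection.

    default="pass" models the Open Ports entry, which forwards from any address
    when no filter rule blocks it (sicon's first point).
    """
    pending = default
    for rule in rules:
        if not rule.matches(src):
            continue
        if rule.action in ("pass", "block"):
            return rule.action          # "Pass/Block Immediately"
        pending = rule.action.split("_")[0]   # "... if no further match"
    return pending


SITES = ["203.0.113.10", "203.0.113.20", "203.0.113.30"]  # constructed sample sites

# Original post: every object inverted, bundled in a group, action Block Immediately.
# Any source differs from at least one site, so some inverted member always matches.
original = [Rule("rdp_allow", [IPObject(s, invert=True) for s in SITES], "block")]

# sicon's layout: catch-all "Block if no further match", then an explicit Pass.
suggested = [
    Rule("rdp_block_all", [], "block_if_no_further_match"),
    Rule("rdp_allow", [IPObject(s) for s in SITES], "pass"),
]
```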
