Configure routers and Windows for RDP between subnetworks

Started by rogerty, June 18, 2023, 07:50:19 AM


rogerty

Hello,

I have a question about IP connectivity between my home and work networks.

Because I telework from home, for isolation purposes I have this setup at home:

The first router is connected to my provider (using a dynamic IP, not static...) and has the IP 192.168.1.1 (a Movistar router "GPT-2741GNAC").

The second router (ZXHN H367A) is connected to the first router with its WAN port at 192.168.1.2 and its LAN IP set to 192.168.2.1; it is used to connect my office laptop, which has the IP 192.168.2.100.

The third router (Redmi AC2100) is connected to the first router with its WAN port at 192.168.1.3 and its LAN IP set to 192.168.3.1; it is used to connect my home devices to the network 192.168.3.x. My home PC, for example, has the IP 192.168.3.24.

This way, network 192.168.2.x is isolated from network 192.168.3.x.

However, I want to access my home PC through RDP, and only from my office laptop.

Note 1: I am already able to access 192.168.3.24 from any other device in the same 192.168.3.x network.

I've tried to configure the ZXHN for port forwarding with no success; these are the settings I've tried:

In the "Internet" section, "Security", "Port forwarding":

Name: myname
Protocol: TCP and UDP
WAN host IP address: from 192.168.3.24 to 192.168.3.24
LAN host: 192.168.2.100
WAN port: from 3389 to 3389
LAN host port: from 3389 to 3389

Note 3: in "LAN host" I can only enter 192.168.2.x addresses.

Neither ping nor RDP works...

Thanks in advance...

deanwebb

Ping won't work because it is ICMP, which is not explicitly permitted in the rule.

My first step would be a "permit all" rule between the hosts, see if that works. Is there some other filter that needs to be set, like a zone permission?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

OP, you need to make a rule in the router at 192.168.1.3 to allow connections to 192.168.3.24:3389.

Network diagrams can really help here:

[Provider modem, 192.168.1.1] ---> [office router, 192.168.1.2]
  |
  |__\   [home router, 192.168.1.3]
       /


Things to remember: home equipment like this almost always allows traffic outbound. The outbound directions are therefore:
1. office router -> provider modem -> internet
and
2. home router -> provider modem -> internet.

Outbound routing is normally handled by the default route or default gateway!

Since you want to go from office router -> home router, you need to do a couple of things, or rather there are a couple of ways to do this:

1. route from the office net to the home net, and configure a firewall rule on the home router to allow the traffic in to the computer
or
2. don't configure any routes but instead configure a PAT rule (and matching firewall rule) on the home net to translate inside 192.168.3.24:3389 to outside 192.168.1.3:3389, and then from the office computer try to RDP to 192.168.1.3:3389


Option 1 uses routing, so the PAT isn't required, just the firewall rule.

Option 2 uses PAT, so the "outside" IP of your RDP server is 192.168.1.3:3389, and all routers are on that network on the WAN side, so they will just ARP and send traffic to the MAC address.
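
The two options above, and the reason the poster's port forward on the ZXHN cannot work, can be traced hop by hop with a small forwarding model. This is an added example for the thread, not configuration from any of the routers' firmware. It uses the thread's addresses; the rule shapes are assumptions about what a consumer router does: every LAN-to-WAN packet is masqueraded to the router's WAN address, inbound traffic is matched against a stateless allow list of (source, destination, protocol, port), and PAT is a one-to-one DNAT keyed on (protocol, WAN port). The Movistar box at 192.168.1.1 is modelled as knowing only its own segment and the internet.

```python
"""
Toy forwarding model of the poster's three-router layout (example code added
for this thread, not from any of the routers' firmware).  IP addresses are the
ones from the thread; the rule shapes (masquerade on the WAN side, a stateless
inbound allow list, one-to-one DNAT) are assumptions about consumer routers.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

PROVIDER_SEGMENT = ip_network("192.168.1.0/24")  # WAN side of both inner routers
PROVIDER_GW = "192.168.1.1"                      # Movistar router: this segment + internet only


@dataclass
class Router:
    name: str
    wan_ip: str
    lan_net: str
    routes: dict = field(default_factory=dict)    # "prefix" -> next hop on the provider segment
    allow_in: list = field(default_factory=list)  # (src_net, dst_net, proto, dport) permitted WAN->LAN
    dnat: dict = field(default_factory=dict)      # (proto, wan_port) -> (lan_ip, lan_port)

    def permits(self, src, dst, proto, dport) -> bool:
        for s, d, p, port in self.allow_in:
            if (ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
                    and p == proto and (port is None or port == dport)):
                return True
        return False


def owner_of(ip: str, routers) -> Optional[Router]:
    """Router whose LAN contains ip, or None if ip sits on the provider segment."""
    return next((r for r in routers if ip_address(ip) in ip_network(r.lan_net)), None)


def forward(src, dst, proto, dport, routers) -> str:
    """Follow one packet and report where it ends up."""
    src_router = owner_of(src, routers)
    if src_router is not None:
        src = src_router.wan_ip              # masquerade on the way out of the LAN
        next_hop = PROVIDER_GW               # default route unless a static route matches
        for prefix, hop in src_router.routes.items():
            if ip_address(dst) in ip_network(prefix):
                next_hop = hop
        if ip_address(dst) in PROVIDER_SEGMENT:
            next_hop = dst                   # directly connected: ARP and deliver
    else:
        next_hop = dst if ip_address(dst) in PROVIDER_SEGMENT else PROVIDER_GW

    if next_hop == PROVIDER_GW:
        return "no_route"                    # the Movistar box has no route to 192.168.2/3.x

    target = next((r for r in routers if r.wan_ip == next_hop), None)
    if target is None:
        return "delivered"                   # plain host on the provider segment

    if dst == target.wan_ip:                 # option 2: PAT on the WAN address
        mapping = target.dnat.get((proto, dport))
        if mapping is None:
            return "dropped_by_router"       # e.g. ICMP echo, which no rule forwards
        dst, dport = mapping
    elif ip_address(dst) not in ip_network(target.lan_net):
        return "no_route"
    # Option 1 or 2: the inbound filter still has to permit it.
    return "delivered" if target.permits(src, dst, proto, dport) else "denied"


def topology(*, forward_on_zxhn=False, route_option=False, pat_option=False):
    """Build the two inner routers with one of the configurations under discussion."""
    office = Router("ZXHN H367A (office)", "192.168.1.2", "192.168.2.0/24")
    home = Router("Redmi AC2100 (home)", "192.168.1.3", "192.168.3.0/24")
    if forward_on_zxhn:
        # The poster's attempt: a forward on the office router, which never sees
        # traffic addressed to 192.168.3.24 in the first place.
        office.dnat[("tcp", 3389)] = ("192.168.2.100", 3389)
        office.allow_in.append(("192.168.3.24/32", "192.168.2.100/32", "tcp", 3389))
    if route_option:
        # Option 1: static route on the office router, allow rule on the home router.
        office.routes["192.168.3.0/24"] = home.wan_ip
        home.allow_in.append((office.wan_ip + "/32", "192.168.3.24/32", "tcp", 3389))
    if pat_option:
        # Option 2: PAT on the home router, source-restricted to the office router.
        home.dnat[("tcp", 3389)] = ("192.168.3.24", 3389)
        home.allow_in.append((office.wan_ip + "/32", "192.168.3.24/32", "tcp", 3389))
    return [office, home]


if __name__ == "__main__":
    print(forward("192.168.2.100", "192.168.3.24", "tcp", 3389, topology(forward_on_zxhn=True)))
    print(forward("192.168.2.100", "192.168.1.3", "tcp", 3389, topology(pat_option=True)))
    print(forward("192.168.2.100", "192.168.1.3", "icmp", None, topology(pat_option=True)))
    print(forward("192.168.1.50", "192.168.1.3", "tcp", 3389, topology(pat_option=True)))
```

Because the office router masquerades, the home router sees the office laptop as 192.168.1.2, so the allow rule is pinned to that address rather than to 192.168.2.100; any other device on the provider segment gets "denied", and a ping gets "dropped_by_router" because nothing forwards ICMP. Traffic the other way, from the home PC towards 192.168.2.100, still falls onto the default route and dies at the Movistar box, so the isolation the poster built is kept in that direction.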

icecream-guy

Don't allow RDP inbound to your network from the internet; it's just asking for trouble. RDP has so many vulnerabilities and risks that it's just not a smart thing to do.

Recent Microsoft Remote Desktop Security Advisories
https://stack.watch/product/microsoft/remote-desktop/

My Moral Fibers have been cut.

deanwebb

Quote from: icecream-guy on June 21, 2023, 01:40:54 PM
Don't allow RDP inbound to your network from the internet; it's just asking for trouble. RDP has so many vulnerabilities and risks that it's just not a smart thing to do.

Recent Microsoft Remote Desktop Security Advisories
https://stack.watch/product/microsoft/remote-desktop/

Oh yeah, I was thinking this was on an internal-only network. But because your work PC has internet connectivity, opening up RDP means your work PC is now an attacker pivot point to your home PC. Would attackers be interested in getting to your home PC via your work PC? Absolutely. They have purpose-built tools exactly for that purpose. You would likely be better off having your home PC next to your work PC and no network connection between the two.

icecream-guy

Quote from: deanwebb on June 23, 2023, 10:05:10 AM

Oh yeah, I was thinking this was on an internal-only network. But because your work PC has internet connectivity, opening up RDP means your work PC is now an attacker pivot point to your home PC. Would attackers be interested in getting to your home PC via your work PC? Absolutely. They have purpose-built tools exactly for that purpose. You would likely be better off having your home PC next to your work PC and no network connection between the two.

As well, it is very handy to troubleshoot issues from outside the network, to see what the outside would see.