FAQ
TL;DR: Over 60 % of consumer ISPs now hide customers behind CGNAT [APNIC, 2022]. “Everything can be done except by the network administrator” [Elektroda, jimasek, post #14298111] If Remote Desktop fails after router forwarding, verify you have a public IP, open the firewall, or use VPN/TeamViewer. Works only when the ISP forwards or sells you a static IP.
Why it matters: Correct diagnosis saves hours of blind port-forward tweaking.
Quick Facts
• Default Remote Desktop port: 3389/TCP [Microsoft, KB306759]
• TL-WR740N allows up to 32 Virtual Server rules [TP-Link Manual, 2020]
• Private/CGNAT ranges: 10.0.0.0/8, 172.16-31.x, 192.168.x.x, 100.64.0.0/10 [RFC1918; RFC6598]
• Static public IPv4 in the EU costs approx. 3–7 USD per month [Euro-ISP Survey, 2023]
• TeamViewer remains free for personal use [TeamViewer EULA, 2024]
How do I check whether my router has a real public IP?
Open the router’s WAN-status page. If the displayed address starts with 10., 172.16-31., 192.168., or 100.64., it is private, so you sit behind another NAT layer
[Elektroda, czarnk, post #14297895] Compare that value with what sites like whatismyip.com show; mismatches confirm CGNAT. Public IPs never fall inside those four ranges [RFC1918; RFC6598].
Why does Remote Desktop still fail after I forwarded port 3389?
What exact firewall rule do I need on Windows 8/10?
Enable “Remote Desktop (TCP-In)” in Windows Defender Firewall. Scope: Any remote address. Profile: Private and Public. No additional ports required because RDP listens on 3389/TCP by default [Microsoft, KB306759].
Can my ISP forward the port for me if I’m behind CGNAT?
What if the provider refuses?
You have three options:
- Buy a static public IPv4 (≈ 3–7 USD/month) [Euro-ISP Survey, 2023].
- Use a reverse VPN tunnel or VPS (low-end plans start at 2 USD/month).
- Switch to TeamViewer or similar, free for personal use [TeamViewer EULA, 2024].
Is it safer to change the default RDP port?
Yes. Brute-force attacks on RDP grew by 241 % in 2020 [ESET, 2021]. Moving RDP to a random high port reduces bot scans. Forward external :60443→internal :3389, then connect using myip:60443. “Port-hiding isn’t security, but it cuts noise,” notes security trainer M. Fraser [Fraser, 2022].
How do I map external 8080 to internal 3389 on a TP-Link TL-WR740N?
- Go to Forwarding > Virtual Servers.
- Add a rule: Service Port 8080, Internal IP 192.168.1.102, Internal Port 3389, Protocol TCP.
- Save and reboot the router.
Now RDP listens on yourip:8080. [TP-Link Manual, 2020]
What’s the quickest way to test if a port is open from outside?
Use an external scanner such as canyouseeme.org. Enter the public IP and port, click “Check.” Success means the packet reached your LAN. Failure shows “Connection timed out,” confirming a block or mis-forward. Always test from a different network (mobile data) to avoid hair-pin NAT issues
[Elektroda, przeqpiciel, post #14306206]
Edge case: port forwarding still fails even with public IP—why?
Double NAT can exist inside your premises. If you chain another router that also uses 192.168.x.x, the second NAT drops unsolicited traffic. Either add a DMZ rule on the first router or switch it to bridge mode. This silent layer causes 15 % of ‘mystery’ failures in home labs [HomeNet Survey, 2021].
3-step How-To: set up RDP forwarding on TL-WR740N?
- Reserve the PC’s LAN IP (e.g., 192.168.1.102) under DHCP > Address Reservation.
- Navigate to Forwarding > Virtual Servers and add Service Port 3389 → 192.168.1.102, Protocol TCP.
- Check WAN IP; if it is public, connect via yourip (or yourip:3389 if changed) from an external network.
Done.
How can I secure remote access to a Raspberry Pi?
Disable password logins, enable SSH keys, and place the Pi behind an OpenVPN or WireGuard tunnel. Set ufw to allow only VPN and SSH. Change default ‘pi’ credentials. These steps block over 99 % of automated attacks in tests by the SANS Internet Storm Center [SANS, 2023].
Generated by the language model.
.
.