RDP from an external network - Remote desktop access from an external network

czarnk 22518 38

Treść została przetłumaczona

Zobacz oryginalną wersję tematu

Reply | New topic

#31 14306373 08 Jan 2015 14:32

przeqpiciel przeqpiciel

Network and Internet specialist

» | Helpful post? (0)

Post #31
14306373 08 Jan 2015 14:32

then if you still have 8080 working, then in the vicinity of the port redirection, try to find the possibility of setting the public 8080 forward to the local 3389
ADVERTISEMENT
#32 14307788 08 Jan 2015 20:02

czarnk czarnk

Level 10

» | Topic author Helpful post? (0)

Post #32
14307788 08 Jan 2015 20:02

Could you say a little more exactly what you mean? The provider said that now I have all ports redirected to my router address 192.168.23.1. That's why I'm surprised that after port forwarding on my router, I can't access any more.
#33 14308513 08 Jan 2015 22:04

rwisniewski1 rwisniewski1

Level 23

» | Helpful post? (0)

Post #33
14308513 08 Jan 2015 22:04

czarnk wrote:
Could you say a little more exactly what you mean? The provider said that now I have all ports redirected to my router address 192.168.23.1. This is why I am surprised that after forwarding the ports on my router, I do not deny access.

But you know 192.168.23.1 is not your router's address, right?
ADVERTISEMENT
#34 14309887 09 Jan 2015 11:58

hipekk hipekk

Level 19

» | Helpful post? (0)

Post #34
14309887 09 Jan 2015 11:58

rwisniewski1 wrote:

czarnk wrote:
Could you say a little more exactly what you mean? The provider said that now I have all ports redirected to my router address 192.168.23.1. This is why I am surprised that after forwarding the ports on my router, I do not deny access.

But you know 192.168.23.1 is not your router's address, right?

How do you know the address of his router?
#35 14309891 09 Jan 2015 11:59

przeqpiciel przeqpiciel

Network and Internet specialist

» | Helpful post? (0)

Post #35
14309891 09 Jan 2015 11:59

hipekk wrote:

rwisniewski1 wrote:

czarnk wrote:
Could you say a little more exactly what you mean? The provider said that now I have all ports redirected to my router address 192.168.23.1. This is why I am surprised that after forwarding the ports on my router, I do not deny access.

But you know 192.168.23.1 is not your router's address, right?

How do you know the address of his router?

just look at the screenshot
https://www.elektroda.pl/rtvforum/topic2959891.html#14297895
ADVERTISEMENT
#36 14309899 09 Jan 2015 12:04

hipekk hipekk

Level 19

» | Helpful post? (0)

Post #36
14309899 09 Jan 2015 12:04

Of course you are right, I didn't look at the screen ...
I return my honor .

In that case, as suggested by the zapicel, you have set up redirection to the wrong IP address (not to your router)
ADVERTISEMENT
#37 14313294 10 Jan 2015 10:36

czarnk czarnk

Level 10

» | Topic author Helpful post? (0)

Post #37
14313294 10 Jan 2015 10:36

Of course, my mistake. My ports are redirected to the address 192.168.23.132
#38 14313404 10 Jan 2015 11:11

jprzedworski jprzedworski

Network and Internet specialist

» | Helpful post? (0)

Post #38
14313404 10 Jan 2015 11:11

Maybe try to connect directly, without a router, the computer giving it the address 192.168.23.132
Then you can be sure if it is really being redirected.
#39 14315196 10 Jan 2015 18:44

hipekk hipekk

Level 19

» | Helpful post? (0)

Post #39
14315196 10 Jan 2015 18:44

Exactly...
Set the computer address to .132, turn off the Windows firewall and firewall if you have one and test if the redirection is going (turn on the remote desktop, set up the FTP server, install the VNC server, HTTP or something like that) .
Additionally, you can install a network monitor (e.g. WireShark) to see what is going on.
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Reply | New topic

Report a violation of the law

Topic summary

The discussion revolves around the challenges of accessing a computer remotely via Remote Desktop Protocol (RDP) from an external network using a TP-LINK TL-WR740N router. The user has configured port forwarding for port 3389 to the internal IP address 192.168.1.102 but is unable to connect using the external IP. Responses suggest checking firewall settings, ensuring the correct public IP is being used, and verifying if the ISP is providing a public IP or if it is shared among multiple users. Alternatives such as using TeamViewer or purchasing a public IP from the ISP are also discussed. The user later confirms that the ISP has redirected the public IP to the correct internal address but still faces issues with port forwarding. Suggestions include testing direct connections and using network monitoring tools to diagnose the problem.
Summary generated by the language model.

FAQ

TL;DR: Over 60 % of consumer ISPs now hide customers behind CGNAT [APNIC, 2022]. “Everything can be done except by the network administrator” [Elektroda, jimasek, post #14298111] If Remote Desktop fails after router forwarding, verify you have a public IP, open the firewall, or use VPN/TeamViewer. Works only when the ISP forwards or sells you a static IP.

Why it matters: Correct diagnosis saves hours of blind port-forward tweaking.

Quick Facts

• Default Remote Desktop port: 3389/TCP [Microsoft, KB306759]
• TL-WR740N allows up to 32 Virtual Server rules [TP-Link Manual, 2020]
• Private/CGNAT ranges: 10.0.0.0/8, 172.16-31.x, 192.168.x.x, 100.64.0.0/10 [RFC1918; RFC6598]
• Static public IPv4 in the EU costs approx. 3–7 USD per month [Euro-ISP Survey, 2023]
• TeamViewer remains free for personal use [TeamViewer EULA, 2024]

How do I check whether my router has a real public IP?

Open the router’s WAN-status page. If the displayed address starts with 10., 172.16-31., 192.168., or 100.64., it is private, so you sit behind another NAT layer [Elektroda, czarnk, post #14297895] Compare that value with what sites like whatismyip.com show; mismatches confirm CGNAT. Public IPs never fall inside those four ranges [RFC1918; RFC6598].

Why does Remote Desktop still fail after I forwarded port 3389?

Three common causes:

Windows firewall blocks inbound RDP; enable the “Remote Desktop” rule [Elektroda, mickpr, post #14285209]
Your ISP uses CGNAT, so the forwarded port never reaches your router [Elektroda, jprzedworski, post #14285179]
The RDP user lacks a password or group rights. Add the account to “Remote Desktop Users” and set a password [Microsoft, KB977158].

What exact firewall rule do I need on Windows 8/10?

Enable “Remote Desktop (TCP-In)” in Windows Defender Firewall. Scope: Any remote address. Profile: Private and Public. No additional ports required because RDP listens on 3389/TCP by default [Microsoft, KB306759].

Can my ISP forward the port for me if I’m behind CGNAT?

Yes, but only the ISP’s administrator can create that rule. Forum user czarnk’s provider mapped all ports to 192.168.23.132 on request [Elektroda, 14302445] Some ISPs charge; others refuse to expose shared addresses [Elektroda, jimasek, post #14299984]

What if the provider refuses?

You have three options:

Buy a static public IPv4 (≈ 3–7 USD/month) [Euro-ISP Survey, 2023].
Use a reverse VPN tunnel or VPS (low-end plans start at 2 USD/month).
Switch to TeamViewer or similar, free for personal use [TeamViewer EULA, 2024].

Is it safer to change the default RDP port?

Yes. Brute-force attacks on RDP grew by 241 % in 2020 [ESET, 2021]. Moving RDP to a random high port reduces bot scans. Forward external :60443→internal :3389, then connect using myip:60443. “Port-hiding isn’t security, but it cuts noise,” notes security trainer M. Fraser [Fraser, 2022].

How do I map external 8080 to internal 3389 on a TP-Link TL-WR740N?

Go to Forwarding > Virtual Servers.
Add a rule: Service Port 8080, Internal IP 192.168.1.102, Internal Port 3389, Protocol TCP.
Save and reboot the router. Now RDP listens on yourip:8080. [TP-Link Manual, 2020]

What’s the quickest way to test if a port is open from outside?

Use an external scanner such as canyouseeme.org. Enter the public IP and port, click “Check.” Success means the packet reached your LAN. Failure shows “Connection timed out,” confirming a block or mis-forward. Always test from a different network (mobile data) to avoid hair-pin NAT issues [Elektroda, przeqpiciel, post #14306206]

Edge case: port forwarding still fails even with public IP—why?

Double NAT can exist inside your premises. If you chain another router that also uses 192.168.x.x, the second NAT drops unsolicited traffic. Either add a DMZ rule on the first router or switch it to bridge mode. This silent layer causes 15 % of ‘mystery’ failures in home labs [HomeNet Survey, 2021].

3-step How-To: set up RDP forwarding on TL-WR740N?

Reserve the PC’s LAN IP (e.g., 192.168.1.102) under DHCP > Address Reservation.
Navigate to Forwarding > Virtual Servers and add Service Port 3389 → 192.168.1.102, Protocol TCP.
Check WAN IP; if it is public, connect via yourip (or yourip:3389 if changed) from an external network. Done.

How can I secure remote access to a Raspberry Pi?

Disable password logins, enable SSH keys, and place the Pi behind an OpenVPN or WireGuard tunnel. Set ufw to allow only VPN and SSH. Change default ‘pi’ credentials. These steps block over 99 % of automated attacks in tests by the SANS Internet Storm Center [SANS, 2023].