Port forwarding to internal server

Hi there
I'm pretty new to this and tried some stuff already, but I can't get through this. I've got a Firebox M290 configured with my networking behind it. I want to access my servers, but I can't get through. This is what I have done:

  • Created SNAT with internal IP from the server I want to access as Host IP. Internal port is set to 3389. Interface is set to the external interface.
  • Created a firewall policy from Any-External to the SNAT created in the first step. Port is set to 10001.
  • If I try to connect from an external source to publicIP:10001 I can't get through to my servers.

Anyone any idea what I'm doing wrong here?


  • edited May 2022

    Any denies in Traffic Monitor when this access is tried?

    You can turn on Logging on this policy to see allowed packets in Traffic Monitor.

    If you add Any-Trusted to the From: field of this policy, you can test this from inside the firewall by going to publicIP:10001

    We generally recommend using a client VPN connection instead of connecting to a RDP server directly over the Internet - even though you are using a non-normal RDP port.
    Once the VPN client is connected, then you can use RDP to access the server much more safely.

  • james.carson, Moderator, WatchGuard Representative
    edited May 2022

    Hi @Maarten

    You can test if the SNAT is working by adding "Any-Trusted" to your rule's from field and then trying to connect to the RDP from another computer to the external IP/port. If it works internally that way, it's the internal computer refusing to respond to an external IP.

    I would strongly suggest using a VPN like Bruce mentioned. Changing the port to something different isn't really going to protect whatever server you're forwarding to, and it's trivial to run a port scan to find open RDP ports that aren't on the standard 3389. With the VPN, the users must authenticate to the firewall before even attempting to make that connection.

    If you must do it via a straight SNAT/port forward, I would strongly suggest limiting what IPs can access it in the From field of the rule vice leaving it as any-external.

    -James Carson
    WatchGuard Customer Support
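The inside-versus-outside test James describes can be scripted so the two results are classified the same way every time. The following is an added example and not code from the thread or from WatchGuard: it makes one TCP connection to a host:port (the public IP and forwarded port), reports whether the handshake completed, was refused or timed out, and maps the inside/outside pair to the conclusions given in the replies above. The host name, port and the local listener used in the usage call are assumptions for illustration.

```python
import errno
import socket


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a single TCP connection and classify the outcome.

    Returns one of:
      "open"     - handshake completed: the SNAT/policy passed the packet
                   and the server accepted the connection
      "refused"  - a TCP RST came back: something reachable actively
                   rejected the connection (server-side firewall, a reject
                   rule, or nothing listening on the target port)
      "timeout"  - no reply at all: packets silently dropped, which is what
                   a firewall deny usually looks like from the outside
      "error:<errno name>" - any other socket error (no route, DNS, ...)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        name = errno.errorcode.get(exc.errno, str(exc.errno))
        return f"error:{name}"
    finally:
        sock.close()


def diagnose(inside: str, outside: str) -> str:
    """Combine the result of the test run from a trusted-network host
    (with Any-Trusted added to the policy's From field) with the result
    from an Internet host, following the reasoning in the replies above."""
    if inside == "open" and outside == "open":
        return "port forward works end to end"
    if inside == "open":
        # The SNAT and policy match, since a trusted client reached the
        # server through the external IP; per the moderator's reply the
        # remaining suspect is the server refusing non-local sources
        # (e.g. a host firewall profile), or a From-field restriction.
        return ("SNAT/policy OK; server is refusing external sources or the "
                "From field excludes the outside client - check Traffic "
                "Monitor with policy logging on")
    # Not even an internal client can reach publicIP:port, so the SNAT
    # or the policy itself is not matching this traffic.
    return ("SNAT or policy not matching - look for denies in Traffic "
            "Monitor and confirm the SNAT's host IP, internal port and "
            "external interface")


if __name__ == "__main__":
    # Constructed usage: a throwaway listener on loopback stands in for
    # the RDP server behind the firewall (hypothetical values).
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    demo_port = listener.getsockname()[1]
    print("inside :", check_port("127.0.0.1", demo_port))   # open
    listener.close()
    print("outside:", check_port("127.0.0.1", demo_port))   # refused
    print(diagnose("open", "timeout"))
```

Run the script once from a host on the trusted network and once from outside, then pass the two results to `diagnose`. A `timeout` from outside together with `open` from inside is the pattern to correlate with the denies Bruce suggests looking for in Traffic Monitor.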

  • edited May 2022

    Please please please tell me why it is you do not use a VPN first? Why bother with a port forward at all? Why not just stick the server in a DMZ and post the credentials on Facebook? Seriously.....

    As Bruce said...off porting...I will never guess what port it is on....BUT, my port scanner will! Takes about 2 seconds.
