The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Remote Desktop over different networks!

    Discussion in 'Networking and Wireless' started by makaveli72, Jul 31, 2008.

  1. Shyster1

    Shyster1 Notebook Nobel Laureate


    That's rather interesting and, I believe, the source of all the problems. As far as I know, on my setup, the modem itself is transparent, so that the IP assigned to the WAN side of the router is, in fact, the public IP my ISP has assigned to my account (for the time being).

    With your setup, however, it looks like you would need to have a double port-forward setup in order to get from the internet in to the RDP port (3389, by default) on the machine you want to remote onto.

    To me, that would suggest that, at the modem, you would need to set up port forwarding for Port 3389 so that it was forwarded to the appropriate port on your router's IP, or in other words, to 10.0.0.1:3389. That should (emphasis on uncertainty therein :D ) result in any TCP/IP or UDP packets addressed to 76.76.167.15:3389 being forwarded on to your router at 10.0.0.1:3389.

    Then, you would want to set up a second port forwarding scheme on the router itself so that Port 3389 was forwarded on to Port 3389 at the private IP that the router has assigned to the machine you want to remote onto (or else, forwards it to port 3389 of the static IP you've assigned to the machine in question).

    Since the router would see a packet addressed to 10.0.0.1 hitting it on port 3389, the second forwarding rule should (again, emphasis on uncertainty) cause the router itself to forward that packet on to, say, 192.168.1.99:3389 - i.e., assuming the target machine had private IP 192.168.1.99, the rule would forward the packet on to port 3389 on that machine.

    One thing I'm curious about, though, is exactly what's located at 10.0.0.138? You state that that's the DNS IP the modem assigned to your router, so I'm going to guess that that is also the IP address for the LAN side of the modem itself. One way to double-check is to see what IP the modem has assigned to the router for the Default Gateway - I'm going to guess that it's also 10.0.0.138, which would make sense if the modem's LAN side IP address is 10.0.0.138.

    Basically, I've tried to diagram what I think's going on in the attached pic file:

    [​IMG]


    Where 221.207.9.31 is a made-up public IP address representing say, your computer at work. All of the rest should be clear from the discussion above.

    So, when you send an RDP packet from work, with source=221.207.9.31:3389, and destination=76.76.167.15:3389, it hits your modem, which says (metaphorically), "Hey, I'm 76.76.167.15, but I didn't ask for anything on port 3389, and I don't have anything in my NAPT table telling me to send this packet on to anyone inside the LAN, so I'm just going to discard it."

    Part of the problem here is that your modem uses NAPT, which is a variation on NAT (as indicated in this Wiki stub). Basically, without a routing rule set up by you, the modem has no idea what to do with the packet, and so discards it (silently, too - SOP for most network routers).

    Now, unfortunately, I'm not really up on all of the intricacies of NAPT and how it deviates from NAT; however, since NAPT basically permits packets from port 3389 of each machine connected to its LAN side to be multiplexed onto one public IP, there might be troubles if you were trying to remote onto more than one machine on your local network. But, since that's not the case, I would want to try and set up a forwarding rule in the modem so that anything that came in over port 3389 would be forwarded as is to the router, in this case, 10.0.0.1:3389.

    Provided that this gets our RDP packet through the modem and into the router's WAN interface on port 3389, the next step would be to have the router also forward all packets hitting port 3389 on its WAN interface to the private IP that's been assigned (statically, or dynamic but reserved) to the machine you want to remote onto. In this case, you would set up a forwarding rule in the router that told it to take all packets hitting 10.0.0.1:3389 and forward them to 192.168.1.99:3389.

    That, I think, should - I hope - allow you to remote onto the machine you're trying to hit.

    Now, from a public computer (e.g., your work computer) you would open the RDP connection dialog and tell the app to connect to 76.76.167.15; however, from another machine on your local system, you would specify that you wanted to connect to 192.168.1.99 - because the router knows what to do with IP addresses that start 192.168.1.xxx, it should simply route that packet on to the target machine without having to even think about the forwarding rule (since the packet is simply staying within the same subnetwork). On the other hand, any packet that comes in from the modem addressed to 10.0.0.1:3389 should get forwarded on to 192.168.1.99:3389 (absent the forwarding rule, the router would react in the same way the modem did - metaphorically speaking - "Hey, who ordered this? I didn't, and I don't have an IP association for it in my personal NAT table, so I'll just silently discard it").
     

    Last edited by a moderator: Feb 6, 2015
  2. makaveli72

    makaveli72 Eat.My.Shorts

    I've attached some prt screens for ur viewing pleasure. Tell me if it looks ok.

    And that was a very nice break down of the case at hand...the diagram too! :cool:
     

  3. makaveli72

    makaveli72 Eat.My.Shorts

    WooooooooooHooooooooo!!!!!!! It Works...I Got My G/f To Test For Me...woot :D

    One problem though...attached on my prt screen. My Comodo Firewall was blocking her IP at first. I had to allow her, and then she took over my computer. So now I have to find a way to allow all incoming RDC protocols...nah, that might be too risky. I guess i'll have to find a way to allow my Internet address that's assigned to my computer at work.

    Either way..I finally got this s*** to work. :D I'm happy now.

    Edit: Man, I feel like I just popped a video game or suthin' :D ...After all!
     

  4. makaveli72

    makaveli72 Eat.My.Shorts

    I just tried connecting from my desktop machine and it wouldn't work..so there is a possibility that you can only connect using that Internet IP from outside the network. So that means, there's a possibility that it was working all along before, but I just didn't have faith that it would work from outside if it wouldn't work from inside.

    Anyhow...much thanks to u Shyster..I wanna give u like +100 reps right now..but NBR isn't allowing me. And I have tried different threads. :)

    Thanks to u too gerryf, wirelessman and everybody else who assisted.
     
    Last edited by a moderator: May 8, 2015
  5. gerryf19

    gerryf19 I am the walrus

    that is a strange setup you have....DSL or cable?

    It looks like your modem is routing...so you have a router and a router.

    I am not familiar with 500 series speedtouch....I am betting it is a DSL modem using pppoe....and that you are using the router because it came with only one port?

    In that case, I probably would have put the modem into bridge mode, let the linksys router handle all the network trafficking, and you would have a far easier go of it.
     
  6. makaveli72

    makaveli72 Eat.My.Shorts

    Well everything u said above seems correct. Yea I guess it's a modem/router...it does have one port. I got the router for wireless, and also a desktop is connected to it. The connection type is PPPoA. Bridge mode huh...what would doing that do? I've got all the info. on configuring it. So I might be able to set it up like that sometime when i'm feeling bridgy! But for now imma leave it as is. But just out of curiosity, can u explain to me what putting it in bridge mode would do?

    Edit: Yes it's an ADSL modem...

    There's a ton of info. on WiKi about Bridging...imma get to reading.
     
  7. Shyster1

    Shyster1 Notebook Nobel Laureate

    Awesome! If your IP at work is fixed, you should be able to set the port forward (on the router, at least) so that it's limited to just that specific IP. On the other hand, since you need to authenticate with a UID and PW, you could pick a really strong PW and rely on that.
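
The double port forward from Shyster1's first post on this page, together with the per-source restriction suggested in the post above, as a small Python model. This is an added example, not part of the original thread: the class and function names are hypothetical, the addresses are the thread's own, and 203.0.113.50 is a constructed stand-in for an unrelated Internet host.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Forward:
    """One port-forward entry on a NAT device's WAN side."""
    wan_port: int
    to_ip: str
    to_port: int
    allowed_src: Optional[str] = None  # CIDR allow-list; None means any source


class NatDevice:
    def __init__(self, name: str, wan_ip: str, forwards: List[Forward]):
        self.name, self.wan_ip, self.forwards = name, wan_ip, forwards

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an unsolicited inbound packet, or return None (silent drop)."""
        if pkt.dst_ip != self.wan_ip:
            return None
        for fwd in self.forwards:
            if fwd.wan_port != pkt.dst_port:
                continue
            if fwd.allowed_src and ip_address(pkt.src_ip) not in ip_network(fwd.allowed_src):
                continue  # source not on the allow-list: keep looking, else drop
            return Packet(pkt.src_ip, fwd.to_ip, fwd.to_port)
        return None


def deliver(pkt: Packet, chain: List[NatDevice]) -> Tuple[Optional[Packet], List[str]]:
    """Walk a packet through each NAT hop; return (final packet or None, trace)."""
    trace = []
    for dev in chain:
        out = dev.inbound(pkt)
        if out is None:
            trace.append(f"{dev.name}: no forward for {pkt.dst_ip}:{pkt.dst_port}, dropped")
            return None, trace
        trace.append(f"{dev.name}: {pkt.dst_ip}:{pkt.dst_port} -> {out.dst_ip}:{out.dst_port}")
        pkt = out
    return pkt, trace


# Addresses from the thread; WORK is the thread's made-up work IP.
MODEM_WAN, ROUTER_WAN, TARGET = "76.76.167.15", "10.0.0.1", "192.168.1.99"
WORK = "221.207.9.31"
OTHER = "203.0.113.50"  # constructed: unrelated Internet host (documentation range)


def build_chain(modem_rule: bool, router_rule: bool,
                restrict_to: Optional[str] = None) -> List[NatDevice]:
    """Modem and router in series, each with or without its 3389 forward."""
    modem = NatDevice("modem", MODEM_WAN,
                      [Forward(3389, ROUTER_WAN, 3389)] if modem_rule else [])
    router = NatDevice("router", ROUTER_WAN,
                       [Forward(3389, TARGET, 3389, restrict_to)] if router_rule else [])
    return [modem, router]


if __name__ == "__main__":
    cases = [
        ("no rules", WORK, build_chain(False, False)),
        ("modem rule only", WORK, build_chain(True, False)),
        ("both rules", WORK, build_chain(True, True)),
        ("both rules, work IP only, from work", WORK, build_chain(True, True, WORK + "/32")),
        ("both rules, work IP only, from elsewhere", OTHER, build_chain(True, True, WORK + "/32")),
    ]
    for label, src, chain in cases:
        final, trace = deliver(Packet(src, MODEM_WAN, 3389), chain)
        print(f"{label}: {'delivered' if final else 'dropped'}")
        for step in trace:
            print("   ", step)
```
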
     
  8. Shyster1

    Shyster1 Notebook Nobel Laureate

    Bridging would (should) work, because it would essentially render the modem transparent for purposes of traffic passing from the ISP's network into your local subnetwork. You can actually do the same thing on your computer by creating a bridge connection between your wireless and your wired connections.

    If the modem can be set to operate as a bridge, then the ISP's DHCP servers would be assigning the public IP to the router, and the router's DNS servers and default gateway on the WAN side would be set to the ISP's IP address, not to the modem's internal 10.0.0.xx IP.
     
  9. makaveli72

    makaveli72 Eat.My.Shorts

    I'm a tad bit confused here..what exactly are u saying? :confused:
    My issue is when I get to work (or anywhere for that matter) and I try to log in to my home network, Comodo Firewall may prevent the connection from going through, rendering me unable to connect, because it would bring up a prompt on my home computer asking me to block or allow the connection attempt (as was the case when my g/f attempted to connect remotely). If i'm not here to allow it then most likely the connect attempt would time out, rendering me unable to connect. So therefore I may have to 1) Find some way to allow all remote connections, no matter the IP address by creating such rule in Comodo; or 2) Uninstall Comodo....

    I think this is exactly what I would want...But wouldn't this make my network somewhat easier to break into. I mean, it sounds like i'm basically taking down a wall...like a 'firewall'...like an extra layer of protection is being removed. :eek: Am I making sense here? Would this be the case? Seeing that the outside world will now have a direct link/connection to my router (inside network)...or does it just seem that way?
     
  10. Shyster1

    Shyster1 Notebook Nobel Laureate

    You should be able to specify a rule that allows requests coming from your work computer's IP through the firewall. You could also set a rule so that all RDP requests are passed through irrespective of IP address. Other than that, since I've never worked with Comodo, I don't know if you can set up a more nuanced rule for passing RDP packets through. Even if you decide to pass all RDP packets through to the target computer, you still have to authenticate with UID/PW so you still have that protection.


    Actually, if you've got two separate firewalls running, you may be causing more troubles for your network rather than making it better. Certainly, if each firewall has to pass on each communication, that will slow the network down and degrade performance. You can also get stuck in a situation where one firewall passes something through but the other stops it, which could happen on one conversation, with each firewall blocking one half of the conversation.

    All in all, you'd probably be better off picking the better of the two firewalls and going with that one. I don't think that you'd be losing any substantial amount of protection by sticking with one good firewall as opposed to two (potentially conflicting) firewalls.
     
  11. Wirelessman

    Wirelessman Monkeymod

    Why do you show two IP addresses per network element?
     
    Last edited by a moderator: Feb 6, 2015
  12. makaveli72

    makaveli72 Eat.My.Shorts

    1. I will try and configure a rule to allow all IPs to pass through w/ out prompt in reference to RDP connections in Comodo.

    2. Okay..I think I definitely have to set up the modem as a bridge and let the router receive the public Internet address. Why? Because my linksys router supports DDNS but seeing that it has 10.0.0.1 as the Internet IP it refuses to synchronize with DynDns.com. This is why I instead had to download the DynDns utility software onto the computer. (But it didn't work properly; because when I signed in to my DynDns account online from work it was showing me the Internet IP my "work" computer was using, instead of my home computer) So I guess my account needs to be linked w/ my router as well.

    So i'm guessing from what you've said above, that once I set the modem in bridge mode my router will have the Public Internet IP address. That should resolve the issue of the router not being able to sync w/ DynDns.com

    And also, I have to do this as there would be no other way of me being able to know what my Internet address is if i'm not here.
     

  13. Shyster1

    Shyster1 Notebook Nobel Laureate

    That sounds like a reasonable conclusion.
     
  14. Shyster1

    Shyster1 Notebook Nobel Laureate

    I show two IPs for the modem and the router because each of those nodes actually has two interfaces, one on each side in the diagram. Every router has at least two interfaces; that's the only way a router can mediate between two networks.
     
  15. makaveli72

    makaveli72 Eat.My.Shorts

    Question Shyster...i'm not exactly sure how to go about setting up the modem in Bridge mode. I have two options..The first; I was reading THIS from the website that tells me all the info. about my modem. At the bottom of the page; they call it dhcp spoofing but it sounds like what I want, which is to set the modem in bridge mode. But that method requires me to upload the config. file and I would need to know the password for the PPPoA account itself, which I do not know.

    Second option is to set the bridge feature via the CLI (Command Line Interface), which I don't mind doing but i'm just not sure how to do it. I've attached an image of some different parameter options I have. The full pdf file can be found HERE. At the very bottom, release 4.2 under the CLI section; 2,381kb. Can u please download the pdf and take a look at the bridge commands and tell me which u think might be the config. steps I should take to set the modem in bridge mode.
     

  16. gerryf19

    gerryf19 I am the walrus

    I won't go over stuff since last I checked in...Shyster has you on the right path.

    Just to add the area he didn't have experience with--in the old version of Comodo I used, once you have approved an RDP connection once (and checked "REMEMBER THIS ACTION" I think) it will create the rule for you so all future RDP connections pass through.

    In your scenario, it is creating a rule to allow incoming connections to the terminal server through port XXX (cannot recall number).

    The remote IP address isn't relevant...just the port and the service it is connecting to.

    It's pretty clear most of your issues were related to the funky router/router set up you were using. Once that is clear you should be home free. Not only did you have a router/router setup, you also had two DHCP servers on your network ... fortunately the routers segmented your home network into two networks, or you would have had some serious headaches.
     
  17. gerryf19

    gerryf19 I am the walrus

    M,

    Call your ISP and tell them you have purchased your own router and you want to set your adsl modem to bridge mode--they get about a thousand calls a day like this and have a quick step by step they will walk you through
     
  18. gerryf19

    gerryf19 I am the walrus

    You will still need your username and password, which you plug into your Linksys router--that will handle the handshake between your network and the head office.

    They can give you that info after you answer a security question or two
     
  19. makaveli72

    makaveli72 Eat.My.Shorts

    I was thinking that! :mad: I might gotta call them up. And if so I would rather configure the modem in bridge mode manually by uploading the .ini config. file. And the config. file looks kinda complex as well..I wonder if I would have to edit it in any way.
    Edit: I just saw this..i'll call them on Thursday...we have some holidays here for the next few days.
     
  20. makaveli72

    makaveli72 Eat.My.Shorts

    NM Shyster...I believe i've found the .ini config file that I need; which doesn't seem to require any editing by myself and it wouldn't require me to use the CLI either. So I just need to call my ISP and get that password for the PPPoA account and I should be good to go!
     
  21. Shyster1

    Shyster1 Notebook Nobel Laureate

    That sounds really fantastic. It's good when a plan comes together (finally :D ).
     
  22. blue68f100

    blue68f100 Notebook Virtuoso

    Most will only reset it and give you that one. So then you can change it to what you want.
     
  23. Wirelessman

    Wirelessman Monkeymod

    Nice to see you back blue, had a good time gathering corns on the fields? :D
     
  24. makaveli72

    makaveli72 Eat.My.Shorts

    Okay...i've had no luck trying to get the modem in bridge mode. And i'm not gonna stress over it. I don't think my router even supports the interface type that my adsl service uses; which is PPPoA. I only see the option for PPPoE on my linksys router. (see attached)

    Either way...I did get RDC to work so i'm still more than satisfied. :) I believe my limitations in this case are due to the modem my ISP provides, my router's seeming limitations and most importantly the type of Internet Service being used...that being PPPoA..which I know nothing about really!

    Again guys, thanks for the help and guidance in getting this to work! Kudos to you Shyster.
     

  25. makaveli72

    makaveli72 Eat.My.Shorts

    *UPDATE II*

    Even though I couldn't get the modem into bridge mode, [because it wouldn't work properly with the config. files I upload to it] that's ok because I can still manage to connect to my computer at home remotely. I'm at work right now and i'm connected to my laptop at home. My main reason for wanting to get the modem in bridge mode was to get my router to sync w/ DynDns online....but it turns out that the DynDns utility u download onto ur computer from their website eliminates the need for you to set up the router to sync w/ the online service..I think this was a mistake on my end. DynDns shows you two Internet IPs when u log in from a remote location online. The Internet IP of ur computer at home and the IP of the one that ur using ATM. I thought that the latter was the updated IP of the home network. But that's not the case...I don't know if you'll be able to catch what I'm saying from my explanation but in layman's terms; It doesn't seem like I will need to have my router sync w/ the DynDns service online, once I have the utility from DynDns downloaded on the said remote computer...which I have!

    So it works w/ out issues! Thanks all......
     
  26. wonder1234

    wonder1234 Newbie

    goto www.gbridge.com to download the small application
    which will let you to access RDP of any of your own machine.
    it has a lot of other cool features too. It requires a gmail account though.
    enjoy...
     
  27. petersatish

    petersatish Newbie

    Microsoft has inbuilt support for peer to peer connectivity through teredo service. So you can make a direct connection to any XP, Vista PC, even one behind NAT. I use this software to connect to my office PC, connection is also fast as it is p2p : http://www.lanoninternet.com/
     
  28. blue68f100

    blue68f100 Notebook Virtuoso

    Was not fun with a torn ligament in my wrist and a fractured bone in my hand :( . I had a cast on for 5 weeks. Now have to get surgery on my wrist and go back into a cast again.
     
  29. Wirelessman

    Wirelessman Monkeymod

    Sorry to hear that, is it the writing hand?
     
  30. focusfre4k

    focusfre4k Notebook Evangelist

    did anyone figure this out?

    I see from the diagram you guys made that your modem is natting and then your router is natting LOL!

    you need to change your modem to transparent. pretty easy change, then once thats done apply the modem's old settings to your router. and then you wont have any issues.
     
  31. makaveli72

    makaveli72 Eat.My.Shorts

    Why are u laughing at my set up focusfre4k! :)...Yes I got it to work..you didn't see my post #53? I can connect from anywhere in the world to my computer here at home. I do it like everyday from work....My ISPs set up might be somewhat more messed up than the norm but it's working for me nevertheless. I couldn't get the modem in "transparent"/bridge mode using config. files but as I said, nevertheless...It Works!!!!...and i'm happy.
     
  32. focusfre4k

    focusfre4k Notebook Evangelist

    just seems like an extra step, but if its working then great! Just wanted to follow up and make sure it was making sense. double NAT'ing can cause issues, granted you can get it working. it just takes a bit of work like you have discovered.

    -edit
    Also, I suggest you change all default ports for RDP connections to something non-standard. There are bots that crawl over IPs looking for this kinda vulnerability
     
  33. makaveli72

    makaveli72 Eat.My.Shorts

    Yea I know, it is an extra step and I personally would have preferred it not be that way. But I did try to set up the modem in bridge mode to no avail. There isn't a built-in setting to do it, so I had to try configuring it in bridge/transparent mode using config. files but it didn't work out so...I have to live w/ it or get another modem...I prefer to do the former seeing that it works anyhow.

    Oh, and I didn't know the RDP port could be changed. I looked it up..thanks a million for that tip! :cool:
    +rep
     
  34. focusfre4k

    focusfre4k Notebook Evangelist

    yep its a reg change. you can call your ISP and they need to config it on their redbacks

    working for a provider I can tell you thats what needs to be done :D


    but its all good!

    if you need anything just let me know!
     
  35. makaveli72

    makaveli72 Eat.My.Shorts

    hmm...so you're saying beside the reg. change the ISP has to do something too for my RDC to work?
     
  36. focusfre4k

    focusfre4k Notebook Evangelist

    well, here is the deal. your modem is acting as a router(NAT) depending on that it could be blocking all inbound requests for say port 3389 like you want. then after that request goes through the modem its hitting your real router. which is blocking all incoming connections. thats two things you got to port forward and its a pain. simplest way is going to be get that modem in transparent bridge mode. what type of modem is it? actiontec?
     
  37. makaveli72

    makaveli72 Eat.My.Shorts

    Well it works fine w/ the default 3389. But not with the port# I tried to use. So I switched everything back to how it was w/ default 3389 and it works fine. So yea, it's a good idea to change it to your own but it seems like too much trouble.
     
  38. focusfre4k

    focusfre4k Notebook Evangelist

    hmmm I am not sure why the listener did not stick. you could troubleshoot it using netstat to see what ports are currently set to listening. look for the one you want to use and the default.
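
The netstat check suggested in the post above, as a Python parser that reports whether the RDP listener is on the intended port, still on the default 3389, or absent. This is an added example, not part of the original thread: the function names and port 50123 are hypothetical, and both `netstat -an` captures are constructed samples in the English Windows layout.

```python
DEFAULT_RDP_PORT = 3389

# Constructed sample: port change requested but the listener is still on 3389.
SAMPLE_NOT_APPLIED = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.99:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.99:3389      221.207.9.31:51512     ESTABLISHED
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample: listener has moved to the hypothetical custom port 50123.
SAMPLE_MOVED = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:50123          0.0.0.0:0              LISTENING
  TCP    [::]:50123             [::]:0                 LISTENING
"""


def listening_tcp_ports(netstat_text):
    """Map each TCP port in LISTENING state to the set of local bind addresses."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        # Layout: Proto, Local Address, Foreign Address, State[, PID with -o]
        if len(fields) < 4 or fields[0].upper() != "TCP":
            continue  # headers, blank lines and stateless UDP rows
        if fields[3].upper() != "LISTENING":
            continue  # established sessions do not prove a listener exists
        addr, _, port = fields[1].rpartition(":")  # rpartition handles [::]:3389
        if port.isdigit():
            ports.setdefault(int(port), set()).add(addr)
    return ports


def rdp_listener_status(netstat_text, wanted_port):
    """Classify where the RDP listener is relative to the port you intended.

    Returns one of: "moved", "still-default", "both", "default", "none".
    """
    ports = listening_tcp_ports(netstat_text)
    on_default = DEFAULT_RDP_PORT in ports
    if wanted_port == DEFAULT_RDP_PORT:
        return "default" if on_default else "none"
    on_wanted = wanted_port in ports
    if on_wanted and on_default:
        return "both"
    if on_wanted:
        return "moved"
    if on_default:
        return "still-default"  # the change did not take effect on the host
    return "none"


if __name__ == "__main__":
    for name, text in (("not applied", SAMPLE_NOT_APPLIED), ("moved", SAMPLE_MOVED)):
        print(name, "->", rdp_listener_status(text, 50123))
```

A "still-default" result points at the host configuration; a "moved" result with a connection that still fails points at the forwarding and firewall rules, which must name the new port on every hop.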
     