RVS4000 Router - Port forwarding problems

Nov 24th, 2009
I added an alternate RDP port number for a machine, port 8080, and rebooted the server. I set port forwarding of the public side 8080 to the private side 8080 to 192.168.1.100. It works one day; the next it stops. When I try to RDP from work to my forwarded IP it fails. But if I try from within the firewall LAN it works, and THEN it starts to work from my RDP session at work. Weird. Anyone encounter the same thing? I just bought this router 2 days ago.


I did notice in the "Basic settings" area that port 8080 is used for "Remote Management" but neither the option "Enable" nor the option "Disable" is selected.

Should I disable it?

Alejandro Gallego (Cisco Employee) Tue, 11/24/2009 - 21:44


When you say that you added an "alternate" RDP port, do you mean you already have RDP forwarded to another computer? I will answer under the assumption that you do not.


First, do not use port 8080 as an external port or internal port. This port is typically used as default for many web based applications, our web UI is one of them.

Second, it appears that you have already enabled RDP on your server, and from your beginning statement I want to believe that you have changed the default RDP port 3389 to 8080 in the registry of the server. Changing the default port in the registry is fine and sometimes it needs to be done for different reasons; in your case you do not need to do that. But whatever you decide, if it is on 8080, change it.

Third, don't worry about the remote management because you are going to change the RDP port you are using (8080) to something else.


So, let's say you have three servers that you need to have access to from the outside and you do not want to hop from one to another. This is what you need to do:


  1. change the current port forward of 8080 to something like 3500
  2. set the port forward rule on the RVS to read like this:


  • Name: RDP
  • External port 3500
  • internal port 3389
  • IP address of server


  3. Now if you have another server, it would look like this:

  • Name: RDP1  <= must be different or the router will give an error
  • External port 3600 <= new port number, I like to increment by 100. Just habit.
  • internal port 3389
  • IP address of server

The key here is that we can change the external port all day long, because we are using PAT (Port Address Translation). We tell the MS RDP client on our computer to make the connection on our specified port, but when the request hits the router, the router will see the traffic enter on port 3500, and will translate that traffic to the default port 3389. So the RDP session is established point-to-point using ports 3500 => 3389, and that is why we can reuse 3389 internally and all the RDP conversations are kept separate.

Let us know if you still have problems.
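The translation described in the post above, modeled as an added example in Python. This is not the RVS4000's own code (the router's internals are not on this page); it is a small model that builds the rule table from the post (RDP 3500 -> 192.168.1.100:3389, RDP1 3600 -> 192.168.1.101:3389), adds a third rule with the kind of source restriction recommended later in the thread for FTP, and shows the inbound rewrite, the reverse rewrite of the server's reply, and why two sessions can share 3389 internally. The class and function names, the WAN address 1.2.3.4 (the thread's placeholder) and the client addresses in the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    """One row of a router's port-forward table: name / external port / internal port / internal IP."""
    name: str
    ext_port: int
    int_port: int
    int_ip: str
    allowed_src: Optional[str] = None  # optional CIDR; None means any WAN source is accepted


@dataclass(frozen=True)
class Flow:
    """A TCP flow as the router sees it on one side (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatRouter:
    """Minimal model of inbound PAT: rewrite WAN_IP:ext_port to int_ip:int_port, undo it on the reply."""

    def __init__(self, wan_ip: str, rules: List[ForwardRule]) -> None:
        if len({r.name for r in rules}) != len(rules):
            raise ValueError("rule names must be unique (the post notes the router rejects duplicates)")
        if len({r.ext_port for r in rules}) != len(rules):
            raise ValueError("an external port can only be forwarded to one internal host:port")
        self.wan_ip = wan_ip
        self.rules: Dict[int, ForwardRule] = {r.ext_port: r for r in rules}
        # Connection tracking. The client's (ip, port) plus the external port it hit identifies
        # the session, so two sessions can both land on some_host:3389 without being mixed up.
        self.conntrack: Dict[Tuple[str, int, int], ForwardRule] = {}

    def inbound(self, pkt: Flow) -> Optional[Flow]:
        """A SYN arriving on the WAN side. Returns the translated flow, or None if it is dropped."""
        rule = self.rules.get(pkt.dst_port)
        if pkt.dst_ip != self.wan_ip or rule is None:
            return None  # no forward rule for this port: the firewall drops it
        if rule.allowed_src and ip_address(pkt.src_ip) not in ip_network(rule.allowed_src):
            return None  # rule exists but the source is outside the allowed range
        self.conntrack[(pkt.src_ip, pkt.src_port, pkt.dst_port)] = rule
        return Flow(pkt.src_ip, pkt.src_port, rule.int_ip, rule.int_port)

    def outbound_reply(self, pkt: Flow) -> Optional[Flow]:
        """A reply leaving the LAN host. Its source is rewritten back to WAN_IP:ext_port of the session."""
        for (client_ip, client_port, ext_port), rule in self.conntrack.items():
            if (client_ip, client_port) == (pkt.dst_ip, pkt.dst_port) \
                    and (rule.int_ip, rule.int_port) == (pkt.src_ip, pkt.src_port):
                return Flow(self.wan_ip, ext_port, client_ip, client_port)
        return None  # no tracked session: an unsolicited packet from the LAN host is not translated


def demo() -> Dict[str, Optional[Flow]]:
    """Runs the rule table from the post plus a source-restricted FTP rule through the model."""
    router = PatRouter("1.2.3.4", [
        ForwardRule("RDP", 3500, 3389, "192.168.1.100"),
        ForwardRule("RDP1", 3600, 3389, "192.168.1.101"),
        ForwardRule("FTP", 21, 21, "192.168.1.102", allowed_src="198.51.100.0/24"),
    ])
    office = "198.51.100.7"  # constructed client address (RFC 5737 documentation range)
    out: Dict[str, Optional[Flow]] = {
        "rdp_to_server1": router.inbound(Flow(office, 50001, "1.2.3.4", 3500)),
        "rdp_to_server2": router.inbound(Flow(office, 50002, "1.2.3.4", 3600)),
        "no_rule_8080": router.inbound(Flow(office, 50003, "1.2.3.4", 8080)),
        "ftp_from_office": router.inbound(Flow(office, 50004, "1.2.3.4", 21)),
        "ftp_from_elsewhere": router.inbound(Flow("203.0.113.9", 50005, "1.2.3.4", 21)),
    }
    # Replies from both servers come from the same internal port 3389 and still go back
    # to the right client with the right external port, because conntrack keeps them apart.
    out["reply_from_server1"] = router.outbound_reply(Flow("192.168.1.100", 3389, office, 50001))
    out["reply_from_server2"] = router.outbound_reply(Flow("192.168.1.101", 3389, office, 50002))
    return out


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name:20s} -> {flow}")
```

The model keeps the two properties the post relies on: external ports are the only thing that must be unique, and the internal port can repeat because the reverse translation is keyed on the client endpoint, not on the server's port.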

Gene_Laoyan Wed, 11/25/2009 - 16:57

I guess I should've defined what I meant by "Alternate Port Number". The default 3389 is still there and works AND 8080 is there and it works. I can RDP to both ports.


So, what I have is a server I can RDP to on port 3389 & 8080 (Internal LAN) but only port 8080 is forwarded from WAN 8080 to internal LAN 8080 to a specific IP.


My issue is, after a while, I cannot RDP to port 8080. I am not port forwarding 3389. I reboot the server and I still cannot RDP to it. I tried both DHCP and a static IP and it still exhibits this problem.


Here's the catch. If I initiate an RDP session to the server in question, 192.168.1.100:8080 it works, after that I can then RDP from the WAN. It's like it has to be triggered inside the local LAN first then it works.


The only port forwarded so far is 8080, it only goes to 192.168.1.100, and it's intermittent.


The key here is I need it to work with port 8080 and not the default 3389.

David Carr (Silver, 250 points or more) Thu, 11/26/2009 - 08:16

It sounds like a port issue with your ISP. Port 8080 is a common remote management port and they may be utilizing it for their devices also. Have you tested with another port like 8081 or something to see if you're getting complications with that?

Gene_Laoyan Thu, 11/26/2009 - 09:53

I used/tested 2 different Netgear routers, a Linksys and a D-Link, and all of those worked with no problem, reliably port forwarding 8080 for several days. I was doing the testing and research to see which would work best for me. I chose this model for the gigabit switch, and I didn't want or need wireless. This eliminates my ISP. My neighbor has a Belkin something and we have the same ISP and he has no problem port forwarding. We both have 25 Mbit/sec fibre to the home.


So to recap, my RVS4000 intermittently stops port forwarding port 8080 and using another port is not an option.

David Carr (Silver, 250 points or more) Fri, 11/27/2009 - 09:10

I would call the SBSC at 866-606-1866 so they can troubleshoot this case with you.  They will determine if the router is defective or if it is a bug on the router.

Gene_Laoyan Fri, 11/27/2009 - 09:31

OK, thank you for helping me. I think I will just return it for another one of the same model.

David Carr (Silver, 250 points or more) Fri, 11/27/2009 - 11:27

Let us know if the replacement works without issues so we can update the community.  Thank You.

Gene_Laoyan Tue, 12/01/2009 - 15:18

UPDATE:


OK, I got the new router and loaded my old config file. Confirmed port 8080 was forwarding correctly, and it is so far. It has only been 24 hrs so I will let it run for another 24 hrs and try connecting again from the WAN side to port 8080.

Gene_Laoyan Wed, 12/02/2009 - 08:37

Well, as of today at 8:33am California time all port forwarding has stopped. I can no longer connect to my public IP. I'm going to call Cisco as a last-ditch effort as there may be a setting I don't know of. If it doesn't work I will go back to the Netgear model that worked.


Thanks

Gene_Laoyan Wed, 12/02/2009 - 09:54

Holy Cow Batman!

Check this out: I was also port forwarding port 21 (FTP), so for kicks I FTP'd to my public IP and it let me in. So then I tried to RDP to port 8080, which I have port forwarded to internal 8080 on a specific IP... and it worked!!!

Sup with dat?

This sounds like a bug.

Alejandro Gallego (Cisco Employee) Wed, 12/02/2009 - 12:19


To clarify this earlier post, please let me know if I am correct:

  1. On server (192.168.1.100) the REGISTRY Key has NOT been changed for RDP connections to 8080
  2. You have enabled Remote Management ON the Server via IIS and the site responds on port 8080
  3. Internally you are able to RDP to the server WITHOUT specifying port 8080


I do not understand why we need to RDP to the server on 8080 INTERNAL. The problem I see with this is just as I explained a while back: port 8080 is just not a good idea. The server will always respond on 3389 for all RDP requests unless the REG key has been changed. Again, I believe you are trying to access the server via the Web Management interface, which may be why this works sometimes and not others.

Please let us know if I am heading in the right direction.

Gene_Laoyan Wed, 12/02/2009 - 14:08

Strangely I lost connection again as well as port 21 (ftp).


Here's the setup...

My internal LAN server 192.168.1.100 uses RDP ports 3389 & 8080. From within the LAN I can RDP to just 192.168.1.100 & 192.168.1.100:8080. My router is set to port forward port 8080 to port 8080 of my internal LAN to the IP 192.168.1.100. When connecting to my public IP 1.2.3.4:8080 it sometimes works and sometimes fails. More fail than works. I have run this on two RDP ports for many years on many servers.


Your question "I do not understand why we need to RDP to the server on 8080 INTERNAL?"

Because I do not want to port forward 3389, because it is the default and everyone knows the port number. By doing so, anyone could randomly try to connect via RDP without having to redirect to another port. Too easy. Why I chose 8080? Because it is a port that is open on our firewall. All other ports are closed. Why? I dunno, I just know it's opened. :-P


Remote management is set to "Disable". So port 8080 should not be an issue.

Port 8080 is just another port and it should be treated as such and just forwarded. Strangely, today the other ports I am forwarding fail as well now: 443, 21 and 80. But to be honest, previously I did not check them because I was focusing on 8080.

If port 8080 is an issue then why do all the other ports fail at the same time?


So my issue is now, why is my second brand new RVS4000 intermittently failing to port forward any of the ports I assigned to forward?

If it means anything the firmware is v1.3.0.5


Also you asked/said...

The server will always respond on 3389 for all RDP requests unless the REG Key has been changed.

Yes and no. You can add an additional listener port number. In my case the server will always listen to BOTH ports.


I believe you are trying to access the server via the Web Management interface which may be why this works sometimes and not others.

No. I am opening "Remote Desktop" and connecting to my public IP address 1.2.3.4:8080. Nothing to do with IIS or Server web management.



For kicks, if you want to try it yourself, copy the text below to a .reg file on a test Server/XP machine and then reboot it. You will be able to RDP to both ports 3389 & 8080.

----------------------------------------------------------------------------------------------------------------------



Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01]
"CfgDll"="RDPCFGEX.DLL"
"fEnableWinStation"=dword:00000001
"MaxInstanceCount"=dword:ffffffff
"PdName"="tcp"
"PdClass"=dword:00000002
"PdDLL"="tdtcp"
"PdFlag"=dword:0000004e
"OutBufLength"=dword:00000212
"OutBufCount"=dword:00000006
"OutBufDelay"=dword:00000064
"InteractiveDelay"=dword:00000032
; 0x1F90 is 8080 in decimal: the port this additional listener binds to
"PortNumber"=dword:00001F90
"KeepAliveTimeout"=dword:00000000
"LanAdapter"=dword:00000000
"WdName"="Microsoft RDP 5.2"
"WdDLL"="rdpwd"
"WsxDLL"="rdpwsx"
"WdFlag"=dword:00000036
"InputBufferLength"=dword:00000800
"CdClass"=dword:00000000
"CdName"=""
"CdDLL"=""
"CdFlag"=dword:00000000
"Comment"=""
"fInheritAutoLogon"=dword:00000001
"fInheritResetBroken"=dword:00000001
"fInheritReconnectSame"=dword:00000001
"fInheritInitialProgram"=dword:00000001
"fInheritCallback"=dword:00000000
"fInheritCallbackNumber"=dword:00000001
"fInheritShadow"=dword:00000001
"fInheritMaxSessionTime"=dword:00000001
"fInheritMaxDisconnectionTime"=dword:00000001
"fInheritMaxIdleTime"=dword:00000001
"fInheritAutoClient"=dword:00000001
"fInheritSecurity"=dword:00000000
"fInheritColorDepth"=dword:00000000
"fPromptForPassword"=dword:00000000
"fResetBroken"=dword:00000000
"fReconnectSame"=dword:00000000
"fLogonDisabled"=dword:00000000
"fAutoClientDrives"=dword:00000001
"fAutoClientLpts"=dword:00000001
"fForceClientLptDef"=dword:00000001
"fDisableEncryption"=dword:00000001
"fHomeDirectoryMapRoot"=dword:00000000
"fUseDefaultGina"=dword:00000000
"fDisableCpm"=dword:00000000
"fDisableCdm"=dword:00000000
"fDisableCcm"=dword:00000000
"fDisableLPT"=dword:00000000
"fDisableClip"=dword:00000000
"fDisableExe"=dword:00000000
"fDisableCam"=dword:00000001
"Username"=""
"Domain"=""
"Password"=""
"WorkDirectory"=""
"InitialProgram"=""
"CallbackNumber"=""
"Callback"=dword:00000000
"Shadow"=dword:00000001
"MaxConnectionTime"=dword:00000000
"MaxDisconnectionTime"=dword:00000000
"MaxIdleTime"=dword:00000000
"KeyboardLayout"=dword:00000000
"MinEncryptionLevel"=dword:00000002
"NWLogonServer"=""
"WFProfilePath"=""
"WdPrefix"="RDP"
"TraceEnable"=dword:00000000
"TraceDebugger"=dword:00000000
"TraceClass"=dword:00000000
"DrawGdiplusSupportLevel"=dword:00000001
"ColorDepth"=dword:00000003


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01\UserOverride]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01\UserOverride\Control Panel]


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01\UserOverride\Control Panel\Desktop]
"Wallpaper"=""
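A check for the disagreement above over what is actually answering on 8080 (an RDP listener, or a web interface such as the router's own), as an added example in Python that is not part of the thread. It sends the first message a real RDP client sends, an X.224 Connection Request carrying an RDP_NEG_REQ, and classifies the reply: an X.224 Connection Confirm means an RDP listener answered (an RDP_NEG_FAILURE such as HYBRID_REQUIRED_BY_SERVER still proves that), while anything else, for example an HTTP status line from a management UI, means the forwarded port is not reaching RDP. The function names and the sample replies are constructed for the example; the byte layouts follow MS-RDPBCGR.

```python
import socket
import struct
from typing import Dict

# RDP_NEG_REQ.requestedProtocols: 0 = standard RDP security, 1 = TLS, 2 = CredSSP (NLA).
# Asking for 0 draws an answer from any Windows RDP listener: either an RDP_NEG_RSP, or an
# RDP_NEG_FAILURE saying what the server insists on. Either one proves RDP is on the other end.
PROTOCOL_RDP = 0
NEG_RSP, NEG_FAILURE = 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER", 3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS", 5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT + X.224 Connection Request + RDP_NEG_REQ: the opening bytes of every RDP connection."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, protocols)          # type, flags, length, protocols
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req  # LI, CR, dst-ref, src-ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224            # TPKT: version 3, reserved, length


def classify_reply(data: bytes) -> Dict[str, object]:
    """Decide what answered: an RDP listener (X.224 Connection Confirm) or something else."""
    if len(data) < 11 or data[0] != 0x03 or (data[5] & 0xF0) != 0xD0:
        return {"rdp": False, "detail": data[:16]}  # e.g. b"HTTP/1.1 400 ..." from a web UI, or nothing
    result: Dict[str, object] = {"rdp": True, "detail": "connection confirm"}
    if data[4] >= 14 and len(data) >= 19:            # LI >= 14 means an RDP_NEG_* block follows
        kind, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
        if kind == NEG_RSP:
            result["selected_protocol"] = value
        elif kind == NEG_FAILURE:
            result["detail"] = FAILURE_CODES.get(value, f"failure code {value}")
    return result


def probe_rdp(host: str, port: int, timeout: float = 3.0) -> Dict[str, object]:
    """Connect, send the request, classify whatever comes back. Network errors are reported, not raised."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_connection_request())
            return classify_reply(sock.recv(64))
    except OSError as exc:  # refused, timed out, unreachable: the forward is not delivering at all
        return {"rdp": False, "detail": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    import sys
    # e.g. python probe.py 1.2.3.4 8080, run from outside the LAN (1.2.3.4 is the thread's placeholder)
    print(probe_rdp(sys.argv[1], int(sys.argv[2])))
```

Run it from outside against the public IP and the forwarded port, then again from inside against 192.168.1.100:8080. If the inside probe reports an RDP listener and the outside one reports a refused connection, a timeout, or a non-RDP reply, the problem is in the forwarding path rather than the server; a reply that is an HTTP status line means a web service, not the server's RDP listener, owns that external port.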

Alejandro Gallego (Cisco Employee) Wed, 12/02/2009 - 17:33

OK, I have a better understanding of what you have. On a side note, you don't need to add the reg key; you can also create another port in the server's NIC Firewall properties (guess it will do the same thing). Never doubted that you could do this.

As far as hiding the RDP default port, I am totally for it, which is why I suggested using 3500 External to 3389 Internal. I know you really want to use 8080, but because our routers respond to 8080 (I know remote management is not enabled) and also a whole slew of other applications, forwarding 8080 to internal is not a good idea. I would change the rule: 8080 External to 3389 Internal, or 9090 External to 8080 Internal. Try that and see if it works. (I still don't like 8080.)

Now I know this does not answer the problem with the other ports, so I will try to focus on that.

You stated that you know port 8080 is an open port on the firewall; is this implying another device in front of the RVS? I don't believe so from the original post. Ports 80 and 8080 are typically never blocked and performing port scans will show that. Ports 443, 21, 25 and others are typically coded to be blocked, because of what they are typically used for. So if you did a port scan and it showed that other ports are blocked, that does not mean we can't use them.

So, what I would like to see is the log from the router. Go to "Administration >> Log" and enable it. Once that is done lets try to make some connections and take a look at what the router is doing. If you have a syslog server, that would be even better.


I will make you a deal, I will begin testing this behavior in lab right now and you promise to just play along and get rid of that 8080 External port forward to 8080 internal rule.

Gene_Laoyan Wed, 12/02/2009 - 19:59

OK, I'm always in for the "good ol' college try".


Port 21, 80 & 443 remain the same.


WAN port 8080 side is now mapped to port 3389 LAN side.

I confirmed RDP works from WAN side using 1.2.3.4:8080

Cleared all the logs.


So we're clean as of 7:55pm, confirmed working and logging. Sorry, no syslog server. Let's see what tomorrow brings.



Typically I leave it alone overnight and try connecting the next day from a remote site via the forward-facing public IP. That's when it starts to fail.


"You stated that you know port 8080 is an open port on the Firewall, is this implying an other device in front of the RVS?"

There is nothing in front of the RVS4000. Also, I have tested mapping WAN 443 & 21 to port 8080 or 3389 and it works as well. But those WAN ports are dedicated to another server.


/Sidenote: Why isn't there a logoff on the router's admin page?

Alejandro Gallego (Cisco Employee) Wed, 12/02/2009 - 21:52

"Sidenote: Why isn't there a logoff on the router's admin page?"


Yes.



Gene_Laoyan Thu, 12/03/2009 - 12:21

OK, this morning it was up and down (all ports) a few times. I finally logged in via RDP right now.

Which logs do you want?


/Gripe: Why does the viewing of the logs start from the beginning of the log? Most start at the last or at least scroll. This "Next Page" button thing is driving me nuts.

Gene_Laoyan Thu, 12/03/2009 - 14:39

UPDATE:

So far, it looks like if I stay connected it's solid. I'm going to disconnect now and see what happens in an hour.

Alejandro Gallego (Cisco Employee) Fri, 12/04/2009 - 08:57

We should get a good idea of what is going on from the "Firewall", and "System" logs. If the router is denying connections we should be able to see that with those two logs. This is really random, as I have not been able to replicate your problem. If this continues, having your config file would be helpful. Just change passwords, and private info before you back up the configs to send or post.

Gene_Laoyan Fri, 12/04/2009 - 09:22

OK, this morning I was able to get in and all ports worked.

Pardon my ignorance but how do I save the logs to a text file? Remember, I have never used this router before.


"If the router is denying connections we should be able to see that with those two logs."

Funny you mention that. I had 5 IPs in my log; I traced all 5 back to China. So last night I blocked the entire inetnum range with the "IP Based ACL".

IPS reports the following...

Attacker
No  IP Address       Frequency
1   221.195.73.68    14
2   125.65.112.161   8
3   210.83.80.190    6
4   218.24.197.194   4
5   218.6.15.138     3

Attacked Category
No  Category         Frequency
1   DoS / DDoS       46
2   Buffer Overflow  1
3   Access Control   0
4   Scan             0
5   Trojan Horse     0
6   Other            0
7   P2P              0
8   IM               0
9   Virus Worm       0
10  Web Attacks      0

Gene_Laoyan Fri, 12/04/2009 - 10:05

At 10:01am today I just lost connection. My RDP session just stopped. But I can still get to my neighbor's, and he has a Belkin something router. I can connect to his machine/server via RDP. We have the same ISP/carrier.

Alejandro Gallego (Cisco Employee) Fri, 12/04/2009 - 11:17

OK, so I am going to get back on my soap box and yell at you again.




Remove altogether any reference on the external side, port forward, port trigger, etc., that references a well-known port. I know you may still need to leave 443 and 25 as is; so for those, make sure your server is locked nice and tight. Port 8080 (not meaning to sound rude) is a typical web port, being for UIs or not. Turn that off. What they are doing (most likely) is a port scan, and they see 8080 as an available port. Because it is 8080, DoS and buffer overflows are typical web server attacks. Since that port is also being forwarded to your server for RDP, if they figure this out, that will put your server in a very dangerous situation.

I am glad to hear that you hard coded those addresses on your router, very smart. The bummer part is that those are only a tiny slice of addresses that may pose a threat. If you are running an email server and use a service like Postini, make sure that you have rules in the firewall that only allow mail to and from the Postini servers, and nowhere else. For ftp, I would either turn it off, or just give people access to it only when needed. If you use it all the time, then make rules that would only allow your IP to access it. I am sure, that we have other denied connections that may also reference port 8080 directly.

Keep us posted.


EDIT:

Your above post said that you were able to RDP to your friend's box with no problem; I am not surprised. I have never thought the problem to be on your machine. There is no question the router is either denying the connection, or just getting confused. With the added info of your IPS log, I believe the router may be seeing the RDP connection on 8080 as an attack. If so, we should have log entries.

Gene_Laoyan Fri, 12/04/2009 - 11:27

OK, as soon as I can connect back I will disable all but one port forwarding port and use a not-so-common port number for my RDP. I'll let you know when it's done.

As of 11:27 now I can not connect.

Alejandro Gallego (Cisco Employee) Fri, 12/04/2009 - 11:35

Go through all your logs as well and post pertinent info. This is nutty but we will get it stable.

Gene_Laoyan Fri, 12/04/2009 - 16:29

Well....

I finally got in but my logs rolled over and wrote over the times I knew I lost connection....lol.


So I did as you asked and shut down all port forwarding except my super special top secret port I am using to RDP.

It's the weekend so I don't know when I will be able to check remotely if I lose connection.


Also, in the IPS| Report, how is that graph read? The times don't appear to correlate with the current time.

Gene_Laoyan Mon, 12/07/2009 - 09:21

As of today, I cannot connect to my system from the WAN side. This is "End Game". Returning the router and getting the Netgear model I tested that worked.


Thanks all.

Alejandro Gallego (Cisco Employee) Mon, 12/07/2009 - 22:56

I am really sorry to hear that. I hope you at least tried to call tech support before you threw in the towel. It really just seemed like we had some random misconfiguration on the router somewhere. Please let us know if there is anything we can do.
