
RVS4000 Router - Port forwarding problems

Gene_Laoyan
Level 1

I added an alternate RDP port number for a machine. Port 8080, rebooted the server. I set port forwarding of the public side 8080 to the private side 8080 to 192.168.1.100. It works one day, the next it stops. When I try to RDP from work to my forward IP it fails. But if I try from within the firewall LAN it works, and THEN it starts to work from my RDP session at work. Weird. Anyone encounter the same thing? I just bought this router 2 days ago.

I did notice in the "Basic settings" area that port 8080 is used for "Remote Management" but neither the option "Enable" nor the option "Disable" is selected.

Should I disable it?


Alejandro Gallego
Cisco Employee

Gene_Laoyan wrote:

I added an alternate RDP port number for a machine. Port 8080, rebooted the server. I set port forwarding of the public side 8080 to the private side 8080 to 192.168.1.100. It works one day, the next it stops. When I try to RDP from work to my forward IP it fails. But if I try from within the firewall LAN it works, and THEN it starts to work from my RDP session at work. Weird. Anyone encounter the same thing? I just bought this router 2 days ago.

I did notice in the "Basic settings" area that port 8080 is used for "Remote Management" but neither the option "Enable" nor the option "Disable" is selected.

Should I disable it?

When you say that you added an "alternate" RDP port, do you mean you already have RDP forwarded to another computer? I will answer under the assumption that you do not.

First, do not use port 8080 as an external port or internal port. This port is typically used as default for many web based applications, our web UI is one of them.

Second, it appears that you have already enabled RDP on your server, and from your beginning statement I want to believe that you have changed the default RDP port 3389 to 8080 in the registry of the server. Changing the default port in the registry is fine and sometimes it needs to be done for different reasons; in your case you do not need to do that. But whatever you decide, if it is on 8080, change it.

Third, don't worry about the remote management because you are going to change the RDP port you are using (8080) to something else.

So, let's say you have three servers that you need to have access to from the outside and you do not want to hop from one to another. This is what you need to do:

  1. Change the current port forward of 8080 to something like 3500
  2. Set the port forward rule on the RVS to read like this:

  • Name: RDP
  • External port 3500
  • Internal port 3389
  • IP address of server

  3. Now if you have another server, it would look like this:

  • Name: RDP1  <= must be different or the router will give an error
  • External port 3600 <= new port number, I like to increment by 100. Just habit.
  • Internal port 3389
  • IP address of server

The key here is that we can change the external port all day long, because we are using PAT (Port Address Translation). We tell the MS RDP client on our computer to make the connection on our specified port, but when the request hits the router, the router will see the traffic enter on port 3500, and will translate that traffic to the default port 3389. So the RDP session is established from point-to-point using ports 3500 => 3389 and that is why we can reuse 3389 internally and all the conversations of RDP are kept separate.

Let us know if you still have problems.

I guess I should've defined what I meant by "Alternate Port Number". The default 3389 is still there and works AND 8080 is there and it works. I can RDP to both ports.

So, what I have is a server I can RDP to on port 3389 & 8080 (Internal LAN) but only port 8080 is forwarded from WAN 8080 to internal LAN 8080 to a specific IP.

My issue is, after a while, I can not RDP to port 8080. I am not port forwarding 3389. I reboot the server and I still can not RDP to it. I tried both DHCP and a static IP and it still exhibits this problem.

Here's the catch. If I initiate an RDP session to the server in question, 192.168.1.100:8080 it works, after that I can then RDP from the WAN. It's like it has to be triggered inside the local LAN first then it works.

The only port forwarded so far is 8080, and it only goes to 192.168.1.100, and it's intermittent.

The key here is I need it to work with port 8080 and not the default 3389.

It sounds like a port issue with your ISP. Port 8080 is a common remote management port and they may be utilizing it for their devices also. Have you tested with another port like 8081 or something to see if you're getting complications with that?

I used/tested 2 different Netgear Routers a Linksys and D-Link and all of those worked with no problem reliably for several days port forwarding 8080. I was doing the testing & Research to see which would work best for me. I chose this model for the gigabit switch and I didn't want or need wireless. This eliminates my ISP. My neighbor has a Belkin something and we have the same ISP and he has no problem port forwarding. We both have 25Mbit/sec fibre to the home.

So to recap, my RVS4000 intermittently stops port forwarding port 8080 and using another port is not an option.

I would call the SBSC at 866-606-1866 so they can troubleshoot this case with you.  They will determine if the router is defective or if it is a bug on the router.

OK, thank you for helping me. I think I will just return it for another one of the same model.

Let us know if the replacement works without issues so we can update the community.  Thank You.

UPDATE:

OK, I got the new router and loaded my old config file. Confirmed port 8080 was forwarding correctly and it is so far. It has only been 24hrs so I will let it run for another 24hrs and try connecting again from the WAN side to port 8080.

Well, as of today at 8:33am California time all port forwarding has stopped. I can no longer connect to my public IP. I'm going to call Cisco as a last ditch effort as there may be a setting I don't know of. If it doesn't work I will go back to the Netgear model that worked.

Thanks

Holy Cow Batman!

Check this out, I was also port forwarding port 21 (ftp) so for kicks, I ftp'd to my public IP and it let me in. So then I tried to RDP to port 8080, for which I have port forward set to internal 8080 to a specific IP... and it worked!!!

Sup with dat?

This sounds like a bug.

Gene_Laoyan wrote:

I guess I should've defined what I meant by "Alternate Port Number". The default 3389 is still there and works AND 8080 is there and it works. I can RDP to both ports.

So, what I have is a server I can RDP to on port 3389 & 8080 (Internal LAN) but only port 8080 is forwarded from WAN 8080 to internal LAN 8080 to a specific IP.

My issue is, after a while, I can not RDP to port 8080. I am not port forwarding 3389. I reboot the server and I still can not RDP to it. I tried both DHCP and a static IP and it still exhibits this problem.

Here's the catch. If I initiate an RDP session to the server in question, 192.168.1.100:8080 it works, after that I can then RDP from the WAN. It's like it has to be triggered inside the local LAN first then it works.

The only port forwarded so far is 8080, and it only goes to 192.168.1.100, and it's intermittent.

The key here is I need it to work with port 8080 and not the default 3389.

To clarify this earlier post please let me know if I am correct:

  1. On server (192.168.1.100) the REGISTRY Key has NOT been changed for RDP connections to 8080
  2. You have enabled Remote Management ON the Server via IIS and the site responds on port 8080
  3. Internally you are able to RDP to the server WITHOUT specifying port 8080

I do not understand why we need to RDP to the server on 8080 INTERNAL? The problem I see with this is just as I explained a while back, port 8080 is just not a good idea. The server will always respond on 3389 for all RDP requests unless the REG Key has been changed. Again, I believe you are trying to access the server via the Web Management interface which may be why this works sometimes and not others.

Please let us know if I am heading in the right direction.

Strangely I lost connection again as well as port 21 (ftp).

Here's the setup...

My internal LAN server 192.168.1.100 uses RDP ports 3389 & 8080. From within the LAN I can RDP to just 192.168.1.100 & 192.168.1.100:8080. My router is set to port forward port 8080 to port 8080 of my internal LAN to the IP 192.168.1.100. When connecting to my public IP 1.2.3.4:8080 it sometimes works and sometimes fails. More fail than works. I have run this on two RDP ports for many years on many servers.

Your question "I do not understand why we need to RDP to the server on 8080 INTERNAL?"

Because I do not want to port forward 3389 because it is default and everyone knows the port number. So doing so, anyone can randomly try and connect via RDP without having to redirect to another port. Too easy. Why I chose 8080? Because it is a port that is open on our firewall. All other ports are closed. Why? I dunno, I just know it's opened. :-P

Remote management is set to "Disable". So port 8080 should not be an issue.

Port 8080 is just another port and it should be treated as so and just forwarded. Strangely today the other ports I am forwarding fail as well now: 443, 21 & 80. But to be honest, previously I did not check them because I was focusing on 8080.

If port 8080 is an issue then why do all the other ports fail at the same time?

So my issue is now, why is my second brand new RVS4000 intermittently failing to port forward any of the ports I assigned to forward?

If it means anything the firmware is v1.3.0.5

Also you asked/said...

The server will always respond on 3389 for all RDP requests unless the REG Key has been changed.

Yes and no. You can add an additional listener port number. In my case the server will always listen to BOTH ports.

I believe you are trying to access the server via the Web Management interface which may be why this works sometimes and not others.

No. I am opening "Remote Desktop" and connecting to my public IP address 1.2.3.4:8080. Nothing to do with IIS or Server web management.

For kicks, if you want to try it yourself, copy the text below to a .reg file on a test Server/XP machine and then reboot it. You will be able to RDP to both ports 3389 & 8080.

----------------------------------------------------------------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01]
"CfgDll"="RDPCFGEX.DLL"
"fEnableWinStation"=dword:00000001
"MaxInstanceCount"=dword:ffffffff
"PdName"="tcp"
"PdClass"=dword:00000002
"PdDLL"="tdtcp"
"PdFlag"=dword:0000004e
"OutBufLength"=dword:00000212
"OutBufCount"=dword:00000006
"OutBufDelay"=dword:00000064
"InteractiveDelay"=dword:00000032
"PortNumber"=dword:00001F90
"KeepAliveTimeout"=dword:00000000
"LanAdapter"=dword:00000000
"WdName"="Microsoft RDP 5.2"
"WdDLL"="rdpwd"
"WsxDLL"="rdpwsx"
"WdFlag"=dword:00000036
"InputBufferLength"=dword:00000800
"CdClass"=dword:00000000
"CdName"=""
"CdDLL"=""
"CdFlag"=dword:00000000
"Comment"=""
"fInheritAutoLogon"=dword:00000001
"fInheritResetBroken"=dword:00000001
"fInheritReconnectSame"=dword:00000001
"fInheritInitialProgram"=dword:00000001
"fInheritCallback"=dword:00000000
"fInheritCallbackNumber"=dword:00000001
"fInheritShadow"=dword:00000001
"fInheritMaxSessionTime"=dword:00000001
"fInheritMaxDisconnectionTime"=dword:00000001
"fInheritMaxIdleTime"=dword:00000001
"fInheritAutoClient"=dword:00000001
"fInheritSecurity"=dword:00000000
"fInheritColorDepth"=dword:00000000
"fPromptForPassword"=dword:00000000
"fResetBroken"=dword:00000000
"fReconnectSame"=dword:00000000
"fLogonDisabled"=dword:00000000
"fAutoClientDrives"=dword:00000001
"fAutoClientLpts"=dword:00000001
"fForceClientLptDef"=dword:00000001
"fDisableEncryption"=dword:00000001
"fHomeDirectoryMapRoot"=dword:00000000
"fUseDefaultGina"=dword:00000000
"fDisableCpm"=dword:00000000
"fDisableCdm"=dword:00000000
"fDisableCcm"=dword:00000000
"fDisableLPT"=dword:00000000
"fDisableClip"=dword:00000000
"fDisableExe"=dword:00000000
"fDisableCam"=dword:00000001
"Username"=""
"Domain"=""
"Password"=""
"WorkDirectory"=""
"InitialProgram"=""
"CallbackNumber"=""
"Callback"=dword:00000000
"Shadow"=dword:00000001
"MaxConnectionTime"=dword:00000000
"MaxDisconnectionTime"=dword:00000000
"MaxIdleTime"=dword:00000000
"KeyboardLayout"=dword:00000000
"MinEncryptionLevel"=dword:00000002
"NWLogonServer"=""
"WFProfilePath"=""
"WdPrefix"="RDP"
"TraceEnable"=dword:00000000
"TraceDebugger"=dword:00000000
"TraceClass"=dword:00000000
"DrawGdiplusSupportLevel"=dword:00000001
"ColorDepth"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01\UserOverride]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01\UserOverride\Control Panel]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01\UserOverride\Control Panel\Desktop]
"Wallpaper"=""
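
Added example, not part of the original posts: a Python check that reads a .reg export like the one above, decodes each WinStations `PortNumber` dword (00001F90 is 8080), and compares router forward rules against the ports that actually have an RDP listener. The sample export, the rule names and the `mgmt_port` default (8080, the remote management port mentioned in the thread) are assumptions constructed for illustration.

```python
import re

# Constructed sample: a trimmed .reg export holding the stock listener and the
# alternate listener from the post, reduced to the values this check reads.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01]
"PortNumber"=dword:00001F90

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-AltPort01\UserOverride]
"""

PARENT = r"\control\terminal server\winstations" + "\\"
VALUE_RE = re.compile(r'^"PortNumber"=dword:([0-9a-f]{8})$', re.IGNORECASE)

def rdp_listeners(reg_text):
    """Map each WinStations listener key to its decoded TCP port."""
    listeners, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            pos = path.lower().find(PARENT)
            name = path[pos + len(PARENT):] if pos != -1 else ""
            # Only direct children of WinStations are listeners, not UserOverride etc.
            current = name if name and "\\" not in name else None
        elif current and (m := VALUE_RE.match(line)):
            listeners[current] = int(m.group(1), 16)  # dword is hexadecimal
    return listeners

def check_forwards(rules, listeners, mgmt_port=8080):
    """rules: (name, external_port, internal_port). Returns {name: [findings]}."""
    listening = set(listeners.values())
    findings = {}
    for name, external, internal in rules:
        checks = [(internal not in listening, "no RDP listener on internal port"),
                  (external == 3389, "default RDP port exposed on WAN"),
                  (external == mgmt_port, "external port matches router remote management port")]
        findings[name] = [msg for hit, msg in checks if hit]
    return findings

# Constructed rules: the two mappings discussed in the thread plus one mistake.
RULES = [("RDP", 3500, 3389), ("RDP-alt", 8080, 8080), ("RDP-bad", 3600, 3390)]

if __name__ == "__main__":
    for rule, notes in check_forwards(RULES, rdp_listeners(SAMPLE_REG)).items():
        print(rule, notes or ["ok"])
```
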

OK, I have a better understanding of what you have. On a side note, you don't need to add the reg key; you can also create another port on the server's NIC Firewall properties (guess it will do the same thing). Never doubted that you could not do this.

As far as hiding the RDP default port, I am totally for it, which is why I suggested to use 3500 External to 3389 Internal. I know you really want to use 8080, but because our routers respond to 8080 (I know remote manage is not enabled) and also a whole slew of other applications, forwarding 8080 to internal is not a good idea. I would change the rule: 8080 External to 3389 internal or 9090 External to 8080 Internal, try that and see if it works. (I still don't like 8080.)

Now I know this does not answer the problem with the other ports, so I will try to focus on that.

You stated that you know port 8080 is an open port on the Firewall, is this implying another device in front of the RVS? I don't believe so from the original post. Port 80 and 8080 are typically never blocked and performing port scans will show that. Ports 443, 21, 25 and others are typically coded to be blocked, because of what they are typically used for. So if you did a port scan and it showed that other ports are blocked, that does not mean we can't use them.

So, what I would like to see is the log from the router. Go to "Administration >> Log" and enable it. Once that is done let's try to make some connections and take a look at what the router is doing. If you have a syslog server, that would be even better.

I will make you a deal, I will begin testing this behavior in lab right now and you promise to just play along and get rid of that 8080 External port forward to 8080 internal rule.

OK, I'm always in for the "good ol' college try".

Port 21, 80 & 443 remain the same.

WAN port 8080 side is now mapped to port 3389 LAN side.

I confirmed RDP works from WAN side using 1.2.3.4:8080

Cleared all the logs.

So we're clean as of 7:55pm, confirmed working and logging. Sorry, no syslog server. Let's see what tomorrow brings.

Typically I leave it alone overnight and try connecting the next day from a remote site via the forward-facing public IP. That's when it starts to fail.

"You stated that you know port 8080 is an open port on the Firewall, is this implying an other device in front of the RVS?"

There is nothing in front of the RVS4000. Also, I have tested mapping WAN 443 & 21 to port 8080 or 3389 and it works as well. But those WAN ports are dedicated to another server.

/Sidenote: Why isn't there a logoff on the router's admin page?
