Remote Desktop port confusion (1723 v. 3389)


Cadillac84
07-24-2006, 05:03 PM
With apologies about the Winders XP nature of this question, Greetings!

My problem involves two router/firewalls: one is the Westell ADSL "modem" and the other is my Linux router/firewall (iptables).

I am attempting to connect to a WinXP Pro computer at my office from a WinXP Pro computer at my home.

At the office, I have started the remote desktop server on the host machine and I have successfully set up a WinXP Pro computer on the office LAN, connected, worked, disconnected, unlocked the host, and repeated the operation several times so I have a "comfort level" with doing that.

When I try it from home, I get nowhere.

Office setup:

Static IP ADSL with Westell 2200 using NAT.

I have connected directly to the Westell and set up port forwarding for VPN, but when I did that, the port that was forwarded was 1723 (I had read a post here which said I'd have to forward port 1723, so that didn't surprise me). After setting port forwarding on the Westell, I power cycled it and checked to see that the port forwarding was enabled. (I've done this before for pcAnywhere and our email, so I am pretty comfortable with that.)

We also have a firewall (Linux) which logs DROPs and REJECTs and ACCEPTs from outside, and I have tailed the log and see no record of any attempt to come in from my home (quasi-static) IP. (I call it quasi-static because it hasn't changed for 2+ years.)

So, I think my request for connection is not getting through the Westell and that I'm going to have to open forwarding for 3389.

If so, is that ALSO 3389 or INSTEAD OF 1723?

My static IP at the office is routable using www dot xyz dot org or by using the (known to me) dotted-decimal address. Inside, the NATed IP is 192.168.1.97 (eth0) which is handled by the Linux router/firewall. The LAN IP is 192.168.40.0/24 (eth1) and I am using DHCPD to assign specific IP (based on the HW addr of the NIC) to each client on the LAN so I know who is who.

If my requests from the outside were getting through to the Linux router, I think among the various /var/log/... choices, there would be a message in one of the logs.

I think I can get through the Linux firewall if I can see what is coming through the Westell. Am I right that I am getting stuck at the Westell and can someone advise me about my port confusion?

Thanks in advance.
Chuck

cybertron
07-24-2006, 05:38 PM
From this page (http://www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx) it appears that you just need to open 3389. I'm not entirely sure what the other port is for, but I think it should work with just 3389.

Cadillac84
07-24-2006, 05:52 PM
I could set it up for remote admin, but I'm always concerned about doing stuff like that from 25 miles away and then having to go anyway because it doesn't work right (especially if I find out it's not working at 3 a.m.!!).

I guess the threads dealing with Remote Desktop have a lot of comments in them about VPN, and I got confused by thinking of MS's Windows Remote Desktop as a VPN application. It's not, apparently; rather, one could say, it is a VPN-like application. So, I'll change it over to 3389 and I'll let you know how that works.

Thanks very much for the quick response. I'm off to the office now. Since I have to take the Westell down to do this, it's best to wait until quitting time anyway! You'll hear back from me soon (I hope!) :-)

Chuck

P.S. I asked this same question on a "Windows" forum four hours ago and nobody has touched it. So, a double thank you for answering this in a Linux forum! :-)

cybertron
07-24-2006, 06:33 PM
No problem. I suppose you could set it up to run over a VPN, but I don't think it's necessary. It might be more secure though - I'm not sure how Remote Desktop handles that sort of thing.

Cadillac84
07-25-2006, 03:29 AM
I hardly know where to start telling you about this, but here goes something.

I connected to the Westell and deleted NAT for PPTP (1723 udp & tcp & proto 47). There is no standard service on the Westell 2200 for Remote Desktop, so I added a custom service which I called, aptly enough, Windows Remote Desktop. I set the port range to 3389:3389 with home port 3389 and set it to UDP because the Microsoft KB said RDP (I've been calling it RDT for Remote Desk Top, I guess. But MS calls it RDP for Remote Desktop Protocol.) Anyway, the KB said RDP would attempt to establish connection using UDP.

So, that done, I called my at home keypusher and attempted connection. No joy!

I tailed the logs and saw nothing, so I assumed I was not getting through the NAT in the Westell. Then, one of our attempts put up a message that mentioned VPN. Harrumph!

OK, so I went back to the Westell and added PPTP to the list of NAT enabled services.

Now when the keypusher tries to connect, I am showing DROPs in the Firewall for PROTO=47. Well, according to http://www.iana.org/assignments/protocol-numbers listing, that is GRE.

So, I have modified my firewall tables and I wonder if you'd suggest why this is not working.

Well, now I can't seem to retrieve a copy of my iptables script.

I'm whipped; I think I'll get some sleep and revisit this in the morning. The answer to my original question appears to be that you need to allow both 1723 (PPTP) which should include protocol 47 (GRE) and 3389 which MS specifies.
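
The poster is reading the firewall log by hand to work out what is being dropped (PROTO=47 turned out to be GRE). Here is an added example, not from the thread, of a small sh/awk filter that does that classification for the kernel LOG lines iptables writes: it pulls out the log prefix, source, protocol and destination port and names the service, so `tail -f /var/log/messages | classify_fw_log` shows at a glance whether the GRE/1723 pieces of PPTP or the 3389/tcp of RDP are arriving. The sample log lines are constructed, the log prefixes `DROP:`/`ACCEPT:` and the addresses are assumptions, and the classifier is simplified to a single-word log prefix. One point worth knowing when reading the output: classic RDP (the version on XP) uses TCP 3389, so 3389/udp is flagged rather than treated as RDP.

```shell
#!/bin/sh
# Added example: classify iptables LOG lines by what the dropped/accepted packet was.
# Expects the kernel LOG format "...<prefix> IN=... OUT=... SRC=... DST=... PROTO=... DPT=...".

classify_fw_log() {
    # Reads log lines on stdin; prints "ACTION<TAB>SRC<TAB>PROTO<TAB>DPT<TAB>label" per line.
    awk '
    {
        action = "?"; proto = "?"; dpt = "-"; src = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/ && i > 1) action = $(i-1)   # the --log-prefix token, e.g. "DROP:"
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        label = "unclassified"
        if (proto == "47")
            label = "GRE (PPTP tunnel data, IP protocol 47)"
        else if (proto == "TCP" && dpt == "1723")
            label = "PPTP control channel (1723/tcp)"
        else if (proto == "TCP" && dpt == "3389")
            label = "RDP (3389/tcp)"
        else if (proto == "UDP" && dpt == "3389")
            label = "3389/udp: classic RDP does not use UDP, check the forwarding entry"
        sub(/:$/, "", action)
        print action "\t" src "\t" proto "\t" dpt "\t" label
    }'
}

sample_fw_log() {
    # Constructed sample lines (not real logs); 203.0.113.10 stands in for the home IP.
    cat <<'EOF'
Jul 25 02:14:01 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=192.168.1.97 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=47
Jul 25 02:14:03 fw kernel: DROP: IN=eth0 OUT= SRC=203.0.113.10 DST=192.168.1.97 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4322 DF PROTO=TCP SPT=49152 DPT=1723 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 02:15:10 fw kernel: ACCEPT: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=192.168.40.50 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4330 DF PROTO=TCP SPT=49153 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 25 02:16:00 fw kernel: DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.97 LEN=48 TOS=0x00 PREC=0x00 TTL=44 ID=9001 PROTO=UDP SPT=1024 DPT=3389 LEN=28
EOF
}

# Stand-alone demo: classify the constructed sample. In real use:
#   tail -f /var/log/messages | classify_fw_log
sample_fw_log | classify_fw_log
```

The awk takes the token just before `IN=` as the rule's `--log-prefix`, so it works with one-word prefixes such as `DROP:`; a multi-word prefix would need the loop adjusted. The action column lets you separate "the Westell never passed it" (no line at all) from "it reached the Linux box and was dropped" (a DROP line), which is the distinction the thread is trying to make.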

The Linux Kid
07-25-2006, 04:00 AM
On my network here I just have 3389 forwarded from the router to my windows 2003 server. Whenever I want to get into it I just open up remote desktop client and put in my ip address.

Cadillac84
07-25-2006, 10:09 AM
:) If I'd stayed up another 30 minutes or so, I'd have seen this when you posted it. Can you tell me the specific wording of your forwarding statement?

I'd appreciate if you'd expand on your remark just a bit.

I assume when you say, "Whenever I want to get into it" you mean from outside your building so you are using a Remote Desktop "Client" through the Internet and then through some kind of "modem" (ADSL or cable).

Then, may I also assume you have a Linux router which is forwarding the 3389 to your windows 2003 server? Surely that Linux router is using iptables and, unless it ACCEPTs as a matter of POLICY, you must have some rules that perhaps you'd share with me.

I was already grey-headed before this started, but I'm about to snatch myself bald-headed. (Of course, that might be an improvement!)

> On my network here I just have 3389 forwarded from the router to my windows 2003 server. Whenever I want to get into it I just open up remote desktop client and put in my ip address.

In any event, thanks for your reply. :cool:

m3rlin
07-27-2006, 04:01 PM
If you are trying to use Remote Desktop, it's port 3389. From what I understood, you have a router and then a firewall. This is where sometimes things can go wrong: does your router use a NAT policy? Does it forward everything to the firewall, and then the firewall routes for the hosts?

Usually what goes wrong here is using a router with a NAT policy and then a firewall with a NAT policy. The solution would be to make your router into a bridge, leave the firewall with the NAT policy, and create a rule that would accept 3389 packets and forward them to the specified host.
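
Cadillac84 asked earlier for the wording of the forwarding rules, and m3rlin's post ends with "create a rule that would accept 3389 packets and forward them to the specified host". The following is an added example of what that looks like on the Linux router described in the thread (eth0 toward the Westell, eth1 toward 192.168.40.0/24); it is not any poster's script. Because the home address is quasi-static, the rules accept 3389/tcp only from that one source and log and drop anything else aimed at the port, which both limits exposure and makes failed attempts visible in the same log the poster is already tailing. The LAN host 192.168.40.50 and the home address 203.0.113.10 are placeholders; the interface names are taken from the thread. By default `IPT` is `echo`, so running the script only prints the rules (a dry run); set `IPT=iptables` as root to apply them.

```shell
#!/bin/sh
# Added example (not the poster's script): DNAT 3389/tcp from one trusted source
# to one LAN host on a two-interface Linux router, with other 3389 attempts logged.
IPT="${IPT:-echo}"                       # dry run by default; IPT=iptables to apply

WAN_IF="${WAN_IF:-eth0}"                 # faces the Westell (192.168.1.97 in the thread)
LAN_IF="${LAN_IF:-eth1}"                 # faces 192.168.40.0/24
RDP_HOST="${RDP_HOST:-192.168.40.50}"    # assumed LAN address of the RDP host
RDP_PORT=3389                            # classic RDP listens on 3389/tcp
HOME_IP="${HOME_IP:-203.0.113.10}"       # placeholder for the home (quasi-static) IP

rdp_forward_rules() {
    # 1. Rewrite the destination to the LAN host, but only for the trusted source.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -s "$HOME_IP" --dport "$RDP_PORT" \
        -j DNAT --to-destination "$RDP_HOST:$RDP_PORT"

    # 2. Let the translated connection through FORWARD (assumes a DROP policy there).
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$HOME_IP" -d "$RDP_HOST" \
        --dport "$RDP_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # 3. Replies and follow-on packets of tracked connections, in both directions.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. 3389/tcp from any other source is not translated, so it arrives at INPUT
    #    addressed to the router itself: log it (rate limited) and drop it.
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$RDP_PORT" \
        -m limit --limit 5/min -j LOG --log-prefix "RDP-DROP: "
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$RDP_PORT" -j DROP
}

# Stand-alone run: prints the rules (IPT=echo) or applies them (IPT=iptables).
rdp_forward_rules
```

Routing between eth0 and eth1 also needs `net.ipv4.ip_forward=1`, which the existing router presumably already sets. The upstream Westell still has to forward 3389/tcp (not UDP) to 192.168.1.97 for any of this to be reached, which is the double-NAT chain m3rlin describes; the LOG rule in step 4 is what turns "nothing in the log" into evidence about which of the two boxes is stopping the connection.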