Firewall Rule to Restrict RDP Port Forward Not Working

AffordableIT

I have a USG110 that I set up for a client.  They have a software vendor who insists on using RDP for remote support.  I set up Port Forwarding to send RDP traffic (on a non-standard port) to the server.  In the firewall, I set up a rule to allow traffic from WAN1, with a source IP of the Vendor's public IP addresses to reach the server.  It is straightforward, and I understand that this rule should only allow the forwarded RDP traffic from those particular public IP addresses to reach the server, and block all others.  However, when I enable to NAT rule, RDP over that port from any PC on the internet is able to reach the server.  Is there something else I should be doing?  I have set something similar for another client with their remote VOIP phones, and it seems to work properly.  I don't know why it should be different here.  Any help is appreciated.

Zyxel_Stanley

Hi @AffordableIT  

You can make sure if your policy control rules allowed any traffic from internet.

And also check if default rule action is deny.

PeterUK

Maybe you have another rule in place for RDP that allows all?

AffordableIT

Stanley,

Thank you for the input.  It turns out that I needed an explicit DENY rule for RDP traffic (#2 on list) from any IP right under the rule allowing the forwarded RDP port from the specific IP addresses (#1 on list).  I could not determine which subsequent rule was allowing it from any IP location, but the DENY rule took care of it.


Thanks again.

Zyxel_Stanley

Hi @AffordableIT

It's good to know your issue has resolved. 😎