RDP works with local IP but not public static IP in same network?

taraztu

Oct 27, 2012
I have a Windows 2008 R2 Server which is connected to a dedicated internet connection and has a public static IP. I use a Mikrotik router as the primary router and have port-forwarded the public static IP to the Server. Also I have kept a static IP for the Server to access it locally.
Till a few days back everything was working well, but now RDP works with the local IP but not the public static IP in the same network. RDP works fine over other networks with the public static IP. I tried everything from rebooting the Server to the Mikrotik router but nothing helped. I would be thankful if someone could help me in solving this issue. (Please note that I used LAN & Wireless LAN to access both the IPs.)
You seem much more informed on this topic than many we see asking about this so I will explain in some detail.

The difference between using the public IP on an external network and using the public IP on the LAN is the path the data takes.

So let's say your public IP is a.b.c.d. And let's say your local IPs are 192.168.1.100 for the PC and 192.168.1.101 for the server.

So normally when your traffic goes to the internet, say to x.x.x.x, your traffic looks like this.
source ip 192.168.1.100 dest ip x.x.x.x-----------NAT----- source ip a.b.c.d destination ip x.x.x.x

Now for traffic coming from some random IP on the internet to your server, because of the port forwarding rules that data translation looks like this.
Source ip w.x.y.z destination ip a.b.c.d (your public ip). -----NAT--- source ip w.x.y.z destination 192.168.1.101.

Now in the case you discuss, your traffic goes

Source IP 192.168.1.100 destination ip a.b.c.d ---NAT-- source IP a.b.c.d destination IP a.b.c.d <----note both the source and destination IP are the same.
The traffic now must do another nat.
Source IP a.b.c.d destination ip a.b.c.d --NAT-- source ip a.b.c.d destination ip 192.168.1.101.

When the traffic goes back to the client machine it must reverse this process.

This is very confusing to even think about and many routers are too stupid to do this. If it is handled it can be done in 2 ways.

First the router could have a special feature many times called hairpin NAT. In most cases even if the router supports this they do not document it.
The other way depends on luck. Some routers actually ignore the destination IP and blindly send all data to the gateway (i.e. the ISP router). They will do this even when the IP is their own public IP.
The ISP router will get the packet, look up its path for the destination IP and send it back to the router. Since the router now thinks this is an incoming packet rather than an outgoing one, it will process it correctly.
Not all ISP routers will do this partially to prevent data loops.

Hard to say why it used to work. You can look for an option to turn on hairpin NAT (it can be called other things).
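Added example, not written by either poster: the pair of MikroTik RouterOS NAT rules that implement the hairpin NAT described in the reply above, using the reply's addresses (a.b.c.d public, 192.168.1.101 server). It assumes a 192.168.1.0/24 LAN and RDP on its default TCP port 3389, neither of which the thread states.

```routeros
# Constructed example using the addresses from the reply above.
# Assumptions (not stated in the thread): LAN is 192.168.1.0/24, RDP listens on TCP 3389.
/ip firewall nat

# 1) The existing port forward: anything arriving for the public IP on 3389 goes to the
#    server. This rule alone covers clients on other networks, which is why RDP works
#    from outside but not from the LAN.
add chain=dstnat dst-address=a.b.c.d protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.1.101 to-ports=3389 \
    comment="RDP port forward"

# 2) The hairpin rule. When a LAN client connects to a.b.c.d, the dst-nat rule rewrites
#    the destination to 192.168.1.101 but the source stays 192.168.1.100. The server
#    then answers the client directly on the LAN, bypassing the router, and the client's
#    TCP stack drops a reply from 192.168.1.101 for a connection it opened to a.b.c.d.
#    Masquerading the source forces the reply back through the router, where the
#    connection state matches. The srcnat chain sees the already-translated
#    destination, so the rule matches on 192.168.1.101, not on a.b.c.d.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.101 \
    protocol=tcp dst-port=3389 action=masquerade \
    comment="RDP hairpin NAT for LAN clients"
```

One side effect worth knowing for auditing: with the masquerade rule in place, the server's RDP and security logs record LAN connections as coming from the router's LAN address rather than from the real client, so anyone reviewing logon events should correlate with the router's connection tracking.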