[SOLVED] Remote Desktop working in local network but not over public IP in another network

James Noscoper

Hello,

I've recently been traveling back and forth from home and I need to be able to do work on my computer by remote. I've port forwarded and enabled all the things necessary, but it doesn't work. I can remote from the same network (the one my desktop is connected to) using a local IP (192..), but I can't use my public IP (which isn't static but should surely work as it's not changed yet). I'm unsure whether it's an issue with my firewall (Avast Premium); I've tried creating rules and it still doesn't connect. Am I missing something here?

Comp A (desktop) Comp B (any other device)
Comp B can remote on local 192.168. to Comp A
Comp B can't remote on public IP to Comp A

Port forward in router is set
Comp A is set to private network
Enabled the basic Allow Remote Desktop etc.
Tried setting packet rules for RDP In Private TCP/UDP allow
 
Solution
So what do the port checkers say? Is the port open?

Have you tested on a different network than your...i.e. a completely different internet connection? It is very messy when you connect to your outside address using a machine on the inside. Both the source IP and the destination IP are the same IP on the WAN side of the router. A router needs a special function, many times called hairpin NAT. This tends to be something that is not documented even for routers that have the feature.

If the port checkers claim the port is closed, verify that you actually have a public IP. Check that the IP you see on the WAN port of your router is the same as you see on a site like whatsmyip.
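
The WAN-address comparison suggested above can be written as a small check; this is an added example, not part of the original thread. The function name, result codes and sample addresses are constructed for illustration (20.30.40.50 is the pretend public IP used later in the thread).

```python
import ipaddress

# Ranges that can never receive an inbound connection from the internet.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, carrier-grade NAT
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "public": "WAN IP is public and matches; the port forward is reachable.",
    "cgnat": "ISP carrier-grade NAT; an inbound forward cannot work as-is.",
    "double-nat": "Router is behind another NAT device; forward there too.",
    "not-routable": "WAN IP is not a routable address (no lease?).",
    "upstream-nat": "WAN IP differs from what the internet sees.",
}


def diagnose_wan(router_wan_ip: str, seen_from_internet: str) -> str:
    """Compare the router's WAN-port IP with the externally observed IP."""
    wan = ipaddress.ip_address(router_wan_ip)
    ext = ipaddress.ip_address(seen_from_internet)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in RFC1918):
        return "double-nat"
    if not wan.is_global:          # link-local, loopback, reserved, ...
        return "not-routable"
    if wan != ext:                 # public-looking, but translated upstream
        return "upstream-nat"
    return "public"


if __name__ == "__main__":
    # Constructed samples: (IP on router WAN port, IP a "what is my IP" site shows)
    samples = [
        ("20.30.40.50", "20.30.40.50"),
        ("100.72.1.9", "20.30.40.50"),
        ("192.168.1.2", "20.30.40.50"),
        ("169.254.10.4", "20.30.40.50"),
    ]
    for wan, ext in samples:
        code = diagnose_wan(wan, ext)
        print(f"{wan:>14} vs {ext}: {code} - {ADVICE[code]}")
```
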
 
Solution
Maybe go to a neighbor's house or an internet cafe. If you can tether to a cell phone that might work too. The IP address you are coming from needs to be something different.

Free VPNs tend to be scams and some have actually been caught running coin mining software on the machines to "pay" for the so-called free VPN.

Most of the larger VPN services will let you cancel with a full refund if you do it within a short time. Depends if you want to go through the hassle of a refund. Many you can get for $10.
 
I have a wifi USB adapter I can plug in and then use a hotspot from my phone, would that work?
 
That looks good.
Can you show also firewall rules allowing incoming RDP traffic?


https://snipboard.io/6sM05q.jpg
https://snipboard.io/jZIxqK.jpg

I'm not sure what you mean by traffic
 
I think the usb/phone hotspot option will work.

The firewall has to be working properly since the port testing site can talk to your RDP machine. Traffic is allowed in from that location so it should also work from your phone.

What is confusing the router is the double NAT.

So let's look at 2 examples.
You take your PC and talk to, say, some site like 1.2.3.4, and we pretend your external IP is 20.30.40.50.

So your packet looks like

192.168.0.100 source IP 1.2.3.4 destination.

The router translates this to

20.30.40.50 source IP 1.2.3.4 destination.

It reverses this when the traffic goes the other way.

Now let's look at some site accessing your RDP

3.4.5.6 source IP 20.30.40.50 destination IP.
Router translates this to
3.4.5.6 source IP 192.168.0.123 destination IP (your port forwarded server)

Now the problem: you send traffic to 20.30.40.50 from your inside IP

192.168.0.100 source 20.30.40.50 dest

NAT

20.30.40.50 source 20.30.40.50 dest

Unless the router has special support it will get confused by this, especially when the traffic is coming back from the server.
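
A small model of the three cases walked through above, as an added example that is not part of the original post. It assumes a router that rewrites only the destination for the port forward unless hairpin NAT is enabled; the router LAN address 192.168.0.1 and all function names are assumptions, while the other addresses are the ones used in the post.

```python
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str


WAN_IP = "20.30.40.50"       # pretend public IP from the post
ROUTER_LAN = "192.168.0.1"   # assumed LAN address of the router
SERVER = "192.168.0.123"     # port-forwarded RDP host from the post


def is_lan(ip: str) -> bool:
    return ip.startswith("192.168.0.")


def router_forward(pkt: Packet, hairpin: bool) -> Packet:
    """Translate a request as it crosses the router."""
    src, dst = pkt
    if dst == WAN_IP:                  # port forward: rewrite destination
        dst = SERVER
        if hairpin and is_lan(src):    # hairpin NAT: also rewrite the source
            src = ROUTER_LAN           # so the reply must return via the router
    elif is_lan(src):                  # ordinary outbound traffic
        src = WAN_IP
    return Packet(src, dst)


def connection_works(client_ip: str, hairpin: bool) -> bool:
    """True if the client gets a reply from the address it connected to."""
    request = Packet(client_ip, WAN_IP)
    at_server = router_forward(request, hairpin)
    reply = Packet(SERVER, at_server.src)
    if is_lan(reply.dst) and reply.dst != ROUTER_LAN:
        # Server and client share the LAN: the reply is delivered directly,
        # never crosses the router, and keeps the server's private source IP.
        seen_by_client = reply
    else:
        # Reply goes back through the router, which reverses the translation.
        seen_by_client = Packet(WAN_IP, client_ip)
    # The client drops replies whose source is not the IP it connected to.
    return seen_by_client.src == request.dst


if __name__ == "__main__":
    for client, hairpin in [("3.4.5.6", False), ("192.168.0.100", False),
                            ("192.168.0.100", True)]:
        ok = connection_works(client, hairpin)
        print(f"client={client:<14} hairpin={hairpin!s:<5} works={ok}")
```

The inside client only succeeds when the router rewrites the source as well, which is why a test from a genuinely different connection is the reliable one.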
 
I've just realised I've given my friend the wifi adapter, so may take a few days to get back.

So you're saying the router is sending it to itself and not my desktop? But isn't that what the port forwarding does? Or maybe I've done it incorrectly.
Is trying my desktop on another network the only test I can do?

Edit: just been looking at my other posts and then looking around the router settings, and it says that disabling NAT boost will allow for QoS, data traffic, port triggering. Is port triggering similar to port forwarding (virtual server on TP-Link)?
 
How fast is your ISP internet connection? You don't need NAT boost unless your ISP internet is over 300ish mbps; this is where cheaper router CPUs struggle with the speed and need NAT boost to help cope with the higher traffic.

Also, remoting into your home only through a port is a security nightmare. I'd recommend you buy a higher end router with VPN support from WireGuard or OpenVPN. WireGuard is much faster for slower processors, about 3x more than OpenVPN. The router's processor dictates the max bandwidth of the VPN connection. But this will allow a remote computer to log into your network and act as if it were on the local LAN, but with encryption and better authentication than simple port forwarding.
 
It's about 70 mbps tops but the router came with it already turned on? Could it be classed as a cheaper router?

I'm not very tempted on buying new things, I'm only doing this so I can do University work at home when I work. The router I have can be accessed via https:// not sure if that's relevant

I'm just confused on why it doesn't work. I will try tomorrow disabling my avast to see if it works without it.
 
There's no need for NAT boost with only a 70mbps connection. If it needs NAT boost to achieve gigabit speeds, I think that makes it a cheaper router.

According to TP-Link: "NAT boost improves the peak connection speed of your home network’s internet service. However, you should consider turning it off if you require any conflicting features like Port Forwarding, QoS, Traffic Monitor, and Parental Control."

This is because CUT-THROUGH-FORWARDING (NAT BOOST) doesn't hold or look at any metadata for an internet packet. The processor doesn't make any decisions with the data. It just forwards it immediately to the destination without thinking about it. This lowers processor overhead and allows routers with slower processors to achieve higher NAT throughput speeds. Otherwise, cheaper routers wouldn't have the processing power to achieve gigabit internet speeds.

Can your router be accessed via HTTPS from outside the home network? Because that's a security problem. Typically there's a setting to turn this on/off and normally it should be off by default.