Remote Desktop Connection

For my work I connect to various remote virtual machines. Some of these machines are on networks which requires my IP be whitelisted. The target environment is in azure and I do have admin access.

The issue I’m having is that I’m not able to connect using rdp even after I whitelist my IP. However, if I temporarily turn off the whitelisting requirement and accept any IP, then I’m able to connect. To get my public IP I google “what is my public IP” which should tell me how the outside world sees my machine.

For outbound rules I have my max transit duo router setup as below…

I have also changed from “custom” to “high compatibility”, but that did not seem to fix the issue.

Any ideas?

What protocol / methods are you using to connect to these remote machines, just RDP or do you have to connect to a VPN first?

Do you have multiple WANs connected to your Peplink that your traffic may get sent down, if so do you whitelist each of their public IPs (assuming they are static).

If you have links that are potentially being used and do not have static addresses to whitelist you have a couple of options:

  1. Make an outbound policy rule to match the traffic and nail it to a specific WAN that you can reliably whitelist the IP for.

  2. Setup a FusionHub somehwere that gives you a stable public IP on the intenet to appear from and tunnel the traffic there.

Edit - You also say turning off the whitelisting at the far end solves the issue, do you have any logs that show what your public IP is appearing from when you are connected - does that IP match what you think it should be?

If you can whitelist a DNS name, another approach would be to setup Dynamic DNS (DDNS) as long as you are directly connecting, not going through a VPN tunnel.

I need to do some research to answer these questions. Thank you for the reply. I’ll get back to you ASAP.

Got it. I’m stuck with ip based whitelisting at the moment but good idea. I’ll see if I can add such a rule and if so I’ll look into a dynamic dns.

What protocol / methods are you using to connect to these remote machines, just RDP or do you have to connect to a VPN first?

It varies, but for now I’m just focused on the direct RDP connections.

Do you have multiple WANs connected to your Peplink that your traffic may get sent down, if so do you whitelist each of their public IPs (assuming they are static).

Yes, I have multiple WAN connections; 2 cellular modems.
No, I did not whitelist both IPs. They are not static, but I should be able to whitelist for each session based on my current IP. Question is, how do I know the public IP of the connection that I’m not using?

I am still looking for logs that might show me the public IP of the connection that is failing.

This is getting even stranger. Clearly I don’t understand some important part of what is going on.

When I have only 1 possible connection (cellular 1; ATT) I’m still not able to RDP. My public IP has not changed since this morning and this IP is whitelisted. In azure I’m able to run a test to determine if the IP is allowed to connect and the test does succeed. Yet, I’m unable to connect via RDP.

I also created an outbound rule that sets the connection to use cellular 1 for TCP 3389. Still no luck.

What am I missing?

The plot thickens.

To recap:
Cellular 1

  • Public IP has stayed the same all day
  • I whitelisted the IP
  • Turned all other connections off
  • Still cannot connect via RDP
  • This is using ATT service

Cellular 2

  • I whitelisted the IP
  • Turned all other connections off
  • I can connect via RDP
  • This is using Verizon

Could this be related to the carrier? Or, could this be a problem with my cellular 1 modem?

Could you share a screen grab of that rule and where it sits in your order of outbound policies (remember they are processed top down and first match wins) for us to sanity check it for you, pretty sure RDP uses TCP and UDP on 3389 so make a rule for both.

So this is where things can become a little more complicated, a lot of cellular carriers are using CGNAT or other forms of large scale NAT/PAT at their network edge. It is entirely possible that the IP you see for a whatismyip website may not be the same one used to translate an RDP session behind - hence my suggetion to check the logs at Azure if the IP matches your expectations.

Potentialy yes, could be AT&T are just blocking outbound RDP requests (raw RDP across the publuc internet is frankly considered a bad idea, the protocol is often abused for many illiegitimate purposes).

One way you could owrk around this would be to consider setting up a FusionHub Solo in a public cloud provider and tunnel your traffic via the hub this will give you a single stable public IP on the internet to appear from, as well as giving you the potential for some more seamless failover between your two cellular WANs without your public IP changing.

There are a number of guides on the forum on how to set this up in Digital Ocean, Vultr etc. for a very low monty cost.

Thank you for all of this.

I’m in the process of setting up fusion hub solo. That seems like the solution I’m going to need in order to have a reliable static IP. I was hoping to use speed fusion cloud, but since it does not offer a static IP, I’m going to give this a try.

I’ll post back here once I finish the setup. There is an article that describes how to do the deployment to azure, so I’m just following those steps.

I’ll need to recreate the outbound rules after I get this setup. I’ll screenshot and post them here as well.
I already deleted the prior outbound rule because I eliminated the possibility of using more than one connection by disabling all connections except for one. When the RDP session still didn’t work, I know there was something else going on.

Ok, I got fusion hub setup and I’m connected using static IP. Now RDP works fine.

Here’s my outbound polies…

I’m not doing anything special right now because I have all traffic going though the VPN.

My next step is to learn how bonding works. I want to ensure that I’m using all available connections to primarily increase reliability, but also I’d like to enable bandwidth bonding as well. So, I have some reading to do.

Thank you so much for the help. Also, thank you @MartinLangmaid for the awesome setup video for fusion hub.

  • Paul

With ‘send all traffic to’ configured you are ready to use bonding. To use bonding make multiple WANs available (set them so they show as priority one on the dashboard) then edit the SpeedFusion VPN profile on the device and make sure they are all set to Priority 1 there also.

1 Like

I have step 1 done. Multiple wans are connected and they are place in priority 2. P1 is wan which is not connected.

Here’s what the profile setting looks like.

So, I guess I’m already using multiple connection to improve reliability and for bandwidth bonding, right? I’ll try the other options for fec and smoothing as well.

It took me a while to find the profile. Finally, I found the note in the device saying that I setup Incontrol to manage the profile. That got me headed in the right direction.

Thank you again

You can check by logging into the web admin and going to Status > Speedfusion where you can see which WANs are being actively used. eg here is one of mine with two WANs in use:

1 Like

Very nice. Got it.

I need to get familiar with the profile settings. Currently I have 1 fast (50+ Mpbs) and 1 slow (1-5 Mbps) connection going through the vpn. When I use Fusion, I’m seeing speeds close to 5Mbps. Most likely due to how I have the profile setup.

Set fast wan as priority 1 within the speedfusion profile and the slower one as priority 2. This will give you hot failover. Very little point in bonding all traffic across two active WANs like this.

1 Like

That makes perfect sense.

1 Like