Why do I see two entries for a single instance of port forwarding?

Firmware 8.1 on a Balance 20x.
The router has port forwarding enabled for RDP (TCP port 3389). There is also an inbound firewall rule that allows the forward and logs it.
The first time it logged an instance of RDP passing through the router, there were two log entries as shown here.
Anyone know why? Is this an RDP thing? I have been logging port forwarding for VNC for quite a while and that only creates one log entry per instance.

Are you using IP forwarding on WAN1? If so, I don’t think you need the port forwarder. Port forwarding is used when NAT is taking place. I am wondering if the first entry is the original packet just being routed through the firewall, and the second is the port forwarded packet.

The source port for the second entry is incremented by one which indicates a second connection attempt.

If this traffic is traversing VLANs, one entry could be for WAN to untagged LAN, and the second is LAN to VLAN.

Just throwing some ideas out… they are definitely worth what you paid for them. :)

Not sure what you mean by IP forwarding on WAN1. No VLANs, but that’s a great guess.

Maybe it's the RDP server asking for a password and the RDP client auto-answering with the password? The password is saved in the RDP client.

Eventually, I will get to try this with VNC to compare to older firmware versions.

@Michael234, sounds like 2 sessions were created by the RDP. I notice they are using different source ports.

I asked about IP Passthrough because your source IP is 192.168.1.50 and your destination is 192.168.8.9. Those are both private IP spaces - it caught me off guard, most of the time the WAN is on some kind of public IP from the ISP. Do you have more than one router in this network chain?

This was my first time logging RDP. I make a habit of logging forwarded ports but up till now had only been using VNC. So, it may be perfectly normal.

Yes, two routers - an “inner” and an “outer”. The 192.168.1.x subnet is the outer router connected to ISP and the 192.168.8.x is the inner one connected to outer one.

And are you using NAT on the “inner” router? If not, you don’t need the forwarder. With IP forwarding, all traffic destined for an IP is routed to that IP (if the firewall allows it). I would imagine that a forwarder combined with IP forwarding would result in a duplicate packet going out.

Here is the option I am talking about…