Using Firewall IP Filter and NAT
Posted by Gabriel Yu on 02 April 2008 02:07 AM

Requirement is:

I have two external parties needing to connect (using Remote Desktop RDP on port 3389) to two different internal servers.
Also, only user1 should be able to connect to server1; and only user2 should connect to server2.

There are two parts to this:

  • Firstly, the Vigor's Firewall will examine the incoming packets, and decide whether to block or allow them according to their Source and Destination IP Addresses and port numbers.
  • Those packets which are allowed will then be passed to the Vigor's NAT function which will redirect them to the appropriate internal server. 

Lets start with the NAT step...
Routers are unable to forward one port to two different computers, and so we must use 2 different public port numbers.  Fortunately the Vigor's NAT > Port Redirection allows us to translate port numbers transparently to the application.

Index 1 - Any packets received at the Vigor's public port 3389 will be forwarded to server1 at port 3389.
Index 2 - Any packets received at the Vigor's public port 3390 will be forwarded to server2 at port 3389.
Note that both servers will receive the incoming packets to their port 3389, so no server re-configuration is required.

At this point we can test.  If we open Remote Desktop connection on a PC connected to the internet and enter our Vigor's public IP Address, the RDC will use the default port (3389) and connect to server1.  If we enter our Vigor's public IP Address, a colon (:) and port number 3390, the PC  should connect to server2.

But anyone who knows our Vigor's public IP address, the port numbers (and any username/password on the servers) can connect. We want to allow only user1 to connect to server1.

On to the Firewall step...
Since the Firewall examines the incoming packets, the IP Addresses will still be the Public Source and Destination IP Addresses.  So if our Vigor has a static public IP of, and user1's router has a static public IP address of (note that this is not a private 192.168.*.* address), the  new firewall rule would be : 

  • Add new Filter Set .  Rule 1sets up the default action of blocking all access to Vigor's public IP address ( and port 3389
  • Now add rule 2 for the case where the packet is coming from user1 (source = and destination is Vigor's port 3389

Now you will have to add another Firewall rule at Filter set 6 rule 3 - similar to Filter set 6 rule 2 above, except with user2's public IP as the Source Address and with port number 3390 (instead of 3389).

Finally you will need to link the new rule set into the existing rules.  Go back to Filter Setup, where you should now see filter sets 1 (Default Sall Filter), 2 (Default Data Filter) , and 6 (the one we just created).   Select Set 2 (Default Data Filter" and in the bottom right corner is a field for "Next Filter Set".  Select the value "Set#6" and click [OK].

(357 vote(s))
Not helpful

Comments (0)