connecting to BEFSR41 via Remote Desktop Connection

Discussion in 'Networking Issues' started by JodyMac12, Dec 1, 2006.

  1. JodyMac12

    JodyMac12 LI Guru Member

    Hello all -

    After spending several hours over the past week with Linksys tech support, I think I have given up on them. I have a small network at my office: 5 PCs + 1 laptop all running Windows XP Pro. I have a BellSouth DSL connection that uses a Netopia modem/router, which then goes into my Linksys router, then to a Linksys 8-port hub, then to the computers.

    It used to be set up so that I could connect to my work computer from home via Remote Desktop Connection. Alas, something happened to the settings, and now we can't seem to get it set back the way it was. The setup was such that from home I would type in the static IP address that BellSouth assigned me in the 'Computer' field of Remote Desktop, and I would connect every time. I'm pretty sure that in this arrangement, the Netopia router was set up in 'bridge' mode, with the Linksys router controlling the WAN and the LAN. We had the computer that I connected to set up with an IP address that we assigned (something like, and the other computers set up to obtain their IP addresses automatically. It should be noted that when this worked properly, I was using a BEFSR11. During this tech support nightmare of the past week or so, I was told that that unit had a problem, so I purchased the BEFSR41.

    Presently, we have all the computers in the network obtaining their IPs automatically, the Netopia is in bridge mode, and the connection type on the BEFSR41 is PPPoE, using my BellSouth user name & ID. Although I know this is not the way it was set up before, I can't seem to get that point across to tech support. Right now, we are trying this approach: we have set up a port on the Linksys (8080), and supposedly, I should be able to connect to the office by typing in the IP address from BellSouth then :8080 (ie in Remote Desktop. When I do this, it says I have a protocol error (code 0x1104). What's interesting, though, is if I type the same thing in the address bar of Explorer at my home computer, it connects me to the setup page of the Linksys router at work. So it seems like I'm close, but not quite there yet.

    The last time I talked to Linksys, they told me that if I set my computer at home up as having a static IP, then this latest method would work. I don't want to change anything at home (I'd have to reconfigure my wireless router there) unless I really think it will help - can anyone assist me? Many thanks in advance!
  2. JodyMac12

    JodyMac12 LI Guru Member

    In staring at the different options on the router set-up page, I somehow remembered how we had it set up before, which is like this: I assigned an ip address to the computer that I want to access from outside the office. Then I enabled DMZ, and set the DMZ host ip address to match the ip address I assigned to the computer I want to access. Now I can access my work computer from home via RDC, which is how I had it set up before.

    Now, in looking at the ‘port range forwarding’ area of the router set-up page, it looks like I could configure that to work, also. Can anyone advise if the ‘port range forwarding’ method is preferable to the ‘DMZ’ method I am now using (and why)? If it is, I’ll give that a try. Thanks!
  3. ArgoNavis

    ArgoNavis LI Guru Member

    Hello, JodyMac12,

    This all sounds logical, and correct. The Netopia would have to be acting as a bridge, if the BEFSR41 is being assigned the external public IP address.

    The internal computer that you would like to gain access to with Remote Desktop should really not obtain its IP automatically. More formally, this is known as obtaining an IP address through DHCP. If you do this, the IP address could change, which will make it impossible to achieve consistent access to this PC. The best configuration would be to assign this computer a private static IP address -- in the computer's own TCP/IP configuration -- and make sure that this IP address is outside of the router's DHCP IP address range.

    For example, suppose your BEFSR41 is configured to use DHCP starting at with 100 users, then the address you mentioned previously -- -- would work just fine for your internal work PC.

    The symptoms you described above would make perfect sense if your home computer's Remote Desktop client attempted to start a "conversation" with the BEFSR41 router's web configuration interface instead of the internal computer to which you really intended to connect.

    My hunch is that there was a misunderstanding. I suspect that the Linksys folks had you configure the BEFSR41's own remote configuration access to port 8080. This is not really what you want to do, since it opens up your router to anyone in the world who can guess your router's access password. This is an unnecessary security vulnerability. I would disable the "remote access" feature on the router's administration management page (I've forgotten the exact name of the page).

    Instead of opening up the router's web configuration interface to the world, what you really want to do is to open a path from the external internet through your router to your internal work PC, so that the Windows Remote Desktop interface will respond when you attempt to access it. Think of it this way, when you "place a call" from your home computer, to whom would you like to "speak"? Your work router, or the internal work computer?

    This doesn't make a great deal of sense to me. Your home computer is initiating the connection, so there is no reason for it to have a static IP. Going back to my telephone analogy above, your home computer is "placing the call", and hence it needs to know how to find the server -- the computer at work which is running your Remote Desktop service. Your work computer will never need to "call" your home computer, however, so you don't need to make any special provisions on your home computer/network.

    Excellent! Good for you!

    Frankly, however, I would not recommend using a DMZ.

    You're asking a good question. When you select the "DMZ" option, you are telling the router to redirect all incoming connections from the internet to the computer which is specified as the DMZ host. In your case, every incoming connection, on (almost) every port will be sent along to your internal work computer. This includes the necessary ports for the Remote Desktop connection, but is not limited to those ports. This is tantamount to placing your work computer (the DMZ host) into direct contact with the public internet, and forces MS Windows to defend itself against all potential attacks. Specifically, your DMZ host won't really have any of the protections afforded by an external firewall, or by NAT (Network Address Translation).

    From a computer security perspective, it is generally considered to be unwise to place a host -- especially a workstation -- directly onto the internet without an intervening firewall.

    Making the choice between putting your work PC into the DMZ, or using a port forward is simple -- use the port forward. Please note that there are serious security implications to what you're attempting to do, which I'll address below. However, here's how you would use the "port forwarding" capability of the BEFSR41. Incidentally, you should probably do this from your office, since you will probably lose your connection if you attempt to do this remotely.
    1. Turn off the DMZ feature on your router. Make sure to save this setting.
    2. Assign a static IP to your work computer. Make sure this static IP is not in the router's DHCP range (see above)
    3. Go to the router's Port Forwarding page. Assign a port forward as follows.
      • You can use any name/description that makes sense to you, eg, "Remote Desktop",
      • Use the static IP you are using for your internal work PC (eg,,
      • Enable Both TCP and UDP protocols,
      • Assign forwarding from port 3389 to port 3389,
      • Don't forget to enable the rule by checking the box at the end of the line.
    4. Save the router settings by hitting the button at the bottom of the page.
    Once you've completed this, the router should forward only the Remote Desktop connection port 3389 to your internal PC. All other ports would be blocked by the router, and your computer will be "behind" your NAT firewall. This configuration would already be a substantial improvement.

    I mentioned that there are security implications above, so let me make a few comments in that regard:
    1. The default MS Remote Desktop port (3389) is well known, and will encourage attacks. I would recommend changing the default port to some unassigned port number larger than or equal to 1024, and less than or equal to 65535. A random number will probably work, and I would keep this number to yourself.
    2. There are several encryption levels which one can enable for Remote Desktop Protocol -- I would enable the highest 128-bit encryption. I don't think that's the default, however I'm not sure.
    3. There have been attacks against Microsoft's Remote Desktop, and the facility does have some weaknesses.
    4. Make absolutely sure to choose a strong password for your Remote Desktop access. You can google on "strong password" for what will probably be a veritable plethora of hits. Suffice it to say, make it a long password with numbers, letters, capitals and symbols -- and avoid dictionary words.
    5. If your internal computer becomes compromised by an attacker, you risk compromising your entire network. Just as you are providing yourself a "backdoor", you are providing everyone else a backdoor -- albeit a locked door -- but this requires you to have complete faith in the "lock".
    One thing you might consider investigating, is a "VPN" -- a Virtual Private Network. This is a tool which creates a private, encrypted tunnel between two computers -- in this case, your home and work computers. You could then use Remote Desktop "within" that tunnel. In my opinion, this would increase your security substantially. Note that this is not necessarily a trivial thing to install, and is certainly a subject which is beyond the scope of this thread, but it's nonetheless something you might want to keep in the back of your mind.

    Finally, as an aside, if your BEFSR41 firmware supports it, you might consider using the configuration backup feature on your Linksys to help you reconfigure the box, if something like this happens again. This will allow you to instantly reconfigure the router from a file stored on your computer.

    HTH -- good luck!


    --------------- <*> ---------------

    Some links that might be helpful to you:

    Remote Desktop Configuration:

    Changing the default port:

    Remote Desktop security:
  4. JodyMac12

    JodyMac12 LI Guru Member

    Thank you very much, Argo -
    I still need to assign a new port number, but I wanted to let you know how much I appreciate your input - very cool!
  5. JodyMac12

    JodyMac12 LI Guru Member

    Hello Argo -
    Well, it's only been six months, and I have finally tried to set up a new port number for Remote Desktop. I put in the new number in place of '3389' in the 'port forwarding' area of the router, and changed the registry setting of the computer I am connecting to to this same new port number. Then, when I connect from the remote computer, the address I input is set up like 192.168.1.x:newportnumber. I am not able to connect, though - am I missing a step? I tried 2 different 'new' port numbers, both within the range you specified... any ideas?
  6. ArgoNavis

    ArgoNavis LI Guru Member

    Hello Jody!

    It certainly has been awhile. I'd forgotten about this thread. :)

    I'm going to assume that when you speak of "the remote computer", you are speaking of a computer which is on the public internet -- on the "internet side" of your router -- and not on the same internal subnet as the computer you want to control.

    Executive summary: If the above assumption is correct, then you need to be using the public IP which is assigned to your gateway router, rather than the 192.168.1.x private IP.

    Here's the long story. Your gateway router -- the Linksys BEFSR41 -- is being provided a publicly routable IP address by your ISP. This is how your router, and your entire subnet/LAN is addressed from the outside. Your router uses NAT (Network Address Translation) to associate packets coming from the internet -- with a public IP -- into packets intended for the internal subnet/LAN, which use private non-routable IP addresses. What this means is that your computers are accessed differently, depending upon whether the requests are coming from "outside" the router, or "inside" the router.

    Now, suppose you have an internal computer which is assigned the private IP address, and Remote Desktop (RD) on that computer has been configured for port 12345. The first step you should take is to verify that the computer has been properly configured. Do this by using a different internal computer to test the connection, and using the IP/port If that works, your configuration works.

    Next, open up the web configuration interface for your gateway router. Go to the Port Forwarding section, and configure a port forward from port 12345 to port 12345 to the internal private IP address By doing this, you are establishing a mapping so that the router knows what to do with an external request on port 12345. The router now knows that it should forward such packets -- coming from the outside -- to the internal computer known as

    The final step is to find out your external/public IP for the router. You can do this by looking at some of the configuration pages on the router itself. Or, alternatively, you can go to any internal computer and direct your web browser to the following website: (there are quite a few similar websites which do the same thing). This is the IP address you must use if you want to access your subnet from the public internet. Let's say, for example, that the website tells you that your public IP is This gives you the final piece of the puzzle. From the outside/public internet, you should now be able to access the internal computer which has been configured for RD by using the following IP:port combination:

    The is the public IP of your router, and will direct the RD packets to your router. Since the packets are specified to use port 12345, your router knows to map these packets from to -- and your internal computer will then hopefully respond with an RD connection.

    There are three additional considerations you need to be aware of:
    1. The internal computer -- IP in my example -- really should be configured to use a static IP. If it is not, then it is possible that it will be assigned a different internal IP address at some point. If that happens, your router will still direct the incoming packets to, even though the computer is now at a different IP address. This will break your ability to connect.
    2. The gateway router (BEFSR41) should either have a static IP from your ISP, or you should make use of a Dynamic DNS (DDNS) service such as or. The reason for this is that if your ISP assigns a different public IP to your router, you will no longer know the proper address for it, and hence you won't know what IP to give to your RDC client. This will also break your ability to connect. If your ISP has assigned a static IP for your router, then this won't happen. If you have a dynamic IP from your ISP, then a DDNS service can provide a mapping from an unchanging hostname (ie, to the dynamic IP which is currently assigned to your router.
    3. Finally, at the risk of repeating myself, you do need to be mindful of the security implications of what you're doing. You should really consider establishing the RD connection through a secure VPN tunnel. I simply wouldn't trust a bare RDC connection through the public internet. However, to quote the old saw, VPNs are beyond the scope of this post. ;-)
    I hope this helps get you a step further.

  7. frenchy2k1

    frenchy2k1 LI Guru Member

    The 192.168.1.x address is a "private" address. It only has meaning inside your LAN. To connect remotely, you need to type the BellSouth IP with the new port number. The routing you set on the router with that port number (the fact it will be redirected to the given computer) will take care of directing your call to the right address inside your LAN.
  8. JodyMac12

    JodyMac12 LI Guru Member

    Yes: "the remote computer", i am speaking of is on the public internet -- on the "internet side" of the router -- and not on the same internal subnet as the computer you want to control.

    I'm afraid I was misleading when I described the address I was typing into RDC from the remote computer as being '192.168.1.x:newportnumber' - all I was trying to portray was that I was adding the port number to the address after a colon ( : )... I am using the public address assigned by my ISP, BellSouth, which is something like, then adding the port so it looks like, where 12345 is the new port #.

    Anyway, I tried to test the connection from a different computer on the inside of the router as you suggested, and I got an unexpected result. I typed in the private IP address of the computer I want to connect to ( from your example), but by accident, I hit Enter before I added the port number on the end. It connected instantly. I then tried to connect using the address, and it would not connect. I double-checked to be sure that I had set the port number in the registry to '12345' and that I had set the port forwarding from 12345 to 12345, and that I had checked the box to enable it. So, I'm still confused...
  9. ArgoNavis

    ArgoNavis LI Guru Member

    Hi, Jody!
    Gak! I've been misled! ;-)

    Well, then, as far as what I wrote previously... as Roseanne Roseannadanna used to say: Well, that's very different. Never mind...

    That's actually a really helpful piece of information. Getting the RD connection to work from inside is a necessary first step. Can you scan over the following two Microsoft KB documents to see if there's anything here that might be helpful? (Just in the event you haven't already done so...)
    Let me call your attention to a few points. In the Registry Editor, make sure you click the "decimal" radio button in the Edit > Modify dialog. Also, the PortNumber value should be of type REG_DWORD.

    I know this is perhaps a silly question, however when you tried connecting to the RDC server by specifying its private IP, are you sure you were actually talking to the computer you thought you were talking to? Is it possible you were connecting to some other RDC server that was still using port 3389 by mistake?

    Also, after making the registry change, you might try rebooting the computer to make sure that the updated key value "takes". I could imagine a scenario where the RDC server only inspects that key value once, the first time it is started.

  10. JodyMac12

    JodyMac12 LI Guru Member

    Hey Argo -

    Yes, I have read (and printed) the articles you referred me to - I feel like I am following those instructions...

    I also feel like I am editing the registry as you indicate, and I am sure I am connecting to the PC I am trying to connect to...

    I also began to restart the computer every time after changing the registry...

    BUT, I am still not able to connect using any port number other than 3389. I have tried 3 different random port numbers (within the range you specified earlier), and I am not able to connect using any of them, whether I use the format or However, when I set the port number back to 3389, I can connect from 'inside' the router whether I type in or I must be changing the port number in the proper places, or it wouldn't work with 3389, right? Should I keep trying other port numbers? Should I give up and do the VPN thing you keep mentioning? Is that costly? Thanks again for your help!!
  11. ArgoNavis

    ArgoNavis LI Guru Member

    Hello Jody,

    No, it's unlikely to be related to your choice of port number (although, it is important to choose a port number which is not being used). My guess is that you have the Windows firewall turned on, and it is blocking the incoming requests on your new port number.

    While I'm sure it's probably reasonable to turn off the firewall entirely for a brief test, I'm always loath to suggest this, since it doesn't take long for an unprotected system to fall victim to the virus du jour. Let me suggest the following procedure. Do this on the computer you would like to control with Windows Remote Desktop:
    1. Open your Control Panel
    2. Open the Windows Firewall control applet
    3. Make sure that the firewall is turned on
    4. Make sure that the Don't Allow Exceptions checkbox is not checked
    5. Open the Exceptions tab at the top
    6. Uncheck the Remote Desktop entry in the list
    7. Click the Add Port... button
    8. Add a new port as follows:
      1. Give the service a name, eg, Remote Desktop (xxxx) where xxxx is the new port number
      2. Enter the new port number you've entered into the registry
      3. Make sure that the TCP radio button is selected
      4. Hit the OK button
    9. Make sure that the new port/service you just entered into the list is checked
    10. Hit the OK button
    This procedure will open a port through your firewall to allow incoming connections from outside this computer. Make sure that the port number you specify in this procedure is the same port number that you entered into the registry.

    I think that resolving your current issue should really be the first order of business. Once you can access your RD server on a non-standard port from within your subnet, I would get it to work from the outside through your BEFSR41 and an appropriately configured port forward.

    Once that works, however, I would definitely work on bringing up a secure tunnel through which to establish your RDC connection. While I have written of using a VPN, this is only one of the options you could choose. Ultimately it probably depends on what is easiest for you, while still providing you the connection security that you need. While I encourage you to pursue this, it can also be non-trivial to configure a secure connection using one of these technologies. There are plenty of no-cost and low-cost alternatives, so cost should not be an issue. Here are just a few possible choices:
    • An L2TP tunnel into a Microsoft Remote Access Server on the inside of your LAN. This is probably the easiest course of action if you already have an existing Windows server.
    • An IPSEC tunnel, however this type of tunnel can be difficult to configure,
    • An SSH tunnel, although you would need to have an SSH server on the inside, which may possibly mean that you would have to configure an SSH server on Windows (for some links, you can use this as a starting point,
    • An SSL-based VPN solution, such as,
    • A centrally-managed VPN solution like Hamachi
    If you already have a Windows server, then an L2TP tunnel would probably be my choice. If you have access to a Mac OSX or *nix box on your LAN, then it would be simple to bring up an SSH server. Both of these strategies would allow you to use the respective servers as endpoints for a secure tunnel to get onto your subnet. Once you're on the subnet, you can connect directly to the target machine using RDC.

    OpenVPN is a very nice SSL-based VPN, and you could configure it directly on the machine which you want to control. The How-To documentation on the website is quite good, but there will be some effort involved.

    Quite possibly, the easiest method to create an ad hoc VPN with relatively little effort is to use Hamachi. This service will not give you the same level of security as a VPN that is completely administered by you, however you may feel that this compromise is acceptable for your purposes.

    A discussion of VPNs is probably well beyond the purview of these forums, so if you do intend on pursuing this path, I would be happy to help you by PM.
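    An added example, not part of any post in this thread and not Linksys or Microsoft code, covering two things the thread walks through by hand: the "test from inside first, then from outside" check in post 6, and the host-firewall diagnosis in post 11. The script speaks the opening message of RDP (a TPKT-framed X.224 Connection Request, MS-RDPBCGR section 2.2.1.1) and classifies what answers. A real Remote Desktop listener sends back an X.224 Connection Confirm; a web server typically answers the binary request with an HTTP error line, which is what mstsc is running into when a port lands on the router's setup page instead of the PC (the protocol error in post 1). The host name, port and reply layouts are the example's own assumptions, not values from the thread.

```python
"""RDP reachability probe for the inside/outside and host-firewall checks.

Added example; not code from this thread, Linksys or Microsoft.
Sends a TPKT + X.224 Connection Request with an RDP_NEG_REQ and labels the
reply, then maps three vantage-point results onto the thread's conclusions.
"""
import socket

TPKT_VERSION = 3
X224_CONNECTION_REQUEST = 0xE0
X224_CONNECTION_CONFIRM = 0xD0
RDP_NEG_REQ = 0x01
RDP_NEG_RSP = 0x02
PROTOCOL_RDP = 0x00000000      # legacy RDP security
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP / NLA


def valid_custom_port(port: int) -> bool:
    """ArgoNavis' rule: a port in 1024..65535, and not the default 3389."""
    return 1024 <= port <= 65535 and port != 3389


def build_x224_connection_request(requested: int = PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """TPKT header + X.224 CR TPDU + RDP_NEG_REQ; 19 bytes in total."""
    # RDP_NEG_REQ: type, flags, length (always 8), requestedProtocols (little-endian)
    neg_req = bytes([RDP_NEG_REQ, 0x00]) + (8).to_bytes(2, "little") + requested.to_bytes(4, "little")
    # X.224 CR: code 0xE0, DST-REF, SRC-REF, class option, then the negotiation request
    body = bytes([X224_CONNECTION_REQUEST, 0, 0, 0, 0, 0]) + neg_req
    x224 = bytes([len(body)]) + body                  # length indicator excludes itself
    tpkt = bytes([TPKT_VERSION, 0]) + (4 + len(x224)).to_bytes(2, "big")
    return tpkt + x224


def classify_response(data: bytes) -> str:
    """Label the first bytes a peer sends back: 'rdp', 'http', 'closed' or 'unknown'."""
    if not data:
        return "closed"                               # accepted, then hung up without a word
    if data.startswith(b"HTTP/"):
        return "http"                                 # a web server, e.g. the router's setup page
    if len(data) >= 7 and data[0] == TPKT_VERSION and data[5] == X224_CONNECTION_CONFIRM:
        return "rdp"
    return "unknown"


def selected_protocol(data: bytes):
    """Security protocol the server chose, or None if the Connection Confirm
    carries no RDP_NEG_RSP (older servers omit it)."""
    if classify_response(data) != "rdp" or len(data) < 19 or data[11] != RDP_NEG_RSP:
        return None
    return int.from_bytes(data[15:19], "little")


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Live check from this machine: connect, send the CR, classify the reply.
    'refused' means nothing accepted the connection; 'timeout' means it was
    silently dropped, the usual signature of a firewall or a missing forward."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_x224_connection_request())
            return classify_response(sock.recv(64))
    except ConnectionRefusedError:
        return "refused"
    except OSError:                                   # socket.timeout is an OSError
        return "timeout"


def diagnose(on_host: str, from_lan: str, from_wan: str) -> str:
    """Turn three probe results into the thread's conclusions.
    on_host:  probe("127.0.0.1", new_port) run on the RD server itself; the host
              firewall normally does not filter loopback, so this isolates the
              registry PortNumber change from the firewall
    from_lan: probe("<lan ip>", new_port) from another computer behind the router
    from_wan: probe("<public ip>", new_port) from outside the router"""
    if on_host != "rdp":
        return "listener is not on the new port: re-check PortNumber (decimal, REG_DWORD) and reboot"
    if from_lan != "rdp":
        return "host firewall blocks the new port: add a TCP exception for it"
    if from_wan == "http":
        return "port reaches the router's web interface, not the PC: disable remote management, add a port forward"
    if from_wan != "rdp":
        return "router is not forwarding the port: check the rule, the static LAN IP and the public IP"
    return "reachable end to end"


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])        # placeholder usage: probe.py 192.168.1.50 12345
    print(host, port, probe(host, port))
```

    Run it three times with the same new port: on the RD server against 127.0.0.1, from a second LAN machine against the server's static LAN address, and from outside against the public address, then feed the three labels to diagnose(). Jody's result in post 10 (works on 3389 from the LAN, never on the new port) comes out as the host-firewall case, which is exactly what post 12 confirms.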

  12. JodyMac12

    JodyMac12 LI Guru Member

    Argo you rock!

    It was the Windows Firewall - once I fixed it like you instructed, no problem connecting, either inside the router (using the format or outside the router (using the format Thank you again! Frankly, I feel like this is such a big improvement security-wise from my previous methods of connecting (for a while I used DMZ, most recently the standard port 3389) that I'm not really in a big hurry to do the VPN type thing (although Hamachi sounds pretty easy...)

    I'll let you know if I take that plunge, but for now, thanks again for your help with this issue!
