DrayTek UK Users' Community Forum

2830 firewall filter not blocking?

21 Sep 2012 16:34 #73598 by joedredd
2830 firewall filter not blocking? was created by joedredd
Hi,

My desired setup:
RDP from WAN from only certain IP addresses port forwarded to internal Windows server.

Internal server ip : 192.168.16.2

I have done the following:
- Created Open Port item for the server, allowed TCP 3389 start and end port from WAN IP to Local Computer IP

At this stage I can RDP from any IP on the net ok, so now to only allow certain IPs
- Created IP Objects for each allowed IP location
- Created IP Group and added those IP Objects
- Created Service Type Object called RDP (TCP Source 3389, Destination 3389)
- Edit Default Data Filter
- Add new entry, called RDP Deny All
Source IP : Any
Destination IP: 192.168.16.2
Service Type: RDP Service Type Object (I also tried manually specifying the port here rather than the object)
Filter: Block Immediately.

The above does not block RDP traffic.
If I set the Service Type to Any then it will block traffic.

Adding another Data Filter entry called Allow RDP Group (Above the previously described RDP block)
Source IP : RDP IP Group
Destination IP: 192.168.16.2
Service Type: RDP Service Type Object (I also tried manually specifying the port here rather than the object)
Filter: Pass Immediately

This will not allow my RDP traffic through.

At the moment I'm just trying to focus on getting the Firewall to block RDP (disabling the allow for now) and failing miserably.
It's almost like the router is not identifying the RDP service/ports - what could I be doing wrong?

Thanks for any help.

21 Sep 2012 16:53 #73599 by joedredd
Replied by joedredd on topic Re: 2830 firewall filter not blocking?
I've figured it out for myself.

I have to set up the Service Type Object as:
Source Port = 1 ~ 65535
Destination Port = 3389 ~ 3389

What I had (which seemed quite reasonable to me) was:
Source Port = 3389 ~ 3389
Destination Port = 3389 ~ 3389

Any ideas why I needed to make that change?

27 Sep 2012 14:50 #73653 by nealuk
Replied by nealuk on topic Re: 2830 firewall filter not blocking?
Yes, it's to do with pseudo ports - stuff can travel on any port on the internet. So it could be RTP travelling on port 12345 but destined for 3389.
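
Why the change in the second post works, as an added example that is not part of the original thread: a TCP client connects from an ephemeral source port, so a service object that requires source port 3389 never matches inbound RDP. The first-match rule model, the default-pass fallback and the 203.0.113.10 / 198.51.100.7 addresses are constructed assumptions for illustration, not DrayTek's implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Service:            # models a Service Type Object (TCP only)
    src_ports: range
    dst_ports: range

@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple        # CIDR strings; "0.0.0.0/0" stands for "Any"
    dest: str
    service: Service
    action: str           # "pass" or "block", applied immediately on match

    def matches(self, src_ip, src_port, dst_ip, dst_port):
        return (any(ip_address(src_ip) in ip_network(n) for n in self.sources)
                and dst_ip == self.dest
                and src_port in self.service.src_ports
                and dst_port in self.service.dst_ports)

def evaluate(rules, packet, default="pass"):
    """First matching rule decides; unmatched traffic gets the default (assumed)."""
    for rule in rules:
        if rule.matches(*packet):
            return rule.action, rule.name
    return default, "default"

SERVER = "192.168.16.2"
RDP_WRONG = Service(range(3389, 3390), range(3389, 3390))  # source 3389 ~ 3389
RDP_FIXED = Service(range(1, 65536), range(3389, 3390))    # source 1 ~ 65535
ALLOWED = ("203.0.113.10/32",)   # constructed stand-in for the RDP IP Group

def ruleset(service):
    return [Rule("Allow RDP Group", ALLOWED, SERVER, service, "pass"),
            Rule("RDP Deny All", ("0.0.0.0/0",), SERVER, service, "block")]

# Constructed packets: clients connect from an ephemeral source port, not 3389.
from_allowed = ("203.0.113.10", 51234, SERVER, 3389)
from_other = ("198.51.100.7", 49877, SERVER, 3389)

if __name__ == "__main__":
    for label, svc in (("source 3389~3389", RDP_WRONG), ("source 1~65535", RDP_FIXED)):
        for pkt in (from_allowed, from_other):
            print(label, pkt[0], pkt[1], "->", evaluate(ruleset(svc), pkt))
```

With the source range fixed at 3389 neither rule ever matches, so the port forward stays reachable from any address; with 1 ~ 65535 the allow rule passes the listed address and the deny rule blocks everyone else.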
