king daddy (United States of America) asked:
change WAN IP address on firewall to another IP in the block


I had an external company add a DNS record for RDS. The IP I gave them is the first in my block (.34 - .38). The default gateway is .33. Well, the .34, which I gave for remote desktop services, is configured for my WAN entry on the firewall. When we enter the or the public IP into Internet Explorer, we get the firewall. When entering either of those into an RDP client, we get the remote desktop server as expected.

Rather than change DNS, can I just change the WAN entry on the firewall to .38 without issue?


I went ahead and changed it to .38. Still connected.

I enter both and the .34 public IP into an RDP client and get to the remote server.

I enter either of those into IE and it fails to connect showing IE cannot display the webpage.

any help appreciated.
I changed back to .34 on the WAN and now is not working from an RDP client and goes to the firewall when using the public IP in IE.
Everything you have done so far is how it's supposed to work...not sure what you are trying to achieve?

When you enter an ip or dns name in IE it connects to port 80 on the far side
RDP runs on port 3389

Hence when you have .38 as your firewall ip and .34 is entered into an RDP client then yes it will go to the .34 server
Browsing with IE to the same ip will result in you connecting to the RDP server on port 80 - so if you aren't running IIS on the RDP server then you will get a blank page...

Or did I miss something?
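The port distinction above is the whole explanation for the browser-versus-RDP behaviour: a NAT rule on the firewall that forwards only tcp/3389 to the terminal server leaves tcp/80 and tcp/443 landing on the firewall itself (or nowhere), which is exactly why the firewall page appeared in IE while mstsc reached the server. The script below is an added example, not code from this thread, and assumes PowerShell 4 or later on Windows 8.1/2012 R2 or newer (where Test-NetConnection exists); the hostname is a placeholder for the thread's elided DNS name or public IP. It checks each port the thread cares about and shows which address the name resolved to, so a mismatch between "resolves" and "port reachable" is visible in one run.

```powershell
# Added example (not from the thread): show why a name can "work" in an RDP client but
# not in a browser. Assumes Test-NetConnection is available (Windows 8.1/2012 R2+).
param([string]$Target = 'rds.example.com')  # placeholder, substitute the real name or public IP

# Ports the thread talks about: IE uses 80/443, RD Web Access is served over HTTPS, mstsc uses 3389
$Ports = [ordered]@{
    'HTTP (IE default)'     = 80
    'HTTPS (RD Web Access)' = 443
    'RDP (mstsc)'           = 3389
}

foreach ($entry in $Ports.GetEnumerator()) {
    $r = Test-NetConnection -ComputerName $Target -Port $entry.Value -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'closed/filtered' }
    '{0,-22} tcp/{1,-5} {2,-16} resolved to {3}' -f $entry.Key, $entry.Value, $state, $r.RemoteAddress
}
```

If 3389 is open but 80 and 443 are not, the firewall forwards only RDP and the RD Web page cannot be reached through that address until a separate rule exists; if 80 answers but shows the firewall's own login page, the firewall's management interface is listening on the WAN address, which is worth turning off regardless of the RDS question.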
first, thanks for responding and sorry for any confusion.

I am trying to enter into an RDP client and get to my terminal server. It fails stating it can't find the computer.

when I enter the public IP address into an RDP client, I get to the terminal server. I am told that the public DNS record has been configured for some time and should work. At one point earlier, it did. I entered into my RDP client and successfully connected to the terminal server. I rebooted the server and after that I couldn't connect using the aforementioned URL. No idea what I did.

I was concerned when entering the public IP .34 into IE brought me to my firewall. I then noticed it was configured in the WAN setting. However, I thought entering .34 into IE would bring me to my RemoteApps page of the remote server. I set up the SonicWall NSA220 to redirect the public .34 IP to the remote server's LAN IP, which it does, in an RDP client. I thought it would do the same for the RemoteApps connection in IE. Guess not. As you explained, different ports for IE and RDP, so different settings I have not configured on the firewall for that I guess.

I then had the brilliant idea to change the WAN IP to public .38 so going to .34 would go to the remoteApp page of my remote server when entering .34 into IE. That obviously didn't work. So I changed it back to .34 and as before when I enter the public IP,
IE brings me to my firewall,
RDP client brings me to the remote server,
but does not bring me to the remote server when entered into RDP.

I simply wanted to enter into RDP and get to the remote server, while also entering it into IE and getting to the remoteApps page of the remote server, like when I go to FQDN/RDweb of my remote server. I don't even care at this point about IE. I just need users to be able to enter and get to the remote server.

thanks again.
Ok, let's see...

When you ping from external - does it return the correct public ip?
If you can currently from an external client RDP to the correct server that means ports are set up correctly on the firewall, so it should work as long as the DNS name is resolving correctly...
ping fails to

I am doing this from my desktop in the office. The remote server is at a datacenter but we have an e-line connecting the sites. I can get to the remote server by public IP, LAN IP, and domain FQDN. Cannot get to it using

I ran a DNS test on two different websites and only a couple of servers found the IP address.

I will try from home later when I spend the night working on this to see if I can get to it externally. This may be a setting in Remote Desktop Services on 2008 R2, as opposed to a firewall issue. Not sure though.

Thanks for your help
I posted this question and haven't received a response.

feel free to post something to give yourself extra points for helping me out with this mess.
to note, I followed this to set up the firewall
When you ping and it fails - you mean you get 'ping request could not find host...' or you get 'request timed out'?

If you get the first that means it's a DNS issue where you probably need to wait for DNS propagation to take place (since this is public DNS you are updating)

If you get the 2nd then I'd expect it to be working - since it's probably just blocking ping...again depends on the settings on the other end etc...
could not find host. A tech company that managed the network before I started here still deals with DNS. They confirmed a little while ago that they set it up about a month ago when I first asked them to. We already paid the invoice too. I've emailed to check things out. Waiting to hear back.

Still, I am pretty confused from being slammed today but I am 99% sure that one time, and only once, I connected through RDP using Maybe I am delirious though...

Ok, could not find host means the DNS server(your private dns server) can't resolve to the dns name...

This could be due to a number of things
On your client machine are you using internal DNS IPs in your primary/secondary DNS entries of the NIC? Possibly the DNS server (usually your DC) can't resolve ''

Run this command on client


Does it return IPs? If not then your DNS server can't resolve the entry, need to see how it's configured to see why...
Shane McKeown (Ireland) answered:
it did not return anything. said can't find.

so this got me thinking. I tried from the datacenter on my vCenter server, different DNS servers. Still replicated from the office through AD though.

either way, I was able to get a credentials prompt to the remote server by going to definitely looking like an internal DNS issue. I have two in the office, with both in the DHCP scope settings. I see them both on my NIC but nslookup only showed one when it ran.

not sure what's up with that. I have been able to get to every website I have tried to get to and no one in the office has reported any issues.
that website shows this

it does not show
Cool, yes looks that way, since from another machine you are working fine...

nslookup will always use the primary dns server ip - which narrows the search down - the issue must be on that server
To test using your other internal dns server from nslookup run

server <other dns server ip>

Does that resolve? If yes, then the issue is on your primary DNS server
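The `server <ip>` step in nslookup is what finally located the fault in this thread: one internal DNS server answered and the other did not. The script below automates that comparison and is an added example, not code from this thread or from Shane's posts. It assumes Windows 8/2012 or later (Resolve-DnsName and Get-DnsClientServerAddress), uses a placeholder record name for the thread's elided hostname, and asks every DNS server configured on the client's IPv4 adapters the same A-record question with `-DnsOnly`, so each answer comes from that server rather than the hosts file or the local cache. It then shows what the machine's own resolver (hosts file included) would hand to ping or mstsc, which is the path those tools actually use.

```powershell
# Added example (not from the thread): query every configured DNS server for one A record
# and flag disagreement. Assumes Resolve-DnsName / Get-DnsClientServerAddress exist.
param([string]$Name = 'rds.example.com')  # placeholder for the record under test

# Every IPv4 DNS server on every adapter, de-duplicated
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    ForEach-Object { $_.ServerAddresses } | Sort-Object -Unique

$results = foreach ($srv in $servers) {
    try {
        # -DnsOnly bypasses the hosts file and cache, so this is that server's answer alone
        $recs = Resolve-DnsName -Name $Name -Type A -Server $srv -DnsOnly -ErrorAction Stop
        $ips  = ($recs | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ','
        [pscustomobject]@{ Server = $srv; Answer = $ips; Status = 'OK' }
    } catch {
        [pscustomobject]@{ Server = $srv; Answer = ''; Status = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# What the machine itself resolves (hosts file and cache included): ping and mstsc use this path
try {
    $local = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
    "System resolver answer: $($local -join ',')"
} catch {
    "System resolver could not resolve $Name : $($_.Exception.Message)"
}

$good     = @($results | Where-Object { $_.Status -eq 'OK' })
$distinct = @($good | Select-Object -ExpandProperty Answer | Sort-Object -Unique)
if ($good.Count -lt $results.Count -or $distinct.Count -gt 1) {
    'Inconsistent: at least one configured server fails or answers differently for this record.'
}
```

A table where one DC answers and the other returns "DNS name does not exist" reproduces the thread's finding directly; a difference between the per-server answers and the system resolver line points at a hosts-file entry or a stale cache on the client (`Clear-DnsClientCache` clears the latter).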

As for the reverse lookup - that's fine, I forgot that unless you tell your ISP to create a proper reverse dns entry then it will always resolve to your ISP's this case that's not relevant...think we've got to the stage where we know this is an internal dns issue...
seems internal. the nslookup using the other DNS server resolved to the correct IP.

ARGH!! All this time fiddling with the remote server and it was my DNS on my machine!

Thanks for helping - I am going to have a tequila (or three) and call it day since I'll be back tomorrow.

Now to add some DNS issue to my list of things to do! Please look out for that question (I'll post the link here) as I'm sure I could benefit from your expertise.
Good news...always good when you get to a resolution(forgive the pun!!)

Cool, will keep an eye out for it...
spoke too soon. Can't resolve from home. Tried nslookup from the remote server itself and no dice. Still works by IP though. So far nslookup has only worked once on one DNS server in the office.

Right, you said from EXTERNAL dns testing websites on the internet you can't see this ''

But from 1 internal DC you can see it...

By any chance have you(or some one else) setup a static host record in DNS console pointing to this server?

From home, if DNS propagation is working on the internet in general, you should be able to ping this host...I've never heard of DNS being 'blocked' from different countries (you mentioned a DNS testing server in France/Turkey that can locate it) but none in the US?

Go to this site -

Enter in your domain name(not rds) and select 'Type' as ALL
What is returned? Is rds listed in any of the A records from that?
Correct. One dns server in office finds it. However, earlier today the other one found it, but couldn't yesterday. Additionally, I can no longer connect rdp from the datacenter, but could yesterday.

I'll check dns but I'm the only one and I'm 99% sure I didn't do anything in dns for this server.

Can't ping IP or from home. However, nslookup found it from home using local cable ISP.  Can't rdp though.

I used and it displayed only a handful of servers around the world That resolved it. If you refresh the page, it changes servers and still some resolve it and some don't. Only one or two per page in the US actually resolve it.

The website you sent did not list RDS. My mx did show, and the hosted website. I had to try a record for RDS and it did find the correct ip address.

I don't understand what's going on. One thing is that my RDS server name is remoteBR.domain.local but the external is Shouldn't matter though. My current 2003 term server is named ts and external is Just wanted to mention.

Thx again.
Tried your website again and now it is not finding when set to all or A record.
So now from home rdp connects. Pinging RDS resolves ip but ping fails. nslookup now fails. Weird I can't ping and nslookup fails but ping resolves ip and rdp connects.

If this was just an external issue I'd say you have a routing issue(or your isp has) - where one minute you can connect - and the next you can't

From home can you run

tracert <rds public ip address> - do this complete?
Run it a few times - notice if there are similar breaking points - might highlight a routing issue...

You mentioned from your LAN network you are connecting to a Datacenter? So this is at some point going over internet to this datacenter? Or are you on a VPN connection?
Totally weird, and frustrating.

Tracert timed out on the same hop (#11) on []

Ran 3 times from home.

From the datacenter it times out immediately. No hops are successful. This is where the server is located so it shouldn't need to go out so not sure if anything should've shown anyway.

From the office it made one hop then failed. The one hop was again tw and was my office's default gateway.

No VPN. It's a TW e-line (point-to-point Ethernet at 50 Mb) that connects the office with the datacenter about 120 miles north.

Crazy thing is I just connected over rdp again from home. Couldn't about 30 minutes ago. It fails more than succeeds. Tried a minute later from work and couldn't.
Ok, from those tests we can make some assumptions/conclusions...

'Tracert timed out on the same hop (#11)' - this shows consistency at least...almost like the issue is at that router where it can't find path to the other side to complete the link

'From datacenter times out immediately' - yes you shouldn't see any hops(since machine is already within the same network), but timed out? Again if ICMP is disabled within the network this would be hard to make a conclusion from that

'From the office it made one hop then failed. The one hop was again tw' - since this is a 'point-to-point' link that eliminates the internet from the loop, almost like its a routing issue(on the datacenter side since you've issues from home as well)

What else is in the datacenter? Can you test to another machine up there? That would at least tell us if the issue was on the server itself(rds) or if you are having issues connecting to other machines on the datacenter we can safely say its network related still...

When you say datacenter - you mean a rented service you are purchasing from someone like RackSpace?
To be clear, the e-line provides no Internet. Only access to the datacenter. Our Internet at the office is a 15Mb TW circuit. So when I go to, it's over the Internet circuit, not the p2p. However, I guess when I go to RDS (local) in RDP, it connects and goes over p2p. Also, if I enter the LAN IP it connects without issue. Lastly, regarding connecting, I always connect using the public IP (I had a couple of users test and same thing, connect with IP, not Actually, lastly, in the office if I type RDS/RDweb in IE I get the published apps and an RDP icon on the web page. I was hoping to go to and get the same thing over the Internet. That does not work either. IP does not work in IE for published web apps.

Datacenter is a physical location where I have my own equipment. EMC San, another San, two VMware hosts, sonic wall and switches, etc. I can connect without issue. I open a console from my vsphere client to the term server -RDS- and work on it that way. I've never lost connection between office and datacenter. I have a few consoles open to vm servers there on my desktop in the office.

Thx again for sticking with this thus far. So aggravating that it doesn't just work.
Knock on wood about not losing connection. Sorry, superstitious.
Still a bit confused by your layout...

You have an office - what is in the office(machines I mean)
Datacenter - you have rds in this location yes?

So from your office you access the datacenter over this 'eline' connection - which is a p2p
So 'So when I go to, it's over the Internet circuit' - this doesn't make sense in my head...or am I missing something/mistaken in understanding your site?

Break this down into simple blocks(heck if you can attach a diagram that would be a big help, sometimes I get lost in site layouts...)
I'll attach something later. Out right now but this is it.

Office - 2 VMware hosts, 2 San, Sonicwall, current remote server and email server in office. Doc mgt system servers in office. All servers vm's. 70 users with mix of laptops and desktops. One TW 15 Mb Internet circuit. One cable backup Internet circuit. One TW 50 Mb p2p between office and data center. P2P is direct between sites with no Internet.

Data center - 2 VMware hosts, 2 sans, Sonicwall, etc. on different subnet. AD integrated. 2 DCs, file server, DNS. One TW 15 Mb Internet circuit, one TW 50 Mb p2p to office. Backup Internet provided by datacenter as needed. Setting it up to run new remote server and new exchange server from data center. RDS is new remote server and is here, in data center.

Since the p2p offers no Internet access, the office accesses the Internet over the 15 Mb TW Internet line. So when I go to, it's out through the 15 Mb Internet circuit, not direct to the RDS server over the Eline since I am entering external web address ( When I simply enter RDS into an RDP client in the office, it does use the Eline to connect to RDS as RDS is in the LAN, rather than going out to the Internet.

So accessing is successful over RDP within the LAN by IP or host name and over the Internet consistently by IP and in infrequently by
To be clear, within the LAN I can enter RDS or its static LAN address into RDP and connect without issue because it's over the P2P.

Entering from anywhere at all into RDP works infrequently. Entering the public IP of the RDS server always works from anywhere.

Thx again.
Just want to say thanks again for your help with this.

Yes, the point is to use this as a means of external access, as well as internal access to published apps. Once authenticated, I see published apps internally through IE. I am unable to access these published apps through IE by going to, externally over the Internet.

Your logic is spot on.

My exchange server is not yet up there. I have no other externally accessible servers there. At least none with a DNS record.

I'm going to contact the company that manages this for us and see what they can find.
Was just able to access from home, can't from office. Crazy.
Yep, sounds like a hard one to put an answer to...

I'd def get the DNS experts in on this to see what they can see, since DNS lookups fail on PUBLIC test sites that isn't normal for sure...mind if I ask who the hosting company is?

But at end of the day since its DNS related(i.e. ip always works) I think we've managed to narrow it down and now just need input from the hosts themselves to see what is up with their end...

Last way to confirm this(although I think this step is redundant really)
Create a record in your hosts file on pc (C:\Windows\System32\Drivers\etc folder)
<public ip address>

Test now using that dns name - it will connect every time I would guess...and confirm that the issue is with the dns hosting side
So I was going to try this from my work machine since it's working from home. As you may have guessed, it worked without needing to edit the hosts file. I mean, unbelievable. Worst thing is that I know it's not magically resolved (forgive my pun as well) so I'll wait until it doesn't work then edit the hosts file.

Check the tracert command again just to see that it completes all the way(now that its working)


Just to see it complete...
Now it does not work from home or work. When it does again I'll run the tracert and post the results.
Even with the host addition?
No. I wanted to wait on that to capture a tracert when it works without editing hosts. I'll add it though and see what it reports back.
with hosts file edited from home it gives error that it can't connect to remote computer stating remote access is not enabled, computer is turned off, or computer not available on network when using IP still works though.

tracert still fails at the aforementioned TW hop (.30)
Ok this makes absolutely no sense...

You've added the entry to hosts - when you now ping it resolves to the correct ip - yes?

Yet RDP will not connect using '' but it DOES connect with the public ip?

I've seen a lot in the IT world over a lot of years...this doesn't compute...

Does tracert complete if you run
tracert <public ip>
Tell me about it.

Ping times out but does display correct IP.

RDP does not connect with error message in previous post using .com. It does connect with public IP.

Tracert times out at level3 Atlanta using public IP

There is still the issue of public DNS resolving websites unable to find the entries for this. Also, occasionally it works.

Ok, so the trace times out at 2 different points depending on if it's a DNS trace or a direct IP trace...again might be something to that but not sure...

Yes the public testing sites having issues usually means this is a problem with the hosting dns records, see what they have to say first and then we might get something

The timeouts on the trace I normally say is a routing issue(on the router where things time out) but if there IS an issue with DNS hosting then that could explain that as well...

I'm off for the night now, pick this up tomorrow, hopefully you'll get an answer from someone!
Have a good one. Really appreciate the help in troubleshooting this.
outside company stated there was an issue with the record propagating / caching in the secondary DNS server there. It was updated and since then we haven't had an issue connecting using Will continue to monitor over the next day or so before telling users about the new server being in production.

thanks again for sticking with this.
Sweet...glad you got it sorted...least we were on the right path ;)
totally. just kinda sucks that it was on their end and we spent a lot of time on it for nothing (well, I learned some stuff, so I guess it wasn't exactly for nothing).

Anyway, I will look over your posts and award points in a manner that may help someone else get to the troubleshooting steps you mentioned.

thanks again