Thanks for the response. Routes on the Firebox look to be correct as far as I can tell:
IPv4 Routes
Destination      Gateway       Genmask          Flags  Metric  Interface
0.0.0.0          172.16.0.1    0.0.0.0          UG     0       eth0
127.0.0.0        0.0.0.0       255.0.0.0        U      0       lo
168.63.129.16    172.16.0.1    255.255.255.255  UGH    0       eth0
172.16.0.0       0.0.0.0       255.255.255.0    U      0       eth0
172.16.8.0       0.0.0.0       255.255.255.0    U      0       eth1
172.18.2.0       0.0.0.0       255.255.255.240  U      0       eth2
Interface eth2 is the one not behaving correctly.
The routes from the VM attached to the same subnet as eth2 above are:
IPv4 Route Table
Active Routes:
Network Destination  Netmask          Gateway     Interface   Metric
0.0.0.0              0.0.0.0          172.18.2.1  172.18.2.4  10
127.0.0.0            255.0.0.0        On-link     127.0.0.1   331
127.0.0.1            255.255.255.255  On-link     127.0.0.1   331
127.255.255.255      255.255.255.255  On-link     127.0.0.1   331
168.63.129.16        255.255.255.255  172.18.2.1  172.18.2.4  11
169.254.169.254      255.255.255.255  172.18.2.1  172.18.2.4  11
172.18.2.0           255.255.255.240  On-link     172.18.2.4  266
172.18.2.4           255.255.255.255  On-link     172.18.2.4  266
172.18.2.15          255.255.255.255  On-link     172.18.2.4  266
224.0.0.0            240.0.0.0        On-link     127.0.0.1   331
224.0.0.0            240.0.0.0        On-link     172.18.2.4  266
255.255.255.255      255.255.255.255  On-link     127.0.0.1   331
255.255.255.255      255.255.255.255  On-link     172.18.2.4  266
Persistent Routes:
None
Can't upload/attach pcap files, so I have shared them via the following link: https://integralict-my.sharepoint.com/:f:/g/personal/matt_integralict_com_au/Ev2sMXknnoRFnjbm_GlIPfwBCGs5Fb9pCR4iv8AKJ361dw?e=OW6aah
'INTWGAZ rdptest.pcap' shows the connection attempt on the Firebox's eth2 interface.
'optionalvm rdptest.pcap' was captured from the VM with IP 172.18.2.4 and was filtered to port 3389. The only traffic seen is that to/from the bastion connection I was using to get to the server (anything in 172.16.254.0/24 is the bastion subnet).
Not sure any of this helps; let me know if there's additional info I can provide.