Remote Desktop, port forwarding, & Comcast, Oh my
-
I'm the accidental IT for my church. We've just replaced our firewall with pfSense. Now I need to figure out how to get remote desktop connection to work. Our ISP is Comcast Business. I'm not sure what I need to do to get Remote Desktop working again.
Previously, staff would open RDC at their home and give it our public IP address and a port number. The Comcast modem would pass that through to the old firewall, which would port forward to a specific computer's 3389 port. (Yes, I know we should be using VPN. That's another story.)
I've set up the forwarding in pfSense. That works. What doesn't work is adding the modem to the mix. The configuration of the modem changed after the firewall device broke (to firewall until the pfSense firewall was added), and I don't know what they changed.
If I change the modem to bridge mode and set the pfSense WAN IP to our public IP, is that enough to get this working?
-
Yes, it can be done.
Make a NAT rule that 'nats' port 3389 UDP to an internal LAN device and you're nearly done.
As far as I recall, Windows devices do not accept, by default, connections from devices that are not in the same LAN. You have to override that on your Windows device, in the RDP connection settings. But: I, and Microsoft, warn you: do not do this, as you create a huge security issue.
You are supposed to set up an (Open) VPN server on pfSense.
And use the pfSense OpenVPN Client Export utility (a package to be installed on pfSense), have the OpenVPN client installed on the PC of the remote user, and use it to make a secure connection from that remote PC to pfSense first.
And the remote clients have to start a VPN connection to pfSense first.
Now they can run "mstsc" and give the LAN IP, or the computer's DNS name, and connect securely. Remember being told that half the planet was working 'from home' for the last one and a half years or so?
These people were using some sort of VPN to their work, and then used the company's resources 'as if they were on site'. An 8-minute demo: Configuring OpenVPN Remote Access in pfSense Software
I advise you to look at the other Netgate OpenVPN videos. They are a bit outdated, but still explain all the things you might need to know.
OpenVPN is just the most used solution. IPSEC or the new WireGuard are alternatives.
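To turn the warning above into something an accidental admin can check on their own firewall, here is an added example (not from this thread, and not pfSense's own code) that scans a pfSense config.xml backup for WAN port forwards whose internal port is RDP's 3389, so an exposed forward is noticed even when it hides behind a different external port. The `<nat><rule>` element names are an assumption based on the usual backup layout, and the configuration below is a constructed sample.

```python
"""Audit a pfSense config.xml backup for WAN port forwards that land on RDP."""
import xml.etree.ElementTree as ET

RDP_PORT = 3389

# Constructed sample in the shape of a pfSense config backup. The <nat><rule>
# element names are an assumption based on the usual layout, not a real export.
SAMPLE_CONFIG = """<pfsense><nat>
  <rule><interface>wan</interface><protocol>tcp</protocol>
    <destination><network>wanip</network><port>3389</port></destination>
    <target>192.168.1.50</target><local-port>3389</local-port><descr>Office PC RDP</descr></rule>
  <rule><interface>wan</interface><protocol>tcp</protocol>
    <destination><network>wanip</network><port>33890</port></destination>
    <target>192.168.1.51</target><local-port>3389</local-port><descr>Staff PC, odd port</descr></rule>
  <rule><interface>wan</interface><protocol>udp</protocol>
    <destination><network>wanip</network><port>1194</port></destination>
    <target>127.0.0.1</target><local-port>1194</local-port><descr>OpenVPN</descr></rule>
</nat></pfsense>"""


def port_range(text):
    """pfSense stores a single port as '3389' and a range as '3389-3390'."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def find_exposed_rdp(config_xml, rdp_port=RDP_PORT):
    """Return (descr, protocol, external_port, target) for every forward on the
    WAN interface whose internal port range covers rdp_port. The external port
    is ignored on purpose: moving RDP to 33890 does not make it a VPN."""
    hits = []
    for rule in ET.fromstring(config_xml).iterfind("./nat/rule"):
        if rule.findtext("interface") != "wan":
            continue
        # local-port is the internal port; if absent the external port is reused
        internal = rule.findtext("local-port") or rule.findtext("destination/port") or ""
        if not internal:
            continue
        lo, hi = port_range(internal)
        if lo <= rdp_port <= hi:
            hits.append((rule.findtext("descr") or "", rule.findtext("protocol") or "",
                         rule.findtext("destination/port") or "", rule.findtext("target") or ""))
    return hits


if __name__ == "__main__":
    for hit in find_exposed_rdp(SAMPLE_CONFIG):
        print("RDP reachable from the WAN:", hit)
```

Run it against a downloaded backup (Diagnostics > Backup & Restore) instead of the sample to see which forwards should be replaced by the VPN setup described in this post.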
-
@accidentalit said in Remote Desktop, port forwarding, & Comcast, Oh my:
If I change the modem to bridge mode and set the pfSense WAN IP to our public IP, is that enough to get this working?
Right. The pfSense needs to "see" the incoming request. So either it needs to hold the public IP, or the Comcast router needs to forward the packet (e.g. set the pfSense WAN IP as the Comcast DMZ, or set up all the port forwards in the Comcast router also).
-
Thank you for your help. It's working now. Turns out that Comcast, in their infinite annoyance, changed our static IP without telling us. Once I used the correct IP, Remote Desktop worked just fine. Next I will be looking into adding a VPN to our mix.
-
@accidentalit said in Remote Desktop, port forwarding, & Comcast, Oh my:
Turns out that Comcast, in their infinite annoyance, changed our static IP without telling us.
You might want to see if your host name is consistent. I'm on Rogers and I have a host name that's based on the modem and router MAC addresses, so it changes only when I change hardware, even if the IP address changes. Still, the IP changes so seldom, it's virtually static.