Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    pfSense inside LAN

    Firewalling
    3
    11
    181
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      viragomann @n00bie
      last edited by

      @n00bie
      So did you allready set the static routes for the LAN on the firewalls in front of pfSense?

      If so you just need to add a pass rule to the WAN for TCP/UDP, source = any (or whatever you want), destination = LAN subnet (or an alias, which you have added to the desired hosts), destination port = MS RDP.

      To allow access from the local subnets, you also need to go to the WAN interface settings and remove the check at "block private networks".

      N 1 Reply Last reply Reply Quote 0
      • N
        n00bie @viragomann
        last edited by

        @viragomann
        I haven't done anything on Sophos FW.
        I was on google, for the past few days, trying to find a similar case for pfSense, with no luck.
        Not quite sure on how to tell Sophos FW, that there is as new LAN behind 192.168.32.21 interface.
        "block private networks" on WAN int. has been unchecked.
        That Cisco box, from ISP, is not reachable for me, only ISP has access to that one.

        S V 2 Replies Last reply Reply Quote 0
        • S
          SteveITS Rebel Alliance @n00bie
          last edited by

          @n00bie You can either create NAT rules/port forwards (.32.21:3014 -> .1.14:3389), or in the Sophos add a static route so 192.168.1.0/24 is sent to 192.168.32.21 (and allow the traffic there via WAN firewall rule). I don't know Sophos to tell you how, but it should be findable.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote ๐Ÿ‘ helpful posts!

          1 Reply Last reply Reply Quote 0
          • V
            viragomann @n00bie
            last edited by

            @n00bie
            After adding the pass rule for RDP, I mentioned above, you should already be able to access your hosts from 192.168.32.0/24, which might you call "LAN".

            However, consider that the computers will block access from outside of the subnet by default. You will have to allow RDP access from outside on their firewalls as well.

            To get access from behind the VPN, you need to

            • add the department LAN to the VPN, so that its traffic is routed over the connection.
            • add a static route for the department LAN on the Sophos

            Iss the VPN terminated on the Sophos or on the Cisco.

            If you cannot configure the VPN, you can only forward traffic to the department LAN on the Sophos at its best.

            N 1 Reply Last reply Reply Quote 0
            • N
              n00bie @viragomann
              last edited by

              @viragomann @SteveITS
              For now im focusing on getting this work inside our office LAN. Nothing has been done on Sophos FW. VPN is terminated on Sophos.
              I have done so far (not working config):
              On client inside secure dep. i have one incomming rule (windows FW) and one outgoing rule, that allows port 3389.
              On pfSense i have created this NAT rule.
              And its not working (RDP to 192.168.32.21 and 192.168.1.100 are no go).
              pfSense_NAT.png

              V 1 Reply Last reply Reply Quote 0
              • V
                viragomann @n00bie
                last edited by viragomann

                @n00bie
                There is one additional point, I didn't think of before.
                The LAN devices in 192.168.32.0/24 themself need a static route for the department LAN pointing to pfSense.
                If they get the IP from a DHCP, you can probably deploy the route with it. Otherwise you would need to add a route on each device you want to access the department LAN.

                Another (better) way would be to cut the pfSense from the LAN and put it into a separate network segment with the Sophos (maybe a VLAN). Then you only need to route on the Sophos.

                N 1 Reply Last reply Reply Quote 0
                • N
                  n00bie @viragomann
                  last edited by

                  @viragomann
                  Office LAN get IP from local DHCP server but i was hoping that config is only needed on pfSense.
                  NAT rule is self explainng :)
                  when TCP/UDP on 192.168.32.21 send it to 192.168.1.100:3389. Right?
                  I would rather have solution on pfSense and not involving Sophos, as those two boxes are 2 stories apart.

                  V S 2 Replies Last reply Reply Quote 0
                  • V
                    viragomann @n00bie
                    last edited by

                    @n00bie
                    If the LAN devices doesn't pull their DHCP lease from pfSense, there is nothing pfSense can do to affect the routes.

                    But yes, you can port forward the traffic on the pfSense WAN to the devices behind. But you NAT rule seems wrong.

                    Source: 192.168.32.0/24 (or any or an alias also including VPN tunnel pool)
                    source port: any
                    destination: WAN address
                    destination port MS RDP
                    redirect target: any IP in the department LAN
                    redirect target port: MS RDP

                    For further devices to access, you can either add additional IPs to pfSense WAN or use other ports.
                    In case of alternative ports use the this as destination port, e.g. 3388, but at redirect target as well MS RDP.

                    N 1 Reply Last reply Reply Quote 0
                    • S
                      SteveITS Rebel Alliance @n00bie
                      last edited by

                      @n00bie Agreed, source ports are always random. If you change that your setup should work to RDP to 192.168.32.21:3389.

                      Or if you meant to use 192.168.32.21:3014 then set 3014 as the destination port.

                      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                      Upvote ๐Ÿ‘ helpful posts!

                      1 Reply Last reply Reply Quote 0
                      • N
                        n00bie @viragomann
                        last edited by

                        @viragomann @SteveITS
                        Thank you gentlemen!
                        It works now. viragoman put me in right direction.
                        No need to open any ports on clients windows FW or anything else, just correct NAT rule.
                        I have 2 clients in secure dep., one with 3389 and second with 3390 RDP port (have to change default RDP in windows).
                        Then clone standard NAT rule and just change redirect target and RDP port.
                        Here is my config, that works.pfSense_NAT.png

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.