Firewall Rule to Allow RDP to LAN..?
-
Hi everyone,
Here is my setup -
Virgin Modem > TP-LINK Wireless Router > pfSense > LAN
So basically I have a Virgin modem connected to a hardware router (IP 192.168.5.1), which is connected to pfSense (IP 192.168.0.1, a virtual machine).
The WAN IP for pfSense is 192.168.5.6 and the LAN IP is 192.168.0.1.
I have forwarded port 3389 from the hardware router (TP-LINK) to the pfSense WAN IP, 192.168.5.6.
I have set up the NAT + firewall rule successfully and can RDP from work; however, I cannot seem to RDP to the internal LAN if I am connected from the wireless router (network 192.168.5.0). If I turn the firewall function off in pfSense then I am able to RDP successfully (so it looks like it's a rule issue).
So what is going on, guys? Can someone guide me on how to create a rule for when I connect from the wireless router 192.168.5.0 to 192.168.0.0, as it's proving to be too difficult to set up?
Thanks in Advance!
-
Modify your WAN interface, at the bottom of the screen is an option to block private networks. Uncheck this.
-
It's already unticked. Do I not need to create any rules, as when I turn the firewall and NAT option completely off then it works?
Thanks
-
Yes, you need to create rules. One from 192.168.5.0/24 to 192.168.0.0/24 on the OPT? link and 192.168.0.0/24 to 192.168.5.0/24 on the LAN. This will need to be above all rules for their interface. If this doesn't work, please post your rules and we can help from there.
-
-
Okay, first thing: you are looking at the LAN and not the WAN. There should be a default rule in LAN that says from LAN net anything can go anywhere on any port. So then you need a WAN rule that reads:
Protocol   Source   Source port   Destination                   Destination port   Gateway   …   Comments
TCP        any      any           192.168.0.<octet of system>   3389               *             Whatever you like.
You will also have the matching port forward rule 192.168.5.1 > 192.168.0.<octet of system>. I think you may have this completed already.
-
OK, I've done what you suggested (it's highlighted in yellow) and it's still not working. Do I need to reboot pfSense after I make changes? Also, I've attached screen prints of what's configured. The strange thing is, if I come from outside (internet) the RDP works with NAT + rule, but why is it proving to be difficult from a router that's connected to pfSense? Your help is appreciated…
I've also added firewall logs that may help -
-
-
What does your port forward rule look like?
-
-
What is the outbound NAT doing? Auto or not?
-
-
You might want to go ahead and switch to manual NAT and NAT only on the WAN interface and do pure routing otherwise.
-
-
Those should be the only rules you need. Are you using ESX 5 per chance?
-
Yes, it's an ESX 5 virtual environment; pfSense and all other machines are VMs?
-
In my lab, yes they are. I will throw up your type of config and see what happens. I suspect mine will work .. my bridge doesn't though :(.
-
Finally got the bridge working. So tell me, did you leave the default of keep state on all the rules?
Holy crap, I just noticed that your route to 192.168.0.0/24 is not correct. Just thinking of network basics.
It should read 192.168.0.0/24 GW 192.168.5.6 (pfSense WAN port), not .1.
Are you trying to access them by their 192.168.0.0/24 address or the WAN IP?
-
Excellent, changing the DG to 192.168.5.6 did the trick. I can't believe I didn't pick that up! (something so simple) :)
Thanks for your help, all is now working.
Cheers
-
Hi,
Just wanted to know: if I turn off the firewall functionality in pfSense it will also disable NAT (router mode), so how can I then get access from the internet? How do I do port forwarding in router mode only?
Also, do you have any custom captive portal page, or know of any site where I can download one and tweak it? :)
Cheers
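
Added example, not part of the original thread or any poster's configuration: a small route-table check that reproduces the fix found above, where the route for 192.168.0.0/24 pointed at 192.168.5.1 instead of the pfSense WAN address 192.168.5.6. The route tables, the sample RDP host 192.168.0.10 and the function names are constructed for illustration; the thread does not say which device held the bad route, so the check assumes a sender on 192.168.5.0/24.

```python
import ipaddress

# Networks each gateway on the 192.168.5.0/24 segment is directly attached to
# (addresses from the thread).
ATTACHED = {
    "192.168.5.1": ["192.168.5.0/24"],                    # TP-Link, LAN side
    "192.168.5.6": ["192.168.5.0/24", "192.168.0.0/24"],  # pfSense WAN + LAN
}

# Constructed route tables: before and after the fix described in the thread.
BROKEN = [("0.0.0.0/0", "192.168.5.1"), ("192.168.0.0/24", "192.168.5.1")]
FIXED = [("0.0.0.0/0", "192.168.5.1"), ("192.168.0.0/24", "192.168.5.6")]


def next_hop(routes, dst):
    """Longest-prefix match: return (network, gateway) for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best


def check_internal_route(routes, dst, local_net="192.168.5.0/24"):
    """Return problems with the route a sender on local_net uses for an internal dst."""
    hit = next_hop(routes, dst)
    if hit is None:
        return [f"no route to {dst}"]
    _, gateway = hit
    problems = []
    if ipaddress.ip_address(gateway) not in ipaddress.ip_network(local_net):
        problems.append(f"gateway {gateway} is not on-link in {local_net}")
    attached = [ipaddress.ip_network(n) for n in ATTACHED.get(gateway, [])]
    if not any(ipaddress.ip_address(dst) in n for n in attached):
        problems.append(f"gateway {gateway} has no interface on the network of {dst}")
    return problems


if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_internal_route(table, "192.168.0.10") or "ok")
```

The check only makes sense for internal destinations that should sit directly behind the chosen gateway; internet-bound traffic via the default route is out of its scope.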