Firewall Rule to Allow RDP to LAN..?
-
-
Okay, first thing: you are looking on the LAN and not the WAN. There should be a default rule in LAN that says from LAN net anything can go anywhere on any port. So then you need a WAN rule that reads:
Protocol Source Source port Destination Destination port Gateway …. Comments.
TCP any any 192.168.0.<octet of system> 3389 * Whatever you like.
You will also have the matching port forward rule 192.168.5.1 > 192.168.0.<octet of system>. I think you may have this completed already.
-
OK, I've done what you suggested (it's highlighted in yellow) and it's still not working. Do I need to reboot pfSense after I make changes? Also, I've attached screen prints of what's configured. The strange thing is, if I come from outside (internet) the RDP works (NAT+Rule), but why is it proving to be difficult from a router that's connected to pfSense? Your help is appreciated…
I've also added firewall logs that may help.
-
-
What does your port forward rule look like?
-
-
What is the outbound NAT doing? Auto or not?
-
-
You might want to go ahead and switch to manual NAT and NAT only on the WAN interface and do pure routing otherwise.
-
-
Those should be the only rules you need. Are you using ESX 5 per chance?
-
Yes, it's an ESX 5 virtual environment; pfSense and all other machines are VMs?
-
In my lab, yes they are. I will throw up your type of config and see what happens. I suspect mine will work .. my bridge doesn't though :(.
-
Finally got the bridge working. So tell me, did you leave the default of keep state on all the rules?
Holy crap, I just noticed that your route to 192.168.0.0/24 is not correct. Just thinking of network basics.
It should read 192.168.0.0/24 GW 192.168.5.6 (pfSense WAN port) not .1.
Are you trying to access them by their 192.168.0.0/24 address or the WAN IP?
-
Excellent, changing the DG to 192.168.5.6 did the trick. I can't believe I didn't pick that up! (something so simple) :)
Thanks for your help, all is now working.
Cheers
-
Hi,
Just wanted to know: if I turn off the firewall functionality in pfSense it will also disable NAT (router mode). How can I then access from the internet, how do I do port forwarding in router mode only?
Also, do you have any custom captive portal page or know of any site where I can download one and tweak it? :)
Cheers
-
With firewall disabled, so is the NAT as that is a function of the firewall. So, you don't port forward in router mode only.
I don't know of any captive portal custom stuff. Perhaps those that are monitoring the Captive Portal threads can let you know.
-
In a hardware router, you have an option to port forward to a LAN IP, also known as (virtual servers). Is this option not available in pfSense?
Thanks
-
Generally in a hardware firewall/router, you cannot disable the entire FW like you can in pfSense. You can set up allow-all rules and then do whatever kind of NATing you like.