Cannot RDP out of network
-
You've gotten pretty clicky-clicky with your stuff indicating a basic misunderstanding of what you're actually doing.
What is the IP network of LAN?
Why all the outbound NAT rules for OPT1? Is that another WAN?
Why are you limiting LAN to TCP/UDP only? That's certainly not the default config.
Where are you trying to RDP to? Are you sure it's not being blocked inbound there?
Read and understand this. Particularly the part about what interface rules should be placed on and that you are passing traffic coming INTO pfSense, not going out of it.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
Derelict, you are right. I got to the point where I was clicking on everything trying to get it to work; you should have seen it before I cleaned it up ;)
The LAN network is 172.31.192.xxx
OPT1 was going to be another WAN, but I have not got that far.
I thought I was allowing it for all when I made the rule for TCP/UDP.
I am trying to RDP to a server at my office, but it appeared that across the LAN I cannot RDP to another PC.
I will print it out and read it now.
Thank you.
-
You can do anything, including RDP, as long as the traffic is passed into LAN.
How are you getting to the remote RDP? Over the internet? VPN? Is there a port forwarded there or something?
I'd bet your problem is there, not locally.
-
I am using RDP straight to the server. When I am out of my test environment I can connect both over the internet and when I connect with my VPN, but when I am in my test environment I cannot connect either way. I am seeing DNS event ID 1014 (see image) in the logs on my PC that I have not seen before, and I am not having a problem getting to the internet.
-
Where is the server? What IP address? What interface? I have no idea what your test environment is. I am not a mindreader. Draw a diagram.
-
My apologies. Here is the setup, including the server I am trying to RDP to.
-
On your LAN interface, disable all the rules you added and re-enable the last one that you disabled. Then post another screenshot.
If you do that and you still can't RDP, then the problem is in one of the other routers or firewalls, not pfSense.
-
OK, I did that and got the same results. I cannot RDP to it. I have verified that port 3389 is open as well.
![open port.jpg](/public/imported_attachments/1/open port.jpg)
![lan diabled.jpg](/public/imported_attachments/1/lan diabled.jpg)
-
Your problem is elsewhere.
Do a packet capture on pfSense WAN filtering on port 3389 and try a connection. You will see it going out but not getting a reply.
You have three other routers in the mix. I don't know why you insist the problem is with the one with a pass any any any rule on it.
-
OK, I will do the packet capture. The only reason I think it has to do with pfSense is because if I remove that and use my normal network I can RDP without a problem. I do understand there are 2 additional routers in the mix, but assumed that if it worked outside of the network with the pfSense it should work behind it as well. Or am I looking at it the wrong way? Like I said, I am not a firewall guy; I'm trying to learn it. The pfSense manual is on order.
-
I don't know. Double NAT sucks.
-
OK. I set the Comcast modem in bridge mode and still cannot RDP. I tried a packet capture and nothing was captured (no data), which I thought was odd.
I'm not even seeing anything blocked in the log files after I clear them and then try to connect.
-
No idea, dude. There is nothing special about RDP. It's just packets.
Did you port forward both TCP and UDP? If not, do that.
-
Why are you using the same LAN subnet in both locations? Over NAT it shouldn't matter but maybe there's something in the RDP protocol that's jacking up somehow.
-
I appreciate all the time you spent with me today. It's still not working after changing the scope to 192.168.1.0.
I might just blow the whole install away and start from scratch.
Thanks again.
-
Can you simply browse the internet? If so, it's not pfSense.
-
I can; that's what did not make sense and why I reached out here.
If you're saying the rules I had were fine, I'll blow it away and start again.
-
If it was the firewall blocking RDP there would be firewall log entries. But if you want to start over, I'd back up your config first, so if that works and you feel like it you can restore it and find out why.
-
Good plan. I will do that and we'll see what happens.
-
I did get a capture. Not sure if this tells you anything.
```
17:01:48.652290 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 7846, offset 0, flags [none], proto UDP (17), length 61)
    192.168.1.2.50427 > 8.8.8.8.53: [udp sum ok] 8475+ A? www.pfsense.org. (33)
17:01:48.652555 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 128, id 7845, offset 0, flags [none], proto UDP (17), length 74)
    192.168.1.2.65419 > 8.8.8.8.53: [udp sum ok] 8872+ A? www.electricsheepfencing.com. (46)
17:01:48.680257 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 91: (tos 0x20, ttl 45, id 28817, offset 0, flags [none], proto UDP (17), length 77, bad cksum 0 (->4b35)!)
    8.8.8.8.53 > 192.168.1.2.50427: [udp sum ok] 8475 q: A? www.pfsense.org. 1/0/0 www.pfsense.org. A 208.123.73.69 (49)
17:01:48.716860 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 118: (tos 0x20, ttl 45, id 41368, offset 0, flags [none], proto UDP (17), length 104, bad cksum 0 (->1a13)!)
    8.8.8.8.53 > 192.168.1.2.65419: [udp sum ok] 8872 q: A? www.electricsheepfencing.com. 2/0/0 www.electricsheepfencing.com. CNAME electricsheepfencing.com., electricsheepfencing.com. A 208.123.73.69 (76)
17:01:50.300695 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30916, offset 0, flags [none], proto UDP (17), length 44)
    192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
17:01:55.515485 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto UDP (17), length 44)
    192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
17:01:56.166321 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30918, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.2.54519 > 70.89.208.13.3389: Flags, cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:01:58.545163 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 9279, offset 0, flags [DF], proto TCP (6), length 41)
    192.168.1.2.54517 > 192.168.1.1.80: Flags [.], cksum 0xe0a9 (correct), seq 480782460:480782461, ack 2381554296, win 256, length 1
17:01:58.545823 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 57770, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->d5d1)!)
    192.168.1.1.80 > 192.168.1.2.54517: Flags [.], cksum 0xdfa8 (correct), seq 1, ack 1, win 513, length 0
17:01:59.166111 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30919, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.2.54519 > 70.89.208.13.3389: Flags, cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:02:00.500873 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 103: (tos 0x0, ttl 128, id 29952, offset 0, flags [none], proto UDP (17), length 89)
    192.168.1.2.60572 > 157.56.106.184.3544: [udp sum ok] UDP, length 61
17:02:00.545108 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 151: (tos 0x20, ttl 45, id 31372, offset 0, flags [none], proto UDP (17), length 137, bad cksum 0 (->491d)!)
    157.56.106.184.3544 > 192.168.1.2.60572: [udp sum ok] UDP, length 109
17:02:00.728467 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30920, offset 0, flags [none], proto UDP (17), length 44)
    192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
17:02:05.165127 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 30921, offset 0, flags [DF], proto TCP (6), length 48)
    192.168.1.2.54519 > 70.89.208.13.3389: Flags, cksum 0xae9a (correct), seq 638309427, win 8192, options [mss 1460,nop,nop,sackOK], length 0
17:02:05.268329 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 (00:0d:b9:1b:05:f6) tell 192.168.1.2, length 46
17:02:05.268369 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:0d:b9:1b:05:f6, length 46
17:02:05.944083 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30922, offset 0, flags [none], proto UDP (17), length 44)
    192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
17:02:08.546450 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 9280, offset 0, flags [DF], proto TCP (6), length 41)
    192.168.1.2.54517 > 192.168.1.1.80: Flags [.], cksum 0xe0a9 (correct), seq 0:1, ack 1, win 256, length 1
17:02:08.547114 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 48216, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->fb23)!)
    192.168.1.1.80 > 192.168.1.2.54517: Flags [.], cksum 0xdfa8 (correct), seq 1, ack 1, win 513, length 0
17:02:10.761866 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30923, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.1.2.54520 > 70.89.208.13.80: Flags, cksum 0x1487 (correct), seq 2543449493, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:02:10.762820 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 33822, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->de94)!)
    70.89.208.13.80 > 192.168.1.2.54520: Flags [S.], cksum 0x979c (correct), seq 1887383183, ack 2543449494, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
17:02:10.763399 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30924, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.2.54520 > 70.89.208.13.80: Flags [.], cksum 0xd53a (correct), seq 1, ack 1, win 256, length 0
17:02:10.763686 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 256: (tos 0x0, ttl 128, id 30925, offset 0, flags [DF], proto TCP (6), length 242)
    192.168.1.2.54520 > 70.89.208.13.80: Flags [P.], cksum 0x94a1 (correct), seq 1:203, ack 1, win 256, length 202
17:02:10.763787 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 32040, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e596)!)
    70.89.208.13.80 > 192.168.1.2.54520: Flags [.], cksum 0xd371 (correct), seq 1, ack 203, win 511, length 0
17:02:10.764296 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 566: (tos 0x0, ttl 128, id 30926, offset 0, flags [DF], proto TCP (6), length 552)
    192.168.1.2.54520 > 70.89.208.13.80: Flags [P.], cksum 0x8cfa (correct), seq 203:715, ack 1, win 256, length 512
17:02:10.764383 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 5998, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->4b51)!)
    70.89.208.13.80 > 192.168.1.2.54520: Flags [.], cksum 0xd173 (correct), seq 1, ack 715, win 509, length 0
17:02:10.764998 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 552: (tos 0x0, ttl 64, id 52474, offset 0, flags [DF], proto TCP (6), length 538, bad cksum 0 (->93d2)!)
    70.89.208.13.80 > 192.168.1.2.54520: Flags [P.], cksum 0x22fa (correct), seq 1:499, ack 715, win 513, length 498
17:02:10.765233 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31505, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e7ad)!)
    70.89.208.13.80 > 192.168.1.2.54520: Flags [F.], cksum 0xcf7c (correct), seq 499, ack 715, win 513, length 0
17:02:10.766114 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30927, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.2.54520 > 70.89.208.13.80: Flags [F.], cksum 0xd07f (correct), seq 715, ack 499, win 254, length 0
17:02:10.766229 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 22690, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->a1d)!)
    70.89.208.13.80 > 192.168.1.2.54520: Flags [F.], cksum 0xcf7b (correct), seq 499, ack 716, win 513, length 0
17:02:11.005964 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 58058, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->7ff4)!)
    70.89.208.13.80 > 192.168.1.2.54520: Flags [F.], cksum 0xcf7b (correct), seq 499, ack 716, win 513, length 0
17:02:11.006387 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30928, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.2.54520 > 70.89.208.13.80: Flags [.], cksum 0xd17c (correct), seq 716, ack 500, win 0, length 0
17:02:11.159887 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30929, offset 0, flags [none], proto UDP (17), length 44)
    192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
17:02:13.385739 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 694: (tos 0x0, ttl 128, id 9281, offset 0, flags [DF], proto TCP (6), length 680)
    192.168.1.2.54517 > 192.168.1.1.80: Flags [P.], cksum 0x91f3 (correct), seq 1:641, ack 1, win 256, length 640
17:02:13.386430 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 55382, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->df25)!)
    192.168.1.1.80 > 192.168.1.2.54517: Flags [.], cksum 0xdd2d (correct), seq 1, ack 641, win 508, length 0
```