    Cannot RDP out of network

    General pfSense Questions
    24 Posts 2 Posters 3.4k Views
    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      No idea, dude.  There is nothing special about RDP.  It's just packets.

      Did you port forward both TCP and UDP?  If not, do that.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Why are you using the same LAN subnet in both locations?  Over NAT it shouldn't matter but maybe there's something in the RDP protocol that's jacking up somehow.

        • B
          Basenji
          last edited by

          I appreciate all the time you spent with me today. It's still not working after changing the scope to 192.168.1.0

          I might just blow the whole install away and start from scratch.

          Thanks again.

          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            Can you simply browse the internet?  If so, it's not pfSense.

            • B
              Basenji
              last edited by

              I can. That's what did not make sense and why I reached out here.

              If you're saying the rules I had were fine, I'll blow it away and start again.

              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                If it was the firewall blocking RDP there would be firewall log entries.  But if you want to start over, I'd back up your config first so maybe if that works and you feel like it you can restore it and find out why.

                • B
                  Basenji
                  last edited by

                  Good plan. I will do that and we'll see what happens.

                  • B
                    Basenji
                    last edited by

                    I did get a capture.  Not sure if this tells you anything.

                    17:01:48.652290 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 7846, offset 0, flags [none], proto UDP (17), length 61)
                        192.168.1.2.50427 > 8.8.8.8.53: [udp sum ok] 8475+ A? www.pfsense.org. (33)
                    17:01:48.652555 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 128, id 7845, offset 0, flags [none], proto UDP (17), length 74)
                        192.168.1.2.65419 > 8.8.8.8.53: [udp sum ok] 8872+ A? www.electricsheepfencing.com. (46)
                    17:01:48.680257 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 91: (tos 0x20, ttl 45, id 28817, offset 0, flags [none], proto UDP (17), length 77, bad cksum 0 (->4b35)!)
                        8.8.8.8.53 > 192.168.1.2.50427: [udp sum ok] 8475 q: A? www.pfsense.org. 1/0/0 www.pfsense.org. A 208.123.73.69 (49)
                    17:01:48.716860 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 118: (tos 0x20, ttl 45, id 41368, offset 0, flags [none], proto UDP (17), length 104, bad cksum 0 (->1a13)!)
                        8.8.8.8.53 > 192.168.1.2.65419: [udp sum ok] 8872 q: A? www.electricsheepfencing.com. 2/0/0 www.electricsheepfencing.com. CNAME electricsheepfencing.com., electricsheepfencing.com. A 208.123.73.69 (76)
                    17:01:50.300695 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30916, offset 0, flags [none], proto UDP (17), length 44)
                        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
                    17:01:55.515485 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto UDP (17), length 44)
                        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
                    17:01:56.166321 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30918, offset 0, flags [DF], proto TCP (6), length 52)
                        192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                    17:01:58.545163 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 9279, offset 0, flags [DF], proto TCP (6), length 41)
                        192.168.1.2.54517 > 192.168.1.1.80: Flags [.], cksum 0xe0a9 (correct), seq 480782460:480782461, ack 2381554296, win 256, length 1
                    17:01:58.545823 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 57770, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->d5d1)!)
                        192.168.1.1.80 > 192.168.1.2.54517: Flags [.], cksum 0xdfa8 (correct), seq 1, ack 1, win 513, length 0
                    17:01:59.166111 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30919, offset 0, flags [DF], proto TCP (6), length 52)
                        192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                    17:02:00.500873 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 103: (tos 0x0, ttl 128, id 29952, offset 0, flags [none], proto UDP (17), length 89)
                        192.168.1.2.60572 > 157.56.106.184.3544: [udp sum ok] UDP, length 61
                    17:02:00.545108 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 151: (tos 0x20, ttl 45, id 31372, offset 0, flags [none], proto UDP (17), length 137, bad cksum 0 (->491d)!)
                        157.56.106.184.3544 > 192.168.1.2.60572: [udp sum ok] UDP, length 109
                    17:02:00.728467 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30920, offset 0, flags [none], proto UDP (17), length 44)
                        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
                    17:02:05.165127 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 30921, offset 0, flags [DF], proto TCP (6), length 48)
                        192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0xae9a (correct), seq 638309427, win 8192, options [mss 1460,nop,nop,sackOK], length 0
                    17:02:05.268329 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 (00:0d:b9:1b:05:f6) tell 192.168.1.2, length 46
                    17:02:05.268369 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:0d:b9:1b:05:f6, length 46
                    17:02:05.944083 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30922, offset 0, flags [none], proto UDP (17), length 44)
                        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
                    17:02:08.546450 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 9280, offset 0, flags [DF], proto TCP (6), length 41)
                        192.168.1.2.54517 > 192.168.1.1.80: Flags [.], cksum 0xe0a9 (correct), seq 0:1, ack 1, win 256, length 1
                    17:02:08.547114 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 48216, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->fb23)!)
                        192.168.1.1.80 > 192.168.1.2.54517: Flags [.], cksum 0xdfa8 (correct), seq 1, ack 1, win 513, length 0
                    17:02:10.761866 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30923, offset 0, flags [DF], proto TCP (6), length 52)
                        192.168.1.2.54520 > 70.89.208.13.80: Flags , cksum 0x1487 (correct), seq 2543449493, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                    17:02:10.762820 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 33822, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->de94)!)
                        70.89.208.13.80 > 192.168.1.2.54520: Flags [S.], cksum 0x979c (correct), seq 1887383183, ack 2543449494, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
                    17:02:10.763399 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30924, offset 0, flags [DF], proto TCP (6), length 40)
                        192.168.1.2.54520 > 70.89.208.13.80: Flags [.], cksum 0xd53a (correct), seq 1, ack 1, win 256, length 0
                    17:02:10.763686 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 256: (tos 0x0, ttl 128, id 30925, offset 0, flags [DF], proto TCP (6), length 242)
                        192.168.1.2.54520 > 70.89.208.13.80: Flags [P.], cksum 0x94a1 (correct), seq 1:203, ack 1, win 256, length 202
                    17:02:10.763787 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 32040, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e596)!)
                        70.89.208.13.80 > 192.168.1.2.54520: Flags [.], cksum 0xd371 (correct), seq 1, ack 203, win 511, length 0
                    17:02:10.764296 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 566: (tos 0x0, ttl 128, id 30926, offset 0, flags [DF], proto TCP (6), length 552)
                        192.168.1.2.54520 > 70.89.208.13.80: Flags [P.], cksum 0x8cfa (correct), seq 203:715, ack 1, win 256, length 512
                    17:02:10.764383 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 5998, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->4b51)!)
                        70.89.208.13.80 > 192.168.1.2.54520: Flags [.], cksum 0xd173 (correct), seq 1, ack 715, win 509, length 0
                    17:02:10.764998 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 552: (tos 0x0, ttl 64, id 52474, offset 0, flags [DF], proto TCP (6), length 538, bad cksum 0 (->93d2)!)
                        70.89.208.13.80 > 192.168.1.2.54520: Flags [P.], cksum 0x22fa (correct), seq 1:499, ack 715, win 513, length 498
                    17:02:10.765233 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31505, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e7ad)!)
                        70.89.208.13.80 > 192.168.1.2.54520: Flags [F.], cksum 0xcf7c (correct), seq 499, ack 715, win 513, length 0
                    17:02:10.766114 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30927, offset 0, flags [DF], proto TCP (6), length 40)
                        192.168.1.2.54520 > 70.89.208.13.80: Flags [F.], cksum 0xd07f (correct), seq 715, ack 499, win 254, length 0
                    17:02:10.766229 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 22690, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->a1d)!)
                        70.89.208.13.80 > 192.168.1.2.54520: Flags [F.], cksum 0xcf7b (correct), seq 499, ack 716, win 513, length 0
                    17:02:11.005964 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 58058, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->7ff4)!)
                        70.89.208.13.80 > 192.168.1.2.54520: Flags [F.], cksum 0xcf7b (correct), seq 499, ack 716, win 513, length 0
                    17:02:11.006387 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30928, offset 0, flags [DF], proto TCP (6), length 40)
                        192.168.1.2.54520 > 70.89.208.13.80: Flags [.], cksum 0xd17c (correct), seq 716, ack 500, win 0, length 0
                    17:02:11.159887 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30929, offset 0, flags [none], proto UDP (17), length 44)
                        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
                    17:02:13.385739 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 694: (tos 0x0, ttl 128, id 9281, offset 0, flags [DF], proto TCP (6), length 680)
                        192.168.1.2.54517 > 192.168.1.1.80: Flags [P.], cksum 0x91f3 (correct), seq 1:641, ack 1, win 256, length 640
                    17:02:13.386430 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 55382, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->df25)!)
                        192.168.1.1.80 > 192.168.1.2.54517: Flags [.], cksum 0xdd2d (correct), seq 1, ack 641, win 508, length 0

                    • DerelictD
                      Derelict LAYER 8 Netgate
                      last edited by

                      Yeah.  Three connection attempts from 192.168.1.2 to 70.89.208.13:3389 with nothing coming back.

                      17:01:56.166321 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30918, offset 0, flags [DF], proto TCP (6), length 52)
                          192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                      17:01:59.166111 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30919, offset 0, flags [DF], proto TCP (6), length 52)
                          192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
                      17:02:05.165127 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 30921, offset 0, flags [DF], proto TCP (6), length 48)
                          192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0xae9a (correct), seq 638309427, win 8192, options [mss 1460,nop,nop,sackOK], length 0

                      What interface is that capture from?  Looks like LAN.  Do it on WAN and try again.  Put 3389 in the port field before you start it please.

                      I'm making some assumptions because your log is mangled.  Post your captures inor attach them since the brackets are being interpreted as formatting codes.

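The check made by eye in the post above (SYNs leaving for port 3389 with nothing coming back) can be scripted against a text capture. This is an added example, not part of the original thread; it assumes unmangled `tcpdump -e -v` output with the bracketed flags intact, and the sample capture, its addresses and the function name `unanswered_syns` are constructed for illustration.

```python
import re
from collections import defaultdict

# With -v, tcpdump prints the IP header on a timestamped line and the
# TCP summary on the indented line that follows it.
TIMESTAMP = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+) ")
TCP_LINE = re.compile(
    r"^\s+(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

# Constructed sample: three SYNs to port 3389 that get no reply, and one
# connection to port 80 that completes its handshake.
SAMPLE = """\
17:01:56.166321 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, proto TCP (6), length 52)
    192.0.2.10.54519 > 198.51.100.13.3389: Flags [S], cksum 0x9a8b (correct), seq 638309427, win 8192, length 0
17:01:59.166111 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, proto TCP (6), length 52)
    192.0.2.10.54519 > 198.51.100.13.3389: Flags [S], cksum 0x9a8b (correct), seq 638309427, win 8192, length 0
17:02:05.165127 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, proto TCP (6), length 48)
    192.0.2.10.54519 > 198.51.100.13.3389: Flags [S], cksum 0xae9a (correct), seq 638309427, win 8192, length 0
17:02:10.761866 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, proto TCP (6), length 52)
    192.0.2.10.54520 > 198.51.100.13.80: Flags [S], cksum 0x1487 (correct), seq 2543449493, win 8192, length 0
17:02:10.762820 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, proto TCP (6), length 52)
    198.51.100.13.80 > 192.0.2.10.54520: Flags [S.], cksum 0x979c (correct), seq 1887383183, ack 2543449494, win 65228, length 0
17:02:10.763399 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, proto TCP (6), length 40)
    192.0.2.10.54520 > 198.51.100.13.80: Flags [.], cksum 0xd53a (correct), seq 1, ack 1, win 256, length 0
"""

def unanswered_syns(capture_text):
    """Return {(src, sport, dst, dport): [timestamps]} for SYNs with no return traffic."""
    syns = defaultdict(list)   # flow -> timestamps of pure SYNs (incl. retransmits)
    answered = set()           # flows for which any reverse-direction packet was seen
    ts = None
    for line in capture_text.splitlines():
        header = TIMESTAMP.match(line)
        if header:
            ts = header.group(1)
            continue
        tcp = TCP_LINE.match(line)
        if not tcp:
            continue
        src, sport, dst, dport, flags = tcp.groups()
        sport, dport = int(sport), int(dport)
        if flags == "S":
            syns[(src, sport, dst, dport)].append(ts)
        # A SYN-ACK, RST or anything else from dst to src counts as a reply.
        answered.add((dst, dport, src, sport))
    return {flow: times for flow, times in syns.items() if flow not in answered}

if __name__ == "__main__":
    for flow, times in unanswered_syns(SAMPLE).items():
        print(flow, "SYNs at", times, "with no reply")
```

Running the same check on a LAN capture and a WAN capture shows whether the SYNs leave the firewall and whether replies ever arrive on the outside interface.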
                      • B
                        Basenji
                        last edited by

                        Unbelievable. I killed 3 days on this thing and wasted your time. I blew it away and left everything at default and now it works. Just kill me.  I apologize for wasting your time.

                        I did save the old config so I can do as you said.

                        Thank you again for responding and trying to help me out. I really appreciate it.

                        ~ Michael

                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          Glad you got it working.
