I open the ports 21, 3389 and any other port but it shows me that they are closed, why?
-
Hello everybody, I finally set up my pfSense at my company; the WAN IP is 192.168.1.44 and the LAN IP is 10.0.0.1.
I want to open port 3389 to let another employee who works from home access the Windows Server 2012 R2 server, which has 10.0.0.10 as its IP address, and I created these rules on the WAN and LAN like this:
On the WAN interface:
Action: pass
Interface: WAN
Protocol: TCP
Source: Any
Destination: WAN Address
Destination port range: 3389
On the LAN interface:
Action: pass
Interface: LAN
Protocol: TCP
Source: Any
Destination: WAN Address
Destination port range: 3389
But when I test, I find that port 3389 is closed.
So what's the problem?
Should I put my public address? Or what's wrong?
-
So you've allowed RDP access to the pfSense WAN address. What should pfSense do with those RDP packets?
You have to forward them to the server behind pfSense. Additionally, add a port forwarding rule in NAT > Port forward and set the server's IP as the translation address.
The firewall rule on LAN is useless. Rules have to be set on the incoming interface; responses are allowed by states automatically.
Since your WAN is in a private network, ensure you've unchecked "Block private networks" in the interface settings.
Of course, the packets also have to be forwarded to pfSense on your internet router.
However, generally it's not recommended to open RDP access on WAN. The recommended solution is to set up a VPN and direct access to internal devices over it.
-
"@viragomann Recommended solution is to set up a VPN and direct access to internal devices over it."
This. You're asking for trouble otherwise.
Just a thought: how is the remote user going to access RDP or VPN from home if your WAN address is a private RFC1918 address?
rfc1918 -> Internet -> rfc1918 isn't routable.
-
@viragomann thank you very much for your answer.
So in the NAT rule I set this:
Interface: wan
protocol: tcp
destination: wan
destination port range: 3389
redirect range ip: 10.0.0.10 (IP address of the server that I want to access from my home (Windows Server 2012 R2, which I already had access to before setting up pfSense))
range targetport: 3389
description: accès à distance pour mon serveur
And I already unchecked “Block private networks” but it's still the same problem, the port is closed, so what can I do?
I have a unique public IP, so what can I do?
-
@nogbadthebad I didn't understand your suggestion, please can you explain more, because my WAN address is private, so what can I do? When I create the NAT rule I put my public IP address but it's still the same problem, the port is closed, so?
-
@nihad123 said in I open the ports 21, 3389 and any other port but it shows me that they are closed, why?:
@nogbadthebad I didn't understand your suggestion, please can you explain more, because my WAN address is private, so what can I do? When I create the NAT rule I put my public IP address but it's still the same problem, the port is closed, so?
Your WAN address isn't routable on the internet, so what address will the guy working from home connect to? Your WAN address won't be contactable from the Internet.
If you go to http://www.whatsmyip.org I bet it doesn't come back with 192.168.1.44, meaning your pfSense router isn't directly connected to the Internet.
When I VPN into my home network from the Internet I use the public IP address provided by my ISP.
I'd suggest you read up on RFC1918.
https://tools.ietf.org/html/rfc1918
I'm guessing there is a WAN router further upstream from your pfSense router.
-
@nogbadthebad yes, that's what I see, the pfSense WAN interface has a private IP, so how can I resolve this problem? Should I install OpenVPN on my pfSense? Or what?
-
What's between "the internet" and your pfSense WAN? You never answered that but it's important.
-
What's the device between the Internet and pfSense?
Ideally it would be best to turn it into a modem if you can, or can you connect pfSense directly to the Internet?
-
@nihad123 said in I open the ports 21, 3389 and any other port but it shows me that they are closed, why?:
destination: wan
Has to be "WAN address"
@nihad123 said in I open the ports 21, 3389 and any other port but it shows me that they are closed, why?:
IP address of the server that I want to access from my home (Windows Server 2012 R2, which I already had access to before setting up pfSense
What did your setup look like before?
If you have just inserted pfSense between your ISP router and your LAN, you also have to reconfigure the router to forward incoming packets to pfSense now instead of the server directly, as I mentioned already above.
Maybe you want to forward all incoming traffic to pfSense by setting it as "exposed host" in the router, if all your services you want to reach from the Internet are behind pfSense.
If there is nothing else connected to the pfSense WAN network -
@jahonix fibre modem
-
@viragomann how can I reconfigure the router to forward incoming packets to pfSense now instead of the server directly?
Because before, I reconfigured the router to forward incoming packets to the Windows Server 2012 by its IP address 192.168.1.10 and by port 3389, but when I set up pfSense, the IP address of the 2012 server became 10.0.0.10 and I changed only the address of the server from 192.168.1.10 to 10.0.0.10, but there is still the problem of it being closed, so what can I do? Do I change the address to 10.0.0.1, the LAN address of pfSense, or what?
-
@nihad123 said in I open the ports 21, 3389 and any other port but it shows me that they are closed, why?:
@jahonix fibre modem
Are you sure it's running in modem mode?
What is the make and model?
-
@nogbadthebad said in I open the ports 21, 3389 and any other port but it shows me that they are closed, why?:
I’m guessing there is a WAN router further upstream from your pfSense router.
I have router-----pfsense----windows_servers2012
-
@nogbadthebad yes, pfSense is in modem mode because all machines after pfSense have IP addresses from the DHCP address range that I defined for the pfSense LAN; I mean that machines after pfSense have 10.0.0.15, 10.0.018 ... and they connect to the internet
-
You have to forward incoming access to pfSense WAN address (192.168.1.44) now, of course if the router isn't in modem / bridge mode.
If pfSense does all the filtering now, you can forward all incoming traffic to it. Some routers have a DMZ option for that, others call it "Exposed host".
-
@viragomann I changed anything on my router so I think that it is in modem mode, so I will forward incoming access to the pfSense WAN address 192.168.1.44, and after that what will I do in the NAT and rules on pfSense?
-
Yes. But I don't think your router is in modem mode.
-
What exactly is the make and model of the upstream device?
What is the connection into it: ADSL, Ethernet, ...?
Do you have access to this device to change its config?
The issue here is the device between the Internet and your pfSense box.
-
@nihad123 said in I open the ports 21, 3389 and any other port but it shows me that they are closed, why?:
I think that it is in modem mode, so I will forward incoming access to the pfSense WAN address 192.168.1.44
If your ISP device was in "modem" mode then the pfSense WAN would be a public IP, not an RFC1918 address.
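
The double-NAT chain discussed in this thread (ISP router, then pfSense, then the server), as an added example that is not part of any post: a small Python model that follows an inbound TCP 3389 connection hop by hop and reports where it is dropped. The `trace` and `chain` helpers are hypothetical, the /24 masks are assumed, and the public and remote addresses are documentation-range placeholders because the thread never states the real ones.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr falls in one of the RFC 1918 ranges."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def trace(src, dst, port, hops):
    """Follow an inbound TCP connection through each NAT hop in order.
    Returns (final_destination, None) or (None, reason) at the first drop."""
    for hop in hops:
        if dst != hop["wan"]:
            return None, f"{hop['name']}: packet is addressed to {dst}, not its WAN {hop['wan']}"
        if hop.get("block_private") and is_private(src):
            return None, f"{hop['name']}: 'Block private networks' drops source {src}"
        target = hop["forwards"].get(port)
        if target is None:
            return None, f"{hop['name']}: no port forward for TCP {port}"
        if ipaddress.ip_address(target) not in ipaddress.ip_network(hop["lan"]):
            return None, f"{hop['name']}: forward target {target} is not on its LAN {hop['lan']}"
        dst = target  # destination is rewritten before the next hop sees it
    return dst, None

PUBLIC_IP = "203.0.113.10"  # placeholder: the real public address is not on the page
REMOTE = "198.51.100.7"     # constructed address for the employee at home

def chain(router_target, pfsense_forwards, block_private=False):
    """Build the two hops from the thread; subnet masks (/24) are assumed."""
    return [
        {"name": "ISP router", "wan": PUBLIC_IP, "lan": "192.168.1.0/24",
         "forwards": {3389: router_target}},
        {"name": "pfSense", "wan": "192.168.1.44", "lan": "10.0.0.0/24",
         "forwards": pfsense_forwards, "block_private": block_private},
    ]

if __name__ == "__main__":
    cases = {
        "router forward changed to 10.0.0.10": chain("10.0.0.10", {3389: "10.0.0.10"}),
        "pfSense WAN rule but no NAT forward": chain("192.168.1.44", {}),
        "both hops forward correctly": chain("192.168.1.44", {3389: "10.0.0.10"}),
    }
    for label, hops in cases.items():
        print(f"{label}: {trace(REMOTE, PUBLIC_IP, 3389, hops)}")
    # A test run from the 192.168.1.x side reaches pfSense directly, with a private source.
    lan_side = chain("192.168.1.44", {3389: "10.0.0.10"}, block_private=True)[1:]
    print(trace("192.168.1.20", "192.168.1.44", 3389, lan_side))
```
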