Netgate Discussion Forum

    NAT - Port Fowarding

    General pfSense Questions
    15 Posts 5 Posters 1.5k Views
    • V
      viragomann @JHarrel
      last edited by

      @jharrel
      What is the role of pfSense in communication path?

      1 Reply Last reply Reply Quote 0
      • J
        JHarrel
        last edited by

        My existing PC failed and I had to rebuild my firewall. Hence a new version of the pfSense software, which I rebuilt from my copies of my previous build.

        My NATs work once, then I have to resave my rules and I can log in again. I think something is not right with my WAN setup.

        My ISP gave me 7 static IP addresses and maybe 6 of the lines are initializing correctly.

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          You haven't answered the question..

          How is pfSense in the path? Do you just RDP to your work PC? Are there firewalls at work that only allow a specific IP? Are you VPN'ing to your work PC?

          Why are you using 7 static IPs at home? Back to the work connection - does this limit which source IP you can connect from?

          When this fails, does internet work from pfsense? etc. etc.

          Is pfsense at the work or home location, both?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • J
            JHarrel
            last edited by

            I use pfSense first as my firewall. I then want 3 users to connect from outside the firewall, so I purchased 3 IP addresses that I set up with Type set to IP Alias. I then set NAT to redirect the outside IP to a specific inside IP address. I let the NAT setup create the rules for my connections.

            It worked great in my previous version and setup.

            J 1 Reply Last reply Reply Quote 0
            • J
              JHarrel @JHarrel
              last edited by

              @jharrel said in NAT - Port Fowarding:

              I use pfSense first as my firewall. I then want 3 users to connect from outside the firewall, so I purchased 3 IP addresses that I set up with Type set to IP Alias. I then set NAT to redirect the outside IP to a specific inside IP address. I let the NAT setup create the rules for my connections.

              It worked great in my previous version and setup.

              Note: The 7 IPs are for my work, as I have been a hosting site for a few years. Most IPs are used for RDP connections. I only use pfSense at work, not at home.

              I did use VPNs on my old setup, but I removed the VPN connections 3 months ago.

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Not a clue why anyone would do it that way? If you have 3 people you want to connect in to some RDP... Then let them VPN - this requires only 1 IP, and is WAY more secure... Limit them to the RDP you want to allow if required.

                I really want to help - but I don't help stupid.. This just seems stupid to me, sorry.


                1 Reply Last reply Reply Quote 0
                • DerelictD
                  Derelict LAYER 8 Netgate
                  last edited by

                  Or have them RDP on different ports.

                  But VPN is better for sure.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • J
                    JHarrel
                    last edited by

                    Well, Stupid is as Stupid does. You must live a boring life if you only do things 1 way.

                    I ran RDP NAT redirection for 5 years without issues. If I am in a client's office and want to connect to my office, I sure do not want to install a VPN connector to my office.

                    But you aren't helping me now because you don't help stupid. So pretend this is to someone else.

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Your life must be full of grief trying to do things the wrong complicated stupid way, vs the easy simple secure way ;)

                      Running RDP open to the public internet is just beyond moronic... The thousands and thousands of bruteforce attempts you must have seen must have been great for your logging ;) And quite sure your boxes were most likely compromised unless you actually took time and didn't set easy-to-remember bruteforce passwords.. Let's not forget also the very large number of just plain security issues with RDP itself if your boxes are not constantly patched and managed.

                      So you're at some client's location running on their hardware? Or your own? I can RDP to any box I want on my network via a simple click on my phone even, or tablet. Or since I would always have "my" laptop anywhere I am at, it's clickity clickity as well to get anything I need on my network - be it RDP or SSH or any sort of web interface. Other than a bit slower, it's like I am on my own network...

                      But sure, you have fun opening up RDP to the public internet so it's "simple" for you to connect ;) Nor do I have to pay for multiple IPs just so I can RDP. ;)

                      If you were going to do it that way - as Derelict mentioned, it's simple to just forward say 13389 to your 3389 port, and then 23389 to another box, 33389 to a 3rd box, etc. All only require 1 IP, and while still not really as secure as VPN, will draw fewer bruteforce attempts and less log spam running on different ports.


                      1 Reply Last reply Reply Quote 1
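The two layouts discussed above (JHarrel's one-public-IP-alias-per-host forwards, and the single-IP, distinct-external-port forwards Derelict and johnpoz describe) written out as pf rules. This is an added illustration, not the thread's own configuration and not pfSense's generated ruleset; pfSense writes these rules for you from the Firewall > NAT > Port Forward page, and the interface name, addresses and hosts below are constructed placeholders.

```pf
# Added example: pf syntax for the two port-forward layouts from the thread.
# Constructed values: WAN interface em0, WAN address 203.0.113.10,
# IP alias VIPs 203.0.113.11-13, internal RDP hosts 192.168.1.11-13.
ext_if    = "em0"
wan_ip    = "203.0.113.10"
rdp_hosts = "{ 192.168.1.11, 192.168.1.12, 192.168.1.13 }"

# Layout 1 (JHarrel): one public IP alias per internal host, external port 3389.
# Costs one public address per host.
rdr on $ext_if proto tcp from any to 203.0.113.11 port 3389 -> 192.168.1.11 port 3389
rdr on $ext_if proto tcp from any to 203.0.113.12 port 3389 -> 192.168.1.12 port 3389
rdr on $ext_if proto tcp from any to 203.0.113.13 port 3389 -> 192.168.1.13 port 3389

# Layout 2 (Derelict / johnpoz): one public IP, a distinct external port per host,
# each translated to 3389 on the inside. Needs only the WAN address.
rdr on $ext_if proto tcp from any to $wan_ip port 13389 -> 192.168.1.11 port 3389
rdr on $ext_if proto tcp from any to $wan_ip port 23389 -> 192.168.1.12 port 3389
rdr on $ext_if proto tcp from any to $wan_ip port 33389 -> 192.168.1.13 port 3389

# The filter sees the packet after translation, so the associated pass rule
# (what pfSense's "Add associated filter rule" option creates) matches the
# internal host and internal port, not the public address or external port.
pass in quick on $ext_if proto tcp from any to $rdp_hosts port 3389 flags S/SA keep state
```

Pick one layout; both are shown together only for comparison. As the thread points out, either way 3389 on the internal host is reachable from any source on the internet, so the non-standard external ports in layout 2 reduce log noise but do not change the exposure, which is why the posters recommend an OpenVPN connection in front of RDP instead of a forward.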
                      • J
                        JHarrel
                        last edited by

                        Thanks for your note Champ!

                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          if I am in a client's office and want to connect to my office I sure do not want to install a VPN connector to my office.

                          If you are at a client's office you just run OpenVPN on your laptop, that is just sitting there already configured and always ready to go, and connect out. You don't have to install anything on the client's network.

                          If you're running OpenVPN for support on the client's network that you have set up as part of your management scheme, maybe you won't have to physically go there in the first place. ;)

                          It's really time to think about security. Port forwarded RDP is something that will likely bite you eventually.


                          1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @JHarrel
                            last edited by

                            @jharrel Seems you forgot the thumbs up with your thanks... But you're welcome... Anytime... Can walk you through how to run the OpenVPN wizard if you need it.. Lots of pictures I'm guessing, with arrows and "click here" signs.. Just ask and I'd be happy to walk you through it ;)


                            1 Reply Last reply Reply Quote 1
                            • J
                              JHarrel
                              last edited by

                              Thanks John!

                              1 Reply Last reply Reply Quote 0
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.