Firewall Rule to Allow RDP from WAN to LAN......Need help

DINU

I am not looking to RDP from Public internet... I am trying to RDP from WAN(Private IP) to LAN IP

My WAN IP is private IP (ie) 192.168.50.X and trying to RDP LAN IP (ie) 192.168.30.X

to Access from public internet I will create Open VPN.. that setup yet to configure...

johnpoz

If you want to rdp to something behind pfsense, then yes you have to create port forward in pfsense. If source hitting pfsense wan is also rfc1918, you would also have to disable the default block of rfc1918 address in pfsense.

DINU

Already both Block private networks and loopback addresses & Block bogon networks in WAN have been untick...

johnpoz

And did you allow for rdp from a remote network in your host? Out of the box windows firewall not going to allow rdp from something not on the local network.

DINU

My NAT rule as follows :

Interface Protocol Source Address Source Ports Dest. Address Dest. Ports NAT IP NAT Ports
WAN TCP * * LAN net 3389 (MS RDP) 192.168.30.30 3389 (MS RDP)

yes in host RDP access is allowed...

Derelict

Don't set a source port.

You had to go pretty deep into advanced settings and ignore warnings to get to that point.

I'd have to see a diagram to see if setting the source network of LAN net is applicable. It probably should not be set either.

DINU

Source port is not set it is any (*)

Let me check the advanced settings...

Derelict

How abouts you post an actual screen capture of the rule instead of a textual approximation of the same.

And there are two parts to a port forward. The NAT/PAT rule and the firewall rule. Best you post both.

DINU

Attach firewall rule & NAT == > WAN

Derelict

OK so you have a port forward on WAN with a destination address of LAN Net. How exactly do you expect that to work?

Why did you set the rule association to Pass? No docs state to do that.

And you are forcing the connection out WAN by setting that gateway on the rule.

DINU

Any update ???

johnpoz

Update? How exactly do you expect such a mess to work??

If you have questions about what something is or means, you need to ask.. Don't just go random clicking shit and picking stuff from the drop down..

To create a port forward in pfsense, really the only thing you have to touch is the port, redirect port, and the IP you want to send it too.. Everything else is going to be pretty much default.

And let the port forward create the firewall rule - which is default..

chpalmer

Turn the firewall off on the machine that your are trying to RDP into.

It will treat anything outside its own subnet as public and block it.

Your post with the graphic looks correct although MS recommends a TCP/UDP connection. I do not believe I ever have though. I normally do not leave such a rule in place any longer than I need it.

johnpoz

^ looks correct? What are you looking at? It sure not the mess he posted.. Has gateway set on his wan rule, the dest is Lan Net vs wan address in his port forward.

Here is the 3 things that need to be touched to port forward rdp

That is it, don't touch anything else - the defaults are all you need. It will create the firewall rule for you. You just need to make sure you turn off the default block rfc1918 rule because your source is actually rfc1918.

edit: Lets get tcp working before he worries about having a UDP connection ;) But sure if he wanted he could change it from default of tcp to tcp/udp.

DINU

I have tried with NAT Rule that did not helped so used PASS and took the screen shot at that time..

In one of the forum in netgate to mentioned gateway instead of default so I have tried that as well whether it may help...

Derelict

List of things to check is here:

https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

johnpoz

It should take you like 2 minutes top to trouble shoot a port forward..

Sniff on wan, do you see traffic to 3389? Sniff on Lan - do you see pfsense sending 3389 on to IP you want to send it to..

If you do - your problem is prob firewall on host your sending too, maybe rdp isn't even listening? Maybe it is using a different gateway other than pfsense? Maybe where you wanted to send it is now on a different IP? etc. etc..

Troubleshooting a port forward does not mean randomly changing settings ;)

MoonKnight

Hi,
And make sure you have enabled "Remote Desktop" on your computer you are trying to RDP :)

DINU

Thanks friends for the help, I can able to access my Windows Machines from WAN to LAN..
Two things I have done one is enabled firewall rules in WAN and added route in my source machine (ie) in WAN network.

route add 192.168.30.0 mask 255.255.255.0 192.168.50.100

johnpoz

So you turned off NAT in pfsense?