Netgate Discussion Forum
    Firewall Rule to Allow RDP from WAN to LAN......Need help

Firewalling | 76 Posts, 7 Posters, 10.8k Views

DINU:

Can you please make me a drawing and send it to me? It will be really helpful....

My switch is VLAN capable....

So bridge your modem, connect it to your VM pfSense on WAN.. Then put your networks behind, connected via your smart switch.. Do whatever VLANs you want, put 3rd party firmware on your Asus so you can do VLANs = done!

As per above, the Asus wifi router will come behind the firewall, and if I reboot my pfSense then it will affect the internet which is being used by my family (TV, mobile, laptop, etc.). I don't want that to happen...

FYI: I have Windows 2012 R2 on my host with VMware Workstation installed. pfSense is on VMware Workstation... I already have different vSwitches from VMware Workstation for my LAN, DMZ, freeSAN etc..

DINU:

Any update please??

johnpoz (LAYER 8 Global Moderator):

          @DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

if I reboot my pfSense

Why in the F would you do that.. The only time you need to reboot pfSense would be to upgrade its version.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

DINU:

I said I don't want my family to use the pfSense firewall... They have to access the internet without any disturbance...

Do you have any recommended diagram?

If not I will prepare one on my own....

johnpoz (LAYER 8 Global Moderator):

Do it how you were doing it then, but you're going to need pfSense to be NATing and port forwarding, or you're going to have a mess and stuff behind pfSense not going to be able to get to the internet, cuz your native firmware is not going to NAT downstream networks, or more likely even know how to route to them, etc.

So what I would do is just turn NAT back on in pfSense and if you need to get to stuff behind pfSense from the network upstream, then do a simple port forward.

DINU:

I have changed my connection now... as below

ISP Modem--->pfSense(VM)---> LAN--->Asus Wifi router

The LAN has a Windows 2012 R2 DHCP server (scope: 192.168.30.X) with a domain configured. All my Windows clients in the LAN get an IP from the Windows DHCP server. I am able to access the internet from my Windows client.

I have configured the Asus wifi router in wireless router mode; my router IP is 192.168.50.1 and DHCP is enabled: 192.168.50.2 to 192.168.50.100, so my wifi users will get IPs from the router.
In the router's WAN status I can see: Internet status: Disconnected.

Unable to access the internet through wifi; when I try to ping google.com I get request timed out, but when I do tracert 8.8.8.8 I am able to reach the IP.

Looks like a DNS issue; let me know what could be the problem.

Thanks,
Dinu

johnpoz (LAYER 8 Global Moderator):

Thought you said you didn't want to put pfSense in front.. If you're going to put pfSense in front, then you wouldn't be freaking NATing at your Asus.. But you wouldn't be routing either, you would use it as just an AP.. If you're going to use it as a downstream router, then you have to add a gateway in pfSense to know how to get to that downstream network.. And then you still run into the problem of hosts on your transit network..

Use your wifi router as just an AP, put it on a different VLAN if you want..

If you want to use your wifi router as a downstream NAT router, yeah its WAN would need to be able to talk to pfSense to get to the internet.. What is it using for DNS? You're saying devices behind your Asus can tracert to 8.8.8.8.. Where do the clients point for DNS, most likely your Asus.. Where does it point for DNS?

DINU @johnpoz:

@johnpoz:

I want to use my Asus wifi router as a downstream NAT router... I have DHCP enabled with DNS pointing to 8.8.8.8 and 8.8.4.4.

johnpoz (LAYER 8 Global Moderator):

As a NAT router there is nothing to do.. It would get its WAN IP from the pfSense LAN.. And use whatever DNS you hand it via DHCP.

It would then hand out some other IP range for its clients, pointing to itself for gateway and to itself for DNS..

When a client asks for DNS, the router would ask pfSense for DNS, etc.

If you want your clients or router to use 8.8.8.8 for DNS then set that, and make sure it's allowed.. You're not trying to redirect or block other DNS at pfSense or your Asus router? If your Asus router is saying it's not connected to the internet.. Then yeah you have some sort of problem - does its WAN get an IP from the pfSense DHCP server?

You understand you're in the same boat now: if you reboot pfSense, or the host pfSense is running on as a VM, your downstream router has no internet.. So if you're going to go that route, then why not just use your Asus as an AP and as a VLAN off pfSense directly?

DINU:

It would then hand out some other IP range for its clients, pointing to itself for gateway and to itself for DNS..
I have configured DHCP as below in my Asus router:
DHCP: 192.168.50.2 to 192.168.50.100
Gateway: 192.168.50.1
DNS: 8.8.8.8, 8.8.4.4

When a client asks for DNS, the router would ask pfSense for DNS, etc.
I have configured primary 8.8.8.8 and secondary 8.8.4.4 in pfSense DNS.

You're not trying to redirect or block other DNS at pfSense or your Asus router? If your Asus router is saying it's not connected to the internet.. Then yeah you have some sort of problem
I am not blocking any DNS at pfSense or the Asus router.

does its WAN get an IP from the pfSense DHCP server?
The Asus router is not getting a WAN IP from the Windows DHCP server... Note: I have not used pfSense DHCP; instead I have the Windows DHCP server.

So if you're going to go that route, then why not just use your Asus as an AP and as a VLAN off pfSense directly?
I have tried AP mode as well and I have the same issue: unable to access the internet but able to tracert 8.8.8.8...... That's what surprises me now... even in AP mode I am unable to access the internet.

johnpoz (LAYER 8 Global Moderator):

Are you allowing UDP? What are your firewall rules on your LAN? And you're saying your other clients can access, just not your wifi?

DINU:

[attachment: pfsense_firewall1.jpg]

And you're saying your other clients can access, just not your wifi?
Yes, my other clients (i.e. Windows machines sitting in the LAN) are able to access the internet.. but not the wifi clients...

johnpoz (LAYER 8 Global Moderator):

So when in AP mode your clients get an IP from DHCP on your LAN network, your Windows DHCP server? They point to pfSense for gateway?

DINU @johnpoz:

                                @johnpoz said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

They point to pfSense for gateway?

Yes, correct...

johnpoz (LAYER 8 Global Moderator):

You can ping the pfSense IP? But DNS does not work? Sniff on pfSense - do you see traffic from your wifi client for DNS?

pfSense can not tell the difference between something on LAN that is wired, or something that is wireless and bridged via an AP to your LAN..

You're not running a captive portal on pfSense are you? You're not doing any sort of thing with static ARPs? Validate that the traffic for your DNS query is actually getting to pfSense.. If you see it, then sniff on pfSense WAN while you do the same test - do you see pfSense send the query out its WAN?

DINU:

                                    @johnpoz said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

You can ping the pfSense IP? But DNS does not work? Sniff on pfSense - do you see traffic from your wifi client for DNS?

Yes, I am able to ping the pfSense gateway IP from my wifi client.. but DNS is not working... let me do a sniff and let you know..

Attached screenshot: my wifi router's WAN is getting an IP from the LAN DHCP server after the reboot of pfSense... [attachment: pfsense_firewall1.jpg] but the internet is not working because of the DNS issue...

DINU @johnpoz:

                                      @johnpoz said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

Validate that the traffic for your DNS query is actually getting to pfSense.. If you see it, then sniff on pfSense WAN while you do the same test - do you see pfSense send the query out its WAN?

Can you guide me how to do that?

DINU:

I have created nameservers pointing to 8.8.8.8 & 8.8.4.4 in the Windows DHCP server as well.

In the Windows DNS server I have created forwarders to 8.8.8.8 and 8.8.4.4 as well...

I have another question here: I have connected a cable between the LAN network (second physical NIC card) and the router's WAN port.. I can see IPs are being obtained from the DHCP server, including gateway and DNS... as I have posted in the screenshot...

DINU @DINU:

                                          @DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

Validate that the traffic for your DNS query is actually getting to pfSense.. If you see it, then sniff on pfSense WAN while you do the same test - do you see pfSense send the query out its WAN?

From the wifi client the DNS query is not working because it doesn't have an internet connection and also it is sitting on a different subnet... pfSense is sending the DNS query out its WAN; I have already informed that on my LAN Windows machine the internet is working fine... note: my LAN Windows clients are joined to the domain...

johnpoz (LAYER 8 Global Moderator):

Let's troubleshoot 1 issue at a time... Look on your client specifically for what it's using for DNS.. Your clients behind some NAT wifi router are normally going to get the wifi router's IP for DNS.. Doesn't always matter what you set in the wifi router's WAN settings, be it static or via DHCP.

Look on your client.. what does it show for its DNS? On Windows a simple ipconfig /all will show you this.

From your wifi client can you ping the pfSense IP? 192.168.30.1? Using your fav DNS tool on your client - can it resolve anything?

                                            $ ping 192.168.9.253
                                            
                                            Pinging 192.168.9.253 with 32 bytes of data:
                                            Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
                                            Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
                                            
                                            Ping statistics for 192.168.9.253:
                                                Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
                                            Approximate round trip times in milli-seconds:
                                                Minimum = 0ms, Maximum = 0ms, Average = 0ms
                                            Control-C
                                            ^C
                                            
                                            $ nslookup www.google.com
                                            Server:  pi-hole.local.lan
                                            Address:  192.168.3.10
                                            
                                            Non-authoritative answer:
                                            Name:    www.google.com
                                            Addresses:  2607:f8b0:4009:804::2004
                                                      172.217.4.36
                                            
                                            $ dig www.google.com
                                            
                                            ; <<>> DiG 9.14.4 <<>> www.google.com
                                            ;; global options: +cmd
                                            ;; Got answer:
                                            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26297
                                            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                                            
                                            ;; OPT PSEUDOSECTION:
                                            ; EDNS: version: 0, flags:; udp: 4096
                                            ;; QUESTION SECTION:
                                            ;www.google.com.                        IN      A
                                            
                                            ;; ANSWER SECTION:
                                            www.google.com.         1214    IN      A       172.217.4.36
                                            
                                            ;; Query time: 2 msec
                                            ;; SERVER: 192.168.3.10#53(192.168.3.10)
                                            ;; WHEN: Sun Sep 29 08:26:07 Central Daylight Time 2019
                                            ;; MSG SIZE  rcvd: 59
                                            

To validate you're actually getting to pfSense for anything.. Sniff on pfSense for the traffic, on your LAN interface under the Diag > Packet Capture menu

                                            dig @192.168.9.253 www.sljfdljdsflsjlfd.com

                                            8:28:51.351448 00:13:3b:2f:67:63 > 00:08:a2:0c:e6:24, ethertype IPv4 (0x0800), length 107: (tos 0x0, ttl 128, id 35658, offset 0, flags [none], proto UDP (17), length 93)
                                                192.168.9.101.56267 > 192.168.9.253.53: [udp sum ok] 3723+ [1au] A? www.sljfdljdsflsjlfd.com. ar: . OPT UDPsize=4096 (65)
                                            

Set your capture for LAN, port 53, UDP.. set the level of detail to full... See above on the sniff: it shows the query I did for www.sljfdljdsflsjlfd.com

If you're behind your NATing Asus router, you're getting an IP from its DHCP server, and it's different than that 192.168.30.x right? 192.168.50/24?? not 192.168.50/16 for example, which would overlap your Asus WAN network.

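The two checks johnpoz asks for in this post and in his earlier "sniff on pfSense" post (confirm the Asus LAN range does not overlap the pfSense LAN it uses as its WAN; capture DNS on the pfSense LAN interface, then on WAN, to see where the query stops) as an added Python example. This is not code from the thread, from Netgate or from pfSense. The capture lines are constructed in the tcpdump "full detail" format the post shows, with made-up MAC addresses; the client addresses 192.168.30.20/192.168.30.77 and the pfSense WAN address 203.0.113.5 are assumptions. Save a capture from Diag > Packet Capture and pass its text to the functions in place of the constructed samples.

```python
import ipaddress
import re

# Check 1: the wifi router's LAN must not overlap the network on its WAN side
# (the pfSense LAN). johnpoz's case: 192.168.50/24 is fine, 192.168.50/16 would
# swallow a 192.168.30.x pfSense LAN and break routing back to it.
def networks_overlap(downstream_lan, upstream_lan):
    """True if the two networks share any address. strict=False accepts a
    host-style string such as 192.168.50.1/16 and uses its network."""
    a = ipaddress.ip_network(downstream_lan, strict=False)
    b = ipaddress.ip_network(upstream_lan, strict=False)
    return a.overlaps(b)

# Check 2: read pfSense packet-capture output at "full" detail and find the DNS
# questions in it. Assumption: the second line of each packet has the shape
#   192.168.9.101.56267 > 192.168.9.253.53: [udp sum ok] 3723+ [1au] A? name. ...
DNS_QUERY_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r".*?\b(?P<qtype>AAAA|A|PTR)\? (?P<qname>\S+)"
)

def parse_dns_queries(capture):
    """Return one dict per DNS question (port 53) found in the capture text."""
    queries = []
    for line in capture.splitlines():
        m = DNS_QUERY_RE.search(line)
        if m and int(m["dport"]) == 53:
            queries.append({
                "src": m["src"],
                "dst": m["dst"],
                "qtype": m["qtype"],
                "qname": m["qname"].rstrip("."),   # drop the trailing root dot
            })
    return queries

def queries_from_subnet(capture, client_net, qname):
    """Questions for qname whose source sits in client_net (the wifi side)."""
    net = ipaddress.ip_network(client_net, strict=False)
    return [q for q in parse_dns_queries(capture)
            if ipaddress.ip_address(q["src"]) in net and q["qname"] == qname]

def diagnose(lan_capture, wan_capture, client_net, qname):
    """Separate the three outcomes the LAN sniff and the WAN sniff distinguish."""
    if not queries_from_subnet(lan_capture, client_net, qname):
        return "NOT_AT_LAN"   # never reached pfSense: client, AP/router, or LAN rules
    if not [q for q in parse_dns_queries(wan_capture) if q["qname"] == qname]:
        return "LAN_ONLY"     # pfSense saw it but did not send it upstream
    return "FORWARDED"        # left on WAN; look upstream or at the reply path

# Constructed sample captures (not real traffic): a wired client asking pfSense,
# and the Asus WAN address asking 8.8.8.8 directly, as DINU's clients are set to.
LAN_CAPTURE = """\
10:01:02.100000 aa:bb:cc:00:00:01 > aa:bb:cc:00:00:ff, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 127, id 1, offset 0, flags [none], proto UDP (17), length 72)
    192.168.30.20.51000 > 192.168.30.1.53: [udp sum ok] 1+ A? www.example.com. (32)
10:01:03.100000 aa:bb:cc:00:00:02 > aa:bb:cc:00:00:ff, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 63, id 2, offset 0, flags [none], proto UDP (17), length 72)
    192.168.30.77.40000 > 8.8.8.8.53: [udp sum ok] 2+ A? www.example.net. (32)
"""
# The same second query after pfSense outbound NAT, as seen on the WAN interface
# (pfSense WAN address 203.0.113.5 is an assumed documentation address).
WAN_CAPTURE = """\
10:01:03.100500 aa:bb:cc:00:00:ee > aa:bb:cc:00:00:dd, ethertype IPv4 (0x0800), length 86: (tos 0x0, ttl 62, id 2, offset 0, flags [none], proto UDP (17), length 72)
    203.0.113.5.40000 > 8.8.8.8.53: [udp sum ok] 2+ A? www.example.net. (32)
"""

if __name__ == "__main__":
    print("overlap /24:", networks_overlap("192.168.50.0/24", "192.168.30.0/24"))
    print("overlap /16:", networks_overlap("192.168.50.1/16", "192.168.30.0/24"))
    print(diagnose(LAN_CAPTURE, WAN_CAPTURE, "192.168.30.0/24", "www.example.net"))
```

Run the LAN capture first: if the query from the Asus WAN address (or from the wifi client itself in AP mode) is absent, pfSense is not the problem and the client's resolver setting (ipconfig /all) or the router's WAN link is. Only when it is present on LAN but absent on WAN does the pfSense side (resolver, forwarders, outbound rules) deserve attention.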
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.