Windows Remote Assistance - Inbound AND outbound not working

  • Hi all,

    Hoping someone can give me a hand. I have a strange issue with Windows Remote assistance (click start, type help, select Invite someone to my pc to help). I can neither request users connect to me, nor can I connect to any users. When my family members require remote assistance, I always have to tether through my phone to make it work. Any ideas on how to fix this? I dont care as much about allowing inbound remote requests to work, but as I am the primary support for much of my extended family, not being able to connect outbound from behind my pfsense device is becoming more frustrating. I appreciate any help or tips, thanks!

    ![remote error.png](/public/imported_attachments/1/remote error.png)
    ![remote error.png_thumb](/public/imported_attachments/1/remote error.png_thumb)

  • Rebel Alliance Developer Netgate

    Are you using a proxy on the firewall such as squid?

    That's about the only thing I can think of that might interfere. That, or maybe if you have some outbound ports blocked.

  • Thanks for the response. No squid or any other proxy packages, and the only rules I have for outbound are allows. Its relly strange, Im just not sure why it doesnt seem to work and not sure how to troubleshoot it :(

    ![wan rules.png](/public/imported_attachments/1/wan rules.png)
    ![wan rules.png_thumb](/public/imported_attachments/1/wan rules.png_thumb)

  • LAYER 8 Global Moderator

    You sure the problem is not on their end?  Remote assistance if they are behind a nat can send you their rfc1918 address that would never work.

    Same thing goes if you sent out a request..  So look I just created a remote request, look in the invitation file it lists my private IP.  And in the great tool that it is also gives my vpn IP address <rolleyes>That tool works fine if everyone is on public IP space ;)  Never the case - maybe it will be worth something when everyone is on ipv6..

    I would suggest you either use rdp directly and have them forward the 3389 port on their end.  Or I would really suggest you use something like teamviewer to support them.  This uses a service on the internet to brokerage the connection.  They make an outbound connection to the internet, you talk to that service and it allows your 2 machines to talk.  This type of system doesn't care if both sides are behind a nat, etc.

    Its quite simple to use.  They don't even need to install anything, they can just run it and give you a code.. You run teamviewer on your side and put in the code.  No need for accounts, no need to install anything.  Works on windows, linux and mac..  Shoot even has mobile versions so you can support them from your iphone or android if you so desire.  And FREE to boot..


  • Thanks for the analysis johnpoz. I'm about 95% sure that its something with pFsense. On the same computer, if I try to connect on my home network, I am unable to connect outbound, but if I then tether to my Verizon based android device, I am able to connect just fine using the same invitation file. Looking at the last file I used, its seems to give both the public and private IP, maybe it opens a unPnP port through the local router and then translates that to the local LAN accress after? Not sure what magic it uses.

    RCTICKET="65538,1,;50.177.2**.2**:64325,,PJdqXc+o6MSaygjghkgklhQliRHRSTbgXEo3vVnpEzfMDWs2zj7DWKijx6k8kwM,,*,ZRiwfgdhhjJA+521EShgfdh9MPk=" PassStub="Zw+3RhgfdhgfrdWEMz" RCTICKETENCRYPTED="1" DtStart="1467677610" DtLength="360" L="0"/>

    I may eventually have to go to a third party solution, the nice thing about the remote assistance is that its installed by default across all newer Windows version, and trying to walk a senior citizen on how to even access a third party tool over the phone across the country so I can remotely access a machine is never a speedy experience.

    I am just interested as to why I cant seem to make it work behind the pfsense, I think your tip in IPv6 rings a bell when I was investigating this the first time, but I think that's just used for the "easy connect" feature, not the send a file feature. All the addresses in the invite files I have appear to be ipv4.

    Anyway, thanks for the tips, if anyone else has any ideas please let me know!

  • LAYER 8 Global Moderator

    Well pfsense does not have UPnP enabled…Unless you turn it on. So no pfsense is not going to open up anything via UPnP.. But that would have nothing to do with you connecting to them..  Do their routers have UPnP enabled - most likely not since that got turned off by default by pretty much every maker I know since it can be a HUGE security issue.  They use to come with UPnP enabled out of the box, but that changed AFAIK many many years ago.

    Pfsense doesn't give 2 shits what port you connect to going in the outbound direction unless you have edited the default lan rules.  So in your setup with that example pfsense would have to know to forward 64235 to your address which I assume is 50399 ??  Or is it listening on 64325 as well.  You could check with netstat on your windows box what ports are being listened by and which process.

    I don't care if the people are living in a home for the specially extra retarded ;)  If you can not have them go to http://teamviewer and download and run the exe.. Or you could just email them the file.. They are prob not even using a computer and are prob sitting in front of a etch-a-sketch ;)

    You would will be amazed at how easy it is to get them running teamviewer.. If you have them install it.. You could just take control over their machine whenever be it they are there or not.. That is what I would do for those extra special family members you have to support ;)

Log in to reply