Setting up NAT to perform RDP



  • I'm trying to NAT a local IP to a WAN IP to try performing RDP using an outside pc going to the NAT'ed IP of the pc inside a pfsense fw.

    What I did so far is:
    1. Created a WAN and LAN rule for the meantime with "any" for the source/destination and ports, etc, in short all are set to any
    2. Created a NAT/Forwarding.

    Interface: WAN
    Protocol: TCP/UDP
    Source: 121.x.x.x one of the WAN IP in my block
    Ports: Any (also tried 3389)
    Destination: 192.168.0.7 (the local IP of the client machine)
    Ports: Any (also tried 3389)
    Filter Rule: Pass
    NAT Reflection: use system default

    Am I missing something here?

    Thanks
    jepoy



  • Just an update, I tried to play around with the NAT setup and I tried to NAT the local IP: 192.168.0.7 to the WAN IP of the pfsense interface 121.x.x.x

    It did successfully performed RDP but when I chose another WAN IP which is within the WAN IP block, I mean if the pfsense WAN IP interface is

    121.x.x.1 = successful
    121.x.x.2 = unsuccessful

    Do I need to do an extra action? or am I missing something here?

    Thanks
    jepoy



  • Issue Solved!! The way I'm doing it was wrong. I created a rule on "Port Forwarding" instead of "1:1".

    I guess I need to familiarize myself with it's GUI :)

    Thanks
    jepoy


  • LAYER 8 Global Moderator

    Opening up rdp to the public internet is more than likely not a good idea.. Did you lock down the firewall rule to only allow your source IP to get to it?  Is this a temp thing to allow someone to help you?  Leaving rdp open to the public internet is going to attract lots of attempts to login.

    Its a much better idea if you need to remote to something on your network to vpn in… Much more secure connection to your network..

    So in the last 24 hours I see 24 hits in my log, and I only allow 500 entries total..  So far today 8/25 in less than 6 hours see 6 hits, so like 1 an hour etc..




  • I see, well I have to learn first vpn, hehehe…

    thanks
    jepoy


  • LAYER 8 Global Moderator

    Its pretty straight forward, clickity clickity through the openvpn wizard.. If you have questions - ask away in the openvpn section..  Here to help..





  • @jepoytengco:

    Created a WAN and LAN rule for the meantime with "any" for the source/destination and ports, etc, in short all are set to any

    You hopefully deleted that already - at least from WAN!?



  • Guys, just an update, yesterday was still working fine. Internet connection and RDP. My colleague (mid shift) turned off the computer yesterday. This morning when I arrived the office, kind of weird that the computer hass no internet connection. So I doubted the NAT activity yesterday and I disabled the NAT 1:1 rule first then the internet connection's back. But when I enable it again, internet's down again.

    Any clues?

    Thanks
    jepoy


  • LAYER 8 Global Moderator

    why do you have a 1:1 nat???  At no point is 1:1 nat need or desired for rdp access..



  • Basically the purpose of this NAT is just to point a WAN IP to a local IP and just for trial experimental so as to practice NAT. And one sample of services running on this NAT is rdp.

    Thanks
    jepoy


  • LAYER 8 Global Moderator

    well are you doing 1:1 or port forward.. To be honest a 1:1 nat is not something normally desired.. Once you you do a 1:1 nat you can for sure limit that with firewall rules.  But normally boxes have a limited number of ports needed inbound from the public so its just easier to control and maintain with simple port forwards.



  • I understand, I just simply want to try it out but thanks really for the advice. Yep, I've been trying to perform 1:1

    Thanks
    jepoy


  • LAYER 8 Global Moderator

    "I've been trying to perform 1:1"

    So you have 1:1 setup and then other port forwards as well.. This doesn't play nice together.  You either do 1:1 or you port forward not a combination of both to the same IP?  To be honest if you have 1 IP and you want to forward to other machines its confusing to setup 1:1 so you setup 1:1 and that says all unsolicited go to 192.168.1.100, but then you try and forward port 80 to 192.168.1.101 ?? etc..

    Do you have multiple public IPs where you could use 1 for your napt for all your other boxes.  And for public IP 2 you tie this to a 1:1 nat for 192.168.1.100 etc..

    If your flipping stuff around between port forward and 1:1 did you check your state table if your saying stuff is not working?  But again 1:1 is not a very common need..



  • No port forward. Yes I have multiple IP's since we're on a /29 block

    thanks
    jepoy


  • LAYER 8 Global Moderator

    So you setup vip on one of your other IPs in your /29 and setup the vip on that and setup the outbound nat for that box your doing 1:1 nat to to use that vip?

    If you are going to do port forwarding with your other IPs, you want to make sure that your answering are going back via the correct IP, etc.  If I recall pfsense will auto do it correctly - but if your having issues you need to verify..

    So you created all of the vips for your IPs in the /29 ??


Log in to reply