Netgate Discussion Forum

Setting up NAT to perform RDP

    jepoytengco
    last edited by Aug 25, 2016, 6:34 AM

    I'm trying to NAT a local IP to a WAN IP to try performing RDP using an outside pc going to the NAT'ed IP of the pc inside a pfsense fw.

    What I did so far is:
    1. Created a WAN and LAN rule for the meantime with "any" for the source/destination and ports, etc, in short all are set to any
    2. Created a NAT/Forwarding.

    Interface: WAN
    Protocol: TCP/UDP
    Source: 121.x.x.x one of the WAN IPs in my block
    Ports: Any (also tried 3389)
    Destination: 192.168.0.7 (the local IP of the client machine)
    Ports: Any (also tried 3389)
    Filter Rule: Pass
    NAT Reflection: use system default

    Am I missing something here?

    Thanks
    jepoy

      jepoytengco
      last edited by Aug 25, 2016, 7:13 AM

      Just an update, I tried to play around with the NAT setup and I tried to NAT the local IP: 192.168.0.7 to the WAN IP of the pfsense interface 121.x.x.x

      It did successfully perform RDP but when I chose another WAN IP which is within the WAN IP block, I mean if the pfsense WAN IP interface is

      121.x.x.1 = successful
      121.x.x.2 = unsuccessful

      Do I need to do an extra action? or am I missing something here?

      Thanks
      jepoy

        jepoytengco
        last edited by Aug 25, 2016, 8:47 AM

        Issue Solved!! The way I'm doing it was wrong. I created a rule on "Port Forwarding" instead of "1:1".

        I guess I need to familiarize myself with its GUI :)

        Thanks
        jepoy

          johnpoz LAYER 8 Global Moderator
          last edited by Aug 25, 2016, 10:41 AM

          Opening up rdp to the public internet is more than likely not a good idea.. Did you lock down the firewall rule to only allow your source IP to get to it?  Is this a temp thing to allow someone to help you?  Leaving rdp open to the public internet is going to attract lots of attempts to login.

          It's a much better idea if you need to remote to something on your network to vpn in… Much more secure connection to your network..

          So in the last 24 hours I see 24 hits in my log, and I only allow 500 entries total..  So far today 8/25 in less than 6 hours see 6 hits, so like 1 an hour etc..

          blockedrdp.jpg

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            jepoytengco
            last edited by Aug 25, 2016, 3:20 PM

            I see, well I have to learn first vpn, hehehe…

            thanks
            jepoy

              johnpoz LAYER 8 Global Moderator
              last edited by Aug 25, 2016, 3:48 PM

              It's pretty straightforward, clickity clickity through the openvpn wizard.. If you have questions - ask away in the openvpn section..  Here to help..

                KOM
                last edited by Aug 25, 2016, 4:55 PM

                Yes, it's pretty simple.

                https://doc.pfsense.org/index.php/OpenVPN_Remote_Access_Server

                https://doc.pfsense.org/index.php/OpenVPN_Client_Export_Package

                  jahonix
                  last edited by Aug 25, 2016, 9:20 PM

                  @jepoytengco:

                  Created a WAN and LAN rule for the meantime with "any" for the source/destination and ports, etc, in short all are set to any

                  You hopefully deleted that already - at least from WAN!?

                    jepoytengco
                    last edited by Aug 26, 2016, 3:25 AM

                    Guys, just an update, yesterday was still working fine. Internet connection and RDP. My colleague (mid shift) turned off the computer yesterday. This morning when I arrived at the office, kind of weird that the computer has no internet connection. So I doubted the NAT activity yesterday and I disabled the NAT 1:1 rule first then the internet connection's back. But when I enable it again, internet's down again.

                    Any clues?

                    Thanks
                    jepoy

                      johnpoz LAYER 8 Global Moderator
                      last edited by Aug 26, 2016, 12:18 PM

                      Why do you have a 1:1 nat???  At no point is 1:1 nat needed or desired for rdp access..

                        jepoytengco
                        last edited by Aug 26, 2016, 3:24 PM

                        Basically the purpose of this NAT is just to point a WAN IP to a local IP and just for trial experimental so as to practice NAT. And one sample of services running on this NAT is rdp.

                        Thanks
                        jepoy

                          johnpoz LAYER 8 Global Moderator
                          last edited by Aug 26, 2016, 4:28 PM

                          Well, are you doing 1:1 or port forward.. To be honest a 1:1 nat is not something normally desired.. Once you do a 1:1 nat you can for sure limit that with firewall rules.  But normally boxes have a limited number of ports needed inbound from the public so it's just easier to control and maintain with simple port forwards.

                            jepoytengco
                            last edited by Aug 27, 2016, 8:14 AM Aug 27, 2016, 7:01 AM

                            I understand, I just simply want to try it out but thanks really for the advice. Yep, I've been trying to perform 1:1

                            Thanks
                            jepoy

                              johnpoz LAYER 8 Global Moderator
                              last edited by Aug 27, 2016, 3:41 PM Aug 27, 2016, 10:36 AM

                              "I've been trying to perform 1:1"

                              So you have 1:1 setup and then other port forwards as well.. This doesn't play nice together.  You either do 1:1 or you port forward not a combination of both to the same IP?  To be honest if you have 1 IP and you want to forward to other machines it's confusing to setup 1:1 so you setup 1:1 and that says all unsolicited go to 192.168.1.100, but then you try and forward port 80 to 192.168.1.101 ?? etc..

                              Do you have multiple public IPs where you could use 1 for your napt for all your other boxes.  And for public IP 2 you tie this to a 1:1 nat for 192.168.1.100 etc..

                              If you're flipping stuff around between port forward and 1:1 did you check your state table if you're saying stuff is not working?  But again 1:1 is not a very common need..

                                jepoytengco
                                last edited by Aug 27, 2016, 3:38 PM

                                No port forward. Yes I have multiple IPs since we're on a /29 block

                                thanks
                                jepoy

                                  johnpoz LAYER 8 Global Moderator
                                  last edited by Aug 27, 2016, 3:45 PM

                                  So you setup vip on one of your other IPs in your /29 and setup the vip on that and setup the outbound nat for that box you're doing 1:1 nat to, to use that vip?

                                  If you are going to do port forwarding with your other IPs, you want to make sure that your answers are going back via the correct IP, etc.  If I recall pfsense will auto do it correctly - but if you're having issues you need to verify..

                                  So you created all of the vips for your IPs in the /29 ??


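The two approaches discussed in this thread, written out as an added example in pf.conf syntax (pf is the packet filter pfSense is built on). This is not configuration posted by anyone in the thread; the interface name and every public address are constructed placeholders from documentation ranges, and only 192.168.0.7 comes from the first post.

```pf
# Constructed values: em0 as WAN, 203.0.113.0/29 as the public block,
# 198.51.100.10 as the single trusted remote admin address.
ext_if    = "em0"
wan_ip    = "203.0.113.1"   # address on the WAN interface itself
vip_ip    = "203.0.113.2"   # another address from the /29 (assumed to exist as a virtual IP)
rdp_host  = "192.168.0.7"   # internal RDP host from the first post
admin_src = "198.51.100.10"

# --- Translation (evaluated before filtering) ---

# Option A, port forward: only TCP 3389 arriving on wan_ip from the
# trusted source is redirected to the internal host.
rdr on $ext_if inet proto tcp from $admin_src to $wan_ip port 3389 -> $rdp_host port 3389

# Option B, 1:1 NAT: every port on vip_ip maps to rdp_host, and the host's
# outbound traffic leaves as vip_ip. Use A or B for a given host, not both.
# binat on $ext_if inet from $rdp_host to any -> $vip_ip

# --- Filtering (the destination is already the internal address) ---
block in log on $ext_if all

# Weak: the temporary "any/any" WAN rule described in the first post.
# pass in quick on $ext_if from any to any

# Scoped: one source, one protocol, one port. Works with option A or B.
pass in quick on $ext_if inet proto tcp from $admin_src to $rdp_host port 3389 flags S/SA keep state
```

With option B the filter rule is the only thing limiting exposure, since the translation itself covers all ports.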