Setting up RDP with router and pfSense



  • I've done a few searches and can't seem to find a guide on how to set up RDP using a router and a pfSense FW.

    I'd like to leave the router in its normal operation (i.e., not bridged) and connect it to a pfSense box. Is this possible? Or do I have to put the router/modem in bridge mode?

    I've tried port forwarding on both devices for RDP, but no luck. I've checked all the other Windows settings and Windows firewall to allow 3389 through.

    I'm hoping there is a post or how-to guide out there somewhere, I just can't seem to find it. Or if anyone has accomplished this, I would be so grateful if you would share how exactly you set it up.

    In my environment, the router/modem (it's one of those Frontier combos) is on the 192.168.254.0/24 subnet. The pfSense box is on the 192.168.1.0/24 subnet. I'm sure I'm overlooking something fairly simple.

    Many thanks for guidance on this.



  • Have you unchecked "Block private networks" in the WAN interface settings? The check has to be removed to enable access, since your WAN is in a private subnet.



  • I just unchecked it. Still no dice.

    I am wondering if I need to set port-forwarding for RDP on the Frontier router or just on the pfSense box?



  • Best practice is to bridge the router if possible and assign the public address to the pfSense WAN interface.

    Otherwise, in a double NAT setup, you have to forward the services on both routers, of course: on the outside router to the pfSense WAN address, and on pfSense to the LAN device. Best practice in such a setup is to forward the whole traffic to pfSense if there are no other devices in the network in between which should also be accessed from outside.
    Tomato routers have special settings for this, often called "exposed host" or DMZ.



  • Once in a while I use RDP (Windows 2008 server) access from the "outside".
    I have a router in front of pfSense.
    Works ok, but, as stated, you have to NAT (PAT) twice.
    Once for pfSense and once for your router.

    Normally, I'm NOT using the RDP access, because I use the VPN capabilities of pfSense.
    Guess what: the VPN connection should also be NATed in your router (the VPN Wizard added a firewall rule to your WAN connection; NAT isn't needed because the destination is pfSense itself).



  • @viragomann:

    Best practice is to bridge the router if possible and assign the public address to the pfSense WAN interface.

    Otherwise, in a double NAT setup, you have to forward the services on both routers, of course: on the outside router to the pfSense WAN address, and on pfSense to the LAN device. Best practice in such a setup is to forward the whole traffic to pfSense if there are no other devices in the network in between which should also be accessed from outside.
    Tomato routers have special settings for this, often called "exposed host" or DMZ.

    Thank you. Bridge mode on the Frontier router and adding a rule seemed to do the trick.


  • "Normally, I'm NOT using the RDP access, because I use the VPN capabilities of pfSense."

    So why do you want RDP access? I hope you're restricting it to limited source IPs at least. Opening up RDP to the public internet is not something I would suggest from a security point of view.
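The two points made in this thread, that a double-NAT setup needs a forward on both the Frontier router and pfSense (viragomann's reply) and that any RDP forward should be limited to known source IPs (the moderator's reply), can be checked with a small model of the path an inbound connection takes. The script below is an added example, not code from any poster or from pfSense itself. It uses the thread's two subnets (192.168.254.0/24 and 192.168.1.0/24); the pfSense WAN address 192.168.254.2, the LAN RDP host 192.168.1.10 and the public client ranges are constructed placeholders, and "Block private networks" is modelled as what the option does, namely dropping inbound packets on WAN whose source address is RFC 1918.

```python
"""Trace an inbound RDP connection through a double-NAT pfSense setup.

Added example (not from the thread or from pfSense). Hosts and public
ranges below are constructed placeholders; the subnets are the thread's.
"""
import ipaddress
from dataclasses import dataclass, replace

RDP_PORT = 3389

# pfSense's "Block private networks" WAN option drops inbound packets whose
# SOURCE is RFC 1918. A public client is unaffected; a test run from inside
# the Frontier router's 192.168.254.0/24 subnet is silently dropped.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Setup:
    bridged: bool                 # ISP router in bridge mode -> single NAT
    router_forwards: dict         # {wan_port: (inner_ip, inner_port)} on the ISP router
    pfsense_wan: str              # pfSense WAN address
    block_private_networks: bool  # pfSense WAN interface option
    wan_rule_sources: list        # source networks allowed by the pfSense WAN rule
    pfsense_forwards: dict        # {wan_port: (lan_ip, lan_port)} on pfSense


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def source_allowed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def trace_inbound(src_ip, dst_port, setup):
    """Follow one inbound TCP SYN. Returns (delivered, list of hop descriptions)."""
    hops = []
    port = dst_port
    # Hop 1: the ISP router. Bridged, it just passes the packet on; otherwise
    # it must have its own forward pointing at the pfSense WAN address.
    if setup.bridged:
        hops.append("router: bridged, packet reaches pfSense WAN unchanged")
    else:
        fwd = setup.router_forwards.get(dst_port)
        if fwd is None:
            hops.append(f"router: no forward for tcp/{dst_port}, dropped at the outer NAT")
            return False, hops
        inner_ip, port = fwd
        if inner_ip != setup.pfsense_wan:
            hops.append(f"router: tcp/{dst_port} sent to {inner_ip}, not the pfSense WAN, lost")
            return False, hops
        hops.append(f"router: tcp/{dst_port} -> {inner_ip}:{port}")
    # Hop 2: pfSense WAN interface options.
    if setup.block_private_networks and is_rfc1918(src_ip):
        hops.append(f"pfsense: source {src_ip} is RFC 1918, dropped by Block private networks")
        return False, hops
    # Hop 3: pfSense port forward plus the WAN rule that admits traffic to it.
    fwd = setup.pfsense_forwards.get(port)
    if fwd is None:
        hops.append(f"pfsense: no port forward for tcp/{port}, dropped by default deny")
        return False, hops
    if not source_allowed(src_ip, setup.wan_rule_sources):
        hops.append(f"pfsense: source {src_ip} outside the WAN rule allowlist, dropped")
        return False, hops
    lan_ip, lan_port = fwd
    hops.append(f"pfsense: tcp/{port} -> {lan_ip}:{lan_port}")
    return True, hops


# Constructed configurations. 203.0.113.0/24 stands in for the admin's known source range.
DOUBLE_NAT = Setup(
    bridged=False,
    router_forwards={RDP_PORT: ("192.168.254.2", RDP_PORT)},
    pfsense_wan="192.168.254.2",
    block_private_networks=True,
    wan_rule_sources=["203.0.113.0/24"],
    pfsense_forwards={RDP_PORT: ("192.168.1.10", RDP_PORT)},
)
ONLY_PFSENSE = replace(DOUBLE_NAT, router_forwards={})      # forward set on pfSense only
BRIDGED = replace(DOUBLE_NAT, bridged=True)                 # the fix the OP ended up with

if __name__ == "__main__":
    for label, src, setup in [("public client, double NAT", "203.0.113.5", DOUBLE_NAT),
                              ("public client, pfSense forward only", "203.0.113.5", ONLY_PFSENSE),
                              ("test from router subnet", "192.168.254.20", DOUBLE_NAT),
                              ("unlisted public client", "198.51.100.7", DOUBLE_NAT),
                              ("public client, bridged", "203.0.113.5", BRIDGED)]:
        ok, hops = trace_inbound(src, RDP_PORT, setup)
        print(f"{label}: {'delivered' if ok else 'dropped'}\n  " + "\n  ".join(hops))
```

The ONLY_PFSENSE case reproduces the OP's symptom: a forward on pfSense alone never sees the packet, because the outer router has no rule for it. The "test from router subnet" case shows why "Block private networks" matters in this topology even when the eventual clients are public, and the allowlist check is the moderator's source-IP restriction expressed as a rule on the pfSense WAN interface.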