Netgate Discussion Forum

    Setting up RDP with router and pfSense

      gilesitis

      I've done a few searches and can't seem to find a guide on how to set up RDP using a router and a pfSense FW.

      I'd like to leave the router in its normal operation (i.e., not bridged) and connect it to a pfSense box. Is this possible? Or do I have to put the router/modem in bridge mode?

      I've tried port forwarding on both devices for RDP, but no luck. I've checked all the other Windows settings and Windows firewall to allow 3389 through.

      I'm hoping there is a post or how-to guide out there somewhere, I just can't seem to find it. Or if anyone has accomplished this, I would be so grateful if you would share how exactly you set it up.

      In my environment, the router/modem (it's one of those Frontier combos) is on the 192.168.254.0/24 subnet. The pfSense box is on the 192.168.1.0/24 subnet. I'm sure I'm overlooking something fairly simple.

      Many thanks for guidance on this.

        viragomann

        Have you unchecked "Block private networks" in the WAN interface settings? The check has to be removed to enable access, since your WAN is in a private subnet.

          gilesitis

          I just unchecked it. Still no dice.

          I am wondering if I need to set port-forwarding for RDP on the Frontier router or just on the pfSense box?

            viragomann

            Best practice is to bridge the router if possible and assign the public address to the pfSense WAN interface.

            Otherwise, in a double NAT setup, you have to forward the services on both routers, of course: on the outside router to the pfSense WAN address, and on pfSense to the LAN device. Best practice in such a setup is to forward all traffic to pfSense if there are no other devices in the network in between that should also be accessed from outside.
            Tomato routers have special settings for this, often called "exposed host" or DMZ.

              Gertjan

              Once in a while I use RDP (Windows 2008 server) access from the "outside".
              I have a router in front of pfSense.
              Works OK, but, as stated, you should NAT (PAT) twice.
              Once for pfSense and once for your router.

              Normally, I'm NOT using the RDP access, because I use the VPN capabilities of pfSense.
              Guess what: the VPN connection should also be NATed in your router (the VPN wizard added a firewall rule to your WAN connection - NAT isn't needed because the destination is pfSense itself).

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

                gilesitis

                @viragomann:

                Best practice is to bridge the router if possible and assign the public address to the pfSense WAN interface.

                Otherwise, in a double NAT setup, you have to forward the services on both routers, of course: on the outside router to the pfSense WAN address, and on pfSense to the LAN device. Best practice in such a setup is to forward all traffic to pfSense if there are no other devices in the network in between that should also be accessed from outside.
                Tomato routers have special settings for this, often called "exposed host" or DMZ.

                Thank you. Bridge mode on the Frontier router and adding a rule seemed to do the trick.

                  johnpoz LAYER 8 Global Moderator

                  "Normally, I'm NOT using the RDP access, because I use the VPN capabilities of pfSense."

                  So why do you want RDP access? I hope you're restricting it to limited source IPs at least. Opening up RDP to the public internet is not something I would suggest from a security point of view.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11
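
Added example, not code from any poster in this thread or from the pfSense project: a small audit that reads a pfSense configuration backup and lists WAN port forwards that expose RDP (TCP 3389) with source "any", which is the exposure the last post warns about. The element names (`nat/rule`, `source/any`, `destination/port`, `local-port`, `target`) are assumed to match your `config.xml` export, and the sample configuration and its addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <nat> section of a pfSense config.xml
# backup (layout is an assumption); all addresses are example values.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule><descr>RDP open to any source</descr>
      <interface>wan</interface><source><any/></source>
      <destination><network>wanip</network><port>3389</port></destination>
      <target>192.168.1.50</target><local-port>3389</local-port></rule>
    <rule><descr>RDP limited to one admin IP</descr>
      <interface>wan</interface><source><address>203.0.113.10</address></source>
      <destination><network>wanip</network><port>3389</port></destination>
      <target>192.168.1.51</target><local-port>3389</local-port></rule>
    <rule><descr>Port range that covers 3389</descr>
      <interface>wan</interface><source><any/></source>
      <destination><network>wanip</network><port>3000-4000</port></destination>
      <target>192.168.1.52</target><local-port>3000</local-port></rule>
  </nat>
</pfsense>"""

RDP_PORT = 3389

def covers(port_spec, port):
    """True if a port field ('3389', '3000-4000' or '3000:4000') includes port."""
    lo, _, hi = (port_spec or "").replace(":", "-").partition("-")
    if not lo.isdigit():
        return False  # alias name or empty field: not resolvable from this section
    return int(lo) <= port <= int(hi if hi.isdigit() else lo)

def open_rdp_forwards(config_xml):
    """Return (descr, target) for enabled WAN forwards exposing RDP to any source."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./nat/rule"):
        if rule.find("disabled") is not None or rule.findtext("interface") != "wan":
            continue
        # Treat the forward as RDP if either the outside or inside port is 3389.
        hits_rdp = (covers(rule.findtext("destination/port"), RDP_PORT)
                    or covers(rule.findtext("local-port"), RDP_PORT))
        if hits_rdp and rule.find("source/any") is not None:
            findings.append((rule.findtext("descr"), rule.findtext("target")))
    return findings

if __name__ == "__main__":
    for descr, target in open_rdp_forwards(SAMPLE_CONFIG):
        print(f"unrestricted RDP forward -> {target}: {descr}")
```

In a double NAT setup this only covers the pfSense side; the upstream router's forward or "exposed host" setting has to be reviewed separately.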

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.