Port Mapping with Multiple Assigned Source Ports

  • Need help..
    I am about 48hrs into a new PFSense Router and am having a hard time getting a port forward application to work similar to a NETBSD device it replaced.  We have multiple employees who utilize Microsoft Remote Desktop to access their company computers from home.  Previous IT guys assigned each user a port like 3445 that would be NAT mapped to their computer's paddles and the standard port 3389 for MRD.
    I've exhausted my various combination of settings and have not found a similar example on the forum so far.  Any help greatly appreciated.  Screenshot enclosed of trial config.
    ![Screen Shot 2017-09-11 at 2.38.46 PM.png](/public/imported_attachments/1/Screen Shot 2017-09-11 at 2.38.46 PM.png)
    ![Screen Shot 2017-09-11 at 2.38.46 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2017-09-11 at 2.38.46 PM.png_thumb)

  • LAYER 8 Global Moderator

    First off, your previous IT guys were morons ;)  If you want your employees to be able to RDP to devices on the work network they should VPN into your network.  This is going to be way more secure than opening up RDP to the public internet no matter if you change the port or not.

    But you can for sure do what your asking..

    You can forward whatever Port you want to some IP behind pfsense to 3389

    So you could for example
    3345 forward to 3389
    3346 forward to 3389
    3347 forward to 3389

  • Thanks for responding and I agree VPN is the way to go and is my ultimate plan but I was trying to get functionality of the replaced router.  My problem is getting the proper settings in the NAT forwarding age to make this work.  I have tried various combinations but have been unable to have the ports properly mapped.  I guess it is source vs destination settings vs redirect settings.  Do I have to set source ports or are the assigned ports entered into the destination fields and then the user's work computer ip and port 3389 entered into the redirect fields.
    I'm using http://canyouseeme.org to test the mapping and have yet to be successful.



  • LAYER 8 Global Moderator

    I think your confusing what a source port is - would never come into play.. And you also would have to worry about the box running rdp firewall… Window machines out of the box would not allow rdp from a remote IP.. So you would have to modify their IP..  But here I will do a quick test and show you the screens..

    Create the forward, make sure firewall rule was created and not being blocked by some specific wan rule you created.

    Rules are evaluated top down, first rule to trigger wins.  No other rules are evaluated.

    You can see now when I check canyouseeme on the 3345 port it shows open..  You sure the ports your forwarding are allowed to your wan of pfsense?  Its not behind some other nat is it?  Check out the port forward troubleshooting doc


  • Here's an example. External port 5202 is forwarded to 5201 on IP

    ![Screenshot 2017-09-12 17.30.36.png](/public/imported_attachments/1/Screenshot 2017-09-12 17.30.36.png)
    ![Screenshot 2017-09-12 17.30.36.png_thumb](/public/imported_attachments/1/Screenshot 2017-09-12 17.30.36.png_thumb)

  • Thanks so much for the help.  Port forwarding is working now.  Next step getting my colleagues to us a VPN instead.

Log in to reply