Cannot get access from external network



  • Hi all,

    Apologies for the newb question (possibly), but I've been given the task of setting up 2 pfSense servers in CARP. Although I've never done this and haven't been given any help with it, I've now got Internet access; however, I cannot seem to get anything INTO the network from the Internet (crucially RDP to our Terminal Servers).
    The client has a Draytek 2860 on which I've pointed the DMZ Zone local IP at the CARP WAN IP of the pfSense, but I can't see why I cannot get into the network?
    I have added firewall rules under Firewall - Rules - Floating, selecting the WAN interface, direction IN, protocol TCP and destination port 3389 (MS RDP), and then set the internal LAN IP of the Terminal Server as the Destination - Host or Single Address.
    I've also tried adding a port redirection under Firewall - NAT - Port Forward as well, but it still won't connect.
    Am I doing something wrong / missing something, or is this going to be an issue with the Draytek?
    Any help would be great, or if someone could just tell me exactly what entries I need and in which section, then at least I can discount it.
    Thanks



  • Hello,

    Start by wiping your firewall rules.
    No floating stuff. Nothing.
    Then, create a NAT rule, TCP (probably), from "any" to the internal LAN IP, port 3389 (choose MS RDP) on both sides.
    This will create a related firewall rule at the same time.
    Done.
    Works for me ™.



  • Yeah… tried that but it still won't work. Just to confirm, though: on the rule I have put in, the Interface is automatically set to WAN, which I've left; the Destination is the LAN IP of the pfSense interface (not the internal server IP); and the Redirect target IP is then the internal LAN IP of the server that is running RDP?

    Thanks



  • For "Destination" you have to select "WAN Address". This is the port where the outside connection arrives at your firewall.
    Then the "Redirect target IP" is the IP address of your server. That should make it work.



  • @DickB:

    > For "Destination" you have to select "WAN Address". …

    :o
    You're right. "WAN ADDRESS", not "any".
    See image.

    Btw: I use "1234" for the outside port (so I use mstsc myhost.here.tld:1234 to access my Windows 2012 server).
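    What the port forward from DickB's answer (and the alternative outside port 1234 mentioned above) amounts to in pf rule terms, as an added example that is not from the thread or from pfSense's own documentation. The interface name em0 and all addresses are assumed placeholders; the CARP line reflects the original poster's setup, where the Draytek DMZ points at the CARP WAN IP rather than the interface address.

    ```pf
    # Constructed example: pf rules equivalent to a pfSense Firewall - NAT - Port Forward
    # entry. Assumed placeholders: em0 = WAN interface, 203.0.113.10 = WAN interface
    # address, 203.0.113.20 = CARP WAN VIP, 192.168.10.5 = internal RDP server.

    # Destination = "WAN address" (DickB's answer): inbound TCP/3389 arriving at the
    # WAN interface address is translated to the internal server.
    rdr on em0 proto tcp from any to 203.0.113.10 port 3389 -> 192.168.10.5 port 3389

    # In a CARP pair, the Draytek DMZ sends traffic to the CARP VIP, not to either
    # node's own interface address, so the Destination must be that VIP (it is
    # offered in the same Destination dropdown). The forward then works on
    # whichever node currently holds the VIP.
    rdr on em0 proto tcp from any to 203.0.113.20 port 3389 -> 192.168.10.5 port 3389

    # Variant with a different outside port (the "1234" trick above):
    # external 1234 -> internal 3389, reached as mstsc host:1234.
    rdr on em0 proto tcp from any to 203.0.113.20 port 1234 -> 192.168.10.5 port 3389

    # The firewall rule pfSense creates automatically alongside the port forward.
    # It matches the post-translation destination (the internal server), which is
    # why a rule written against the public address or a floating rule does not
    # pass this traffic. Replace "from any" with the known client source ranges
    # where possible rather than exposing RDP to the whole Internet.
    pass in quick on em0 proto tcp from any to 192.168.10.5 port 3389 flags S/SA keep state
    ```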




  • The auto created Firewall rule on the WAN interface :