RDP to hostname.

  • Hello,

    I'm trying to configure my pfSense to allow me to RDP to multiple machines over the single 3389 port via different host names, such as computer1.domain.com etc.
    Can someone advise me on how to configure this, as everything I tried so far is not working.

    If you need more information please ask.

    ![DNS Override.PNG](/public/imported_attachments/1/DNS Override.PNG)
    ![DNS Domain Override.PNG](/public/imported_attachments/1/DNS Domain Override.PNG)
    ![dns records.PNG](/public/imported_attachments/1/dns records.PNG)

  • I THINK I understand what you are trying to do; I may be wrong, but here goes.

    If you have a single external WAN IP, you cannot forward to multiple LAN addresses using the same port if only using a single external WAN port. The FQDN only resolves the IP address, not the port number. For example, HTTP by default is port 80; if I had two web servers on my LAN, I could not run them both on a single external IP that defaults to port 80.

    RDP by default is 3389, so forward that port on the WAN to the primary server IP.

    On the backup, change the RDP port (I will post a link below on how to do that) and forward that port on the WAN to the backup.

    You can still use the different FQDNs to get to each, but the WAN IP will be the same in the authoritative DNS entry. Internally you can differentiate, but remember the port number will be different also.

    BTW, I would not expose any machine to the WAN using RDP; I would use OpenVPN and access the servers through the VPN link, much safer.

  • I got one ext IP.
    I thought you could use the subdomain name and allow pfSense to override it and transfer the ext IP to my int IP. Or maybe use the server DNS service?
    I was informed that you set it up so everything from e.g. domain.com will contact my DNS service, which then finds that the subdomain is pointing to a server inside my LAN.

    I can't use OpenVPN at work; that's why I need to RDP over WAN.

    I had the setup prior where I had different ext ports mapped to 3389, but I wanted to tighten it down and only have one port open or something.

    How about VIPs?

  • You cannot forward a single port to multiple destinations; it doesn't work.

    However, use a reverse proxy like HAProxy (and I think Squid in reverse mode can do it as well) to "resolve" the destination at the router (like host1.example.com, host2.example.com, …) and forward accordingly.

    Read more about it here: https://doc.pfsense.org/index.php/Haproxy_package

  • HAProxy can do it for HTTP/HTTPS/SSL traffic by means of the Host header or the SNI server name in an SSL request. However, for RDP or SSH and most other protocols this is not possible, as they don't send the hostname they intend to connect to readable from the first data packet/bytes passing over the TCP connection where the client speaks first.

    VIPs could work, but you must have multiple routed IPs from the ISP. As you only have 1 public IP, that's out the window as well.

    A full Microsoft Terminal Server Gateway server can do it behind pfSense, with appropriate gateway configuration on the RDP client. Or connect to a VPN first before connecting to the servers.
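PiBa's distinction above (a Host header or SNI name is readable in the client's first bytes, while an RDP client's first packet carries no target hostname) as an added example that is not part of the thread: the `peek_hostname` function is the only decision a TCP-mode reverse proxy such as HAProxy could make before relaying anything. The TLS ClientHello and RDP X.224 Connection Request it is fed are constructed inline; host1.example.com comes from the thread, and the user name "alice" is made up.

```python
import struct

def peek_hostname(data: bytes):
    """Return the SNI hostname if the client's first bytes are a TLS ClientHello, else None.
    This is all a layer-4 proxy in front of pfSense can route on before the server side is chosen."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:            # handshake record containing a ClientHello?
            return None
        pos = 9 + 2 + 32                                   # skip record/handshake headers, version, random
        pos += 1 + data[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
        pos += 1 + data[pos]                               # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:                          # walk the extension list
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0x0000:                         # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):  # truncated, or not TLS at all: nothing to route on
        pass
    return None

def build_client_hello(hostname: str) -> bytes:
    """Constructed TLS 1.2 ClientHello with one cipher suite and an SNI extension (test input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name            # name_type 0 = host_name
    sni = struct.pack("!HH", 0x0000, len(entry) + 2) + struct.pack("!H", len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                      # one cipher suite
            + b"\x01\x00"                                             # null compression only
            + struct.pack("!H", len(sni)) + sni)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def build_rdp_connection_request(username: str) -> bytes:
    """Constructed RDP X.224 Connection Request (MS-RDPBCGR), the first thing an RDP client sends.
    The optional routing cookie names the user, never the server the client wants to reach."""
    cookie = f"Cookie: mstshash={username}\r\n".encode("ascii")
    neg_req = b"\x01\x00\x08\x00\x03\x00\x00\x00"                     # RDP_NEG_REQ: offer TLS or CredSSP
    x224 = b"\xe0\x00\x00\x00\x00\x00" + cookie + neg_req             # CR code, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224                                  # X.224 length indicator
    return b"\x03\x00" + struct.pack("!H", 4 + len(x224)) + x224      # TPKT header
```

Feeding the RDP request (or an SSH banner) to `peek_hostname` yields None, which is why HAProxy's `req.ssl_sni` style routing has nothing to match on for port 3389.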

  • Use OpenVPN instead. Connect via VPN and then RDP to any system on your network. So much more secure.

  • Rebel Alliance Developer Netgate

    Even if it were possible… Why would you want to expose multiple RDP services to the Internet? That's a bad idea in general. Use a VPN and your access problem disappears entirely, in addition to your security issues.

  • I agree with KOM and jimp. If you have a way to check the failed login attempts on 3389, you will be shocked. We got a few clients with 3389 exposed by their previous service provider. 12000+ login attempts every day. OpenVPN -> RDP is the best way to go, especially when you have multiple hosts.

  • @PiBa:

    > …don't send the hostname ... readable from the first data packet/bytes passing over the TCP connection where the client speaks first

    Thanks, you learn something new every day.
