Netgate Discussion Forum

    Redirecting RDP

    • C
      CaptainNerd
      last edited by

      Hi all. I'm new to pfsense and trying to get a weird redirect to work... I essentially have RDP going out 5190 from my work network, and back in to 3389 at home.

      work -> internet -> my spectrum gigabit router (port forward) -> pfsense wan -> pfsense lan -> windows box

      I have the spectrum router set to port forward to the IP that pfsense has allocated from it (192.168.1.8)... and I can see it in the logs and I've done an easy rule to pass the traffic... So when I connect I see an allow in the firewall logs...

      [green check] Jun 29 13:24:36 	WAN 	Easy Rule: Passed from Firewall Log View (1530280773) 	66.160.19.54:58243		192.168.1.8:3389		TCP:S 
      

      That's about where it stops, as I cannot get it to connect to my windows box on the LAN side (10.1.1.100) no matter what I try... which normally I set everything to "any and allow" just to get it working then slowly whittle it down to more restrictive options...

      I've tried:
      Firewall -> NAT -> Port Forward
      Interface/Protocol/Source Address/Source Ports /Dest. Address /Dest. Ports /NAT IP /NAT Ports

      WAN/TCP/66.160.19.54/3389/192.168.1.8/3389/10.1.1.100/3389
      WAN/TCP/*/3389/192.168.18/3389/10.1.1.100/3389
      WAN/TCP/*/*/*/3389/10.1.1.100/3389
      LAN/TCP/*/3389/192.168.1.8/3389/10.1.1.100/3389
      LAN/TCP/ */*/*/3389/10.1.1.100/3389
      

      I'm not sure why PFSense won't bridge from WAN->LAN with the easyrule putting traffic through. I also turned off block private networks and loopbacks just to see if that would help. Still not working. I also tried putting pfsense in the dmz on my spectrum router but that didn't work either.

      Thank you in advance!

      • V
        viragomann
        last edited by

        Basically it's not recommended to expose RDP to public addresses. You should go over a VPN instead.

        If you want to do that anyway, let's go on:
        First check if your router does NAT on incoming connections. If it does, you have to uncheck "Block private networks" in the WAN interface settings on pfSense and replace the work's public IP with the router's internal IP in the rules below.
        In that case it is highly recommended that you only forward RDP from your work's public address to pfSense on the router; don't put pfSense into the DMZ!

        Assuming your work network has the static public IP 66.160.19.54, you need a NAT port forwarding rule like this:
        Interface/Protocol/Source Address/Source Ports/Dest. Address /Dest. Ports/NAT IP/NAT Ports
        WAN/TCP/66.160.19.54/*/WAN address/3389/10.1.1.100/3389

        Also you need this firewall rule:
        Action/Interface/Protocol/Source Address/Source Ports/Dest. Address/Dest. Ports/Gateway/
        pass/WAN/TCP/66.160.19.54/*/10.1.1.100/3389/*

        If you put the pfSense WAN address in the DMZ on your router, it should forward any incoming connection to pfSense. If you don't do that, you at least have to forward port 3389 to the pfSense WAN address.

        Ensure that these points are given first. If it doesn't work though, we can go to troubleshooting.

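        An added example, not part of either post and not pfSense code: a simplified Python model that checks the port-forward rows from the question, and the row suggested in the answer above, against the SYN shown in the firewall log (66.160.19.54:58243 to 192.168.1.8:3389 on WAN). It assumes `*` means any, that "WAN address" resolves to 192.168.1.8, and plain exact-match semantics; all function and variable names are hypothetical.

```python
from collections import namedtuple

# Constructed from the log line in the question: the client's source port is
# ephemeral (58243); only the destination port is 3389.
Packet = namedtuple("Packet", "iface proto src sport dst dport")
LOGGED_SYN = Packet("WAN", "TCP", "66.160.19.54", "58243", "192.168.1.8", "3389")

WAN_ADDRESS = "192.168.1.8"  # assumption: the pfSense WAN IP named in the question

# Rows exactly as posted in the question, then the row from the answer.
TRIED = [
    "WAN/TCP/66.160.19.54/3389/192.168.1.8/3389/10.1.1.100/3389",
    "WAN/TCP/*/3389/192.168.18/3389/10.1.1.100/3389",
    "WAN/TCP/*/*/*/3389/10.1.1.100/3389",
    "LAN/TCP/*/3389/192.168.1.8/3389/10.1.1.100/3389",
    "LAN/TCP/ */*/*/3389/10.1.1.100/3389",
]
SUGGESTED = "WAN/TCP/66.160.19.54/*/WAN address/3389/10.1.1.100/3389"


def parse_rule(row):
    """Split an Interface/Protocol/Src/SrcPort/Dst/DstPort/NAT IP/NAT Port row."""
    fields = [f.strip() for f in row.split("/")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {row!r}")
    return fields


def mismatches(row, pkt=LOGGED_SYN):
    """Return the names of the match fields that do not fit the packet."""
    iface, proto, src, sport, dst, dport, _nat_ip, _nat_port = parse_rule(row)
    if dst == "WAN address":
        dst = WAN_ADDRESS
    wanted = dict(iface=iface, proto=proto, src=src, sport=sport, dst=dst, dport=dport)
    return [name for name, want in wanted.items()
            if want != "*" and want != getattr(pkt, name)]


if __name__ == "__main__":
    for row in TRIED + [SUGGESTED]:
        bad = mismatches(row)
        verdict = "matches" if not bad else "no match: " + ", ".join(bad)
        print(f"{row:62} {verdict}")
```

        A row that matches here only describes the translation; the WAN pass rule toward 10.1.1.100:3389 listed in the answer is still needed for the translated traffic.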
        • jahonixJ
          jahonix @viragomann
          last edited by

          @viragomann said in Redirecting RDP:

          Basically it's not recommended to expose RDP to public addresses.

          While I second this advice, there's another possible solution: just make your work's public IP the only source allowed to connect to your RDP session (once it's working).
