RDP not allowed through pfsense



  • Good day guys. I'm new to pfSense and I put up a firewall behind a gateway Huawei HG8245Q2 router. I'm trying to do a remote desktop connection from the internet to a Windows server behind the pfSense, but somehow I cannot remotely connect. I have opened port 3389 in pfSense and done a port forward in the router, and created a rule on the Windows firewall to allow RDP as well, but I can't seem to connect. I'm trying to remote connect from the inside (192.168.1.133) to our public IP because we are behind a NAT. Remote connecting to the Windows server IP 192.168.100.5 is not connecting. I believe I'm missing something somewhere and I need help from you guys. Previously I was able to RDP to the Windows server without the pfSense, but now I'm not sure which device is not allowing the connection. I tried a port test from the pfSense for port 3389 and it works, so I'm stuck on what to do next.



  • Putting pfSense behind that Huawei box sets up a double-NAT situation. Doing RDP in that setup is going to be a bit more complicated. Life will be easier if there is a way to configure the Huawei device to run in bridge mode such that your public IP address is given to the pfSense WAN connection. I have no idea if that Huawei router can do that or not, though.

    First, let me give you the standard caution -- DO NOT open ports 3389 to the Internet! That opens up an enormous security hole. You should do remote access using a VPN instead. Connect with the VPN tunnel and then use RDP to open a remote desktop session to a Windows machine.

    If you insist on opening 3389 to the Internet anyway, you could try setting up the port forward on the Huawei so that it forwards all port 3389 traffic to the pfSense WAN IP address. Then on the pfSense box you have another port forward that sends 3389 to the server IP behind pfSense on the LAN side.



  • @bmeeks Really appreciate your reply. Actually I have a port forward on the Huawei to the local IP, and on the pfSense I also have port 3389 open, but it is still not allowing the connection. Is there a way to check if the connection reaches the firewall or not?



  • @mandy47 said in RDP not allowed through pfsense:

    @bmeeks Really appreciate your reply. Actually I have a port forward on the Huawei to the local IP, and on the pfSense I also have port 3389 open, but it is still not allowing the connection. Is there a way to check if the connection reaches the firewall or not?

    Sure. You can use the built-in wireshark feature under DIAGNOSTICS to capture packets on the WAN or LAN. In your case I would capture first on the WAN to see if the RDP packet arrives at the pfSense box. Look under DIAGNOSTICS > PACKET CAPTURE.



  • Thanks so much @bmeeks, but is it okay if I do this? I'm on the inside (private IP) doing an RDP to the public IP, because I could do that before without the pfSense behind the gateway router (Huawei). It's like going out to get in through RDP. I hope it makes sense. Thanks.



  • @mandy47 said in RDP not allowed through pfsense:

    Thanks so much @bmeeks, but is it okay if I do this? I'm on the inside (private IP) doing an RDP to the public IP, because I could do that before without the pfSense behind the gateway router (Huawei). It's like going out to get in through RDP. I hope it makes sense. Thanks.

    When you are on the inside and trying to remote out and back in via the public IP, then you will need something called NAT reflection configured on the pfSense side. That brings other complications. Are you trying to go "out" and "back in" just for testing? If so, try it from totally outside your network like maybe use an RDP client from your phone while outside your network.



  • Yeah, I'm doing that for testing only, but I just checked the packet capture and the RDP is not reaching the WAN of the pfSense, so I think on the Huawei router side I also need to check if the packet is hitting our public IP. I guess the bridge mode would totally resolve my problems, but I still need to try if I can make this work without it. Thanks a lot sir.



  • @mandy47 said in RDP not allowed through pfsense:

    Yeah, I'm doing that for testing only, but I just checked the packet capture and the RDP is not reaching the WAN of the pfSense, so I think on the Huawei router side I also need to check if the packet is hitting our public IP. I guess the bridge mode would totally resolve my problems, but I still need to try if I can make this work without it. Thanks a lot sir.

    Doing anything from inside the LAN out to the public WAN side and back in requires something called NAT reflection. You can Google that term (and also you will find info about it here on the pfSense forum). It's not a great thing to use except in extenuating circumstances.

    Before you waste a lot of time setting that up and experiencing the additional headaches it can cause (just so you can test), why not instead try what I suggested and actually go outside your network and then try to come back in? There are some free RDP apps for iPhone and I assume for Android, too. Install one of those, go out somewhere out of Wi-Fi range so your phone switches to cellular data and then attempt an inbound RDP connection.

    I tested my RDP setup originally by simply walking out to my mailbox using my iPhone to RDP back in to my network. My mailbox was far enough from the house to force my iPhone out of Wi-Fi mode and over to cellular data (I have a very large yard). That way I was hitting my WAN public IP truly from outside my LAN.
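    The WAN capture suggested above (DIAGNOSTICS > PACKET CAPTURE is tcpdump underneath) answers two questions at once: did any RDP SYN reach the pfSense WAN at all, and did it come from a public source or only from the inner LAN (the NAT-reflection case). This is an added POSIX sh example, not code from the thread or from pfSense; the capture text is constructed, with the pfSense WAN assumed to sit at 192.168.1.2 behind the Huawei and 203.0.113.10 standing in for an outside client.

```sh
#!/bin/sh
# Constructed sample of what "tcpdump -ni <wan-if> tcp port 3389" prints.
# 192.168.1.133 is the inside test client from the thread; 192.168.1.2 is an
# assumed pfSense WAN address (double NAT); 203.0.113.10 is an assumed outside host.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.133.50001 > 192.168.1.2.3389: Flags [S], seq 1, win 64240, length 0
12:00:01.900001 IP 192.168.1.133.50001 > 192.168.1.2.3389: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 203.0.113.10.40001 > 192.168.1.2.3389: Flags [S], seq 7, win 65535, length 0
12:00:02.000002 IP 192.168.1.2.3389 > 203.0.113.10.40001: Flags [S.], seq 9, ack 8, win 65535, length 0
12:00:03.000001 IP 203.0.113.10.40002 > 192.168.1.2.443: Flags [S], seq 3, win 65535, length 0'

# Keep only pure SYNs (Flags [S], not the [S.] SYN-ACK) whose destination port is 3389.
rdp_syn_lines() {
  printf '%s\n' "$1" | grep -E ' > [0-9.]+\.3389: Flags \[S\],'
}

# Number of inbound RDP connection attempts seen on the capture.
count_rdp_syn() {
  rdp_syn_lines "$1" | wc -l | tr -d ' '
}

# Distinct source addresses of those attempts (field 3 is src.port; strip the port).
rdp_syn_sources() {
  rdp_syn_lines "$1" | awk '{print $3}' | sed 's/\.[0-9]*$//' | sort -u
}

# RFC 1918 check: a SYN from one of these ranges came from inside, not the internet.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Verdict: none          -> nothing reached the WAN, look upstream (Huawei forward)
#          internal-only -> only LAN-side tests seen, that path needs NAT reflection
#          external      -> a real outside client reached the WAN; check pfSense NAT/rules next
diagnose_rdp_capture() {
  srcs=$(rdp_syn_sources "$1")
  [ -n "$srcs" ] || { echo none; return; }
  for s in $srcs; do
    is_rfc1918 "$s" || { echo external; return; }
  done
  echo internal-only
}

diagnose_rdp_capture "$SAMPLE_CAPTURE"
```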


  •

    Why you should NOT open Services like RDP to the whole world / hide it behind a VPN: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

    -Rico



  • Thanks Rico. I definitely won't open those ports on my WAN. I will work on setting up a VPN client to connect to the pfSense for my internal servers.



  • @mandy47 said in RDP not allowed through pfsense:

    Thanks Rico. I definitely won't open those ports on my WAN. I will work on setting up a VPN client to connect to the pfSense for my internal servers.

    VPN is definitely the way to go. I glossed over it in my later posts because I had already mentioned it in my first reply in this thread, but all of my "testing" I referenced for RDP connections was actually being done through my VPN setup and then into RDP.



  • @bmeeks is there a link or tutorial you can recommend that I can use to set up a VPN client on the pfSense box? Thanks in advance.



  • @mandy47 said in RDP not allowed through pfsense:

    @bmeeks is there a link or tutorial you can recommend that I can use to set up a VPN client on the pfSense box? Thanks in advance.

    Sure -- here is the official documentation link: https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/index.html.

    And here is a link to the OpenVPN sub-forum here on the pfSense forums: https://forum.netgate.com/category/34/openvpn.

    The documentation link I provided is actually part of the very first "sticky post" in the OpenVPN sub-forum.



  • @mandy47 said in RDP not allowed through pfsense:

    @bmeeks is there a link or tutorial you can recommend that I can use to set up a VPN client on the pfSense box? Thanks in advance.

    For your application, you actually want a VPN Server on your pfSense box. Your VPN client piece will be on the remote devices (smart phone, laptop, etc.) that you use to connect back to your LAN. You will install the OpenVPN Client Export package on pfSense in order to export suitable certificate packages for various platforms such as Windows, iOS, etc.

    If you are new to VPN technology, think of it as a very long network cable that reaches anywhere in the world. One end is plugged into your LAN, and the other end is wherever you need to remotely connect back to your LAN. With VPN, that connection is highly secure. Once the VPN connection is made, your remote device behaves like it is directly connected to your LAN, but you can control exactly what type of traffic flows over the VPN connection with firewall rules. So you can allow anything over the VPN connection to and from your LAN, or just specific things like RDP and probably DNS. It's your choice as the admin for what to allow over the VPN.

