Unable to RDP (PFSense)

Thato P

Good day All,

Trust that you are well.

I recently setup a new PFSense firewall for our company and with that said, I am able to login into the web interface without any issues using the Public IP/WAN address of the PFsense machine (a wan rule has been created for this).

However, I also created an additional rule to say that only wan addresses should be able to remote control local machine IP addresses - in additional to this we have also setup a NAT(port forwarding for remote desktop access from the wan machine IP to the local machine IP). The PC we have placed behind the PFSense firewall is able to connect to the internet so remote controlling the PC behind the PFSense firewall should not be an issue.

We have another PFSense firewall which is setup in the same way as described above and remote controlling a PC or server is not an issue behind that firewall - I have even compared the setup of both PFSense firewalls and there is no difference however I am unable to remote control the PC behind the new PFSense setup. Would anyone perhaps know if there is a rule that I am missing.

Any help will be highly appreciated.

NogBadTheBad

Use a VPN, don't open up your network to RDP.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Thato P

Hi, thanks for the prompt feedback.

I did think about VPN, however we unfortunately do not want to go that route as the initial PFSense firewall was not configured to have VPN. Is there anything else we could try perhaps?

Grimson

@Thato-P said in Unable to RDP (PFSense):

I did think about VPN, however we unfortunately do not want to go that route as the initial PFSense firewall was not configured to have VPN.

Then change that, configuring a VPN on pfSense isn't hard.

On the other side, opening the WebUI and RDP to the public WAN is beyond stupid. An admin should loose his job over something idiotic as this.

Thato P

@Grimson , thanks for your response. Will definitely look into it.

Gertjan

@Thato-P said in Unable to RDP (PFSense):

Trust that you are well.

Oh, yes ! Things are much better these days, since Microsoft -- finally -- acknowledged that RDP is to exposed to attacks and should be used only on local, not routable networks. Finally - after many years .... they stated that it can't be really repaired ...
On the other hand : the cracks are in the open know, everybody can locate and crack an RDP accessible system.

edit : this was world info, some 2 weeks or less, even on CNN Europe ....

So : do what we all do : activate a VPN, with certs or password or both.
No need to NAT anything - connect to the VPN server on your pfSense, and run "mstsc" without any issues nor side effects.

johnpoz

@Gertjan said in Unable to RDP (PFSense):

since Microsoft -- finally -- acknowledged that RDP is to exposed to attacks and should be used only on local, not routable networks

Do you have specific link to this - love to put it in my can responses when I see people asking about rdp being opened up.

That above link doesn't actually say that - that I saw..

Gertjan

@johnpoz said in Unable to RDP (PFSense):

specific link

Ok for specific : this one, just a couple of hours ago : https://nakedsecurity.sophos.com/2019/06/06/microsoft-dismisses-new-windows-rdp-bug-as-a-feature/

That page shows some info already.
Google Microsoft RDP and you'll be a happy man.

I found the subject myself because I do have (yes, I do !) a XP system alive **.
I received an update .... => that made me really curious.
I learned that XP and Vista were patched - or these OS's are declared 'dead' many years ago - even my favourite "7 Pro" will step back in about 10 months. I don't know what to do in the future : Microsoft scares the hell out of me with there recent desktop OS's. I guess I still have to maintain this paper with all my "tips tricks hacks".

** to replace them with Windows 10 Pro ? I've got a spare Pc @home, a 'powerful' PC (Dell XPS 8800 / SSD /2 HD's / 16 Gb / Nvidia 1070 / whatever ) - it plays x-Plane 11 rather descent.
But when Windows pops up with an update - or worse, it tells me it had installed an update, so, up to us to hunt down the "what is broken now" ?
Just this week : "10" came out with a new massive update : I saw with my own eyes a low-bud portable, branded "Ok for 10" : it went 'dark for more the 12 hours while 'updating' : the owner (no me) though it was dead ..... I advised him to leave it in a corner, and check back on it "tomorrow or so". It actually did ....

On my big PC this update (also called May 1903) took close to one hour ...... wtf !

Sorry for going out-of-subject.

jahonix

https://forum.netgate.com/topic/143948/more-details-about-bluekeep-the-microsoft-rdp-vulnerability

Microsoft's RDP is so flawed that actually the NSA is begging admins to patch their systems immediately.

There is no scenario where you would want to expose RDP to public access (unless you want to become a malware hub).

johnpoz

@jahonix said in Unable to RDP (PFSense):

There is no scenario where you would want to expose RDP to public access (unless you want to become a malware hub).

Completely agree.. .But there is MS docs about using it to access your systems in the cloud, etc.

KOM

I imagine they would have you restrict the source network first.

Abdrouf4995

exposing pfsense webUI to the internet should not be considered as an option at all if you are already have a public ip that accessible from the internet you are few clicks a way from setting up openvpn on pfsense. it's really easy it's even got a wizard.
you can even setup 2 factor auth with it using freeRadius for extra security.
dude I'm paranoid about opening port on my lan let alone the WAN.

johnpoz

@KOM said in Unable to RDP (PFSense):

you restrict the source network first.

You would sure hope so!! But how many have it open so mobile users can access, etc. etc.

Rico

I don't get the point what's the problem with setting up some VPN RAS and hide all services behind it.
Depending on User size the work is 5min/5hrs/5 days.
With someone taking down your whole network encrypting everything and your work is 5 weeks to 5 months...maybe your company is dead then.

-Rico

KOM

In my experience, the problem isn't so much that installing & configuring OpenVPN is hard. It's not. The problem is getting your users to accept that this is how to connect now with them whining endlessly, especially if those whining users are senior management. You tell them the risks and they go "Ya ya ya whatever give me my RDP!" Of course, if your network gets owned and goes down, those same idiots will be stomping on your head as why this happened and why didn't you do something about it beforehand.

Abdrouf4995

@KOM lol i totally understand these types of people.
normally i just outsmart them by telling them that this is the only way to do it.
i always argue with my manager that don't tell me how to fix your problem, just tell me your problem i will fix it and don't ask me how i fix it.
this is because in most cases the don't have any knowledge about networking.

Rico

True words.
But if network security is (part) of my business my job is also to convince those idiots. My network my Rules.
So what could be the worst case? Fired by a non-tech head chief telling me how to run the network? Sure go ahead, I don't want to make this job then.

-Rico

KOM

@Abdrouf4995 said in Unable to RDP (PFSense):

this is because in most cases the don't have any knowledge about networking.

That's never stopped a manager from giving his opinions before I have personally argued several times with someone who never learns that intra-LAN traffic doesn't hit the firewall. He doesn't know what a gateway is for, and yet he argues with me as if he had a clue. He is the poster boy for Dunning-Kruger Effect:

"Incompetent people, the researchers found, are not only poor performers, they are also unable to accurately assess and recognize the quality of their own work. These low performers were also unable to recognize the skill and competence levels of other people, which is part of the reason why they consistently view themselves as better, more capable, and more knowledgeable than others."