Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unable to RDP (PFSense)

    Scheduled Pinned Locked Moved Firewalling
    18 Posts 9 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      Thato P
      last edited by

      Good day All,

      Trust that you are well.

      I recently setup a new PFSense firewall for our company and with that said, I am able to login into the web interface without any issues using the Public IP/WAN address of the PFsense machine (a wan rule has been created for this).

      However, I also created an additional rule to say that only wan addresses should be able to remote control local machine IP addresses - in additional to this we have also setup a NAT(port forwarding for remote desktop access from the wan machine IP to the local machine IP). The PC we have placed behind the PFSense firewall is able to connect to the internet so remote controlling the PC behind the PFSense firewall should not be an issue.

      We have another PFSense firewall which is setup in the same way as described above and remote controlling a PC or server is not an issue behind that firewall - I have even compared the setup of both PFSense firewalls and there is no difference however I am unable to remote control the PC behind the new PFSense setup. Would anyone perhaps know if there is a rule that I am missing.

      Any help will be highly appreciated.

      GertjanG 1 Reply Last reply Reply Quote 0
      • NogBadTheBadN
        NogBadTheBad
        last edited by

        Use a VPN, don't open up your network to RDP.

        https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        1 Reply Last reply Reply Quote 1
        • T
          Thato P
          last edited by

          Hi, thanks for the prompt feedback.

          I did think about VPN, however we unfortunately do not want to go that route as the initial PFSense firewall was not configured to have VPN. Is there anything else we could try perhaps?

          GrimsonG 1 Reply Last reply Reply Quote 0
          • GrimsonG
            Grimson Banned @Thato P
            last edited by

            @Thato-P said in Unable to RDP (PFSense):

            I did think about VPN, however we unfortunately do not want to go that route as the initial PFSense firewall was not configured to have VPN.

            Then change that, configuring a VPN on pfSense isn't hard.

            On the other side, opening the WebUI and RDP to the public WAN is beyond stupid. An admin should loose his job over something idiotic as this.

            1 Reply Last reply Reply Quote 1
            • T
              Thato P
              last edited by

              @Grimson , thanks for your response. Will definitely look into it.

              1 Reply Last reply Reply Quote 0
              • GertjanG
                Gertjan @Thato P
                last edited by Gertjan

                @Thato-P said in Unable to RDP (PFSense):

                Trust that you are well.

                Oh, yes ! Things are much better these days, since Microsoft -- finally -- acknowledged that RDP is to exposed to attacks and should be used only on local, not routable networks. Finally - after many years .... they stated that it can't be really repaired ...
                On the other hand : the cracks are in the open know, everybody can locate and crack an RDP accessible system.

                edit : this was world info, some 2 weeks or less, even on CNN Europe ....

                So : do what we all do : activate a VPN, with certs or password or both.
                No need to NAT anything - connect to the VPN server on your pfSense, and run "mstsc" without any issues nor side effects.

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  @Gertjan said in Unable to RDP (PFSense):

                  since Microsoft -- finally -- acknowledged that RDP is to exposed to attacks and should be used only on local, not routable networks

                  Do you have specific link to this - love to put it in my can responses when I see people asking about rdp being opened up.

                  That above link doesn't actually say that - that I saw..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  GertjanG 1 Reply Last reply Reply Quote 0
                  • GertjanG
                    Gertjan @johnpoz
                    last edited by Gertjan

                    @johnpoz said in Unable to RDP (PFSense):

                    specific link

                    Ok for specific : this one, just a couple of hours ago : https://nakedsecurity.sophos.com/2019/06/06/microsoft-dismisses-new-windows-rdp-bug-as-a-feature/

                    That page shows some info already.
                    Google Microsoft RDP and you'll be a happy man.

                    I found the subject myself because I do have (yes, I do !) a XP system alive **.
                    I received an update .... => that made me really curious.
                    I learned that XP and Vista were patched - or these OS's are declared 'dead' many years ago - even my favourite "7 Pro" will step back in about 10 months. I don't know what to do in the future : Microsoft scares the hell out of me with there recent desktop OS's. I guess I still have to maintain this paper with all my "tips tricks hacks".

                    ** to replace them with Windows 10 Pro ? I've got a spare Pc @home, a 'powerful' PC (Dell XPS 8800 / SSD /2 HD's / 16 Gb / Nvidia 1070 / whatever ) - it plays x-Plane 11 rather descent.
                    But when Windows pops up with an update - or worse, it tells me it had installed an update, so, up to us to hunt down the "what is broken now" ?
                    Just this week : "10" came out with a new massive update : I saw with my own eyes a low-bud portable, branded "Ok for 10" : it went 'dark for more the 12 hours while 'updating' : the owner (no me) though it was dead ..... I advised him to leave it in a corner, and check back on it "tomorrow or so". It actually did ....

                    On my big PC this update (also called May 1903) took close to one hour ...... wtf !

                    Sorry for going out-of-subject.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??

                    1 Reply Last reply Reply Quote 1
                    • jahonixJ
                      jahonix
                      last edited by

                      https://forum.netgate.com/topic/143948/more-details-about-bluekeep-the-microsoft-rdp-vulnerability

                      Microsoft's RDP is so flawed that actually the NSA is begging admins to patch their systems immediately.

                      There is no scenario where you would want to expose RDP to public access (unless you want to become a malware hub).

                      1 Reply Last reply Reply Quote 2
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        @jahonix said in Unable to RDP (PFSense):

                        There is no scenario where you would want to expose RDP to public access (unless you want to become a malware hub).

                        Completely agree.. .But there is MS docs about using it to access your systems in the cloud, etc.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • KOMK
                          KOM
                          last edited by

                          I imagine they would have you restrict the source network first.

                          johnpozJ 1 Reply Last reply Reply Quote 0
                          • A
                            Abdrouf4995
                            last edited by

                            exposing pfsense webUI to the internet should not be considered as an option at all if you are already have a public ip that accessible from the internet you are few clicks a way from setting up openvpn on pfsense. it's really easy it's even got a wizard.
                            you can even setup 2 factor auth with it using freeRadius for extra security.
                            dude I'm paranoid about opening port on my lan let alone the WAN.

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @KOM
                              last edited by

                              @KOM said in Unable to RDP (PFSense):

                              you restrict the source network first.

                              You would sure hope so!! But how many have it open so mobile users can access, etc. etc.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • RicoR
                                Rico LAYER 8 Rebel Alliance
                                last edited by

                                I don't get the point what's the problem with setting up some VPN RAS and hide all services behind it. โ˜น
                                Depending on User size the work is 5min/5hrs/5 days.
                                With someone taking down your whole network encrypting everything and your work is 5 weeks to 5 months...maybe your company is dead then.

                                -Rico

                                1 Reply Last reply Reply Quote 0
                                • KOMK
                                  KOM
                                  last edited by

                                  In my experience, the problem isn't so much that installing & configuring OpenVPN is hard. It's not. The problem is getting your users to accept that this is how to connect now with them whining endlessly, especially if those whining users are senior management. You tell them the risks and they go "Ya ya ya whatever give me my RDP!" Of course, if your network gets owned and goes down, those same idiots will be stomping on your head as why this happened and why didn't you do something about it beforehand.

                                  A 1 Reply Last reply Reply Quote 0
                                  • A
                                    Abdrouf4995 @KOM
                                    last edited by

                                    @KOM lol i totally understand these types of people.
                                    normally i just outsmart them by telling them that this is the only way to do it.
                                    i always argue with my manager that don't tell me how to fix your problem, just tell me your problem i will fix it and don't ask me how i fix it.
                                    this is because in most cases the don't have any knowledge about networking.

                                    KOMK 1 Reply Last reply Reply Quote 0
                                    • RicoR
                                      Rico LAYER 8 Rebel Alliance
                                      last edited by Rico

                                      True words.
                                      But if network security is (part) of my business my job is also to convince those idiots. My network my Rules. โ˜บ
                                      So what could be the worst case? Fired by a non-tech head chief telling me how to run the network? Sure go ahead, I don't want to make this job then. โ˜บ

                                      -Rico

                                      1 Reply Last reply Reply Quote 0
                                      • KOMK
                                        KOM @Abdrouf4995
                                        last edited by

                                        @Abdrouf4995 said in Unable to RDP (PFSense):

                                        this is because in most cases the don't have any knowledge about networking.

                                        That's never stopped a manager from giving his opinions before ๐Ÿ˜† ๐Ÿ˜† ๐Ÿ˜† I have personally argued several times with someone who never learns that intra-LAN traffic doesn't hit the firewall. He doesn't know what a gateway is for, and yet he argues with me as if he had a clue. He is the poster boy for Dunning-Kruger Effect:

                                        "Incompetent people, the researchers found, are not only poor performers, they are also unable to accurately assess and recognize the quality of their own work. These low performers were also unable to recognize the skill and competence levels of other people, which is part of the reason why they consistently view themselves as better, more capable, and more knowledgeable than others."

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.