Firewall Rule to Allow RDP from WAN to LAN......Need help

  • Hi everyone,

    Here is my setup:

    Airtel Internet Modem --> Asus RT-AX88U Wireless Router --> pfSense --> LAN and DMZ

    So basically I have an Airtel modem (connected to a hardware router, IP , which is connected to a pfSense machine, IP , in VMware Workstation).

    The WAN IP for pfSense is and the LAN IP is

    I have port forwarded port 3389 from the hardware router (Asus RT-AX88U) to the LAN IP - and have the matching port forward rule (trying RDP) to

    There is a default rule on LAN that says anything from LAN net can go anywhere on any port. I have created a WAN rule that reads:

    Protocol  Source  Source port  Destination  Destination port  Gateway
    TCP       any     any                       3389              default

    Do I need to set up any NAT from WAN to LAN, or is there something I am missing here?

    Please advise.



  • LAYER 8 Global Moderator

    @DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

    Do I need to set up any NAT from WAN to LAN, or is there something I am missing here?

    You want to allow RDP from the public internet? Yeah, that is a BAD freaking idea; have you not been paying attention to the news?

    Are you going to lock down the source to a specific IP? If you need to RDP to boxes on your network from outside, I highly suggest you VPN into your network.

    You have a triple NAT there. So yeah, you would have to forward traffic from your "modem" to your Asus, then from the Asus to pfSense, and then from pfSense to your end IP.

    But again, I highly suggest you rethink doing such a thing.

  • I am not looking to RDP from the public internet. I am trying to RDP from the WAN (private IP) to a LAN IP.

    My WAN IP is a private IP (i.e. 192.168.50.X) and I am trying to RDP to a LAN IP (i.e. 192.168.30.X).

    To access from the public internet I will set up OpenVPN; that setup is yet to be configured.

  • LAYER 8 Global Moderator

    If you want to RDP to something behind pfSense, then yes, you have to create a port forward in pfSense. If the source hitting the pfSense WAN is also RFC1918, you would also have to disable the default block of RFC1918 addresses in pfSense.

  • Both "Block private networks and loopback addresses" and "Block bogon networks" on WAN have already been unticked.

  • LAYER 8 Global Moderator

    And did you allow RDP from a remote network on your host? Out of the box, the Windows firewall is not going to allow RDP from something not on the local network.

  • My NAT rule is as follows:

    Interface  Protocol  Source Address  Source Ports  Dest. Address  Dest. Ports    NAT IP  NAT Ports
    WAN        TCP       *               *             LAN net        3389 (MS RDP)          3389 (MS RDP)

    Yes, on the host RDP access is allowed.

  • LAYER 8 Netgate

    Don't set a source port.

    You had to go pretty deep into advanced settings and ignore warnings to get to that point.

    I'd have to see a diagram to see if setting the source network of LAN net is applicable. It probably should not be set either.

  • Source port is not set; it is any (*).

    Let me check the advanced settings...

  • LAYER 8 Netgate

    How about you post an actual screen capture of the rule instead of a textual approximation of the same.

    And there are two parts to a port forward. The NAT/PAT rule and the firewall rule. Best you post both.

  • Attached firewall rule & NAT ==> WAN
    Port_forward_WAN.jpg Firewall_Rule_WAN.jpg

  • LAYER 8 Netgate

    OK so you have a port forward on WAN with a destination address of LAN Net. How exactly do you expect that to work?

    Why did you set the rule association to Pass? No docs state to do that.

    And you are forcing the connection out WAN by setting that gateway on the rule.

  • Any update?

  • LAYER 8 Global Moderator

    Update? How exactly do you expect such a mess to work?

    If you have questions about what something is or means, you need to ask. Don't just go randomly clicking shit and picking stuff from the drop-down.

    To create a port forward in pfSense, really the only things you have to touch are the port, the redirect port, and the IP you want to send it to. Everything else is going to be pretty much default.

    And let the port forward create the firewall rule, which is the default.

  • Turn the firewall off on the machine that you are trying to RDP into.

    It will treat anything outside its own subnet as public and block it.

    Your post with the graphic looks correct, although MS recommends a TCP/UDP connection. I do not believe I ever have, though. I normally do not leave such a rule in place any longer than I need it.

  • LAYER 8 Global Moderator

    ^ Looks correct? What are you looking at? It sure isn't the mess he posted. He has a gateway set on his WAN rule, and the dest is LAN net vs WAN address in his port forward.

    Here are the 3 things that need to be touched to port forward RDP:


    That is it, don't touch anything else; the defaults are all you need. It will create the firewall rule for you. You just need to make sure you turn off the default block RFC1918 rule, because your source is actually RFC1918.

    Edit: Let's get TCP working before he worries about having a UDP connection ;) But sure, if he wanted he could change it from the default of TCP to TCP/UDP.

  • I tried with the NAT rule; that did not help, so I used Pass and took the screenshot at that time.

    One of the Netgate forum posts mentioned a gateway instead of default, so I tried that as well to see whether it might help.

  • LAYER 8 Global Moderator

    It should take you like 2 minutes tops to troubleshoot a port forward.

    Sniff on WAN: do you see traffic to 3389? Sniff on LAN: do you see pfSense sending 3389 on to the IP you want to send it to?

    If you do, your problem is probably the firewall on the host you're sending to; maybe RDP isn't even listening? Maybe it is using a different gateway other than pfSense? Maybe where you wanted to send it is now on a different IP? Etc., etc.

    Troubleshooting a port forward does not mean randomly changing settings ;)
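    The "sniff on WAN, sniff on LAN" method above, written out as an added example (not code from the thread or from the pfSense project): a POSIX shell function that reads two tcpdump captures taken on the pfSense WAN and LAN interfaces and says which of the three places the forward can break. The WAN address (192.168.50.5), the RDP host (192.168.30.10), the interface names em0/em1 and the capture lines themselves are constructed assumptions, not values from the poster's network.

```shell
#!/bin/sh
# Added example: classify a pfSense port-forward problem from tcpdump output.
# On pfSense you would capture the two sides like this (assumed interface
# names; tcpdump sees packets before pf filters them, so a blocked SYN still
# shows up on WAN):
#   tcpdump -ni em0 -c 20 tcp port 3389 > /tmp/wan.txt   # WAN side
#   tcpdump -ni em1 -c 20 tcp port 3389 > /tmp/lan.txt   # LAN side
# then run: diagnose_forward /tmp/wan.txt /tmp/lan.txt

WAN_ADDR="192.168.50.5"    # assumed pfSense WAN address (what the client dials)
TARGET="192.168.30.10"     # assumed RDP host behind pfSense
RDP_PORT=3389

# Number of lines in capture file $1 matching pattern $2 (0 when none).
count_pkts() {
    n=$(grep -c -- "$2" "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Walk the path a SYN takes: client -> WAN -> (NAT + filter) -> LAN -> host -> SYN/ACK.
diagnose_forward() {
    wan_syn=$(count_pkts "$1" "> $WAN_ADDR\.$RDP_PORT: Flags \[S\],")
    lan_syn=$(count_pkts "$2" "> $TARGET\.$RDP_PORT: Flags \[S\],")
    lan_synack=$(count_pkts "$2" "$TARGET\.$RDP_PORT > .*Flags \[S\.\],")

    if [ "$wan_syn" -eq 0 ]; then
        echo "UPSTREAM: no SYN to $WAN_ADDR:$RDP_PORT reached WAN; check the upstream forward/route and that the client dials the pfSense WAN address"
    elif [ "$lan_syn" -eq 0 ]; then
        echo "PFSENSE: SYN seen on WAN but not sent to $TARGET; check the port forward (destination = WAN address), its firewall rule (no gateway set) and the RFC1918 block on WAN"
    elif [ "$lan_synack" -eq 0 ]; then
        echo "HOST: SYN delivered to $TARGET but no SYN/ACK came back; check the host firewall scope, that RDP is listening, and that the host's default gateway is pfSense"
    else
        echo "OK: forward works end to end; look at the client side"
    fi
}

# Constructed sample captures (not real traffic) for each outcome; $1 is a directory.
write_samples() {
    d="$1"
    wan_syn_line='10:00:01.000001 IP 192.168.50.20.52311 > 192.168.50.5.3389: Flags [S], seq 1, win 64240, length 0'
    lan_syn_line='10:00:01.000200 IP 192.168.50.20.52311 > 192.168.30.10.3389: Flags [S], seq 1, win 64240, length 0'
    lan_ack_line='10:00:01.000400 IP 192.168.30.10.3389 > 192.168.50.20.52311: Flags [S.], seq 2, ack 2, win 65535, length 0'
    # a: nothing arrives at pfSense at all
    : > "$d/wan_a.txt"; : > "$d/lan_a.txt"
    # b: SYN hits WAN, nothing leaves on LAN
    printf '%s\n' "$wan_syn_line" > "$d/wan_b.txt"; : > "$d/lan_b.txt"
    # c: SYN forwarded to the host, host never answers
    printf '%s\n' "$wan_syn_line" > "$d/wan_c.txt"
    printf '%s\n' "$lan_syn_line" > "$d/lan_c.txt"
    # d: working forward
    printf '%s\n' "$wan_syn_line" > "$d/wan_d.txt"
    printf '%s\n' "$lan_syn_line" "$lan_ack_line" > "$d/lan_d.txt"
}

dir=$(mktemp -d)
write_samples "$dir"
for c in a b c d; do
    diagnose_forward "$dir/wan_$c.txt" "$dir/lan_$c.txt"
done
rm -rf "$dir"
```

    The HOST verdict is the one to resolve without switching the host firewall off: scope the Remote Desktop inbound rule to the source subnet (here the assumed 192.168.50.0/24) rather than disabling the firewall, and confirm the host's default gateway is pfSense, otherwise the SYN/ACK leaves by another path and never shows on LAN.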

  • Hi,
    And make sure you have enabled "Remote Desktop" on the computer you are trying to RDP to :)

  • Thanks, friends, for the help. I am now able to access my Windows machines from WAN to LAN.
    I did two things: I enabled the firewall rules on WAN, and I added a route on my source machine (i.e. in the WAN network):


    route add mask

  • LAYER 8 Global Moderator

    So you turned off NAT in pfSense?

  • @johnpoz

    Yes, I have turned off NAT in pfSense.

    Now I need help in configuring OpenVPN for my design mentioned below, to access my LAN network through the internet:

    Airtel Internet Modem --> Asus RT-AX88U Wireless Router --> pfSense --> LAN and DMZ

    I need to do triple NAT here. Apart from doing this, can you suggest some other good options?

  • LAYER 8 Global Moderator

    Well, if you turned off NAT in pfSense, then you would need to route. And you would really need to be connected via a transit network, or you're going to run into issues with asymmetrical traffic, unless you do host routing on each box that actually sits in any transit network (the network between routers).

  • @DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

    I need to do triple NAT here.. apart from doing this ... can you suggest some other good options...

    I went back and read the entire thread again. Why do you need this part: Asus RT-AX88U Wireless Router?


  • LAYER 8 Global Moderator

    I doubt he does, to be honest. It should just be used as an AP. And now that he has NAT turned off, good luck getting that modem and Asus to actually route and not NAT ;)

    He should put his modem into bridge mode and just use pfSense as his edge NAT and firewall, and wireless should just be an AP. Simplifies the whole mess.

  • @akuma1x

    I want my family to connect to the internet directly without pfSense, so I have connected the Asus RT-AX88U router between the Airtel internet modem and pfSense.

  • @DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

    I want my family to connect to the internet directly without pfSense, so I have connected the Asus RT-AX88U router between the Airtel internet modem and pfSense.

    I'm assuming wirelessly, like for mobile devices and stuff? Or wired into the Asus? Is this so they aren't filtered, or less confusing for them, or what?

    You should, like @johnpoz says above, change it up a little bit.

    Airtel Internet Modem (in bridge mode) -> pfSense -> LAN -> Asus RT-AX88U (VLAN'd for only your family to use)

    That would make NAT-ing and VPN-ing (like you say you want to do) and so on into or out of your network so much easier, promise.


  • LAYER 8 Global Moderator

    As you have explained it, it's a complete and utter mess.

    Isolating traffic is very simple; keeping your family away from your network is very simple and does not require such a nonsense network. pfSense, a VLAN switch and an AP that does VLANs. It can be done with dumb switches and a dumb AP as well, just a bit more complicated and with extra hardware, depending.

    But what you have drawn out is just a mess, and a complete and utter nightmare to try and actually manage.

    If you explain what you want, we can show you how to do it correctly, easily and with a minimal budget.

  • I have the components below:

    1. Airtel Internet Modem
    2. TP-Link T2500G-10MPS 8-Port Gigabit L2 Managed switch
    3. Desktop tower server which has my LAN VMs on it (with two physical NICs)
    4. Asus RT-AX88U Wireless Router
    5. Laser printer

    I have installed pfSense on my tower server as a VM.

    I need the following:

    1. I want my family to connect to the internet through wifi without any disturbance; even if I reboot pfSense they should not be affected.
    2. I want to access my lab through wifi from the internal network.
    3. I want to access my lab machines through the internet, i.e. from a remote site as well.
    4. I want to connect my printer through the pfSense LAN network.

    Kindly provide me the network design to achieve the above.

    Thanks in advance,

  • LAYER 8 Global Moderator

    So bridge your modem, connect it to your VM pfSense on WAN. Then put your networks behind it, connected via your smart switch. Do whatever VLANs you want, put 3rd party firmware on your Asus so you can do VLANs = done!

    If your SOHO wifi router can not run 3rd party firmware that actually supports VLANs, then get a real AP.

    You can connect your other VMs to whatever VLANs you want on your host.

    Do you need a drawing?

    I ran such a network for many years before I put my pfSense on actual hardware. And I still run some VMs on different VLANs. It's really basic 101 networking. Running pfSense as a VM is not all that different than running on hardware; the only difference is you're running some virtual switches vs just a hardware one. Be happy to put together an example drawing if that is what you want, with a few VLANs, etc.

    What you run as your hypervisor means nothing other than some details on how you set up the vSwitches and do some VLANs on your VM host.

    Once you have a VLAN-capable switch and an AP that does VLANs, how you segment your network is very simple. The whole thing is having the correct hardware that allows you to do what you want. A VLAN-capable switch and AP is key; then segmentation becomes simple configuration. That is the whole point behind VLANs ;)

  • Can you please put together a drawing and send it to me? It will be really helpful.

    My switch is VLAN capable.

    So bridge your modem, connect it to your VM pfSense on WAN. Then put your networks behind it, connected via your smart switch. Do whatever VLANs you want, put 3rd party firmware on your Asus so you can do VLANs = done!

    As per the above, the Asus wifi router will come behind the firewall, and if I reboot my pfSense then it will affect the internet which is being used by my family (TV, mobile, laptop, etc.). I don't want that to happen.

    FYI: I have Windows 2012 R2 on my host with VMware Workstation installed. pfSense is on VMware Workstation. I already have different vSwitches in VMware Workstation for my LAN, DMZ, freeSAN, etc.

  • Any update please?

  • LAYER 8 Global Moderator

    @DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

    if i reboot my pfsense

    Why in the F would you do that? The only time you need to reboot pfSense would be to upgrade its version.

  • I said I don't want my family to use the pfSense firewall. They have to access the internet without any disturbance.

    Do you have any recommended diagram?

    If not, I will prepare one on my own.

  • LAYER 8 Global Moderator

    Do it how you were doing it then, but you're going to need pfSense to be NATing and port forwarding, or you're going to have a mess and stuff behind pfSense is not going to be able to get to the internet, because your native firmware is not going to NAT downstream networks, or more likely even know how to route to them, etc.

    So what I would do is just turn NAT back on in pfSense, and if you need to get to stuff behind pfSense from the network upstream, then do a simple port forward.

  • I have changed my connection as below:

    ISP Modem ---> pfSense (VM) ---> LAN ---> Asus Wifi router

    LAN has a Windows 2012 R2 DHCP server (scope: 192.168.30.X) with a domain configured. All my Windows clients in LAN get an IP from the Windows DHCP server. I am able to access the internet from my Windows client.

    I have configured the Asus wifi router in wireless router mode; my router IP is and DHCP is enabled: to , so my wifi users get an IP from the router.
    In the router, under WAN status I can see: Internet status: Disconnected.

    I am unable to access the internet through wifi; when I try to ping I get request timed out, but when I try to do a tracert I am able to reach the IP.

    Looks like a DNS issue; let me know what the issue could be.


  • LAYER 8 Global Moderator

    Thought you said you didn't want to put pfSense in front. If you're going to put pfSense in front, then you wouldn't be freaking NATing at your Asus. But you wouldn't be routing either; you would use it as just an AP. If you're going to use it as a downstream router, then you have to add a gateway in pfSense so it knows how to get to that downstream network. And then you still run into the problem of hosts on your transit network.

    Use your wifi router as just an AP; put it on a different VLAN if you want.

    If you want to use your wifi router as a downstream NAT router, yeah, its WAN would need to be able to talk to pfSense to get to the internet. What is it using for DNS? You're saying devices behind your Asus can tracert to . Where do the clients point for DNS, most likely your Asus? Where does it point for DNS?

  • @johnpoz :

    I want to use my Asus wifi router as a downstream NAT router. I have DHCP enabled with DNS pointing to and

  • LAYER 8 Global Moderator

    As a NAT router there is nothing to do. It would get its WAN IP from the pfSense LAN, and use whatever DNS you hand it via DHCP.

    It would then hand out some other IP range to its clients, pointing to itself for gateway and to itself for DNS.

    When a client asks for DNS, the router would ask pfSense for DNS, etc.

    If you want your clients or router to use for DNS, then set that, and make sure it's allowed. You're not trying to redirect or block other DNS at pfSense or your Asus router? If your Asus router is saying it's not connected to the internet, then yeah, you have some sort of problem. Does its WAN get an IP from the pfSense DHCP server?

    You understand you're in the same boat now: if you reboot pfSense, or the host pfSense is running on as a VM, your downstream router has no internet. So if you're going to go that route, then why not just use your Asus as an AP and as a VLAN off pfSense directly?
