Firewall Rule to Allow RDP from WAN to LAN......Need help

johnpoz · Sep 29, 2019, 3:12 PM

Ok... So couple of things... Your handing out 2 different ns there, the 8.8.4.4 and the router... You can never be sure which one the client will use in such a setup..

BTW - you understand handing out a public NS like that means your clients will never be able to resolve anything locally.. And you will be sending any queries for anything local out to google..

Also you have wins setup there.. WTF?? And it sure and the hell would not be 8.8.8.8 ;)

So something is blocking your wifi clients from talking to pfsense for dns then... More than likely your asus is doing some sort of BS dns redirect... If your not seeing the query to pfsense, then there is NO WAY it can forward it on now is there..

Vs trying to weed through all the noise, its easier to filter your traffic down on your sniff to the IP your interested in, ie the wan IP of your wifi router.. By default packet capture stops at 100, so its possible you missed it? I would limit your sniff to only the ip of your wifi router.. Then try your test again.. I would also go into AP mode and try it that way... Easy way to get into AP mode is just turn off dhcp on your wifi router, give it an IP on your network - 192.168.30 in your case, and connect the wifi router to your network via one of the LAN ports on the router vs its wan... Now your wifi clients should get dhcp from pfsense.. And this would take any nonsense filtering your router is doing out of the picture... So then sniff on pfsense again and validate your dns query is getting pfsense..

Pfsense can not do anything with traffic it never sees..

DINU · Sep 29, 2019, 4:06 PM

@johnpoz :

Just to test I have connected my Asus Wifi router in AP mode changed the router IP : 192.168.30.100 and disabled DHCP, connected cable in LAN port.

I have connected wifi client through wifi router. I can see it is taking IP from Windows DHCP server which is on LAN network. I can able to ping pfSense LAN gateway(i)192.168.30.1 but internet is not working attached screen shot below :

johnpoz · Sep 29, 2019, 4:11 PM

And did you sniff to see that traffic is getting to pfsense.. Again pfsense can not do anything with traffic that it does not see..

Not sure what you think a nslookup for 8.8.8.8 is going to do that doesn't point traffic there? And you also asked some box at 192.168.30.10..

And what box is that? Your windows dhcp server?

if you want to change the server you use with nslookup you need to call it out via server command

$ nslookup
Default Server:  pi-hole.local.lan
Address:  192.168.3.10

> server 8.8.8.8
Default Server:  dns.google
Address:  8.8.8.8

> google.com
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4009:811::200e
          216.58.192.238

DINU · Sep 29, 2019, 4:31 PM

@johnpoz :

192.168.30.10 is Windows DNS Server along with domain controller.. I have added 8.8.8.8 and 8.8.4.4 in DNS forwarder as well.

FYI : In DHCP scope I have added nameserver as 8.8.8.8 and 8.8.4.4

johnpoz · Sep 29, 2019, 4:45 PM

Ok... Again lets go over it yet again... Have you sniffed trying to go to 8.8.8.8 for your dns query.. Is pfsense showing the traffic actually got there?? Maybe your client is blocking dns queries?

You know know you can ping pfsense IP 30.1, and you know how to direct your dns to 8.8.8.8 - so validate that pfsense is actually seeing this traffic!

How about you change your dns server via the command to say pfsense IP.. does it work then?

DINU · Sep 29, 2019, 4:58 PM

@johnpoz said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

Ok... Again lets go over it yet again... Have you sniffed trying to go to 8.8.8.8 for your dns query.. Is pfsense showing the traffic actually got there?? Maybe your client is blocking dns queries?
I have tried to 8.8.8.8 for dns query from pfsense it is working.
You know know you can ping pfsense IP 30.1, and you know how to direct your dns to 8.8.8.8 - so validate that pfsense is actually seeing this traffic!
How about you change your dns server via the command to say pfsense IP.. does it work then? I have changed IP to pfsense (ie)192.168.30.1 I dont see dns query is working from wifi client.

If any client passing through wifi router .. internet is not working. Any client in LAN network (ie) windows 07, windows 2012 server internet is working fine.. so I can say pfsense is routing the internet correctly..but when it comes to wifi router ..wifi client is not getting connection to internet..

johnpoz · Sep 29, 2019, 5:14 PM

Can a wifi client ping pfsense 192.168.30.1 from your wifi client? Have you validated the pings are being answered by pfsense via say a sniff on pfsense, validating the mac address is actually pfsense?

Your never going to figure out what is happening without some basic troubleshooting.

example

$ arp -a

Interface: 192.168.9.100 --- 0xf
  Internet Address      Physical Address      Type
  192.168.9.8           00-1f-29-54-17-14     dynamic
  192.168.9.10          00-11-32-7b-29-7d     dynamic
  192.168.9.11          00-11-32-7b-29-7e     dynamic
  192.168.9.253         00-08-a2-0c-e6-24     dynamic

You can see that mac for pfsense IP is actually pfsense interface.. Status interfaces

Status     up
MAC Address     00:08:a2:0c:e6:24 - ADI Engineering
IPv4 Address     192.168.9.253

Sniff on pfsense ping and dns query..

$ ping 192.168.9.253

Pinging 192.168.9.253 with 32 bytes of data:
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.9.253:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

12:07:05.640192 IP 192.168.9.100 > 192.168.9.253: ICMP echo request, id 1, seq 1239, length 40
12:07:05.640235 IP 192.168.9.253 > 192.168.9.100: ICMP echo reply, id 1, seq 1239, length 40
12:07:06.646101 IP 192.168.9.100 > 192.168.9.253: ICMP echo request, id 1, seq 1240, length 40
12:07:06.646124 IP 192.168.9.253 > 192.168.9.100: ICMP echo reply, id 1, seq 1240, length 40
12:07:07.652045 IP 192.168.9.100 > 192.168.9.253: ICMP echo request, id 1, seq 1241, length 40
12:07:07.652069 IP 192.168.9.253 > 192.168.9.100: ICMP echo reply, id 1, seq 1241, length 40
12:07:08.657025 IP 192.168.9.100 > 192.168.9.253: ICMP echo request, id 1, seq 1242, length 40
12:07:08.657045 IP 192.168.9.253 > 192.168.9.100: ICMP echo reply, id 1, seq 1242, length 40

    192.168.9.100.51363 > 8.8.8.8.53: [udp sum ok] 25160+ [1au] A? www.lasjldsjfsljflsjdslfj.com. ar: . OPT UDPsize=4096 (70)
12:10:49.834316 00:08:a2:0c:e6:24 > 00:13:3b:2f:67:62, ethertype IPv4 (0x0800), length 173: (tos 0x0, ttl 118, id 33758, offset 0, flags [none], proto UDP (17), length 159)
    8.8.8.8.53 > 192.168.9.100.51363: [udp sum ok] 25160 NXDomain q: A? www.lasjldsjfsljflsjdslfj.com. 0/1/1 ns: com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1569777031 1800 900 604800 86400 ar: . OPT UDPsize=512 (131)
12:10:50.739582 00:13:3b:2f:67:62 > 00:08:a2:0c:e6:24, ethertype IPv4 (0x0800), length 73: (tos 0x0, ttl 128, id 48270, offset 0, flags [none], proto UDP

DINU · Sep 29, 2019, 6:46 PM

@johnpoz said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

Can a wifi client ping pfsense 192.168.30.1 from your wifi client? Have you validated the pings are being answered by pfsense via say a sniff on pfsense, validating the mac address is actually pfsense?

Your never going to figure out what is happening without some basic troubleshooting.

example

$ arp -a

Interface: 192.168.9.100 --- 0xf
  Internet Address      Physical Address      Type
  192.168.9.8           00-1f-29-54-17-14     dynamic
  192.168.9.10          00-11-32-7b-29-7d     dynamic
  192.168.9.11          00-11-32-7b-29-7e     dynamic
  192.168.9.253         00-08-a2-0c-e6-24     dynamic

You can see that mac for pfsense IP is actually pfsense interface.. Status interfaces

Status     up
MAC Address     00:08:a2:0c:e6:24 - ADI Engineering
IPv4 Address     192.168.9.253

Sniff on pfsense ping and dns query..

$ ping 192.168.9.253

Pinging 192.168.9.253 with 32 bytes of data:
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64
Reply from 192.168.9.253: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.9.253:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

12:07:05.640192 IP 192.168.9.100 > 192.168.9.253: ICMP echo request, id 1, seq 1239, length 40
12:07:05.640235 IP 192.168.9.253 > 192.168.9.100: ICMP echo reply, id 1, seq 1239, length 40
12:07:06.646101 IP 192.168.9.100 > 192.168.9.253: ICMP echo request, id 1, seq 1240, length 40
12:07:06.646124 IP 192.168.9.253 > 192.168.9.100: ICMP echo reply, id 1, seq 1240, length 40
12:07:07.652045 IP 192.168.9.100 > 192.168.9.253: ICMP echo request, id 1, seq 1241, length 40
12:07:07.652069 IP 192.168.9.253 > 192.168.9.100: ICMP echo reply, id 1, seq 1241, length 40
12:07:08.657025 IP 192.168.9.100 > 192.168.9.253: ICMP echo request, id 1, seq 1242, length 40
12:07:08.657045 IP 192.168.9.253 > 192.168.9.100: ICMP echo reply, id 1, seq 1242, length 40

    192.168.9.100.51363 > 8.8.8.8.53: [udp sum ok] 25160+ [1au] A? www.lasjldsjfsljflsjdslfj.com. ar: . OPT UDPsize=4096 (70)
12:10:49.834316 00:08:a2:0c:e6:24 > 00:13:3b:2f:67:62, ethertype IPv4 (0x0800), length 173: (tos 0x0, ttl 118, id 33758, offset 0, flags [none], proto UDP (17), length 159)
    8.8.8.8.53 > 192.168.9.100.51363: [udp sum ok] 25160 NXDomain q: A? www.lasjldsjfsljflsjdslfj.com. 0/1/1 ns: com. SOA a.gtld-servers.net. nstld.verisign-grs.com. 1569777031 1800 900 604800 86400 ar: . OPT UDPsize=512 (131)
12:10:50.739582 00:13:3b:2f:67:62 > 00:08:a2:0c:e6:24, ethertype IPv4 (0x0800), length 73: (tos 0x0, ttl 128, id 48270, offset 0, flags [none], proto UDP

I can see the mac of pfsense LAN network in my wifi client and also able to ping that IP of that mac, but DNS query is not working.

johnpoz · Sep 29, 2019, 7:17 PM

And is unbound running on pfsense?

Or did you turn it off - why do you keep asking 30.10 anything?

Lets see query from your boxes you say work, and then from your wireless client... This isn't freaking rocket science here.. I don't care you if you query 30.1 or 8.8.8.8 - you have yet to show a sniff that your actually getting to pfsense..

do a dns query from one of your other physical boxes, not some VM... Lets see it query pfsense 30.1 for dns, and then do the query from your wifi.

Also lets actually see your LAN rules..

DINU · Sep 29, 2019, 7:43 PM

@johnpoz said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

And is unbound running on pfsense?

Or did you turn it off - why do you keep asking 30.10 anything?

Lets see query from your boxes you say work, and then from your wireless client... This isn't freaking rocket science here.. I don't care you if you query 30.1 or 8.8.8.8 - you have yet to show a sniff that your actually getting to pfsense..

do a dns query from one of your other physical boxes, not some VM... Lets see it query pfsense 30.1 for dns, and then do the query from your wifi.

Also lets actually see your LAN rules..

I have removed my wifi router cable connected to second NIC of physical machine. Now, I have connected network switch and from switch I have connected my Windows 10 laptop to do simple test whether internet is working through direct connection. Attached Outbound and LAN firewall rule.

when do DNS query to 192.168.30.1 I can see below :

What I can see is any thing goes through second NIC of physical server (ie) through LAN network .. unable to get internet...

Second NIC of physical host is taking IP from Windows DHCP server...

johnpoz · Sep 29, 2019, 7:48 PM

Dude freaking sniff already... And is anything even listening on 30.1 for dns???

Going to say this one last time - pfsense can not do anything with traffic it never sees.. I have showed you multiple times how to do a sniff and validate dns query actually gets to pfsense lan interface so it can do something with it.. Be it answer it itself or pass it on to some other dns..

DINU · Sep 29, 2019, 7:48 PM

@johnpoz said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

dude freaking sniff already... And is anything even listening on 30.1 for dns???

I have tried DNS query from one of the machine (ie) VM which is sitting on LAN network and able to query..

johnpoz · Sep 29, 2019, 7:56 PM

I said do it from a physical network device.. And that sure doesn't look right.. how come it didn't come back with pfsense name for the 30.1 address?

$ nslookup
Default Server:  pi-hole.local.lan
Address:  192.168.3.10

> server 192.168.9.253
Default Server:  sg4860.local.lan
Address:  192.168.9.253

See how the IPs resolve to their name... sg4860.local.lan for pfsense IP 9.253

So what your saying is no physically connected device can do a dns query that actually gets to pfsense for pfsense do anything with? How is that a pfsense problem? You have something wrong in your VM host setup..

DINU · Sep 29, 2019, 8:07 PM

@johnpoz said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

I said do it from a physical network device.. And that sure doesn't look right.. how come it didn't come back with pfsense name for the 30.1 address?
$ nslookup
Default Server:  pi-hole.local.lan
Address:  192.168.3.10

> server 192.168.9.253
Default Server:  sg4860.local.lan
Address:  192.168.9.253
See how the IPs resolve to their name... sg4860.local.lan for pfsense IP 9.253

So what your saying is no physically connected device can do a dns query that actually gets to pfsense for pfsense do anything with? How is that a pfsense problem? You have something wrong in your VM host setup..

when I do nslookup pfSenseFR.localdomain I can get queried and get IP as 192.168.30.1 in my local VM..But when I do same in another physical machine dns is not working .

So what your saying is no physically connected device can do a dns query that actually gets to pfsense
Yes you are correct.. I am saying this from beginning....

Can you guide me how to connect physical device through second NIC to use as LAN network to connect pfsense network

johnpoz · Sep 29, 2019, 8:12 PM

How are you pinging it if not connected??? Your saying you never pinged it from a physical device?

How do you have it setup, what are you using for a VM host software?

DINU · Sep 29, 2019, 8:16 PM

@johnpoz said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

How are you pinging it if not connected??? Your saying you never pinged it from a physical device?
I never said that I am unable to connect to LAN network. I am saying that unable to browse the internet from my physical device connected through LAN network..
How do you have it setup, what are you using for a VM host software?
I have windows 2012 R2 in my physical host and VMware workstation as host software..
I have two physical NIC in my host..
one is connected (ie) bridged to pfsense WAN and
Second NIC is bridged with pfsense LAN

DINU · Sep 29, 2019, 9:21 PM

Pls find below my network connected :

bmeeks · Sep 29, 2019, 11:12 PM

@DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

Pls find below my network connected :

In your drawing, two devices have the same IP address. Virtual Machine #3 (DHCP and Sec DNS) is shown as having IP 192.168.30.11, but so is the Windows 10 Laptop machine shown hanging off the external switch. That won't work. Is it a typo?

DINU · Sep 29, 2019, 11:22 PM

@bmeeks said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

@DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

Pls find below my network connected :

In your drawing, two devices have the same IP address. Virtual Machine #3 (DHCP and Sec DNS) is shown as having IP 192.168.30.11, but so is the Windows 10 Laptop machine shown hanging off the external switch. That won't work. Is it a typo?

it is typo error Windows 10 Laptop is 192.168.30.111

bmeeks · Sep 30, 2019, 12:29 AM

@DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

@bmeeks said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

@DINU said in Firewall Rule to Allow RDP from WAN to LAN......Need help:

Pls find below my network connected :

In your drawing, two devices have the same IP address. Virtual Machine #3 (DHCP and Sec DNS) is shown as having IP 192.168.30.11, but so is the Windows 10 Laptop machine shown hanging off the external switch. That won't work. Is it a typo?

it is typo error Windows 10 Laptop is 192.168.30.111

I just noticed another issue that hopefully is also a typo. You have the Asus router shown with IP 192.168.30.100, but you are also showing that same IP address apparently assigned to the eth1 interface on the VM Physical Host. That can't be correct.

And the external switch you are showing, is it a dumb switch or a managed switch? If managed, are any VLANs defined in it and is at least one trunk port configured?

And which hypervisor are you using? Is it ESXi, Hyper-V or something else?