RDC Port Forwarding thru Comcast Modem
-
Hi and Thank You in advance. I'm a NOOB with this firewall stuff. I'm trying to user Remote Desktop Connection (RDPC to remote into a local computer. The RDC address I'm connecting to is 24.n.n.n:5nn11. 24.n.n.n is the Comcast modem WAN address.
I have a Comcast Business DPC3941B modem with bridge mode disabled. Its WAN address is 24.n.n.n and LAN address is 10.1.10.1. Its LAN port is connected to the pfSense WAN port which has the DHCP address 10.1.10.91. The LAN address of the computer I'm trying to remote into is 10.124.n.45.
In pfSense -> Firewall -> NAT -> Port Forward I've setup a rule to forward incoming port 5nn11 to IP address 10.124.n.45 port 3389.
For several weeks this all worked just fine. Last week without anyone on our end changing anything, it quit connecting with the target device is turned off, RDC is not enabled, etc. From another internal computer I can successfully remote into that computer using just its IP address.
Any help would be greatly appreciated.
The Comcast modem IPv4 firewall is set to minimum security and Disable Firewall for True Static IP Subnet Only is checked. IPv6 is set to Typical Security.
-
Some notes:
- if 10.1.10.91 is not a DHCP reservation, consider making it a static IP and setting it as the DMZ
- otherwise the Comcast router would need to forward the port to the pfSense, which can then forward the port to the PC
- check the PC's firewall allows the connection (a "public" network would likely block it)
- set an account lockout policy on the PC
- consider MFA (Duo is free for under 10 accounts)
- consider Snort or Suricata to block failed RDP connections
- consider only allowing RDP from approved addresses or only allow your country (pfBlocker)
On top of all that we've seen a few cases where the Comcast router internal security or whatever gets in the way and rebooting the Comcast router fixes/resets it. Once we had to power it off. It seemed like Comcast was blocking the connection. Have not seen that for a year or two though.
-
@steveits Thank you for your quick reply.
-
The Comcast modem is the DHCP server and provides the pfSense WAN address of 10.1.10.91.
-
The firewall settings on the modem is supposed to allow everything to pass WAN to LAN.
-
The destination PC's firewall is configured to allow remote desktop connections from any source.
-
I'm not sure what you mean by an account lockout policy. Do you mean that after X attempts to connect, the account is locked from further attempts?
-
Is MFA multi-factor-authentication? Both are good ideas but can wait until I get RDC working in the first place.
-
Both Snort and Suricata are also good ideas once I get RDC to work in the first place.
Remote access using RDC worked for a couple months. As I said, I'm a NOOB at this stuff and haven't a clue why it stopped working.
-
-
@accidentalit said in RDC Port Forwarding thru Comcast Modem:
The firewall settings on the modem is supposed to allow everything to pass WAN to LAN
"allow" is different than "forward the port to." The remote PC connects to 24.n.n.n:port and the Comcast router has to send that to 10.1.10.91. If, say, the pfSense WAN IP changes, that forwarding won't work anymore.
You can test if pfSense is OK by plugging another PC into the Comcast router and connecting to 10.1.10.91:port and if it works, then the issue is presumably upstream in the Comcast router.
Yes, MFA is that, and the lockout policy is in Windows to do just that. Otherwise "they" will just guess passwords forever. It also helps to not have a login with a first/common name like "Adam" or "Admin" or "Jeff" as they try those frequently.
-
@steveits Thank you for your clarification.
I Love your suggestion! Trying to remote to 10.1.10.91:5nn45 worked like it is supposed to. The problem is with the Comcast modem.
Would changing the modem to bridge mode finish solving this annoying problem?
-
Bridge mode would give your pfSense a public WAN IP so there would not be port forwarding on the Comcast. Basically, yes.