PfSense 2.0.1 on Vmware 5.0 Port forwarding problem



  • Thanks for reading in advance!

    So, I'm a newbie on using PfSense… and have a problem forwarding ports (80, 443, 3389) from the internet to a server behind a virtual PfSense firewall; hopefully someone can help me. :)

    I will try to describe my setup as best as I can:

    I've installed a Vmware ESXi 5.0 server, basic install, no modifications whatsoever. This machine has two physical interfaces, eth0 and eth1.
    eth0 is connected to vswitch0 and is used for vmware management. This interface has an external IP address (XXX.XXX.XXX.30) so that I can reach the ESX machine from everywhere I want on the 'net. This is working perfectly.
    eth1 is connected to vswitch1 and is used for internet and access to the virtual machines. vswitch1 is connected to the WAN interface of the PfSense, also with an external IP address (XXX.XXX.XXX.31).
    Furthermore, a third vswitch (vswitch2) is present. This vswitch does not have a 'real' adapter connected but is used for the internal network; the PfSense LAN port (IP 10.1.0.1) is connected to this vswitch, as is a (virtual) Windows 2008 server, vmware tools installed.
    The Windows machine has its default gateway set to the LAN IP address of the PfSense, and I can reach websites on the internet from the Windows machine. The IP address of this machine is 10.1.0.11.
    For the physical interfaces in vmware I chose Intel E1000 to be presented to the PfSense.

    I want to give RDP access to the Windows machine from the internet. So, I've allowed RDP on the Windows machine, made the necessary Windows firewall adjustments (done automatically, of course) and created a NAT + Firewall rule on the PfSense so that traffic from any IP address on the internet on port 3389 is forwarded to internal IP 10.1.0.11. However, no traffic is allowed. Rules for website access (i.e. 80, 443) to that Windows machine are also not functioning. I've tried shutting down the Windows firewall; this doesn't help. I can ping the server from the PfSense.

    When I go through the logfiles on the PfSense, firewall section, two notifications keep popping up:
    @1 scrub in on em1 all fragment reassemble
    @1 block drop in log all label "Default deny rule"

    I can make the first notification disappear by going to System > Advanced > Firewall and NAT and checking the "Disable Firewall Scrub" box. However, no matter what I try, the second message won't go away and traffic to the internal Windows machine keeps getting blocked.

    Long story, but is there anyone who can tell me what I'm doing wrong? ???



  • Can you post your rules in the WAN section of pfSense? From your description, it appears that you have set the source port to 3389. In normal communication, the destination port is 80, 443, or 3389 and the source port matches the source IP (as in: any source on any source port is allowed to 10.1.0.11 on either port 80, 443, or 3389).
    Your port forward rules need to match up to this as well. You are also going to have to change the default web configurator ports on pfSense so that there is no conflict. Port 8080 and port 8443 should work.



  • At the moment there is only one rule in place, just for testing purposes:

    Proto: TCP  Source: * Port: * Destination: 10.1.0.11 Port: 3389 Gateway: * Queue: * Schedule: empty

    The corresponding NAT Rule is as follows:

    If: WAN Proto: TCP Src. addr: * Src. ports: * Dest. addr: LAN address Dest. ports: 3389 NAT IP: 10.1.0.11 NAT Ports: 3389



  • On the port forward NAT, the DEST Address should be the WAN address or a VIP on the WAN interface and not anything on the LAN side. The NAT ip and everything else looks good.

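The fix in the reply above (a port forward whose destination is a LAN-side address can never match a packet arriving on WAN, so it falls through to the default deny) can be checked mechanically against `pfctl -sn` output. The script below is an added example, not from the thread or from pfSense itself; it assumes WAN is em1, the LAN subnet is 10.1.0.0/24, and uses 203.0.113.31 as a stand-in for the masked WAN address. The sample rules are constructed to mirror the broken and corrected forwards discussed here.

```python
import ipaddress
import re

# Constructed sample of `pfctl -sn` output (not copied from the thread).
# Rule 1: the forward as first configured (destination = LAN address 10.1.0.1).
# Rule 2: the corrected forward (destination = WAN address).
# Rule 3: ordinary outbound NAT, not a port forward.
SAMPLE_PFCTL_SN = """\
rdr on em1 inet proto tcp from any to 10.1.0.1 port = 3389 -> 10.1.0.11 port 3389
rdr on em1 inet proto tcp from any to 203.0.113.31 port = 3389 -> 10.1.0.11 port 3389
nat on em1 inet from 10.1.0.0/24 to any -> 203.0.113.31
"""

# Tolerant parser for old-style pf rdr lines: optional address family, optional
# proto, "port = N" on the match side and "port N" on the redirect side.
RDR_RE = re.compile(
    r"^rdr on (?P<ifname>\S+)(?: inet6?)?(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+) to (?P<dst>\S+)(?: port (?:= )?(?P<dport>\d+))?"
    r" -> (?P<target>\S+)(?: port (?P<tport>\d+))?"
)


def check_port_forwards(pfctl_output, wan_if, lan_subnets):
    """Return (rule_line, reason) for every rdr rule that cannot match inbound WAN traffic.

    Packets from the internet arrive on the WAN interface addressed to the WAN IP
    (or a VIP on WAN). An rdr bound to another interface, or whose destination
    lies in a LAN subnet, never matches them, so pf's default deny logs the drop.
    """
    lan_nets = [ipaddress.ip_network(n) for n in lan_subnets]
    problems = []
    for line in pfctl_output.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue  # nat/binat lines and anything this parser does not understand
        if m["ifname"] != wan_if:
            problems.append((line, f"bound to {m['ifname']}, not the WAN interface {wan_if}"))
            continue
        try:
            dst_ip = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # "any", or an alias/table such as <hosts>: cannot judge statically
        hit = next((n for n in lan_nets if dst_ip in n), None)
        if hit is not None:
            problems.append((line, f"destination {dst_ip} is inside LAN subnet {hit}; "
                                   "use the WAN address or a WAN VIP instead"))
    return problems


if __name__ == "__main__":
    for rule, reason in check_port_forwards(SAMPLE_PFCTL_SN, "em1", ["10.1.0.0/24"]):
        print(f"UNREACHABLE FORWARD: {rule}\n    {reason}")
```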


  • Thanks!! That was the solution!

