Firewall Rule to Allow RDP to LAN..?

  • Hi everyone,

    Here is my setup -

    Vigin Modem>TP-LINK Wireless Router>PFsense>LAN

    so basically i have a Virgin Modem connected to a hardware router IP- which is connected to Pfsense IP . (Virtual Machine)

    The WAN IP for the Pfsense is and the LAN IP is

    I have port forwarded port 3389 from Hardware router (TP-LINKS) to the IP of pfsense WAN ip-

    I have setup NAT+firewall rule successfully and can RDP from work, however i cannot seem to RDP to internal LAN if i am connected from Wireless Router (network If i turn the firewall function off in pfsense then i am able to RDP successfully- (so looks like its a rule issue)

    so what is going on guys,  can someone guide me on how to create a rule so that when i connect from Wireless Router to as its proving to be too dificult to setup?

    Thanks in Advance!

  • Modify your WAN interface, at the bottom of the screen is an option to block private networks. Uncheck this.

  • its already unticked, do i not need to create any rules, as when i turn firewall and NAt option completely off then it works?


  • Yes, you need to create rules. One from to on the OPT? link and to on the LAN. This will need to be above all rules for their interface. If this doesn't work, please post your rules and we can help from there.

  • ive attached two screen print showing a route from TP LINK to and a rule on pfsense (which im not sure its correct) can you please provide step by step guide on how to do this in Pfsense? (sorry as im new to pfsense and have limited knowledge)

  • okay first thing, you are looking on the LAN and not the WAN. There should be a default rule in LAN that says from LAN Net any thing can go any where on any port. So then you need a WAN rules that reads:

    Protocol    Source    Source port    Destination                            Destonation port Gateway …. Comments.
    TCP          any          any                192.168.0.<octet of="" system="">      3389                *            What ever you like.

    You will also have a the matching port forward rule > 192.168.0.<octet of="" system="">. I think you may have this completed already.</octet></octet>

  • ok, ive done what you suggested its highlighted in yellow and its still not working, do i need to reboot pfsense after i make changes? also ive attached screen prints of whats configured. The strange thing is if i come from outside (internet) the RDP works Nat+Rule, but why is proving to be difficult from a router thats connected to Pfsense? your help is appreciated…

    ive also added firewall logs that may help-

  • firewall log attached-

  • What does your port forward rule look like?

  • here you go…

  • What is the outbound NAT doing? Auto or not?

  • nothing by looks of it?

  • You might want to go ahead and switch to manual NAT and NAT only on the WAN interface and do pure routing otherwise.

  • this is becoming very difficult to configure, would you mind elaborate and provide step by step on how to configure manual NAT please? Changing it to manual mode, will require me to re-create all rules is this correct?

    when i enable manual i see these rules?


  • Those should be the only rules you need. Are you using ESX 5 per chance?

  • Yes it's a esx 5 virtual environment, pfsense and all other machines are VM's?

  • In my lab, yes they are. I will throw up your type of config and see what happens. I suspect mine will work .. my bridge doesn't though :(.

  • Finally got the bridge working. So tell me, did you leave the default of keep state on all the rules?
    holly crap I just noticed that your route to is not correct. Just thinking of network basics.
    It should read GW (pfSense WAN port) not .1.
    Are you trying to access them their address or the WAN IP?

  • excellent changing the DG to did the trick, i cant believe i didnt pick that up! (something so simple) :)

    Thanks for your help all is now working..


  • Hi,

    Just wanted to know, if i turn off the firewall functionality in Pfsesne it will also disable NAT, (router mode) how can i then access from internet, how do i forward port forwading in a router mode only?

    also- do you have any custom captive portal page or know of any site i can download and tweak it?  :)


  • With firewall disabled, so is the NAT as that is a function of the firewall. So, you don't port forward in router mode only.

    I don't know of any captive portal custom stuff. Perhaps those that are monitory the Captive portal threads can let you know.

  • in a hardware router, you have an option to port forward to a LAN IP also known as (virtual servers) is this option not available in Pfsense?


  • generally in a hardware firewall/router, you cannot disable the entire FW like you can in pfsense. You can setup allow all rules and then do what kind of NATing you like.

Log in to reply