MultiWAN and rdp



  • The task was originally this: I needed to configure automatic switching between two providers if one of them goes down. I have three pfSense boxes. Two of them are gateways for the third, and the third pfSense is the gateway for a client computer (Win 2012). The first and second pfSenses have two interfaces, WAN and LAN: WAN connects to the Internet; LAN connects to its own network. The third pfSense (which is connected to the client computer) has three interfaces, two WAN and one LAN. Each WAN is connected to its own pfSense gateway, and the LAN is connected to the client computer; each has its own network. The LAN of the first and second pfSense and the WAN of the third pfSense each have their own network. The client computer's LAN and the LAN of the third pfSense have their own network. I configured auto-switching.

    And I have a new question: how do I connect to this scheme on the RDP port (3389) from the "outer space internet"?

    Sorry for my bad English, I used the Google Translate service :)



  • IMHO best practice would be to use a VPN to connect in, then run RDP over that. If you do that, you still need to port forward an OpenVPN server port like 1194.
    Anyway, you could forward 3389 by:
    a) Forward the port on each front pfSense (1 and 2) to the WAN of pfSense 3.
    b) On pfSense 3, forward 3389 to the server.
    c) On all the port forwards, allow pfSense to automatically create an associated firewall rule.
    d) On pfSense 3, create a gateway group "MyServer" with the WAN1 gateway at tier 1 and the WAN2 gateway at tier 2.
    e) Edit the WAN1 and WAN2 gateways and choose a real outside alternative monitor IP for each (like 8.8.8.8 and 8.8.4.4).
    f) Use a dynamic DNS service: in Services->Dynamic DNS, add an entry for your name (e.g. myserver.dynsdns-ip.com) and interface "MyServer".

    pfSense will monitor the gateways. When WAN1 is down, it will change the dynamic DNS name to be the public IP of WAN2. Use the name to connect from outside.

    Note: If the public WANs of pfSense 1 and 2 have dynamic public IPs, then pfSense 3 may not notice when those change. Install the Cron package and edit the dyndns update job to run frequently (e.g. every 5 minutes); it will then check the public IPs and notice if they have changed.
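An outside-in check for the DDNS failover the answer above describes, written here as an added example (it is not code from the thread or from pfSense). Run from a host on the Internet, it resolves the dynamic DNS name, works out which front pfSense (WAN1 or WAN2) the record currently points at, and probes the forwarded port on every known public IP, so it can tell a healthy failover apart from the stale-record case in the note above (the name still pointing at a WAN that no longer answers). The hostname and the two public IPs are constructed placeholders; the resolver and prober are injectable so the decision logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Outside-in verification of a dynamic-DNS based dual-WAN failover.

Added example, not from the original thread. Assumes the setup in the
answer: a DDNS name that pfSense 3 updates to the public IP of whichever
front pfSense (WAN1 or WAN2) is currently up, with the RDP port (3389)
forwarded through to the server behind it.
"""
import socket
from typing import Callable, Dict, Optional

# Constructed placeholders for illustration; use your own values.
DDNS_NAME = "myserver.example.net"           # hypothetical DDNS name
WAN_PUBLIC_IPS: Dict[str, str] = {           # hypothetical public IPs
    "WAN1": "198.51.100.10",                 # public IP of front pfSense 1
    "WAN2": "203.0.113.20",                  # public IP of front pfSense 2
}
RDP_PORT = 3389

Resolver = Callable[[str], Optional[str]]
Prober = Callable[[str, int], bool]


def resolve(name: str) -> Optional[str]:
    """Return the A record the local resolver currently hands out, or None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_probe(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes within the timeout.

    Only proves the port forward chain accepts the SYN; it does not
    authenticate to RDP.
    """
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_failover(name: str, wan_ips: Dict[str, str], port: int,
                   resolver: Resolver = resolve,
                   prober: Prober = tcp_probe) -> dict:
    """Classify the current state of the DDNS-published path.

    Statuses:
      OK            name points at a WAN whose forwarded port answers
      STALE_RECORD  name points at a WAN that does not answer while
                    another WAN does (DDNS not updated yet, or the
                    front box's public IP changed unnoticed)
      ALL_DOWN      no WAN answers on the forwarded port
      UNKNOWN_IP    name resolves to an address that is neither WAN
      NXDOMAIN      name does not resolve
    """
    ip = resolver(name)
    alive = {wan: prober(addr, port) for wan, addr in wan_ips.items()}
    if ip is None:
        return {"ip": None, "path": None, "alive": alive, "status": "NXDOMAIN"}
    path = next((wan for wan, addr in wan_ips.items() if addr == ip), None)
    if path is None:
        status = "UNKNOWN_IP"
    elif alive[path]:
        status = "OK"
    elif any(alive.values()):
        status = "STALE_RECORD"
    else:
        status = "ALL_DOWN"
    return {"ip": ip, "path": path, "alive": alive, "status": status}


if __name__ == "__main__":
    result = check_failover(DDNS_NAME, WAN_PUBLIC_IPS, RDP_PORT)
    print(f"{DDNS_NAME} -> {result['ip']} ({result['path']}): {result['status']}")
    for wan, up in result["alive"].items():
        print(f"  {wan} {WAN_PUBLIC_IPS[wan]}:{RDP_PORT} {'answers' if up else 'no answer'}")
```

A STALE_RECORD result is the signal that the cron-driven dyndns refresh from the note above is needed (or not running), since the name is lagging behind the gateway that actually answers; remember that the public resolver you run this from may also be serving a cached answer up to the record's TTL.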

