LAN RDP not working with pfSense?



  • Hi,
I have two WAN connections, which are combined as a multi WAN with pfSense. pfSense is running as a Hyper-V machine on my Windows Server 2012 R2. Multi WAN is working, I've already tried it out by changing my gateway (of my client) to the LAN address of pfSense (from 5.5 Mbit/s to 10 Mbit/s). Now I want to have pfSense as gateway on my server. But when I change the gateway to pfSense (192.168.0.207), I can't connect to the server with RDP (tried Windows 7 + 8 clients; error in attachment). But ping is working on IP and name. I even tried to turn off the firewall on the server.
    I don't understand why there is a connection to the gateway when I connect to my server in the LAN.
    Anyway, I tried to set a rule on pfSense to pass RDP (3389) on the LAN interface, but that doesn't work either.
    It still seems to block 3389. I tried to "ping" with nmap and it says the port 3389 is "filtered".

I even found an old post about the same problem, but it wasn't helpful for me: https://forum.pfsense.org/index.php?topic=38317.0

Network details (IP addresses are not chosen wisely, will be changed soon :) )
    Router1: 192.168.0.1
    Router2: 192.168.0.138
    DNS: 192.168.0.5 = Windows Server = DHCP Server
    pfsense:
    192.168.0.207 (LAN)
192.168.0.206 (WAN2 --> Router2)
    192.168.0.205 (WAN1 --> Router1)

    EDIT: Restarting the server -> same result
When I change the gateway back to Router1 or Router2, RDP is working again.
    I hope you know what the German error message approximately means :)



  • The way you have this set up is going to cause you many problems.
    It will never work right if all your interfaces are on 192.168.0.x
    If you have to do this in Hyper-V, you should have dedicated nics for the WAN interfaces.
    If possible, your WAN interfaces should have public IPs- connect directly to the modems, or disable NAT on the router. Please review some of the basic tutorials.



  • Actually it works, only rdp makes problems.
Why should I have dedicated NICs (you mean physical ones, right?) when I can use virtual NICs?
    At first, I wanted to separate my LAN, so that both routers are in a different LAN. But I want to have the possibility that certain PCs receive pfSense as gateway, and some get Router1/2 directly as gateway.
    I know that this setup is not as usual, but I don't see why that would be a problem.

EDIT: It's just my private network, not a company ;)



If it's working, great. But what you consider 'not as usual' is 'not set up correctly'.
    I think you would find more people willing to help out if you had a more usual configuration.
    Good luck.



  • Ok, but I can't install 3 additional NICs in my server, because I don't have enough slots.
    And if I use public IPs for my Routers, I don't have the possibility to change the gateway to one of the routers.
Sorry for being so stubborn, but I don't understand why this network is not set up correctly. Does pfSense not allow using private addresses on WAN interfaces? Or is it generally bad to use a gateway that doesn't lead directly to a different network? What exactly is the problem?



  • Your biggest problem is that all your interfaces are on the same subnet. For the firewall to route traffic correctly the LAN, WAN, and WAN2 must be on different subnets.
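As an added illustration of this reply (example code, not from the thread or from pfSense itself): a small Python check over the interface plan from the first post that flags any two interfaces sharing a subnet. The /24 masks and the 192.168.1.x / 192.168.2.x WAN addresses are assumptions; the "half fixed" plan shows that moving both WANs onto one new subnet would still leave them overlapping each other.

```python
from ipaddress import ip_interface
from itertools import combinations

# Constructed from the "network details" in the first post; the /24 masks
# are an assumption, since the post does not give subnet masks.
ORIGINAL_PLAN = {
    "LAN":  "192.168.0.207/24",
    "WAN1": "192.168.0.205/24",   # --> Router1 at 192.168.0.1
    "WAN2": "192.168.0.206/24",   # --> Router2 at 192.168.0.138
}

# A literal reading of "move WAN to 192.168.1.x" with both WANs on that
# subnet. Host parts are hypothetical.
HALF_FIXED_PLAN = {
    "LAN":  "192.168.0.207/24",
    "WAN1": "192.168.1.205/24",
    "WAN2": "192.168.1.206/24",
}

# Every interface on its own subnet, as the reply requires. Hypothetical addresses.
PROPOSED_PLAN = {
    "LAN":  "192.168.0.207/24",
    "WAN1": "192.168.1.205/24",
    "WAN2": "192.168.2.206/24",
}


def overlapping_interfaces(plan):
    """Return sorted (name, name) pairs whose subnets overlap.

    The firewall picks the egress interface from the destination network,
    so two interfaces sharing a network leave that choice ambiguous.
    """
    nets = {name: ip_interface(addr).network for name, addr in plan.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def plan_is_routable(plan):
    """True when no two interfaces share a subnet."""
    return not overlapping_interfaces(plan)


if __name__ == "__main__":
    for label, plan in [("original", ORIGINAL_PLAN),
                        ("half fixed", HALF_FIXED_PLAN),
                        ("proposed", PROPOSED_PLAN)]:
        print(f"{label:>10}: overlaps={overlapping_interfaces(plan)}")
```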



  • Any chance you can get access to a small VLAN switch?

You could use that to effectively "split" one of your NICs into two (or more) VLANs.



  • Any chance you can get access to a small VLAN switch?

Not at the moment.

    So, if I change my router addresses and the pfSense WAN addresses to a 192.168.1.x network, the firewall should be working, right? Or do I have to use public addresses?

    And is there no way to set up the firewall manually when I use the same subnet?



Again, the short answer is the LAN(s) and WAN(s) need to be on different subnets to allow for proper routing. If you can start there (move WAN to 192.168.1.x and leave the LAN on 192.168.0.x) pfSense can be made to work "properly".

    What is the hardware this is running on? Is this a VM or baremetal install? What are the modems/ISP you're connecting to? You mentioned not having enough free slots for extra NICs, you know you can easily get dual or quad port NICs right?

    The best setups IMHO are using your ISP's gear as a modem only and getting the WAN port(s) in pfSense a public address. This lets pfSense act as the master "gatekeeper" of all your internet traffic (in or out) and is what it was designed for. You may have needs or applications that make this more difficult or impossible.

    Tell us more about what you're trying to accomplish and what you got to do it with and we can try and help more.



  • @divsys:

    What is the hardware this is running on?  Is this a VM or baremetal install?

    He mentioned earlier it was a Hyper-V install.



VM is running on Hyper-V on Windows Server 2012 R2.
    Router/Modems are a Fritzbox 7390 and a Technicolor TG788 (standard ISP modem/router)

    you know you can easily get dual or quad port NIC's right?

Right, I didn't think of that :D. But they aren't cheap, are they? (I mean 1 Gbit/s.) I don't want to spend a lot of money on that. But the alternative would be VLAN, right?

But if I use pfSense as a "gatekeeper", having the WAN on a different subnet, is it possible to realise this example?

    One person is downloading with both connections at 10 Mbit/s. Another person wants to play a game online and needs good latency. Person 1 is now limited to using only one connection, so that the other connection is completely free for the gamer.

    Maybe QoS would also be an alternative, but is the latency really unaffected then?