Netgate Discussion Forum
    How do I setup rules to enable RDP on multiple servers behind pfSense with NAT?

    7 Posts 5 Posters 16.5k Views
    Assar

      I'm planning to replace my old Netgear router with a PC-based pfSense fw.
      My external IP range is 82.xx.xx.0 / 26, which means 61 unique IPs to use.
      Inside the LAN I have a couple of servers and some workstations, all configured with local NAT IPs.
      When I'm at home I want to administrate my servers via RDP, and therefore each server has its own external IP.

      I imagine the rule should look like this:
      Destination: 82.xx.xx.3
      Port: MS RDP

      And then…???

      // Martin

      Seth

        I wouldn't set up 1:1 relationships exposing your internal devices to the world, akin to sitting in front of the keyboard.

        Consider a VPN, client-to-site or site-to-site, with pfSense.

        Or build an SSL VPN box from 3SP SSL-Explorer. Go as far as to place this box in the DMZ with restrictive firewall rules to the protected LAN.

        GruensFroeschli

          Seth: this is not true.
          Only if you create a rule that allows everything in.
          The "normal" way is to only allow the ports you use.
          --> The 1:1 NAT approach is viable.

          @Assar: You create on the WAN a VIP for each server you have. Then use the VIP in a 1:1 NAT mapping.
          After that, create a rule on the WAN for each server you want access allowed to.

          Alternatively you could forward just single ports from the VIPs
          --> "normal" forwarding of ports and not 1:1

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          Seth

            Assar, you're correct that this is viable and I agree with your approach. My assertion was to allow access securely from many locations, not limiting to just one or a few. Tunneling the RDP stream isn't a bad idea either, even though you're not currently able to decode RDP.

            Assar

              @GruensFroeschli
              Thanks.
              You set me on track about VIPs.
              I searched more on the forum and found out that this question should be placed in the NAT part.
              Found a good post there:
              http://forum.pfsense.org/index.php/topic,6965.msg39493.html#msg39493

              @Seth
              You are so right about the bad part of exposing RDP to the world, but this is the way things are done right now.
              The goal at the moment is to replace an old Netgear router with the same functionality.
              (Excluding the built-in random dying function in Netgear)

              fastcon68

                I have also had this as a challenge, and here is what I did to fix it. I moved Terminal Services to a different port because we were using Citrix. I have 4 different servers and could connect to any of them from the outside by using a different TS port on each server.
                RC

                gbelanger

                  Your best bet is probably, as mentioned above, to assign a different port and do port-based DNAT (port forwarding) to your internal servers based on their ports.

                  Example:

                  Map 3389 to your internal server (192.168.0.5)
                  Map 3390 to another machine (192.168.0.6)
                  Map 3391 to another machine … etc.

                  Then, using MSTSC, you can specify an alternate port by using the WAN_IP:port syntax (64.34.153.10:3390).

                  But it would be considered a better practice to open these ports through a VPN (PPTP works well) or at the very least, limit access to a given source IP address.

                  Guillaume Bélanger
                  http://www.exosource.com

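Added example, not code from this thread or from pfSense itself: a small Python model of the two designs the posters describe, the VIP plus 1:1 NAT approach (GruensFroeschli's post) and the one-WAN-IP, one-external-port-per-server forwarding approach (fastcon68's and gbelanger's posts). It emits FreeBSD-pf style `binat`/`rdr`/`pass` lines, rejects duplicate external ports and non-private internal addresses, restricts the pass rules to an admin source list (gbelanger's "limit access to a given source IP" caveat), and resolves the `WAN_IP:port` that you would type into MSTSC to the internal host it lands on. The interface name `em0`, the 203.0.113.0/26 prefix standing in for the thread's 82.xx.xx.0/26, the 198.51.100.7 admin address and the server inventory are all constructed placeholders; pfSense writes its own pf.conf from the GUI, so treat the output as a model of the resulting rules rather than a file to load.

```python
# Added example (not from the thread or pfSense): model the two RDP-through-NAT
# designs discussed above as pf-style rules. All names and addresses are
# constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Tuple

RDP_PORT = 3389                             # MS RDP / Terminal Services default
WAN_IF = "em0"                              # constructed WAN interface name
WAN_PREFIX = ip_network("203.0.113.0/26")   # stands in for the thread's 82.xx.xx.0/26
ADMIN_SOURCES = ("198.51.100.7/32",)        # constructed: the admin's home address


@dataclass(frozen=True)
class Server:
    name: str
    internal_ip: str

    def __post_init__(self) -> None:
        # A forward target must be an inside (RFC 1918) host, never a public address
        if not ip_address(self.internal_ip).is_private:
            raise ValueError(f"{self.name}: {self.internal_ip} is not a private address")


def _source_spec(sources: Sequence[str]) -> str:
    # pf brace list of allowed sources; an empty list degrades to "any",
    # which is exactly the "open to the world" case Seth warns about
    return "{ " + ", ".join(sources) + " }" if sources else "any"


def _pass_rule(srv: Server, sources: Sequence[str]) -> str:
    # pf evaluates pass rules after translation, so match the internal address.
    # Only the RDP port is admitted; everything else to the VIP stays blocked.
    return (f"pass in on {WAN_IF} proto tcp from {_source_spec(sources)} "
            f"to {srv.internal_ip} port {RDP_PORT} flags S/SA keep state  # {srv.name}")


def one_to_one_rules(vips: Dict[str, Server],
                     sources: Sequence[str] = ADMIN_SOURCES) -> List[str]:
    """Design 1: one WAN VIP per server, 1:1 NAT, pass rule limited to RDP."""
    rules: List[str] = []
    for vip, srv in vips.items():
        if ip_address(vip) not in WAN_PREFIX:
            raise ValueError(f"VIP {vip} is outside {WAN_PREFIX}")
        # binat maps the whole address both ways; the pass rule decides what gets in
        rules.append(f"binat on {WAN_IF} from {srv.internal_ip} to any -> {vip}")
        rules.append(_pass_rule(srv, sources))
    return rules


def validate_port_map(port_map: Sequence[Tuple[int, Server]]) -> Dict[int, Server]:
    """Design 2 input check: each external port must be valid and used once."""
    seen: Dict[int, Server] = {}
    for ext_port, srv in port_map:
        if not 1 <= ext_port <= 65535:
            raise ValueError(f"bad external port {ext_port}")
        if ext_port in seen:
            raise ValueError(f"port {ext_port} already forwards to {seen[ext_port].name}")
        seen[ext_port] = srv
    return seen


def port_forward_rules(wan_ip: str, port_map: Sequence[Tuple[int, Server]],
                       sources: Sequence[str] = ADMIN_SOURCES) -> List[str]:
    """Design 2: one WAN IP, distinct external port per server, rdr to 3389 inside."""
    rules: List[str] = []
    for ext_port, srv in validate_port_map(port_map).items():
        rules.append(f"rdr on {WAN_IF} proto tcp from {_source_spec(sources)} "
                     f"to {wan_ip} port {ext_port} -> {srv.internal_ip} port {RDP_PORT}")
        rules.append(_pass_rule(srv, sources))
    return rules


def resolve(port_map: Sequence[Tuple[int, Server]], ext_port: int) -> Optional[Tuple[str, int]]:
    """Where does WAN_IP:ext_port (the MSTSC host:port syntax) actually land?"""
    srv = validate_port_map(port_map).get(ext_port)
    return (srv.internal_ip, RDP_PORT) if srv else None


# Constructed sample inventory mirroring gbelanger's example addresses
SERVERS = [Server("srv1", "192.168.0.5"), Server("srv2", "192.168.0.6"), Server("srv3", "192.168.0.7")]
VIPS = {"203.0.113.3": SERVERS[0], "203.0.113.4": SERVERS[1], "203.0.113.5": SERVERS[2]}
PORT_MAP = [(3389, SERVERS[0]), (3390, SERVERS[1]), (3391, SERVERS[2])]

if __name__ == "__main__":
    print("\n".join(one_to_one_rules(VIPS)))
    print("\n".join(port_forward_rules("203.0.113.2", PORT_MAP)))
```

Running it prints the six lines for each design. The point to notice is that both designs end with the same shape of pass rule: the address family of the outside (VIP versus shared IP and port) changes, but what actually decides exposure is the source list and the single destination port on the pass rule, which is GruensFroeschli's answer to Seth's objection.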