How do I setup rules to enable RDP on multiple servers behind pfSense with NAT?
I'm planing to replace my old Netgear router with a PC based pfSense fw.
My external IP range is 82.xx.xx.0 / 26 which means 61 unique IP:s to use.
Inside LAN I have a couple of servers and some workstations, all configured with local NAT IP.
When I'm at home I want to administrate my servers via RDP and therefore each server has its own external IP.
I imagine rule should look like this:
Port: MS RDP
I wouldn't setup 1 to 1 relationships exposing your internal devices to the world akin to sitting in front of the keyboard.
Consider VPN client to site or site to site with pfsense.
Or build an SSL VPN box from 3SP SSL-Explorer. Go as far as to place this box in the DMZ with restrictive FireWall rules to the protected LAN.
GruensFroeschli last edited by
Seth: this is not true.
Only if You create a rule that allows everything in.
The "normal" way is to only allow the ports you use.
–> The 1:1 NAT approach is viable.
@Assar: You create on the WAN a VIP for each Server you have. Then use the VIP in a 1:1 NAT mapping.
After that create a rule on the WAN for each server you want access allowed.
Alternatively you could forward just single ports from the VIP's
--> "normal" forwarding of ports and not 1:1
Assar your correct that this is viable and I agree with your approach. My assertion was to allow access security from many location not limiting to just one or a few. Tunneling the RDP stream isn't a bad idea ether even though your not currently able to decode RDP.
You set me on track about VIP.
I searched more on forum and found out that this q should be placed in NAT part.
Found a good post there:
You are so right about the bad part in exposing RDP to the world, but this is the way things are done right now.
The goal at the moment is to repace an old Netgear router with the same functionality.
(Excluding the builtin random dying function in Netgear)
I have also had this as a challenge and here is what I did to fix it. I move terminal servicess to a different port because we where using Citrix. I have 4 different servers and could connect to any of them from the outside by using a different TS port on each server.
Your best bet is probably, like mentioned above, to assign a different port and do port-based dnat (port forwarding) to your internal servers based on their ports.
Map 3389 to your Internal server (192.168.0.5)
3390 to another machine (192.168.0.6)
3391 to another machine … etc..
Then, using MSTSC, you can specify an alternate port by using the WAN_IP:port syntax (126.96.36.199:3390)
But it would be considered a better practice to open these ports through a VPN (PPTP works well) or at the very least, limit access to a given source IP address.