Port Forwarding Problem



  • Desired outcome: Allow RDP to internal hosts from any Internet host.

    I have the below configuration but cannot get the RDP session to connect:
    Interface: WAN
    Protocol: TCP/UDP
    Source: Default
    Source Port Range: Default
    Destination: WAN Address
    Destination Port Range: 3395
    Redirect target IP: internal server address
    Redirect target port: MS RDP
    All else is default

    When I try to connect I see 2 states get created on the firewall:
    Proto: tcp
    Source -> Router -> Destination: Internal server IP:3389 <- Firewall WAN IP:3395 <- client Internet address:51253
    State: CLOSED:SYN_SENT

    Prot: tcp
    Source -> Router -> Destination: client Internet address:51253 -> Internal server IP:3389
    State: SYN_SENT:CLOSED

    Because of these states it seems like it cannot be a firewall on the client.  The router is seeing the client try to connect.  In the firewall log I see an ALLOW for the following:

    WAN client external IP:51369  internal server IP:3389 TCP:S

    I also see many BLOCKs that look like this:

    WAN client external IP:500 firewall WAN IP:500 UDP

    I have no idea why this traffic is generated.

    Any ideas as to what could be wrong?

    Thanks in advance,
    Steve



  • Adding info in the hopes someone will offer thoughts.

    I traced on both sides (from client and at firewall).  I see the client sends 3 TCP SYNs trying to set up a session but the firewall never responds.

    Client trace:

    2991 11:12:22 AM 8/29/2014 8.5426496 Unavailable Client pfsense WAN TCP TCP:Flags=......S., SrcPort=61857, DstPort=3395, PayloadLen=0, Seq=30743765, Ack=0, Win=32768 ( Negotiating scale factor 0x0 ) = 32768 {TCP:38, IPv4:50}
    4871 11:12:25 AM 8/29/2014 11.5782760 Unavailable Client pfsense WAN TCP TCP:[SynReTransmit #2991]Flags=......S., SrcPort=61857, DstPort=3395, PayloadLen=0, Seq=30743765, Ack=0, Win=32768 ( Negotiating scale factor 0x0 ) = 32768 {TCP:38, IPv4:50}
    7543 11:12:31 AM 8/29/2014 17.5960354 Unavailable Client pfsense WAN TCP TCP:[SynReTransmit #2991]Flags=......S., SrcPort=61857, DstPort=3395, PayloadLen=0, Seq=30743765, Ack=0, Win=32768 ( Negotiating scale factor 0x0 ) = 32768 {TCP:38, IPv4:50}

    pfsense WAN interface trace

    11:12:22.639232 IP client IP.61857 > pfsenseWAN.3395: tcp 0
    11:12:25.649408 IP client IP.61857 > pfsenseWAN.3395: tcp 0
    11:12:31.666445 IP client IP.61857 > pfsenseWAN.3395: tcp 0

    It's like the firewall is not responding...not sure why.  There is also a lot of ISAKMP/IKE (UDP 500) traffic the client is generating...not sure why...I think this is just noise.



  • Are you testing this from inside the LAN?



  • Thanks for the reply.  No, I am testing from outside the LAN…basically from a couple of different locations on the Internet.



  • OK, I just hacked this up in my VMware Workstation lab and it works like a charm.  First off, you specified 3395, but RDP listens on 3389 no?  I specified MS RDP for both Destination Port Range and Redirect Target Port.



  • So 3395 is the port being specified in the client connection and it is redirected to 3389 on the target internal server. If you are going to connect to more than 1 internal server you will need to have one port redirected to each server.



  • OK, I wondered if you were redirecting on purpose but you didn't say anything about multiple targets in your original post.

    Can I assume the following?

    1.  You have Remote Desktop enabled on your LAN clients to allow remote connections?

    2.  You're running RDP and trying to connect to WAN_IP:3395?

    Is there anything else different or special about your config?  Honestly, I just hacked this up in 2 minutes and it worked perfectly.



    Thanks for your help KOM.  Yes, multiple endpoints to RDP to.  Yes, the endpoints allow remote desktop connectivity and yes, using WAN_IP:3395 in the RDP client from the Internet client.  I completely understand what you mean about how this should be simple.  Hopefully I am missing something easy but just can't think of what.  I really appreciate your help in thinking through it.

    Steve



  • OK, now I'm just guessing…

    In Firewall - NAT - Outbound, do you have Auto or Manual set?

    My Diagnostics - States looks like this on successful connect:

    tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60592 TIME_WAIT:TIME_WAIT 
    tcp 10.10.10.121:60592 -> 192.168.1.101:3389 TIME_WAIT:TIME_WAIT 
    tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60599 ESTABLISHED:ESTABLISHED 
    tcp 10.10.10.121:60599 -> 192.168.1.101:3389 ESTABLISHED:ESTABLISHED

    My real PC is 10.10.10.121, pfSense is 10.10.6.1 and Win7 client behind pfSense is 192.168.1.101.

    Is this a new pfSense install or an old stable one?  Which version?



  • This is selected:

    Automatic outbound NAT rule generation (IPsec passthrough included)

    This is a new install.  It was 2.1.4 but I recently updated it to 2.1.5.



  • If this is a test install or something you're playing around with, I might throw in the towel and just blow it away and start fresh.

    If this is an existing install that you can't touch, then you've got a problem.

    What do you have in Status - System Logs - Firewall?  Look for or filter based on the IP address of the external PC trying to get in.  When I tried to RDP to the same box but used port 3396 instead of 3395, this was blocked in the firewall log:



  • I see a PASS for the TCP SYN:

    pass  Aug 30 09:09:20 WAN <client external IP:50007>  <internal destination server IP:3389>  TCP:S

    I will delete the rules, start over, and let you know the outcome.

    Thanks again,
    Steve



  • I rebuilt the NAT entry which auto-created the firewall rule but this time I used a different redirect port (4001) and I tried a different internal host…and it worked!  There must be something not right on the first host...I will investigate.

    In any case, my hat is off to KOM...thanks for your patience and help!

    Steve



  • 500 TCP UDP Internet Security Association and Key Management Protocol (ISAKMP)

    Bad if that's somehow being blocked.

    Also, that port needs to not be rewritten.  No randomization.

    That should be automatic unless you have made a mess out of manual outbound NAT.

    Also, maybe you already have this right, but I will just say it.

    You can forward from any port you like > 3389, both TCP and UDP.

    Unless you have some firewall rule above this firewall rule that is messing things up you should be fine.



  • Thanks for the reply kejianshi.  I have not done anything related to rules or NAT definitions for ISAKMP or port 500. I was just reporting early on that I saw that traffic in the traces.  I found out that my problem was not on the firewall but on the server I was trying to RDP to.  It has an Internet-facing interface and an internal interface. The DG was defined on the Internet-facing interface.  When I removed that and configured the DG on the internal interface all was well.
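As an added example (not code from any poster in this thread), the Python script below parses Diagnostics - States lines in the two layouts shown earlier, the `target <- WAN <- client` NAT view and the `client -> target` view, and reports per client whether the forwarded SYN was ever answered. The failing-case lines are constructed with RFC 5737 documentation addresses to mirror Steve's CLOSED:SYN_SENT / SYN_SENT:CLOSED pair; the working lines are KOM's lab entries quoted from the thread. The verdict text encodes what the thread ended up finding: a port-forward state stuck at SYN_SENT/CLOSED means pfSense passed the SYN inward but never saw the target's SYN-ACK come back, which is exactly what a default gateway on the server's other interface produces.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two layouts pfSense's Diagnostics - States page prints for a port forward:
#   proto target <- wan_side <- client  SRC_STATE:DST_STATE   (rdr / NAT view)
#   proto client -> target              SRC_STATE:DST_STATE   (post-translation view)
STATE_RE = re.compile(
    r"^(?P<proto>\w+)\s+"
    r"(?P<first>[\d.]+:\d+)\s+(?P<arrow><-|->)\s+(?P<second>[\d.]+:\d+)"
    r"(?:\s+<-\s+(?P<third>[\d.]+:\d+))?"
    r"\s+(?P<src_state>[A-Z_0-9]+):(?P<dst_state>[A-Z_0-9]+)\s*$"
)


@dataclass
class StateEntry:
    proto: str
    client: str           # Internet host:port that opened the connection
    target: str           # internal host:port after redirection
    wan: Optional[str]    # firewall WAN address:port (only in the '<-' layout)
    src_state: str
    dst_state: str


def parse_state(line: str) -> Optional[StateEntry]:
    """Parse one state-table line; return None for anything that is not a state."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["arrow"] == "<-":
        # target <- wan <- client; a '<-' line without the third endpoint is malformed
        if g["third"] is None:
            return None
        return StateEntry(g["proto"], g["third"], g["first"], g["second"],
                          g["src_state"], g["dst_state"])
    # client -> target
    return StateEntry(g["proto"], g["first"], g["second"], None,
                      g["src_state"], g["dst_state"])


HEALTHY = {"ESTABLISHED", "TIME_WAIT", "FIN_WAIT_2", "CLOSING", "LAST_ACK"}

EXPLANATION = {
    "NO_REPLY": "firewall passed the SYN to the target but never saw a SYN-ACK back: "
                "check the target listens on that port and that its default gateway "
                "is on the interface facing the firewall (asymmetric return path)",
    "OK": "handshake completed through the forward",
    "UNKNOWN": "state combination not classified; inspect manually",
}


def diagnose(lines: List[str]) -> Dict[str, str]:
    """Group state entries by client endpoint and classify each forward attempt."""
    by_client: Dict[str, List[StateEntry]] = {}
    for line in lines:
        entry = parse_state(line)
        if entry is not None:
            by_client.setdefault(entry.client, []).append(entry)

    verdicts: Dict[str, str] = {}
    for client, entries in by_client.items():
        pairs = [(e.src_state, e.dst_state) for e in entries]
        # One side SYN_SENT with the other CLOSED: SYN went out, nothing came back
        if any("SYN_SENT" in p and "CLOSED" in p for p in pairs):
            verdicts[client] = "NO_REPLY"
        elif all(s in HEALTHY and d in HEALTHY for s, d in pairs):
            verdicts[client] = "OK"
        else:
            verdicts[client] = "UNKNOWN"
    return verdicts


# Constructed sample: the first two lines mirror the failing states from the original
# post using documentation addresses; the next two are KOM's working lab entries.
SAMPLE_STATES = [
    "tcp 192.168.1.50:3389 <- 203.0.113.10:3395 <- 198.51.100.7:51253 CLOSED:SYN_SENT",
    "tcp 198.51.100.7:51253 -> 192.168.1.50:3389 SYN_SENT:CLOSED",
    "tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60599 ESTABLISHED:ESTABLISHED",
    "tcp 10.10.10.121:60599 -> 192.168.1.101:3389 ESTABLISHED:ESTABLISHED",
    "this line is not a state entry and is skipped",
]

if __name__ == "__main__":
    for client, verdict in diagnose(SAMPLE_STATES).items():
        print(f"{client}: {verdict} - {EXPLANATION[verdict]}")
```

Paste the real output of Diagnostics - States into `SAMPLE_STATES` (or read it from a file) to run the same check on a live firewall; an `OK` verdict with no RDP session still means the problem sits beyond the firewall, while `NO_REPLY` points at the target host's listener or return route rather than the NAT rule.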