Netgate Discussion Forum

Port Forwarding Problem

Category: NAT
15 Posts 3 Posters 4.5k Views
    Coldaddy
    last edited by Aug 29, 2014, 2:09 AM

    Desired outcome: Allow RDP to internal hosts from any Internet host.

    I have the below configuration but cannot get the RDP session to connect:
    Interface: WAN
    Protocol: TCP/UDP
    Source: Default
    Source Port Range: Default
    Destination: WAN Address
    Destination Port Range: 3395
    Redirect target IP: internal server address
    Redirect target port: MS RDP
    All else is default

    When I try to connect I see 2 states get created on the firewall:
    Proto: tcp
    Source -> Router -> Destination: Internal server IP:3389 <- Firewall WAN IP:3395 <- client Internet address:51253
    State: CLOSED:SYN_SENT

    Prot: tcp
    Source -> Router -> Destination: client Internet address:51253 -> Internal server IP:3389
    State:SYN_SENT:CLOSED

    Because of these states it seems like it cannot be a firewall on the client. The router is seeing the client try to connect. In the firewall log I see an ALLOW for the following:

    WAN client external IP:51369  internal server IP:3389 TCP:S

    I also see many BLOCKs that look like this:

    WAN client external IP:500 firewall WAN IP:500 UDP

    I have no idea why this traffic is generated.

    Any ideas as to what could be wrong?

    Thanks in advance,
    Steve

      Coldaddy
      last edited by Aug 29, 2014, 4:28 PM

      Adding info in the hopes someone will offer thoughts.

      I traced on both sides (from client and at firewall).  I see the client sends 3 TCP SYNs trying to set up a session but the firewall never responds.

      Client trace:

      2991 11:12:22 AM 8/29/2014 8.5426496 Unavailable Client pfsense WAN TCP TCP:Flags=......S., SrcPort=61857, DstPort=3395, PayloadLen=0, Seq=30743765, Ack=0, Win=32768 ( Negotiating scale factor 0x0 ) = 32768 {TCP:38, IPv4:50}
      4871 11:12:25 AM 8/29/2014 11.5782760 Unavailable Client pfsense WAN TCP TCP:[SynReTransmit #2991]Flags=......S., SrcPort=61857, DstPort=3395, PayloadLen=0, Seq=30743765, Ack=0, Win=32768 ( Negotiating scale factor 0x0 ) = 32768 {TCP:38, IPv4:50}
      7543 11:12:31 AM 8/29/2014 17.5960354 Unavailable Client pfsense WAN TCP TCP:[SynReTransmit #2991]Flags=......S., SrcPort=61857, DstPort=3395, PayloadLen=0, Seq=30743765, Ack=0, Win=32768 ( Negotiating scale factor 0x0 ) = 32768 {TCP:38, IPv4:50}

      pfsense WAN interface trace

      1:12:22.639232 IP client IP.61857 > pfsenseWAN.3395: tcp 0
      11:12:25.649408 IP client IP.61857 > pfsenseWAN.3395: tcp 0
      11:12:31.666445 IP client IP.61857 > pfsenseWAN.3395: tcp 0

      It's like the firewall is not responding...not sure why.  There is also a lot of ISAKMP/IKE (UDP 500) traffic the client is generating…not sure why...I think this is just noise.

        KOM
        last edited by Aug 29, 2014, 4:51 PM

        Are you testing this from inside the LAN?

          Coldaddy
          last edited by Aug 29, 2014, 4:57 PM

          Thanks for the reply.  No, I am testing from outside the LAN…basically from a couple of different locations on the Internet.

            KOM
            last edited by Aug 29, 2014, 5:14 PM

            OK, I just hacked this up in my VMware Workstation lab and it works like a charm.  First off, you specified 3395, but RDP listens on 3389 no?  I specified MS RDP for both Destination Port Range and Redirect Target Port.

              Coldaddy
              last edited by Aug 29, 2014, 6:05 PM

              So 3395 is the port being specified in the client connection and it is redirected to 3389 on the target internal server. If you are going to connect to more than 1 internal server you will need to have one port redirected to each server.

                KOM
                last edited by Aug 29, 2014, 6:20 PM

                OK, I wondered if you were redirecting on purpose but you didn't say anything about multiple targets in your original post.

                Can I assume the following?

                1.  You have Remote Desktop enabled on your LAN clients to allow remote connections?

                2.  You're running RDP and trying to connect to WAN_IP:3395?

                Is there anything else different or special about your config?  Honestly, I just hacked this up in 2 minutes and it worked perfectly.

                  Coldaddy
                  last edited by Aug 29, 2014, 6:38 PM

                  Thanks for your help KOM. Yes, multiple end points to RDP to. Yes, the end points allow remote desktop connectivity and yes, using WAN_IP:3395 in the RDP client from the Internet client. I completely understand what you mean about how this should be simple. Hopefully I am missing something easy but just can't think of what. I really appreciate your help in thinking through it.

                  Steve

                    KOM
                    last edited by Aug 29, 2014, 6:54 PM

                    OK, now I'm just guessing…

                    In Firewall - NAT - Outbound, do you have Auto or Manual set?

                    My Diagnostics - States looks like this on successful connect:

                    tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60592 TIME_WAIT:TIME_WAIT 
                    tcp 10.10.10.121:60592 -> 192.168.1.101:3389 TIME_WAIT:TIME_WAIT 
                    tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60599 ESTABLISHED:ESTABLISHED 
                    tcp 10.10.10.121:60599 -> 192.168.1.101:3389 ESTABLISHED:ESTABLISHED

                    My real PC is 10.10.10.121, pfSense is 10.10.6.1 and Win7 client behind pfSense is 192.168.1.101.

                    Is this a new pfSense install or an old stable one?  Which version?

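An added example, not code from this thread or from pfSense: a Python script that reads state lines in the layout KOM pasted above, pairs each connection's rdr state (the two "<-" hops) with its forwarded "->" state, and classifies the pair. The last two sample lines reproduce the shape of the states in the first post; 192.168.1.50, 198.51.100.1 and 203.0.113.7 are constructed stand-in addresses.

```python
import re
from typing import Dict, Tuple

# Two pfSense 2.1 "Diagnostics > States" line shapes, as pasted in this thread.
# A working port-forward leaves both per connection:
#   rdr state:  proto server:port <- wan:port <- client:port  LEFT:RIGHT
#   fwd state:  proto client:port -> server:port              LEFT:RIGHT
RDR_RE = re.compile(r"^(\w+)\s+(\S+)\s+<-\s+(\S+)\s+<-\s+(\S+)\s+(\S+:\S+)$")
FWD_RE = re.compile(r"^(\w+)\s+(\S+)\s+->\s+(\S+)\s+(\S+:\S+)$")
Key = Tuple[str, str, str]  # (proto, client ip:port, server ip:port)
DONE = {"ESTABLISHED", "TIME_WAIT"}  # the handshake completed through the rdr

def parse_states(text: str) -> Dict[Key, Dict[str, str]]:
    """Pair the rdr and fwd state of each forwarded connection under one key."""
    conns: Dict[Key, Dict[str, str]] = {}
    for line in text.strip().splitlines():
        if m := RDR_RE.match(line.strip()):
            proto, server, wan, client, st = m.groups()
            conns.setdefault((proto, client, server), {}).update(rdr=st, wan=wan)
        elif m := FWD_RE.match(line.strip()):
            proto, client, server, st = m.groups()
            conns.setdefault((proto, client, server), {})["fwd"] = st
    return conns

def diagnose(conn: Dict[str, str]) -> str:
    """Classify one connection from the LEFT:RIGHT halves of its state pair."""
    if "rdr" not in conn:  # NAT rule never matched: look for a block (TCP:S) in the firewall log
        return "NO_RDR_STATE"
    halves = set(conn["rdr"].split(":") + conn.get("fwd", "").split(":"))
    if halves & DONE:
        return "OK"
    if {"SYN_SENT", "CLOSED"} <= halves:
        # pfSense relayed the SYN but never saw a SYN-ACK: the forward works and
        # the fault is on the server (listener, host firewall, default gateway).
        return "NO_REPLY_FROM_SERVER"
    return "UNKNOWN"

def report(text: str) -> Dict[Key, str]:
    return {key: diagnose(conn) for key, conn in parse_states(text).items()}

# Constructed sample: KOM's two working connections from this thread plus one
# in the shape of the original poster's failing attempt (documentation IPs).
SAMPLE = """
tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60592 TIME_WAIT:TIME_WAIT
tcp 10.10.10.121:60592 -> 192.168.1.101:3389 TIME_WAIT:TIME_WAIT
tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60599 ESTABLISHED:ESTABLISHED
tcp 10.10.10.121:60599 -> 192.168.1.101:3389 ESTABLISHED:ESTABLISHED
tcp 192.168.1.50:3389 <- 198.51.100.1:3395 <- 203.0.113.7:51253 CLOSED:SYN_SENT
tcp 203.0.113.7:51253 -> 192.168.1.50:3389 SYN_SENT:CLOSED
"""
```

Run report(SAMPLE) against a copy of your own states page: an OK verdict means the NAT rule and firewall rule are fine, and a NO_REPLY_FROM_SERVER verdict points at the internal host, which is where this thread's problem turned out to be.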
                      Coldaddy
                      last edited by Aug 29, 2014, 7:31 PM

                      This is selected:

                      Automatic outbound NAT rule generation (IPsec passthrough included)

                      This is a new install. It was 2.1.4 but I recently updated it to 2.1.5.

                        KOM
                        last edited by Aug 29, 2014, 7:46 PM

                        If this is a test install or something you're playing around with, I might throw in the towel and just blow it away and start fresh.

                        If this is an existing install that you can't touch, then you've got a problem.

                        What do you have in Status - System Logs - Firewall? Look for or filter based on the IP address of the external PC trying to get in. When I tried to RDP to the same box but used port 3396 instead of 3395, this was blocked in the firewall log:

                        Aug 29 19:42:17  WAN  10.10.10.121:61223  10.10.6.1:3396  TCP:S

                          Coldaddy
                          last edited by Aug 30, 2014, 2:13 PM

                          I see a PASS for the TCP SYN:

                          pass Aug 30 09:09:20 WAN <client external IP:50007> <internal destination server IP:3389> TCP:S

                          I will delete the rules, start over, and let you know the outcome.

                          Thanks again,
                          Steve

                            Coldaddy
                            last edited by Aug 30, 2014, 2:19 PM

                            I rebuilt the NAT entry which auto-created the firewall rule but this time I used a different redirect port (4001) and I tried a different internal host…and it worked!  There must be something not right on the first host...I will investigate.

                            In any case, my hat is off to KOM...thanks for your patience and help!

                            Steve

                              kejianshi
                              last edited by Aug 30, 2014, 2:28 PM

                              500 TCP UDP Internet Security Association and Key Management Protocol (ISAKMP)

                              Bad if that's somehow being blocked.

                              Also, that port needs to not be rewritten.  No randomization.

                              That should be automatic unless you have made a mess out of manual outbound NAT.

                              Also, maybe you already have this right, but I will just say it.

                              You can forward from any port you like > 3389 both TCP and UDP

                              Unless you have some firewall rule above this firewall rule that is messing things up you should be fine.

                                Coldaddy
                                last edited by Aug 30, 2014, 3:33 PM

                                Thanks for the reply kejianshi. I have not done anything related to rules or NAT definitions for ISAKMP or port 500. I was just reporting early on that I saw that traffic in the traces. I found out that my problem was not on the firewall but on the server I was trying to RDP to. It has an Internet-facing interface and an internal interface. The DG was defined on the Internet-facing interface. When I removed that and configured the DG on the internal interface all was well.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.