Port Forwarding Problem
-
Are you testing this from inside the LAN?
-
Thanks for the reply. No, I am testing from outside the LAN…basically from a couple of different locations on the Internet.
-
OK, I just hacked this up in my VMware Workstation lab and it works like a charm. First off, you specified 3395, but RDP listens on 3389 no? I specified MS RDP for both Destination Port Range and Redirect Target Port.
-
So 3395 is the port being specified in the client connection and it is redirected to 3389 on the target internal server. If you are going to connect to more than 1 internal server you will need to have one port redirected to each server.
-
OK, I wondered if you were redirecting on purpose but you didn't say anything about multiple targets in your original post.
Can I assume the following?
1. You have Remote Desktop enabled on your LAN clients to allow remote connections?
2. You're running RDP and trying to connect to WAN_IP:3395?
Is there anything else different or special about your config? Honestly, I just hacked this up in 2 minutes and it worked perfectly.
-
Thanks for your help KOM. Yes, multiple end points to RDP to. Yes, the end points allow remote desktop connectivity and yes, using WAN_IP:3395 in the RDP client from an Internet client. I completely understand what you mean about how this should be simple. Hopefully I am missing something easy but just can't think of what. I really appreciate your help in thinking through it.
Steve
-
OK, now I'm just guessing…
In Firewall - NAT - Outbound, do you have Auto or Manual set?
My Diagnostics - States looks like this on successful connect:
tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60592 TIME_WAIT:TIME_WAIT
tcp 10.10.10.121:60592 -> 192.168.1.101:3389 TIME_WAIT:TIME_WAIT
tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60599 ESTABLISHED:ESTABLISHED
tcp 10.10.10.121:60599 -> 192.168.1.101:3389 ESTABLISHED:ESTABLISHED
My real PC is 10.10.10.121, pfSense is 10.10.6.1 and the Win7 client behind pfSense is 192.168.1.101.
Is this a new pfSense install or an old stable one? Which version?
-
This is selected:
Automatic outbound NAT rule generation
(IPsec passthrough included)
This is a new install. It was 2.1.4 but I recently updated it to 2.1.5.
-
If this is a test install or something you're playing around with, I might throw in the towel and just blow it away and start fresh.
If this is an existing install that you can't touch, then you've got a problem.
What do you have in Status - System Logs - Firewall? Look for or filter based on the IP address of the external PC trying to get in. When I tried to RDP to the same box but used port 3396 instead of 3395, this was blocked in the firewall log:
Aug 29 19:42:17 WAN 10.10.10.121:61223 10.10.6.1:3396 TCP:S
-
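One way to read the two outputs KOM asked for (Diagnostics - States and Status - System Logs - Firewall) together and check a single forward, as an added Python example that is not part of this thread. The sample lines are constructed from the addresses and ports quoted above; the leading pass/block action column on the log lines is assumed (the blocked line quoted in the thread omits it).

```python
import re

# Constructed sample input in the shape of the pfSense state table and firewall log lines quoted above.
STATES = """\
tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60592 TIME_WAIT:TIME_WAIT
tcp 10.10.10.121:60592 -> 192.168.1.101:3389 TIME_WAIT:TIME_WAIT
tcp 192.168.1.101:3389 <- 10.10.6.1:3395 <- 10.10.10.121:60599 ESTABLISHED:ESTABLISHED
tcp 10.10.10.121:60599 -> 192.168.1.101:3389 ESTABLISHED:ESTABLISHED
"""
# The leading pass/block action column is assumed; the thread's blocked line omits it.
FIREWALL_LOG = """\
block Aug 29 19:42:17 WAN 10.10.10.121:61223 10.10.6.1:3396 TCP:S
pass Aug 30 09:09:20 WAN 10.10.10.121:50007 10.10.6.1:3395 TCP:S
"""

# A port-forward ("rdr") state reads: internal_ip:port <- wan_ip:port <- client_ip:port
RDR_STATE = re.compile(
    r"^(?P<proto>\w+) (?P<int_ip>[\d.]+):(?P<int_port>\d+) <- "
    r"(?P<wan_ip>[\d.]+):(?P<wan_port>\d+) <- (?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"(?P<state>\S+)$")
LOG_LINE = re.compile(
    r"^(?P<action>pass|block) \w{3} +\d+ [\d:]+ (?P<iface>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\S+)$")

def parse_rdr_states(text):
    """Return one dict per translated (port-forwarded) flow; plain '->' states are skipped."""
    flows = []
    for line in text.splitlines():
        m = RDR_STATE.match(line.strip())
        if m:
            d = m.groupdict()
            # pf prints "src-side:dst-side"; the flow only carries data when both are ESTABLISHED
            d["established"] = d["state"] == "ESTABLISHED:ESTABLISHED"
            flows.append(d)
    return flows

def check_forward(states_text, log_text, wan_port, int_ip, int_port):
    """Summarise what the firewall did with the expected forward WAN:wan_port -> int_ip:int_port.
    ok means: the SYN was passed, translated to the intended host:port, and the handshake completed."""
    r = {"syn_passed": False, "syn_blocked": False, "translated_to": None, "established": False}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and int(m["dport"]) == wan_port:
            r["syn_passed" if m["action"] == "pass" else "syn_blocked"] = True
    for s in parse_rdr_states(states_text):
        if int(s["wan_port"]) == wan_port:
            r["translated_to"] = f'{s["int_ip"]}:{s["int_port"]}'
            r["established"] = r["established"] or s["established"]
    r["ok"] = r["syn_passed"] and r["translated_to"] == f"{int_ip}:{int_port}" and r["established"]
    return r
```

A forward whose SYN is passed and translated but never reaches ESTABLISHED points past the firewall to the target host, which is where this thread's problem turned out to be.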
I see a PASS for the TCP SYN:
pass Aug 30 09:09:20 WAN <client external IP>:50007 <internal destination server IP>:3389 TCP:S
I will delete the rules, start over, and let you know the outcome.
Thanks again,
Steve
-
I rebuilt the NAT entry which auto-created the firewall rule but this time I used a different redirect port (4001) and I tried a different internal host…and it worked! There must be something not right on the first host...I will investigate.
In any case, my hat is off to KOM...thanks for your patience and help!
Steve
-
500 TCP UDP Internet Security Association and Key Management Protocol (ISAKMP)
Bad if that's somehow being blocked.
Also, that port needs to not be rewritten. No randomization.
That should be automatic unless you have made a mess out of manual outbound NAT.
Also, maybe you already have this right, but I will just say it.
You can forward from any port you like > 3389, both TCP and UDP.
Unless you have some firewall rule above this firewall rule that is messing things up you should be fine.
-
Thanks for the reply kejianshi. I have not done anything related to rules or NAT definitions for ISAKMP or port 500. I was just reporting early on that I saw that traffic in the traces. I found out that my problem was not on the firewall but on the server I was trying to RDP to. It has an Internet-facing interface and an internal interface. The DG was defined on the Internet-facing interface. When I removed that and configured the DG on the internal interface, all was well.