Outbound RDP blocked? [Solved]



  • Today I got my new home pfSense box set up and configured my WAN and LAN interfaces as well as the DHCP server.  That's all working fine and the devices on my LAN can access the Internet fine.  However I'm no longer able to RDP (standard port 3389) into the network of my 2nd home.  I can TeamViewer into the network fine but not RDP.  I was under the impression that outbound traffic was pretty much unrestricted by default.  Is there something I'm missing?

    LAN: 192.168.x.0/24
    WAN:  Public IP via DHCP



  • Assuming you've set up the firewall without making any changes to the default ruleset then yes, it ought to work. However, are you sure the firewall at your second home is set up correctly? For instance, is the remote (second-home) firewall set to accept RDP traffic only from a particular address or address range? Could the address on your local pfSense firewall have changed, given its WAN address is obtained via DHCP? When you say you 'no longer' can RDP onto your remote server, what was the situation before when you could? Were you coming in from a different location or was the firewall different?



  • Yeah - Like Mr. Muse Well said, there are several points of failure available here.  For sure it's not that pfSense breaks it.  Check and recheck the rules at both routers and both PC firewalls. 
    The issue is most likely your fingers so check and see what they did or didn't do.

    TeamViewer will function under horribly broken conditions (like Skype) so that's no indication.


  • LAYER 8 Global Moderator

    Why anyone would want to allow RDP over the public internet to their 2nd home is another question..  Do you have it locked down to your first home's WAN IP?  Did that IP change?

    Do you have pfSense at your 2nd home or something else?  If you changed your router to pfSense, this would be a different MAC than what you had before and your ISP should have given you a different public IP.  If your 2nd home firewall was locking down access to RDP to your first home's public IP, this will have to be updated to your new IP.

    Personally I would vpn and then rdp, this is more secure.



  • I agree totally.  VPN is the best way to secure RDP but some people love to do silly things…  Like expose RDP to the open net.

    pfSense is perfectly capable of doing that, if that's the sort of thing you are into  :P



  • @muswellhillbilly:

    Assuming you've set up the firewall without making any changes to the default ruleset then yes, it ought to work. However, are you sure the firewall at your second home is set up correctly? For instance, is the remote (second-home) firewall set to accept RDP traffic only from a particular address or address range? Could the address on your local pfSense firewall have changed, given its WAN address is obtained via DHCP? When you say you 'no longer' can RDP onto your remote server, what was the situation before when you could? Were you coming in from a different location or was the firewall different?

    I had DD-WRT routers at both locations and I'm replacing both with pfSense boxes.  Nothing has changed on the router at site #2.  It just has a standard port forward for RDP to its public IP (Dynamic DNS hostname).

    @johnpoz:

    Why anyone would want to allow RDP over the public internet to their 2nd home is another question..  Do you have it locked down to your first home's WAN IP?  Did that IP change?

    Do you have pfSense at your 2nd home or something else?  If you changed your router to pfSense, this would be a different MAC than what you had before and your ISP should have given you a different public IP.  If your 2nd home firewall was locking down access to RDP to your first home's public IP, this will have to be updated to your new IP.

    Personally I would vpn and then rdp, this is more secure.

    The plan was to replace both my DD-WRT routers for the very purpose of setting up a high speed (150Mbps) site-to-site VPN between my two sites.  This was the first one I did and I will be doing my second site this weekend.  However I'd still like to be able to access site #2 remotely in the meantime.



  • Ok, so you've answered one question (what's changed?). How about the rest of it? Does the DD-WRT at site 2 have any filtering in place to prevent all but one/some IP addresses from accessing RDP (I would have guessed yes if security is at least a passing consideration). Has the IP address at site 1 changed since you put the pfSense system in place?



  • @muswellhillbilly:

    Ok, so you've answered one question (what's changed?). How about the rest of it? Does the DD-WRT at site 2 have any filtering in place to prevent all but one/some IP addresses from accessing RDP (I would have guessed yes if security is at least a passing consideration). Has the IP address at site 1 changed since you put the pfSense system in place?

    The DD-WRT router at Site #2 has the firewall enabled with just a few ports forwarded to certain hosts.  That is all that has ever been configured on it.  The IP may have changed but I've got DynamicDNS configured at both sites and I've tried connecting both by IP address and hostname to no avail.

    EDIT:  Wow, turned out to be my dynamicDNS stopped working at site #2 so the IP it has been reporting was indeed changed.  Thank you for pointing me towards the obvious.  :-[
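    The root cause above (a Dynamic DNS record that quietly stopped updating, so the hostname kept pointing at the old WAN address) is easy to monitor for. The following is an added example, not code from the thread or from pfSense: a small Python check that compares what a DDNS hostname publishes with the router's real WAN address. The hostname, the addresses and the resolver are constructed sample data so it runs offline; in practice you would feed it the real resolver and the WAN address pfSense reports.

```python
"""Added example: detect a stale Dynamic DNS record, the failure mode found in
this thread.  The resolver is injectable so the check can run offline against
constructed sample data; swap in resolve_via_dns() and the WAN address from the
firewall for a real run."""
import ipaddress
import socket
from typing import Callable, Optional

# Constructed sample data (not real hosts): the DDNS record still shows the
# address the ISP assigned before the router swap.
SAMPLE_DNS = {"site2.example.ddns": "203.0.113.10"}   # stale published record
SAMPLE_WAN_IP = "203.0.113.55"                         # address the WAN holds now


def resolve_via_dns(hostname: str) -> Optional[str]:
    """Real resolver for production use (not exercised by the offline sample)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def ddns_status(hostname: str, wan_ip: str,
                resolve: Callable[[str], Optional[str]] = resolve_via_dns) -> dict:
    """Compare the published DDNS record with the router's actual WAN address.

    Returns {'ok': bool, 'reason': str}.  A mismatch means every remote-side
    rule or client that trusts the hostname now points at the wrong address,
    which is exactly why RDP to site #2 stopped working in this thread.
    """
    published = resolve(hostname)
    if published is None:
        return {"ok": False, "reason": f"{hostname} does not resolve"}
    try:
        ipaddress.ip_address(published)
        ipaddress.ip_address(wan_ip)
    except ValueError as exc:
        return {"ok": False, "reason": f"malformed address: {exc}"}
    if published != wan_ip:
        return {"ok": False,
                "reason": f"stale record: {hostname} -> {published}, WAN is {wan_ip}"}
    return {"ok": True, "reason": "DDNS record matches WAN address"}


def sample_check() -> dict:
    """Run the check against the constructed sample (stale record case)."""
    return ddns_status("site2.example.ddns", SAMPLE_WAN_IP,
                       resolve=lambda h: SAMPLE_DNS.get(h))


if __name__ == "__main__":
    print(sample_check())
```

Running this from cron on the site whose address must stay reachable gives an alert the moment the DDNS client stops updating, instead of discovering it when remote access fails.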



  • If you install pfSense at both ends, you can run VPN servers at both ends.  Problem solved.

    Problem solved for RDP, FTP, whatever.  It's not even difficult.  No need to open a bunch of ports.



  • @kejianshi:

    If you install pfSense at both ends, you can run VPN servers at both ends.  Problem solved.

    Problem solved for RDP, FTP, whatever.  It's not even difficult.  No need to open a bunch of ports.

    Yup, that's been the plan all along.  I've got a pfSense box at site #1 now that I just installed yesterday.  At site #2 I have a VM server with 3 spare NICs and I'm going to try running pfSense in a VM on that first.  I just have to see if the Xeon X3 I have will handle my Media Server plus the site-to-site VPN at the same time without any hiccups.  That will be an experiment.  But whether that works or I have to build a standalone box for site #2 as well, the plan is to create a site-to-site VPN.  Just not sure whether I'm going to go with IPsec or OpenVPN yet.



  • What's the current CPU load on the media server (average and max)?

    It's unlikely that pfSense will cause much additional load.



  • @kejianshi:

    What's the current CPU load on the media server (average and max)?

    It's unlikely that pfSense will cause much additional load.

    It's hard to say because I don't believe vSphere keeps performance logs by default (and I never set any up) other than what you can see is currently happening over a one hour span.  However I know that my media server at night will often have 4-5 files transcoding at the same time.

    The main purpose for me setting up the site-to-site VPN is to secure all transmissions between the two sites, which will start including daily/weekly backups of my media server.  So that could be something like 5-10GB per night or 50+GB per week.  The VPN's stress on the CPU was the reason I went with the Avoton 2558 in my current pfSense box.

