Setting Source Address

  • I'm trying to set my firewall rules to allow only three specific external IPs to connect to services running behind my pfSense firewall. RDP can be accessed by any IP.

    RDP works without issue, but the services which are restricted by Source Address are inaccessible. I made sure they are actually running, and that I'm actually trying to connect from one of the whitelisted IPs. My port forward rules look like this.

    I have one complication in my network, which is that I have an ADSL modem which doesn't support bridge mode (it's a Fritzbox). pfSense is in the DMZ of the modem. In the Firewall logs, I'm only seeing WAN=OUT rules passing from my external whitelisted IP, but nothing else.

    At this point I'm lost, but I'm sure it's something easy I'm overlooking… :o

  • I can't see the port-forward rules - did you forget the screen shot?

    The DMZ thing should work (and it obviously works for your RDP) - I have a few front-end devices where I do that. For that sort of low-end device, the "DMZ IP address" usually really means "the place to do a 1:1 port forward to", and everything arriving on the real WAN gets directed straight through to the inside pfSense WAN IP.

    For RDP or other interactive user things, IMHO it is better to have a road-warrior (Open)VPN server and get the remote users to connect by VPN and then do RDP or whatever once they are logically on the intranet. The road warrior VPN can be made more secure (certificate plus username/password). But that is your design decision, not directly the subject of your post.
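As an added example (not code from the thread, pfSense, or the poster), the script below simulates pfSense-style first-match WAN rule evaluation for the setup described above: one forward open to any source (RDP) and two forwards restricted to a whitelist alias. It then reports why a connection was blocked, and flags the case a practitioner would want to check first when only the source-restricted forwards fail: the source address pfSense actually sees on its WAN being an RFC1918 address rather than the external whitelisted IP, which is what you would see if the device in front of pfSense were rewriting the source. The whitelist addresses, service ports and connection records are all constructed for illustration.

```python
"""Simulate pfSense-style first-match ("quick") WAN rule evaluation to see
why source-restricted port forwards fail while an unrestricted one works.

Added example; not from the original thread. Ports, addresses and the
connection records below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Three whitelisted external addresses (constructed, from the TEST-NET ranges).
WHITELIST = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("203.0.113.20/32"),
    ipaddress.ip_network("198.51.100.5/32"),
]

# RFC1918 space, checked explicitly (ipaddress.is_private also covers the
# TEST-NET ranges used above, so it would misclassify the samples).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    name: str
    dst_port: int
    sources: Optional[List[ipaddress.IPv4Network]]  # None means "any" (source *)
    action: str = "pass"


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def src_matches(rule: Rule, src: ipaddress.IPv4Address) -> bool:
    """Source criterion: 'any', or membership in one of the alias networks."""
    return rule.sources is None or any(src in net for net in rule.sources)


# WAN rules in order. pfSense rules are 'quick', so the first match wins and
# anything unmatched hits the implicit default deny. Ports are assumed.
RULES = [
    Rule("Allow RDP from anywhere", 3389, None),
    Rule("Allow HTTPS from whitelist", 443, WHITELIST),
    Rule("Allow SSH from whitelist", 22, WHITELIST),
]


def evaluate(src_ip: str, dst_port: int, rules=RULES) -> Tuple[str, str]:
    """Return (action, rule_name) for one inbound connection on WAN."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.dst_port == dst_port and src_matches(rule, src):
            return rule.action, rule.name
    return "block", "default deny"


def diagnose(src_ip: str, dst_port: int, rules=RULES) -> dict:
    """Evaluate and, on a block, explain it in terms of the source address."""
    action, name = evaluate(src_ip, dst_port, rules)
    src = ipaddress.ip_address(src_ip)
    result = {"src": src_ip, "port": dst_port, "action": action, "rule": name, "hint": ""}
    if action == "block":
        restricted = [r for r in rules if r.dst_port == dst_port and r.sources is not None]
        if restricted and is_rfc1918(src):
            result["hint"] = ("source is an RFC1918 address: the device in front of pfSense "
                              "may be rewriting the source, so the whitelist never matches")
        elif restricted:
            result["hint"] = "source is not in the whitelist alias"
    return result


# Constructed connection records as pfSense would see them on WAN:
# (source IP, destination port).
SAMPLE_CONNECTIONS = [
    ("203.0.113.10", 3389),   # whitelisted client, RDP
    ("203.0.113.10", 443),    # whitelisted client, restricted service
    ("192.0.2.77", 3389),     # unknown client, RDP is open to any source
    ("192.0.2.77", 443),      # unknown client, restricted service
    ("192.168.178.1", 443),   # source already rewritten to a private address
]


def run(connections=SAMPLE_CONNECTIONS) -> List[dict]:
    return [diagnose(ip, port) for ip, port in connections]


if __name__ == "__main__":
    for r in run():
        print(f"{r['src']:>15} -> :{r['port']:<5} {r['action']:5} ({r['rule']}) {r['hint']}")
```

The useful check is the last sample: when the unrestricted forward works but every whitelisted one is denied, compare the source address in the pfSense firewall log entries for the working RDP connection against the whitelist alias before touching the rules themselves.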

