Cannot RDP out of network



  • OK, I have been hammering away at this for 4 days now and figured I'd reach out. The problem I am having is that I cannot RDP out of my network.  I am not a firewall guy, but I'm trying to learn.  I have searched these forums and have stared at the pfSense wiki like a deer caught in the headlights. I have googled it, Binged it, and even asked Mr Jeeves, and I still, for the life of me, cannot figure it out.

    The problem I have is that I cannot RDP out of my network. I have removed the pfSense box from the network and have verified that RDP is working. I have even created (so I thought) rules that would allow everything in and out of my network and it still does not work.  I understand that the firewall does not block outbound traffic, only inbound, and I even followed the guide ( https://doc.pfsense.org/index.php/Example_basic_configuration ) for a basic setup for my initial setup (excluding FTP and ports for mail).

    I went as far as grabbing a packet capture and did not see anything telltale (then again, I don't fully understand how to read them), and when I clear the logs and try to RDP, nothing is showing up in the logs.

    I'm learning and I do not have this actually on my primary internet, I have it on a separate LAN network segregated from my main network.

    I have attached a screen shot of my rules and NAT.

    Any help would be appreciated.



  • Netgate

    You've gotten pretty clicky-clicky with your stuff indicating a basic misunderstanding of what you're actually doing.

    What is the IP network of LAN?

    Why all the outbound NAT rules for OPT1?  Is that another WAN?

    Why are you limiting LAN to TCP/UDP only? That's certainly not the default config.

    Where are you trying to RDP to?  Are you sure it's not being blocked inbound there?

    Read and understand this.  Particularly the part about what interface rules should be placed on and that you are passing traffic coming INTO pfSense, not going out of it.

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting



  • Derelict, you are right. I got to the point where I was clicking on everything trying to get it to work; you should have seen it before I cleaned it up ;)

    The LAN network is 172.31.192.xxx

    OPT1 was going to be another WAN, but I have not got that far.

    I thought I was allowing it for all when I made the rule for TCP/UDP.

    I am trying to RDP to a server at my office, but it appeared that across the LAN I cannot RDP to another PC.

    I will print it out and read it now.

    Thank you.


  • Netgate

    You can do anything, including RDP, as long as the traffic is passed into LAN.

    How are you getting to the remote RDP?  Over the internet?  VPN?  Is there a port forwarded there or something?

    I'd bet your problem is there, not locally.



  • I am using RDP straight to the server. When I am out of my test environment I can connect both over the internet and when I connect with my VPN, but when I am in my test environment I cannot connect either way. I am seeing DNS event ID 1014 (see image) in the logs on my PC that I have not seen before, and I am not having a problem getting to the internet.



  • Netgate

    Where is the server?  What IP address?  What interface? I have no idea what your test environment is.  I am not a mind reader.  Draw a diagram.



  • My apologies.  Here is the setup including the server I am trying to RDP to.



  • Netgate

    On your LAN interface, disable all the rules you added and reenable the last one that you disabled.  Then post another screen shot.

    If you do that and you still can't RDP, then the problem is in one of the other routers or firewalls, not pfSense.



  • Ok, I did that and the same results. I cannot RDP to it.  I have verified that the port 3389 is open as well.

    ![open port.jpg](/public/imported_attachments/1/open port.jpg)
    ![lan diabled.jpg](/public/imported_attachments/1/lan diabled.jpg)


  • Netgate

    Your problem is elsewhere.

    Do a packet capture on pfSense WAN filtering on port 3389 and try a connection.  You will see it going out but not getting a reply.

    You have three other routers in the mix.  I don't know why you insist the problem is with the one with a pass any any any rule on it.



  • OK, I will do the packet capture. The only reason I think it has to do with pfSense is because if I remove that and use my normal network I can RDP without a problem.  I do understand there are 2 additional routers in the mix, but assumed that if it worked outside of the network with the pfSense it should work behind it as well. Or am I looking at it the wrong way?  Like I said, I am not a firewall guy, I'm trying to learn it. The pfSense manual is on order.


  • Netgate

    I don't know.  Double NAT sucks.



  • OK. I set the Comcast modem in bridge mode and still cannot RDP. I tried a packet capture and nothing was captured (no data), which I thought was odd.

    I'm not even seeing anything blocked in the log files after I clear them and then try to connect.


  • Netgate

    No idea, dude.  There is nothing special about RDP.  It's just packets.

    Did you port forward both TCP and UDP?  If not, do that.


  • Netgate

    Why are you using the same LAN subnet in both locations?  Over NAT it shouldn't matter but maybe there's something in the RDP protocol that's jacking up somehow.



  • I appreciate all the time you spent with me today. It's still not working after changing the scope to 192.168.1.0.

    I might just blow the whole install away and start from scratch.

    Thanks again.


  • Netgate

    Can you simply browse the internet?  If so, it's not pfSense.



  • I can; that's what did not make sense and why I reached out here.

    If you're saying the rules I had were fine, I'll blow it away and start again.


  • Netgate

    If it was the firewall blocking RDP there would be firewall log entries.  But if you want to start over, I'd back up your config first so maybe, if that works and you feel like it, you can restore it and find out why.



  • Good plan. I will do that and we'll see what happens.



  • I did get a capture.  Not sure if this tells you anything.

    17:01:48.652290 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 75: (tos 0x0, ttl 128, id 7846, offset 0, flags [none], proto UDP (17), length 61)
        192.168.1.2.50427 > 8.8.8.8.53: [udp sum ok] 8475+ A? www.pfsense.org. (33)
    17:01:48.652555 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 128, id 7845, offset 0, flags [none], proto UDP (17), length 74)
        192.168.1.2.65419 > 8.8.8.8.53: [udp sum ok] 8872+ A? www.electricsheepfencing.com. (46)
    17:01:48.680257 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 91: (tos 0x20, ttl 45, id 28817, offset 0, flags [none], proto UDP (17), length 77, bad cksum 0 (->4b35)!)
        8.8.8.8.53 > 192.168.1.2.50427: [udp sum ok] 8475 q: A? www.pfsense.org. 1/0/0 www.pfsense.org. A 208.123.73.69 (49)
    17:01:48.716860 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 118: (tos 0x20, ttl 45, id 41368, offset 0, flags [none], proto UDP (17), length 104, bad cksum 0 (->1a13)!)
        8.8.8.8.53 > 192.168.1.2.65419: [udp sum ok] 8872 q: A? www.electricsheepfencing.com. 2/0/0 www.electricsheepfencing.com. CNAME electricsheepfencing.com., electricsheepfencing.com. A 208.123.73.69 (76)
    17:01:50.300695 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30916, offset 0, flags [none], proto UDP (17), length 44)
        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
    17:01:55.515485 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30917, offset 0, flags [none], proto UDP (17), length 44)
        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
    17:01:56.166321 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30918, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:01:58.545163 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 9279, offset 0, flags [DF], proto TCP (6), length 41)
        192.168.1.2.54517 > 192.168.1.1.80: Flags [.], cksum 0xe0a9 (correct), seq 480782460:480782461, ack 2381554296, win 256, length 1
    17:01:58.545823 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 57770, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->d5d1)!)
        192.168.1.1.80 > 192.168.1.2.54517: Flags [.], cksum 0xdfa8 (correct), seq 1, ack 1, win 513, length 0
    17:01:59.166111 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30919, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:02:00.500873 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 103: (tos 0x0, ttl 128, id 29952, offset 0, flags [none], proto UDP (17), length 89)
        192.168.1.2.60572 > 157.56.106.184.3544: [udp sum ok] UDP, length 61
    17:02:00.545108 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 151: (tos 0x20, ttl 45, id 31372, offset 0, flags [none], proto UDP (17), length 137, bad cksum 0 (->491d)!)
        157.56.106.184.3544 > 192.168.1.2.60572: [udp sum ok] UDP, length 109
    17:02:00.728467 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30920, offset 0, flags [none], proto UDP (17), length 44)
        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
    17:02:05.165127 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 30921, offset 0, flags [DF], proto TCP (6), length 48)
        192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0xae9a (correct), seq 638309427, win 8192, options [mss 1460,nop,nop,sackOK], length 0
    17:02:05.268329 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.1.1 (00:0d:b9:1b:05:f6) tell 192.168.1.2, length 46
    17:02:05.268369 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Reply 192.168.1.1 is-at 00:0d:b9:1b:05:f6, length 46
    17:02:05.944083 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30922, offset 0, flags [none], proto UDP (17), length 44)
        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
    17:02:08.546450 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 9280, offset 0, flags [DF], proto TCP (6), length 41)
        192.168.1.2.54517 > 192.168.1.1.80: Flags [.], cksum 0xe0a9 (correct), seq 0:1, ack 1, win 256, length 1
    17:02:08.547114 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 48216, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->fb23)!)
        192.168.1.1.80 > 192.168.1.2.54517: Flags [.], cksum 0xdfa8 (correct), seq 1, ack 1, win 513, length 0
    17:02:10.761866 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30923, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.2.54520 > 70.89.208.13.80: Flags , cksum 0x1487 (correct), seq 2543449493, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:02:10.762820 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 33822, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->de94)!)
        70.89.208.13.80 > 192.168.1.2.54520: Flags [S.], cksum 0x979c (correct), seq 1887383183, ack 2543449494, win 65228, options [mss 1460,nop,wscale 7,sackOK,eol], length 0
    17:02:10.763399 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30924, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.1.2.54520 > 70.89.208.13.80: Flags [.], cksum 0xd53a (correct), seq 1, ack 1, win 256, length 0
    17:02:10.763686 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 256: (tos 0x0, ttl 128, id 30925, offset 0, flags [DF], proto TCP (6), length 242)
        192.168.1.2.54520 > 70.89.208.13.80: Flags [P.], cksum 0x94a1 (correct), seq 1:203, ack 1, win 256, length 202
    17:02:10.763787 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 32040, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e596)!)
        70.89.208.13.80 > 192.168.1.2.54520: Flags [.], cksum 0xd371 (correct), seq 1, ack 203, win 511, length 0
    17:02:10.764296 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 566: (tos 0x0, ttl 128, id 30926, offset 0, flags [DF], proto TCP (6), length 552)
        192.168.1.2.54520 > 70.89.208.13.80: Flags [P.], cksum 0x8cfa (correct), seq 203:715, ack 1, win 256, length 512
    17:02:10.764383 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 5998, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->4b51)!)
        70.89.208.13.80 > 192.168.1.2.54520: Flags [.], cksum 0xd173 (correct), seq 1, ack 715, win 509, length 0
    17:02:10.764998 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 552: (tos 0x0, ttl 64, id 52474, offset 0, flags [DF], proto TCP (6), length 538, bad cksum 0 (->93d2)!)
        70.89.208.13.80 > 192.168.1.2.54520: Flags [P.], cksum 0x22fa (correct), seq 1:499, ack 715, win 513, length 498
    17:02:10.765233 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 31505, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->e7ad)!)
        70.89.208.13.80 > 192.168.1.2.54520: Flags [F.], cksum 0xcf7c (correct), seq 499, ack 715, win 513, length 0
    17:02:10.766114 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30927, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.1.2.54520 > 70.89.208.13.80: Flags [F.], cksum 0xd07f (correct), seq 715, ack 499, win 254, length 0
    17:02:10.766229 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 22690, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->a1d)!)
        70.89.208.13.80 > 192.168.1.2.54520: Flags [F.], cksum 0xcf7b (correct), seq 499, ack 716, win 513, length 0
    17:02:11.005964 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 58058, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->7ff4)!)
        70.89.208.13.80 > 192.168.1.2.54520: Flags [F.], cksum 0xcf7b (correct), seq 499, ack 716, win 513, length 0
    17:02:11.006387 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30928, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.1.2.54520 > 70.89.208.13.80: Flags [.], cksum 0xd17c (correct), seq 716, ack 500, win 0, length 0
    17:02:11.159887 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 128, id 30929, offset 0, flags [none], proto UDP (17), length 44)
        192.168.1.2.64602 > 70.89.208.13.75: [udp sum ok] UDP, length 16
    17:02:13.385739 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 694: (tos 0x0, ttl 128, id 9281, offset 0, flags [DF], proto TCP (6), length 680)
        192.168.1.2.54517 > 192.168.1.1.80: Flags [P.], cksum 0x91f3 (correct), seq 1:641, ack 1, win 256, length 640
    17:02:13.386430 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 55382, offset 0, flags [DF], proto TCP (6), length 40, bad cksum 0 (->df25)!)
        192.168.1.1.80 > 192.168.1.2.54517: Flags [.], cksum 0xdd2d (correct), seq 1, ack 641, win 508, length 0


  • Netgate

    Yeah.  Three connection attempts from 192.168.1.2 to 70.89.208.13:3389 with nothing coming back.

    17:01:56.166321 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30918, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:01:59.166111 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 128, id 30919, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0x9a8b (correct), seq 638309427, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:02:05.165127 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 128, id 30921, offset 0, flags [DF], proto TCP (6), length 48)
        192.168.1.2.54519 > 70.89.208.13.3389: Flags , cksum 0xae9a (correct), seq 638309427, win 8192, options [mss 1460,nop,nop,sackOK], length 0

    What interface is that capture from?  Looks like LAN.  Do it on WAN and try again.  Put 3389 in the port field before you start it please.

    I'm making some assumptions because your log is mangled.  Post your captures in code tags or attach them, since the brackets are being interpreted as formatting codes.
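The check Derelict did by eye above (outbound SYNs to 3389, nothing coming back) as a small Python parser over tcpdump `-e -vv` text. This is an added example, not code from the thread or from pfSense; the capture it runs on is constructed to mirror the thread's format and addresses, with the flag brackets intact.

```python
import re
# Second line of each packet in "tcpdump -e -vv" output: "src.sport > dst.dport: ... seq N ..."
FLOW_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):(.*)$")
SEQ_RE = re.compile(r"\bseq (\d+)\b")

# Constructed sample in the same layout as the thread's capture (ethernet header lines
# shortened); IPs and ports mirror the thread, the remaining values are made up.
SAMPLE = """\
17:01:56.166321 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66
    192.168.1.2.54519 > 70.89.208.13.3389: Flags [S], seq 638309427, win 8192, length 0
17:01:59.166111 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66
    192.168.1.2.54519 > 70.89.208.13.3389: Flags [S], seq 638309427, win 8192, length 0
17:02:05.165127 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 62
    192.168.1.2.54519 > 70.89.208.13.3389: Flags [S], seq 638309427, win 8192, length 0
17:02:10.761866 2c:27:d7:7f:fc:eb > 00:0d:b9:1b:05:f6, ethertype IPv4 (0x0800), length 66
    192.168.1.2.54520 > 70.89.208.13.80: Flags [S], seq 2543449493, win 8192, length 0
17:02:10.762820 00:0d:b9:1b:05:f6 > 2c:27:d7:7f:fc:eb, ethertype IPv4 (0x0800), length 66
    70.89.208.13.80 > 192.168.1.2.54520: Flags [S.], seq 1887383183, ack 2543449494, length 0
"""

def summarize_flows(capture_text):
    """Group packets into flows keyed by the first direction seen.
    Returns {(src, sport, dst, dport): {"out": n, "in": n, "seqs": [...]}};
    a flow with in == 0 never got a single packet back from the far end."""
    flows = {}
    for line in capture_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:                      # timestamp/ethernet header line, skip it
            continue
        src, sport, dst, dport, rest = m.groups()
        key, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:               # packet travelling back toward a tracked flow
            flows[rev]["in"] += 1
            continue
        f = flows.setdefault(key, {"out": 0, "in": 0, "seqs": []})
        f["out"] += 1
        s = SEQ_RE.search(rest)
        if s:
            f["seqs"].append(int(s.group(1)))
    return flows

def unanswered_to_port(capture_text, port):
    """Flows toward `port` with no reply at all; identical repeated seq numbers
    are the client's SYN retransmits, the pattern Derelict pointed out."""
    hits = []
    for (src, sport, dst, dport), f in summarize_flows(capture_text).items():
        if int(dport) == port and f["in"] == 0:
            retrans = len(f["seqs"]) - len(set(f["seqs"]))
            hits.append({"client": src, "server": dst, "attempts": f["out"], "retransmits": retrans})
    return hits

if __name__ == "__main__":
    for hit in unanswered_to_port(SAMPLE, 3389):
        print(hit)
```

Run on the same capture from WAN as Derelict suggests, it tells you in one line whether the SYNs leave pfSense; if they do and still nothing returns, the drop is upstream.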



  • Unbelievable. I killed 3 days on this thing and wasted your time. I blew it away and left everything at default and now it works. Just kill me.  I apologize for wasting your time.

    I did save the old config so I can do as you said.

    Thank you again for responding and trying to help me out. I really appreciate it.

    ~ Michael


  • Netgate

    Glad you got it working.