Routing Rules and creating a static RDP Route



  • Hidy ho everyone,

    I'm trying to do some more messing around with Pf sense today, and I have some questions for you all.

    I have a network consisting of 3 running virtual machines, all run through virtual box.  I have a pfsense router with 3 network interfaces.  The WAN interface is facing my local lan through a bridged interface.  Next, my second interface is facing a nic in a virtual network I'm calling "Network 2".  The third nic is facing another separate virtual network I'm calling "Network 3".  Now I have 1 windows 7 vm on network 2, and another on network 3.  Please note, these separate networks are all virtual, there is no physical infrastructure here.  Both virtual nics on networks 2&3, have the default allow all route to allow internet access.

    I have 2 goals today, my first is to create a static route from my bridged adapter to my machine on network 2.  Allowing me to use windows remote access program (RDP) to take control of that machine at will.

    My second is to try locking down both networks, to only allow traffic on certain ports.  Even better if I could limit the traffic on a given port.

    My problem is, I don't know how to go about doing this.  I'm honestly not sure what traffic should be allowed, and on what port.  Are there any links I could read up on regarding traffic limitations?

    Also, I can't seem to find a specific drop down menu option for the RDP protocol.  So, is there a way to limit that traffic in any way?



  • Ok, so i've been plugging away at this issue, and actually made progress.

    I found this guide: http://pc-addicts.com/building-ultimate-virtualbox-rdp-vms, and I was able to rdp through pfsense into a virtual machine.

    Now I'm trying to read over programs to see what ports they use.  And specifically open those ports, letting the auto block feature of pfsense, stop everything else.

    The programs I'm trying to keep open are windows update, microsoft dynamics RMS, and web browsers (specifically chome).  I don't use chrome on my personal machines, but most of my clients seem to prefer it, so I'm using it as a bit of practice.



  • For those who are looking at this thread, I'm still plugging away at this experiment of mine.

    I figured out all the ports to leave open, and put rules for them on the WAN interface.  Everything not covered by rules on that interface gets a deny, correct?

    Do I have to put these rules on the Lan interfaces as well?  Because right now, the only rules on that interface, are leaving ports 80 (http), 443 (https), and port 1433 (sql port).  As well as a forwarding rule that says anything coming in gets sent via rdp protocol to a specific machine.  But each lan interface has the default allow all rule (you guys helped me understand that rule, thanks again for that!).

    Edit: if I changed those rules on the wan interface, to floating rules.  Would those rules apply to everything the firewall does, instead of individual interfaces?