Problem Forwarding Ports



  • Hi Guys,

    I have spent the last 2 days scanning through the forums and PF sense setup guide trying to get my head around why I can't seem to get my ports forwarded.

    I have Technicolour TG797n modem IP: 10.0.0.38 (the ip was 192.168.0.1 but I gave it to the PF sense box).
    PF Sense box (Physical PC, not virtual) IP: 192.168.0.1
    SBS2007 Server IP: 192.168.0.2 Also DHCP and DNS Server.
    RDP / Terminal Server (VM inside of SBS server) IP: 192.168.0.4

    Before setting up the PF sense box I used port 3391 for RDP to the RDP / Terminal Server and port 3390 for RDP to the SBS box.

    In the technicolor modem I have these ports forwarded to the PF sense box 192.168.0.1 and have also tried to remove forwarded ports completely but can't get a connection through.

    I have the ports in NAT set as WAN interface / TCP protocol / Source Port Any / Destination Port From 3391 to 3391 / Redirect Target IP 192.168.0.4 / Target Port 3391.
    And the same settings for 3390 & 192.168.0.2.

    The only thing I can think of is to uncheck the "block private network" option which I have not done but think I might have to as my LAN network is all 192.xxx.xxx.xxx except for the modem.

    Sorry to be a pain, anyone have any suggestions or ideas of what to look at next?


  • LAYER 8 Global Moderator

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Have you verified that pfsense is seeing the traffic and then forwarding?  Simple sniff all of 30 seconds.. How exactly are you testing??  From wan or you trying to do a nat loopback?

    I have to question the sanity in opening up RDP to the public internet in the first place to be honest.  What about your host firewalls, I can tell you for sure the out of the box windows firewall is going to block that from a network different than the one they are on that is for sure..



  • I have not tested that it is seeing the traffic, I will look into that as I have not done any form of test except for forwarding the ports and trying to connect from an external connection.

    I did not think that opening RDP to public was a security risk, it was set up like that when I first saw the network and the server has always been open using the out of the box modem from Telstra. From memory, the SBS box is running an AVG file server AV.


  • LAYER 8 Global Moderator

    You're exposing a machine to public internet with user name and password as only protection.. Let me guess Administrator - so now the script kiddies can bang on it all day long trying passwords..

    Do you have this rdp limited to specific source IPs in the firewall?

    I don't have it open, but show in the last day 27 hits to 3389..  If it was open, then they would try and log in.. Or some other exploit to the remote desktop service.. If you need remote access to your network then vpn into it.

    Opening ANYTHING to the public net is a security risk!!
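The moderator's "27 hits to 3389" is the kind of number a firewall log gives you when RDP is not exposed but still being probed. The following is an added example (not pfSense's code and not from anyone in this thread) that pulls that figure out of pfSense-style `filterlog` lines: it counts inbound TCP SYNs to the RDP ports mentioned in the thread (3389, 3390, 3391) per source and per port, and lists sources that exceed a threshold. The sample log lines are constructed; they follow the comma-separated `filterlog` layout as I read it (IPv4/TCP field positions), and the WAN interface name `em0` and the public address `203.0.113.10` are assumptions.

```python
import re
from collections import Counter

# Standard RDP port plus the two custom RDP ports the thread forwards.
RDP_PORTS = {3389, 3390, 3391}

# Constructed sample lines in pfSense filterlog CSV layout (IPv4/TCP, one UDP line
# to show the parser skipping records it does not understand). Addresses are from
# the RFC 5737 documentation ranges; the WAN interface name em0 is an assumption.
SAMPLE_LOG = """\
Mar 10 02:14:31 pfsense filterlog[5591]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,198.51.100.23,203.0.113.10,54321,3389,0,S,1111111111,,65535,,mss
Mar 10 02:14:33 pfsense filterlog[5591]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,198.51.100.23,203.0.113.10,54322,3389,0,S,1111111112,,65535,,mss
Mar 10 02:14:35 pfsense filterlog[5591]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12347,0,DF,6,tcp,60,198.51.100.23,203.0.113.10,54323,3389,0,S,1111111113,,65535,,mss
Mar 10 02:15:02 pfsense filterlog[5591]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,22222,0,DF,6,tcp,60,192.0.2.77,203.0.113.10,40000,3391,0,S,2222222222,,65535,,mss
Mar 10 02:15:40 pfsense filterlog[5591]: 5,,,1000000103,em0,match,block,in,4,0x0,,64,33333,0,DF,6,tcp,60,192.0.2.78,203.0.113.10,40001,443,0,S,3333333333,,65535,,mss
Mar 10 02:16:10 pfsense filterlog[5591]: 70,,,1770000001,em0,match,pass,in,4,0x0,,64,44444,0,DF,17,udp,76,198.51.100.9,203.0.113.10,500,500,56
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(.*)$")


def parse_filterlog(line):
    """Parse one filterlog line into a dict, or None for non-IPv4-TCP records.

    Field positions (assumed from the filterlog CSV layout): 4 interface,
    6 action, 7 direction, 8 ip-version, 16 protocol, 18 src, 19 dst,
    20 src-port, 21 dst-port, 23 tcp-flags.
    """
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] != "tcp":
        return None  # only IPv4 TCP records carry ports at these positions
    return {
        "iface": f[4], "action": f[6], "direction": f[7],
        "src": f[18], "dst": f[19],
        "sport": int(f[20]), "dport": int(f[21]),
        "tcp_flags": f[23] if len(f) > 23 else "",
    }


def rdp_hits(log_text, wan_iface="em0"):
    """Count inbound TCP SYNs to RDP ports arriving on the WAN interface.

    Returns (per_source, per_port) Counters. Blocked and passed records are
    both counted: the point is to see who is knocking, whatever the rule did.
    """
    per_src, per_port = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if not rec or rec["iface"] != wan_iface or rec["direction"] != "in":
            continue
        if rec["dport"] in RDP_PORTS and "S" in rec["tcp_flags"]:
            per_src[rec["src"]] += 1
            per_port[rec["dport"]] += 1
    return per_src, per_port


def noisy_sources(per_src, threshold=3):
    """Sources with at least `threshold` RDP connection attempts, sorted."""
    return sorted(src for src, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    by_src, by_port = rdp_hits(SAMPLE_LOG)
    print("hits per port:", dict(by_port))
    print("hits per source:", dict(by_src))
    print("repeat offenders:", noisy_sources(by_src))
```

On a real box the input would be `/var/log/filter.log` (or the output of `clog` on older pfSense versions, where the log is circular); the parser only needs the text after `filterlog[pid]:`, so the syslog prefix format does not matter.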




  • Makes sense, I was not aware having RDP internet facing was a problem, I would have thought there would be other security measures like limiting login attempts?

    However, from what you have said I will advise the owner to not use RDP and set up a VPN instead.

    I will still need to forward ports 25 & 995 for mail and 443 for OWA, after more research it seems like my problem may come from not having bridge mode or DMZ on the technicolor modem and double NAT can cause problems?


  • LAYER 8 Global Moderator

    yes if you're behind a NAT then you would have to forward whatever ports you want pfsense to forward to pfsense.  Or you would have to put pfsense in the dmz of your router.

    Administrator account doesn't lock out, and if it did you would want random brute force attempts to lock out your admin account??
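To make the double-NAT point concrete, here is an added example (mine, not pfSense's or anyone's in the thread) that models the two hops from the original post as a chain of NAT devices, each with its own port-forward table, and traces an inbound connection to TCP/3391 through them. It uses the LAN addresses the post gives (pfSense 192.168.0.1, terminal server 192.168.0.4, SBS 192.168.0.2); the modem's public address `203.0.113.10` and pfSense's WAN address on the modem's LAN, `10.0.0.2`, are assumptions since the post does not state them. The four scenarios show why the connection dies when the modem has no forward, why it also dies in this model when the modem forwards to pfSense's LAN address rather than its WAN address, and why both a correct modem forward and bridge mode let the pfSense rule do its job.

```python
from dataclasses import dataclass, field

# Addresses from the thread, plus two assumptions the post does not state.
PUBLIC_IP = "203.0.113.10"       # assumed: modem's public address (RFC 5737 range)
PFSENSE_WAN_IP = "10.0.0.2"      # assumed: pfSense WAN address on the modem's 10.0.0.x LAN
PFSENSE_LAN_IP = "192.168.0.1"   # from the post
TERMINAL_SERVER = "192.168.0.4"  # from the post
SBS_SERVER = "192.168.0.2"       # from the post

# The pfSense NAT rules exactly as the post describes them.
PFSENSE_RULES = {
    ("tcp", 3391): (TERMINAL_SERVER, 3391),
    ("tcp", 3390): (SBS_SERVER, 3390),
}


@dataclass
class NatHop:
    """One NAT device: a WAN address, a port-forward table, and an optional bridge mode."""
    name: str
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # (proto, dst_port) -> (target_ip, target_port)
    bridge: bool = False                          # bridge mode passes traffic through untouched

    def handle(self, proto, dst_ip, dst_port):
        """Return the rewritten (dst_ip, dst_port), or None if this hop drops the packet."""
        if self.bridge:
            return dst_ip, dst_port
        if dst_ip != self.wan_ip:
            return None  # not addressed to this hop's WAN side; nothing here will answer
        target = self.forwards.get((proto, dst_port))
        if target is None:
            return None  # unsolicited inbound with no forward: default deny
        return target


def trace(hops, proto, dst_ip, dst_port):
    """Walk a packet through the hops in order; returns (per-hop results, final destination or None)."""
    path = []
    for hop in hops:
        result = hop.handle(proto, dst_ip, dst_port)
        path.append((hop.name, result))
        if result is None:
            return path, None
        dst_ip, dst_port = result
    return path, (dst_ip, dst_port)


def topology(modem_forwards=None, bridge=False):
    """Build the modem -> pfSense chain. In bridge mode the public address lands on pfSense's WAN."""
    if bridge:
        return [NatHop("modem (bridge)", PUBLIC_IP, bridge=True),
                NatHop("pfSense", PUBLIC_IP, PFSENSE_RULES)]
    return [NatHop("modem", PUBLIC_IP, modem_forwards or {}),
            NatHop("pfSense", PFSENSE_WAN_IP, PFSENSE_RULES)]


def double_nat_no_modem_forward():
    """Modem does no forwarding: the packet never reaches pfSense."""
    return trace(topology(), "tcp", PUBLIC_IP, 3391)[1]


def double_nat_modem_forward_to_pfsense_lan():
    """Modem forwards to 192.168.0.1 (pfSense's LAN side), which is unreachable from the modem."""
    fwd = {("tcp", 3391): (PFSENSE_LAN_IP, 3391)}
    return trace(topology(modem_forwards=fwd), "tcp", PUBLIC_IP, 3391)[1]


def double_nat_modem_forward_to_pfsense_wan():
    """Modem forwards to pfSense's WAN address; pfSense's own rule then redirects to the server."""
    fwd = {("tcp", 3391): (PFSENSE_WAN_IP, 3391), ("tcp", 3390): (PFSENSE_WAN_IP, 3390)}
    return trace(topology(modem_forwards=fwd), "tcp", PUBLIC_IP, 3391)[1]


def bridged_modem():
    """Modem in bridge mode: single NAT, pfSense's rule applies directly."""
    return trace(topology(bridge=True), "tcp", PUBLIC_IP, 3391)[1]


if __name__ == "__main__":
    for case in (double_nat_no_modem_forward, double_nat_modem_forward_to_pfsense_lan,
                 double_nat_modem_forward_to_pfsense_wan, bridged_modem):
        print(f"{case.__name__}: {case()}")
```

The model is deliberately minimal: it only tracks destination rewriting, which is the part of double NAT that breaks inbound port forwards. Source addresses and return-path state are left out because they are not what stopped the connection in the thread.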



    Turned out double NATing was the culprit, no matter how I tried to set it up I could not get the modem to forward the ports to the PFsense box, in the end I put the modem into bridge mode and all my problems were solved!

    Thanks  :D



  • If you have the ability to switch it to bridged then that's the preferred solution over double-NAT anyway.

