Need some help with PFSense NAT.

C7J0yc3

[H]ard|Gawd
Joined
Dec 27, 2009
Messages
1,353
Ok so I finally got my firebox x700 working with PFSense (For those running them, 2.0 Beta 3 is MUCH more stable then 1.2.3).So far I love it and would have a hard time going back to DD-WRT. The only problem is I can't seem to wrap my head around the NAT and port forwarding rules. As a test I just wanted to setup a simple forward for RDP to get into my server at home from on the road.

I went to Firewall > NAT > New Policy and created a new rule using these settings

Interface: WAN
Protocol: TCP
Source: any
Source Port Range: From:Any To:Any
Destination: LAN Subnet
Destination Port Range: From:MS RDP To:MS RDP
Redirect target IP: 10.1.2.1
Redirect Target Port: MS RDP
Filter Rule Association: Rule NAT Server RDP

No XMLRPC Sync: unchecked
No RDR (NOT): unchecked

I applied them, verified that the firewall rule showed up, and then rebooted the firewall to ensure that they were loaded into the config. I am at the office, and I can remotely manage the firewall, but I can't connect to RDP. When I was running DD-WRT I was able to RDP to the server, but now I can't and only the firewall has changed
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
Did you verify the port is open? canyouseeme.org and choose port 3389
 

C7J0yc3

[H]ard|Gawd
Joined
Dec 27, 2009
Messages
1,353
No, doing a portscan for 3389 turns up no results, however port scanning 443 which is what I am using for remote firewall management comes back with a response.
 

aaronearles

[H]ard|Gawd
Joined
Aug 31, 2006
Messages
2,016
I haven't used 2.0, but in 1.2.3 there is a checkbox to also create a matching firewall rule, do you have a firewall rule in place to allow the traffic?

Also, I didn't realize you could NAT to the whole LAN subnet, doesn't that defeat the purpose?

edit - just looked, you cant create a nat rule to point to the whole subnet, but you can create a firewall rule like that. Are you sure you're not creating a firewall rule, instead of a nat rule that's set to also create a matching firewall rule? Otherwise I would ssh into pfsense and make sure you can ping the host or make a connection locally to 3389.
 

C7J0yc3

[H]ard|Gawd
Joined
Dec 27, 2009
Messages
1,353
Here is the edit screen for the NAT rule I am trying to setup.
rulesetup.jpg


And here is the matching firewall rule it automatically setup for me
firewallrule.jpg
 
Last edited:

Valnar

2[H]4U
Joined
Apr 3, 2001
Messages
3,977
I don't use pfSense 2.0 yet, but for the NAT screen, the destination should be a single host, not a /16 network.
 

C7J0yc3

[H]ard|Gawd
Joined
Dec 27, 2009
Messages
1,353
I don't use pfSense 2.0 yet, but for the NAT screen, the destination should be a single host, not a /16 network.

Thanks for the catch, it is now set to single host / alias, however still is unable to remote desktop.
 

Oline61

Gawd
Joined
Aug 8, 2005
Messages
869
Destination should be your WAN ip address/interface. This is the packets destination before the address is translated.
 

iGamer

[H]ard|Gawd
Joined
Jul 19, 2007
Messages
1,663
I can't help you on the nat, but I just upgraded to 2.0 beta 3 from 1.2.3 today, and I am liking the gui a lot better! I mainly upgraded because of the nat issues of bad company 2, that I heard were resolved in 2.0.
 

jadams

2[H]4U
Joined
Mar 14, 2010
Messages
4,086
what issues were u having w/ bc2? i have no ports forwarded for the game and i play it fine?
 

iGamer

[H]ard|Gawd
Joined
Jul 19, 2007
Messages
1,663
what issues were u having w/ bc2? i have no ports forwarded for the game and i play it fine?

this problem only showed at say a lan party, if two people were playing at the same time, but each on a different server, one user would always get kicked... if you are toe only one playing this issue never would come up... I have lan parties here all the time on a regular basis! :)
 
Top