Need some help with PFSense NAT.

[C7J0yc3]

Ok so I finally got my firebox x700 working with PFSense (For those running them, 2.0 Beta 3 is MUCH more stable then 1.2.3).So far I love it and would have a hard time going back to DD-WRT. The only problem is I can't seem to wrap my head around the NAT and port forwarding rules. As a test I just wanted to setup a simple forward for RDP to get into my server at home from on the road.

I went to Firewall > NAT > New Policy and created a new rule using these settings

Interface: WAN
Protocol: TCP
Source: any
Source Port Range: From:Any To:Any
Destination: LAN Subnet
Destination Port Range: From:MS RDP To:MS RDP
Redirect target IP: 10.1.2.1
Redirect Target Port: MS RDP
Filter Rule Association: Rule NAT Server RDP

No XMLRPC Sync: unchecked
No RDR (NOT): unchecked

I applied them, verified that the firewall rule showed up, and then rebooted the firewall to ensure that they were loaded into the config. I am at the office, and I can remotely manage the firewall, but I can't connect to RDP. When I was running DD-WRT I was able to RDP to the server, but now I can't and only the firewall has changed

 

[jadams]

Did you verify the port is open? canyouseeme.org and choose port 3389

 

[C7J0yc3]

No, doing a portscan for 3389 turns up no results, however port scanning 443 which is what I am using for remote firewall management comes back with a response.

 

[aaronearles]

I haven't used 2.0, but in 1.2.3 there is a checkbox to also create a matching firewall rule, do you have a firewall rule in place to allow the traffic?

Also, I didn't realize you could NAT to the whole LAN subnet, doesn't that defeat the purpose?

edit - just looked, you cant create a nat rule to point to the whole subnet, but you can create a firewall rule like that. Are you sure you're not creating a firewall rule, instead of a nat rule that's set to also create a matching firewall rule? Otherwise I would ssh into pfsense and make sure you can ping the host or make a connection locally to 3389.

 

[C7J0yc3]

Here is the edit screen for the NAT rule I am trying to setup.

And here is the matching firewall rule it automatically setup for me

 

[Valnar]

I don't use pfSense 2.0 yet, but for the NAT screen, the destination should be a single host, not a /16 network.

 

[C7J0yc3]

I don't use pfSense 2.0 yet, but for the NAT screen, the destination should be a single host, not a /16 network.

Thanks for the catch, it is now set to single host / alias, however still is unable to remote desktop.

 

[Oline61]

Destination should be your WAN ip address/interface. This is the packets destination before the address is translated.

 

[iGamer]

I can't help you on the nat, but I just upgraded to 2.0 beta 3 from 1.2.3 today, and I am liking the gui a lot better! I mainly upgraded because of the nat issues of bad company 2, that I heard were resolved in 2.0.

 

[jadams]

what issues were u having w/ bc2? i have no ports forwarded for the game and i play it fine?

 

[C7J0yc3]

FIXED IT!

The fix was to set the destination to LAN address.

 

[iGamer]

what issues were u having w/ bc2? i have no ports forwarded for the game and i play it fine?

this problem only showed at say a lan party, if two people were playing at the same time, but each on a different server, one user would always get kicked... if you are toe only one playing this issue never would come up... I have lan parties here all the time on a regular basis!