How to Configure NAT & Port Forward on Pfsense for Remote Desktop?


Whenever we need to expose a device on our internal network to the WAN or the internet, we do it with NAT together with port forwarding on pfSense. In this post we look at what these two concepts are and how to enable them on pfSense, with a few common examples.

Understanding Pfsense NAT and Port Forwarding

NAT is short for Network Address Translation: mapping our device's private IP address to our network's public IP address. NAT is everywhere; we use it every time we browse the internet, because the firewall rewrites the source address of our outgoing packets from the device's private IP to the network's public IP and rewrites the replies back on the way in. This outbound form is source NAT (masquerading), and pfSense does it for us automatically.

Reverse NAT

When we want traffic from the remote WAN or the internet to reach a device on our internal network, the translation runs the other way. Traffic from the internet arrives at the pfSense WAN IP, and pfSense translates the destination address from the WAN IP to the local machine's IP. This tutorial calls it reverse NAT; pfSense calls it destination NAT and configures it as a port forward.

Reverse Port Forwarding

Port forwarding is also called PAT (Port Address Translation): mapping a port on the public address to a port on a local machine. Outbound, pfSense already does this for every connection by rewriting the source port, which is how many internal hosts share one WAN address. Inbound, a port forward does the same with the destination port: it maps a port on the WAN address to a port on the target machine, and the two port numbers do not have to be the same.

To reach a local service from outside we need both translations, of the destination address and of the destination port, on the pfSense firewall. For example, to open a remote desktop session to a Windows machine from the internet, we start an RDP (Remote Desktop Protocol) connection to TCP port 3389 with the pfSense WAN address as the destination. That traffic, carrying the WAN IP and WAN port as its destination, arrives on the pfSense WAN interface; pfSense rewrites the destination to the local machine's IP and port (3389 unless you choose a different internal port) and the connection completes.

Is Port Forwarding Risky?

The short answer is yes. Every forwarded port is a service exposed to the whole internet, and the firewall rules only decide who is allowed to reach it. Snort or Suricata on pfSense (optional packages, not installed by default) can detect and sometimes block known attack patterns, but they are not a guarantee: a signature only exists for attacks that are already known, and RDP on a public address is a standing target for password guessing, credential stuffing and bugs in the RDP service itself. Treat a port forward as a last resort for anything with a login: prefer reaching the machine over a VPN (pfSense supports OpenVPN, IPsec and WireGuard), restrict the rule's Source to the addresses you actually connect from, require Network Level Authentication and strong passwords on the Windows side, and watch the firewall and Windows logon logs for failed attempts.

Things we need to know before starting !

By default, a freshly installed pfSense box has no pass rules on the WAN interface, so all inbound traffic is blocked: an outside host cannot initiate a connection to anything on the internal network until a rule allows it. A port forward with "Add associated filter rule" creates that pass rule for you.

When enabling external access to local services, avoid overlapping configurations. A port forward takes precedence over services the firewall itself listens on, so forwarding TCP 443 to a new web server, for example, claims the port the pfSense web GUI uses by default on the WAN address, and anyone reaching that address and port (including LAN clients when NAT reflection is enabled) lands on the web server instead of the GUI. Either move the GUI to another port under System > Advanced or pick a different external port for the forward. The same applies to SSH on port 22 if you have enabled it on the firewall.

NAT Port Forwarding Example for Remote Desktop (MS RDP)

A common use case is wanting to reach a Windows machine on your internal network from the internet. For that you enable a port forward for MS RDP (Microsoft Remote Desktop Protocol) on your pfSense.

First make sure that Remote Desktop is enabled on the machine and that its own firewall does not block RDP connections to it; the steps depend on your Windows version, and while you are there, leave Network Level Authentication enabled. See how to enable MS RDP Connection on Windows.

Once the machine accepts remote desktop connections, it is time to configure the NAT port forward rule on pfSense.

Log into the pfSense web interface, open Firewall > NAT, and on the Port Forward tab click the Add button, as shown below.

[Screenshot: Add button on the pfSense Port Forward tab]

Here is a sample configuration for you that enables Nat port forward for MS RDP on my network.

[Screenshot: pfSense example configuration for a NAT port forward for remote desktop]

As you can see, I have filled in the fields as follows:

  • Interface: WAN.
  • Protocol: TCP (RDP runs over TCP 3389; newer clients can also use UDP 3389 to speed up the session, but TCP alone is enough for it to work).
  • Source: left at the default, Any. For RDP you should narrow this to an alias of your own addresses; see the note further down.
  • Destination: WAN address, i.e. the address of your WAN interface.
  • Destination Port Range: MS RDP from the list (3389 by default); you may choose a custom external port here instead.
  • Redirect Target IP: the local IP of the desktop or PC you want to reach. Give that machine a static IP or a DHCP static mapping, otherwise the forward breaks when its lease changes.
  • Redirect Target Port: MS RDP from the list (3389), the port the Windows machine actually listens on.
  • Description: a clear description of what the rule is for.
  • Filter rule association: leave the default, Add associated filter rule, which creates the matching pass rule on WAN. The NAT entry on its own does not let traffic in.
  • Click Save.

After this, click Apply Changes and the new rule is active.

[Screenshot: pfSense Apply Changes confirmation]

Now verify the rule. Open canyouseeme.org in a browser on a machine behind pfSense; it picks up your WAN address automatically. Enter your RDP port, 3389, and click Check Port.

If the forward works, the site reports that it can see the service from outside; otherwise it reports an error (a timeout or a refused connection). The check is made from the internet, which is the point: testing from inside the LAN against your own WAN address only works when NAT reflection is enabled.
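A stricter check than canyouseeme.org, as an added example that is not part of the original post: the script below speaks the first step of the RDP handshake (X.224 Connection Request and Connection Confirm from MS-RDPBCGR) against a host and port, so it shows that whatever answers really is an RDP server, which security mode it negotiated, and whether it refuses clients that do not offer Network Level Authentication. Run it from a host on the internet (a VPS, a phone hotspot) against your WAN address and the external port. fake_rdp_server() is a constructed stand-in for the Windows machine so the module runs offline; the constants are the flag values from the protocol specification.

```python
"""Probe an RDP port forward by doing the X.224 Connection Request /
Confirm exchange (MS-RDPBCGR 2.2.1.1 and 2.2.1.2).  Added example, not
code from the original post or from pfSense."""
import socket
import struct
import threading

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2   # requestedProtocols flags
NEG_REQ, NEG_RSP, NEG_FAILURE = 0x01, 0x02, 0x03             # RDP negotiation types
HYBRID_REQUIRED_BY_SERVER = 0x5                              # rdpNegFailure code


def x224_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """TPKT header + X.224 Connection Request carrying an RDP Negotiation Request."""
    neg_req = struct.pack("<BBHI", NEG_REQ, 0, 8, requested)
    x224 = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req   # CR code, DST-REF, SRC-REF, class 0
    x224 = bytes([len(x224)]) + x224                 # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Classify the server reply: ('rdp', selected_protocol) for a Connection
    Confirm with a negotiation response, ('rdp', None) for a bare Confirm
    (legacy server), ('failure', code) for a negotiation failure, and
    ('not-rdp', None) for anything else."""
    if len(data) < 7 or data[0] != 3 or data[5] != 0xD0:
        return ("not-rdp", None)
    if len(data) < 19:
        return ("rdp", None)
    ntype, _flags, _length, value = struct.unpack_from("<BBHI", data, 11)
    if ntype == NEG_RSP:
        return ("rdp", value)
    if ntype == NEG_FAILURE:
        return ("failure", value)
    return ("rdp", None)


def probe_rdp(host, port=3389, timeout=5.0, requested=PROTOCOL_SSL | PROTOCOL_HYBRID):
    """Connect, send one Connection Request, read one reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(x224_connection_request(requested))
            data = sock.recv(64)
    except OSError as exc:
        return {"reachable": False, "error": str(exc)}
    kind, value = parse_connection_confirm(data)
    return {"reachable": True, "kind": kind, "value": value,
            "nla": kind == "rdp" and value == PROTOCOL_HYBRID}


def nla_enforced(host, port=3389, timeout=5.0):
    """Offer only legacy RDP security; a server that requires NLA must refuse
    with HYBRID_REQUIRED_BY_SERVER instead of accepting the weaker mode."""
    result = probe_rdp(host, port, timeout, requested=PROTOCOL_RDP)
    return result.get("kind") == "failure" and result.get("value") == HYBRID_REQUIRED_BY_SERVER


def fake_rdp_server(require_nla=True):
    """Constructed stand-in for the Windows host: answers one client on
    127.0.0.1 and returns the port it listens on.  Not a real RDP server."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            req = conn.recv(64)
            requested = struct.unpack_from("<I", req, 15)[0] if len(req) >= 19 else 0
            if require_nla and not requested & PROTOCOL_HYBRID:
                body = struct.pack("<BBHI", NEG_FAILURE, 0, 8, HYBRID_REQUIRED_BY_SERVER)
            else:
                chosen = PROTOCOL_HYBRID if requested & PROTOCOL_HYBRID else (
                    PROTOCOL_SSL if requested & PROTOCOL_SSL else PROTOCOL_RDP)
                body = struct.pack("<BBHI", NEG_RSP, 0, 8, chosen)
            x224 = bytes([0xD0, 0, 0, 0x12, 0x34, 0]) + body   # CC code, DST-REF, SRC-REF, class
            conn.sendall(struct.pack(">BBH", 3, 0, 5 + len(x224)) + bytes([len(x224)]) + x224)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_rdp("127.0.0.1", fake_rdp_server()))        # real use: probe_rdp("<WAN IP>", 3389)
    print(nla_enforced("127.0.0.1", fake_rdp_server()))
```

Against a real forward, `probe_rdp` answering `nla: True` only tells you the server accepted NLA when offered; `nla_enforced` is the check that matters, because it asks for the weakest mode and expects to be refused. A `not-rdp` result with `reachable: True` usually means the Redirect Target IP or port points at something other than the Windows machine.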

If you use a different remote desktop client, it may need other TCP or UDP ports forwarded. To find the port numbers, the Wikipedia list of TCP and UDP port numbers is a convenient reference: Wiki Ports.

It is very important to restrict outside access to a few known addresses when forwarding SSH, MS RDP or any other sensitive service. Create an alias under Firewall > Aliases containing the public IPs or networks you connect from and use it in the Source field instead of Any. A public web server is the one case where an open Source is expected, so this restriction does not apply there.

Reverse Nat Port Forward Multiple MS RDP (Remote Desktop) Connections to Single Wan Pfsense

You may have a pfSense box with a single WAN IP address and want remote desktop access to several machines from the internet or a remote WAN. The problem is that every Windows machine listens on TCP port 3389 by default, and with the configuration above one port on the WAN address can only be mapped to one local machine. Let us work through an example:

Say you have two Windows machines with the IP addresses 10.1.1.1 and 10.1.1.2, you want remote desktop forwarding on pfSense for both, and you have a single public IP address, 122.129.77.1.

The first machine, 10.1.1.1, is configured exactly as above: Destination set to the WAN address, Destination Port set to MS RDP (3389), Redirect Target IP set to 10.1.1.1 and Redirect Target Port set to MS RDP (3389).

For the second machine, 10.1.1.2, keep the same settings except the Destination Port, which cannot be MS RDP (3389) again: an external port can only be mapped once per WAN address and protocol. Pick an unused port instead, say 33890, as the Destination Port, and leave the Redirect Target Port at MS RDP (3389) because that is still what the machine listens on. Once these settings are saved and applied, you reach the second machine at 122.129.77.1:33890 (the Remote Desktop client accepts host:port). The non-standard port only keeps the two forwards apart; it is not a security control, since a port scan finds it in seconds, so the Source restriction from the previous section still applies. The following screenshot shows the remote desktop connection for the second machine, 10.1.1.2.
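To plan a set of forwards like this before typing them into the GUI, here is an added example that is not part of the original post and not pfSense code. It models the Port Forward fields from this tutorial, gives each internal host its own external port (the first keeps 3389, the rest get 33890 onwards), refuses plans whose external ports collide with each other or with ports the firewall itself answers on, flags sensitive services left open to any Source, and renders a pf-style preview of the rdr rule and the associated pass rule. pfSense generates its own pf ruleset from config.xml, so the preview is for reading, not for loading with pfctl. The host list, WAN IP, alias name and reserved-port set are constructed sample values.

```python
"""Plan pfSense port forwards for several RDP hosts behind one WAN IP.
Added example, not from the original post or from pfSense."""
from dataclasses import dataclass

RDP_PORT = 3389
# Ports pfSense itself listens on (assumption: web GUI on 443/80, SSH on 22).
FIREWALL_PORTS = {22, 80, 443}
# Services that should never be forwarded with Source = any.
SENSITIVE_PORTS = {22, 3389}


@dataclass(frozen=True)
class PortForward:
    interface: str    # Interface field, e.g. "wan"
    proto: str        # Protocol field, e.g. "tcp"
    source: str       # Source field: "any" or an alias name
    dst_port: int     # Destination Port Range: external port on the WAN address
    target_ip: str    # Redirect Target IP
    target_port: int  # Redirect Target Port: what the host really listens on
    descr: str        # Description


def plan_rdp_forwards(hosts, source="any", first_alt_port=33890):
    """One forward per (name, ip).  The first host keeps 3389 externally; the
    rest get 33890, 33891, ... skipping anything the firewall itself uses."""
    rules, used, next_port = [], set(FIREWALL_PORTS), first_alt_port
    for index, (name, ip) in enumerate(hosts):
        if index == 0 and RDP_PORT not in used:
            port = RDP_PORT
        else:
            while next_port in used:
                next_port += 1
            port = next_port
        used.add(port)
        rules.append(PortForward("wan", "tcp", source, port, ip, RDP_PORT,
                                 f"RDP to {name}"))
    return rules


def validate(rules):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen = [], {}
    for r in rules:
        key = (r.interface, r.proto, r.dst_port)
        if key in seen:
            problems.append(f"{r.descr}: external port {r.dst_port}/{r.proto} "
                            f"already used by '{seen[key]}'")
        seen[key] = r.descr
        if r.dst_port in FIREWALL_PORTS:
            problems.append(f"{r.descr}: external port {r.dst_port} overlaps a "
                            f"port pfSense itself listens on")
        if r.target_port in SENSITIVE_PORTS and r.source == "any":
            problems.append(f"{r.descr}: sensitive service exposed to any "
                            f"source; use an alias in the Source field")
    return problems


def render_pf(rules, wan_ip):
    """pf-style preview: the rdr (destination NAT) plus the pass rule that
    'Add associated filter rule' creates, which matches the translated
    destination (target IP and port), not the WAN address."""
    lines = []
    for r in rules:
        src = "any" if r.source == "any" else f"<{r.source}>"
        lines.append(f"rdr on $WAN proto {r.proto} from {src} to {wan_ip} "
                     f"port {r.dst_port} -> {r.target_ip} port {r.target_port}")
        lines.append(f"pass in quick on $WAN proto {r.proto} from {src} to "
                     f"{r.target_ip} port {r.target_port} label \"{r.descr}\"")
    return "\n".join(lines)


def client_targets(rules, wan_ip):
    """What to type into the Remote Desktop client for each forward: host:port."""
    return {r.descr: f"{wan_ip}:{r.dst_port}" for r in rules}


if __name__ == "__main__":
    hosts = [("pc1", "10.1.1.1"), ("pc2", "10.1.1.2")]     # constructed sample hosts
    plan = plan_rdp_forwards(hosts, source="HomeOffice")  # "HomeOffice" is an assumed alias
    print(render_pf(plan, "122.129.77.1"))
    print(client_targets(plan, "122.129.77.1"))
    print(validate(plan_rdp_forwards(hosts)) or "plan OK")   # Source=any is flagged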

[Screenshot: Remote Desktop connection to the second machine through a single WAN address on pfSense]

I hope this explanation makes sense to you.

NAT Port Forwarding Example For HTTP Web Server

If you have a basic understanding of how port forwarding works in pfSense, enabling it for an HTTP web server on your local network should be a piece of cake.

To start, open Firewall > NAT from the top menu, and on the Port Forward tab click Add. Then fill in the following configuration:

[Screenshot: pfSense example configuration for a reverse NAT port forward to an HTTP web server]

  • Interface: WAN.
  • Protocol: TCP (HTTP runs over TCP).
  • Source: left at the default, Any. For a public web server this is expected.
  • Destination: WAN address, i.e. the address of your WAN interface.
  • Destination Port Range: HTTP from the list (80 by default); you may choose a custom external port here instead.
  • Redirect Target IP: the local IP of the web server you want to expose.
  • Redirect Target Port: HTTP from the list (80), or whatever port the web server actually listens on.
  • Description: a clear description of what the rule is for.
  • Filter rule association: leave the default, Add associated filter rule, which creates the matching pass rule on WAN.
  • Click Save.

After this, click Apply Changes and the new rule is active. Keep in mind that plain HTTP is unencrypted; if the site has logins, forward HTTPS (443) to the server and serve the site over TLS instead.

Now verify the rule. Open canyouseeme.org in a browser on a machine behind pfSense; it picks up your WAN address automatically. Enter your HTTP port, 80, and click Check Port.

If the forward works, the site reports that it can see the service from outside; otherwise it reports an error. As a second check, open http://your-WAN-address/ from a device on a different network, such as a phone on mobile data, and confirm that the web server's page loads.
