Topic: RDP to hostname.

Tempa
RDP to hostname.
« on: December 18, 2017, 10:04:07 pm »
Hello,

I'm trying to configure my pfSense to allow me to RDP to multiple machines over the single 3389 port via different host names, such as computer1.domain.com etc.
Can someone advise me on how to configure this, as everything I tried so far is not working?

If you need more information please ask.

marjohh

  • Guest
Re: RDP to hostname.
« Reply #1 on: December 19, 2017, 06:16:57 am »
I THINK I understand what you are trying to do, I may be wrong but here goes.

If you have a single external WAN IP, you cannot forward to multiple LAN addresses using the same port if only using a single external WAN port. The FQDN only resolves the IP address, not the port number. For example, HTTP by default is port 80; if I had two webservers on my LAN I could not run them both on a single external IP that defaults to port 80.

RDP by default is 3389, so forward that port on the WAN to the primary server IP.

On the backup, change the RDP port, I will post a link below on how to do that, and forward that port on the WAN to the backup.

You can still use the different FQDN to get to each, but the WAN IP will be same in the authoritative DNS entry. Internally you can differentiate but remember the port number will be different also.

https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop

BTW - I would not expose any machine to the WAN using RDP. I would use OpenVPN and access the servers through the VPN link, much safer.

« Last Edit: December 19, 2017, 06:22:55 am by marjohn56 »

Tempa
Re: RDP to hostname.
« Reply #2 on: December 19, 2017, 04:02:54 pm »
I got one ext IP.
I thought you can use the subdomain name and allow pfSense to override it and transfer the ext IP to my int IP, or maybe use the server DNS service?
I was informed that you have it as everything from e.g. domain.com will contact my DNS service and then finds that the subdomain is pointing to a server inside my LAN.

I can't use OpenVPN at work, that's why I need to RDP over WAN.

I had the setup prior where I had different ext ports to map to 3389, but I wanted to tighten it down and only have one port open or something.

How about VIPs?
« Last Edit: December 19, 2017, 04:22:53 pm by Tempa »

jahonix
Re: RDP to hostname.
« Reply #3 on: December 19, 2017, 08:30:47 pm »
You cannot forward a single port to multiple destinations, doesn't work.

However, use a reverse proxy like HAProxy (and I think squid in reverse mode can do it as well) to "resolve" the destination at the router (like host1.example.com, host2.example.com, ...) and forward accordingly.

Read more about it here: https://doc.pfsense.org/index.php/Haproxy_package
Chris

The issue with IPv6 jokes is that almost no one understands them and no one is using them yet.

PiBa
Re: RDP to hostname.
« Reply #4 on: December 20, 2017, 06:50:59 am »
HAProxy can do it for HTTP / HTTPS / SSL traffic by means of the Host header or SNI server name in an SSL request. However, for RDP or SSH and most other protocols this is not possible, as they don't send the hostname they intend to connect to readable from the first data packet/bytes passing over the TCP connection where the client speaks first.

VIPs could work, but you must have multiple routed IPs from the ISP. As you only have 1 public IP, that's out the window as well.

A full Microsoft-Terminal-Server-gateway server can do it behind pfSense, with appropriate gateway configuration on the RDP client. Or connect a VPN first before connecting to the servers.
« Last Edit: December 20, 2017, 06:57:59 am by PiBa »

KOM
Re: RDP to hostname.
« Reply #5 on: December 20, 2017, 08:17:09 am »
Use OpenVPN instead. Connect via VPN and then RDP to any system on your network. So much more secure.

jimp (Administrator)
Re: RDP to hostname.
« Reply #6 on: December 21, 2017, 08:02:44 am »
Even if it were possible... Why would you want to expose multiple RDP services to the Internet? That's a bad idea in general. Use a VPN and your access problem disappears entirely, in addition to your security issues.

GoldFish
Re: RDP to hostname.
« Reply #7 on: December 21, 2017, 03:49:42 pm »
I agree with KOM and jimp. If you have a way to check the failed login attempts on 3389, you will be shocked. We got a few clients with 3389 exposed by their previous service provider. 12000+ login attempts every day. OpenVPN -> RDP is the best way to go, especially when you have multiple hosts.

jahonix
Re: RDP to hostname.
« Reply #8 on: December 21, 2017, 06:04:05 pm »
...don't send the hostname ... readable from the first data packet/bytes passing over the tcp connection where the client speaks first
Thanks, you learn something new every day.
Chris