What would you recommend, system security-wise? I just changed the way the firewall was, which fixed the WAN issue. There really isn't more I can see that has to be done. Ports are closed from the outside other than HTTP, HTTPS, and DNS. Any other recommendations?
Also, do I need to have the PPTP port open on the WAN firewall if I'm using the built-in PPTP with pfSense, or is that automatically opened?
On PPTP, yes, you need to allow the PPTP port on WAN. Also, the appropriate subnet assigned to PPTP clients needs another set of rules to allow it access to your LAN(s).
As for system security, you can start by disabling automatic file shares in Windows. Make sure all file shares require a username and password to mount. This also means that all computer user accounts should have unique passwords assigned.
Even common file shares should have a fixed username/password to ensure that unauthorized users don't gain access. Only users who need access to the file shares will hold the password.
Alternatively, if you have set unique usernames and passwords for all clients, set explicit sharing permissions and add each user account manually to be allowed to read/write/execute on the share.
If you have a domain and an AD server, customized security can be loaded upon logon. If not, registry scripts and VBScripts are a good way of securing the systems by blacklisting what the clients can access.
Your PPTP rule on WAN is incorrect. In this instance, the remote computer is the client. Hence, the rule should have the destination port as PPTP, not the source port.
You need to understand some basic networking concepts. Basically, if you have a client and a server hosting certain services, this is how the data flow occurs (Source ----> Destination format):
client (random port: 49152) --sends request for data--> server (service port: 80)
server (service port: 80) --returns requested data--> client (random port: 49152)
So you see, the server's port doesn't change.
Data returns from the same port that it was requested from. Since your PPTP server is the pfSense box, remote clients will connect to pfSense as the destination, with the service port of 1723. Similarly, your pfSense box will send data back to the clients with the source port of 1723.
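As an added illustration of the rule-direction point above (example code written for this page, not from the thread or from pfSense): a small Python model of how a WAN pass rule is evaluated against the first packet of a PPTP dial-in, and how the reply is then matched by connection state rather than by a separate rule. The IP addresses and rule names are constructed.

```python
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple

PPTP_PORT = 1723  # TCP control port for PPTP, as stated in the thread


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """A pass rule; None for a port means 'any'."""
    src_port: Optional[int]
    dst_port: Optional[int]
    name: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src_port is None or rule.src_port == pkt.src_port) and
            (rule.dst_port is None or rule.dst_port == pkt.dst_port))


def allowed_on_wan(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First matching rule wins, as on a pfSense interface; None means dropped."""
    return next((r for r in rules if rule_matches(r, pkt)), None)


def reply_to(pkt: Packet) -> Packet:
    """Return traffic swaps the endpoints: the service port becomes the source."""
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def allowed_by_state(states: Set[Tuple], pkt: Packet) -> bool:
    """A stateful firewall passes the reply because the reversed 5-tuple is tracked."""
    return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in states


# Constructed sample: remote client dials the pfSense WAN address from an ephemeral port
DIAL_IN = Packet("198.51.100.7", 49152, "203.0.113.10", PPTP_PORT)
WRONG_RULE = Rule(src_port=PPTP_PORT, dst_port=None, name="source port 1723 (wrong)")
RIGHT_RULE = Rule(src_port=None, dst_port=PPTP_PORT, name="destination port 1723 (correct)")

if __name__ == "__main__":
    print("wrong rule passes dial-in:", allowed_on_wan([WRONG_RULE], DIAL_IN) is not None)
    print("right rule passes dial-in:", allowed_on_wan([RIGHT_RULE], DIAL_IN) is not None)
```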