Author Topic: How do I setup rules to enable RDP on multiple servers behind pfSense with NAT?  (Read 8501 times)

Assar

I'm planning to replace my old Netgear router with a PC-based pfSense fw.
My external IP range is 82.xx.xx.0 / 26 which means 61 unique IPs to use.
Inside LAN I have a couple of servers and some workstations, all configured with local NAT IP.
When I'm at home I want to administrate my servers via RDP and therefore each server has its own external IP.

I imagine rule should look like this:
Destination: 82.xx.xx.3
Port: MS RDP

And then...???

  // Martin

Seth

I wouldn't set up 1 to 1 relationships exposing your internal devices to the world akin to sitting in front of the keyboard.

Consider VPN client to site or site to site with pfSense.

Or build an SSL VPN box from 3SP SSL-Explorer.  Go as far as to place this box in the DMZ with restrictive firewall rules to the protected LAN.

GruensFroeschli

Seth: this is not true.
Only if you create a rule that allows everything in.
The "normal" way is to only allow the ports you use.
--> The 1:1 NAT approach is viable.

@Assar: You create on the WAN a VIP for each server you have. Then use the VIP in a 1:1 NAT mapping.
After that create a rule on the WAN for each server you want access allowed.

Alternatively you could forward just single ports from the VIPs
--> "normal" forwarding of ports and not 1:1
We do what we must, because we can.
(Except when you PM me to help you directly - DONT: keep your issues in the forum)

Seth

Assar, you're correct that this is viable and I agree with your approach.  My assertion was to allow access security from many locations, not limiting to just one or a few.  Tunneling the RDP stream isn't a bad idea either, even though you're not currently able to decode RDP.

Assar

You set me on track about VIP.
I searched more on the forum and found out that this question should be placed in the NAT part.
Found a good post there:,6965.msg39493.html#msg39493

You are so right about the bad part in exposing RDP to the world, but this is the way things are done right now.
The goal at the moment is to replace an old Netgear router with the same functionality.
(Excluding the built-in random dying function in Netgear)

fastcon68

I have also had this as a challenge and here is what I did to fix it.  I moved Terminal Services to a different port because we were using Citrix.  I have 4 different servers and could connect to any of them from the outside by using a different TS port on each server.

gbelanger

Your best bet is probably, like mentioned above, to assign a different port and do port-based dnat (port forwarding) to your internal servers based on their ports.


Map 3389 to your Internal server (
      3390 to another machine (
     3391 to another machine ... etc..

Then, using MSTSC, you can specify an alternate port by using the WAN_IP:port syntax (

But it would be considered a better practice to open these ports through a VPN (PPTP works well) or at the very least, limit access to a given source IP address.

Guillaume Bélanger
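
The two approaches discussed in this thread (1:1 NAT on a VIP, and per-port forwards to 3389), combined with the source-IP restriction suggested in the last post, written as raw pf rules. This is an added example, not part of any post and not the ruleset the pfSense GUI generates; the interface name and every address (documentation ranges) are assumptions.

```pf
# Constructed example: interface name and all addresses are placeholders.
ext_if = "em0"                      # WAN interface (assumed name)
vip_a  = "203.0.113.3"              # WAN virtual IP used for the 1:1 mapping
wan_ip = "203.0.113.2"              # WAN address used for the port forwards
srv_a  = "192.168.1.10"
srv_b  = "192.168.1.11"
srv_c  = "192.168.1.12"

# Only these source addresses may reach RDP (the admin's home IP here).
table <rdp_admins> const { 198.51.100.25 }

# Option 1: 1:1 NAT, one public VIP per server.
# binat maps every port, so the filter rules below decide what is reachable.
binat on $ext_if from $srv_a to any -> $vip_a

# Option 2: one public IP, a different external port per server,
# each translated to the server's normal RDP port 3389.
rdr on $ext_if proto tcp from any to $wan_ip port 3390 -> $srv_b port 3389
rdr on $ext_if proto tcp from any to $wan_ip port 3391 -> $srv_c port 3389

# Filtering runs after translation, so rules match the internal addresses.
# Writing "from any" in the pass rule would expose RDP to the whole Internet.
block in on $ext_if all
pass in on $ext_if proto tcp from <rdp_admins> to { $srv_a, $srv_b, $srv_c } port 3389
```

With the default block in place, the 1:1 mapping exposes only what the pass rule allows, which is the point made above about allowing just the ports in use.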