Netgate Discussion Forum

    Using custom incoming port for VNC routing

    NAT | 17 Posts 4 Posters 2.5k Views
    • tolistim

      I've set up a default NAT to transfer WAN traffic to a specific system's VPN and it works fine.  I now need to set up a custom external port to move to a different system's VPN.

      I set the ports up using 5905 on the outside to 5900 on the inside, but the connection just hangs.  I know that the system is responding since changing the IP address on the NAT rule that works allows that second system to connect as expected.

      ![Screen Shot 2015-11-24 at 11.55.58 AM.png](/public/imported_attachments/1/Screen Shot 2015-11-24 at 11.55.58 AM.png)

      • johnpoz LAYER 8 Global Moderator

        Where is 5905 on the outside? That is the source port. That is probably never going to work.

        It helps if you post the headers of your columns. You have the dest ports the same, and why * for address? That should be your WAN address, not *.

        portforward.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • doktornotor Banned

          @tolistim:

          I set the ports up using 5905 on the outside to 5900 on the inside

          Well no, that's not what you have set up. Do NOT set up a source port.

          • tolistim

            I just found that in the troubleshooting and made the modification so that there is no source port.  I then modified the "Destination" port range to 5905 and saved / reloaded the rules.  Now, the connection attempt gets to the connecting message (was simply failing before), but the machine never responds.

            The new configuration:

            IFC: WAN
            Protocol: UDP/TCP
            Src Addr: *
            Src Ports: *
            Dest Addr: *
            Dest Ports: 5905
            NAT IP: MACHINE IP
            NAT Port: VNC (5900)

            • johnpoz LAYER 8 Global Moderator

              5900 is a port you're using for VPN? Is it UDP or TCP? Why are you forwarding both? 5900 is the default VNC port over Java. Is that what you consider a VPN?

              Are you trying to access this remotely or from a NAT reflection? Are you using UDP or TCP?

              dest address of * is FAIL…

              • Derelict LAYER 8 Netgate

                IFC: WAN
                Protocol: UDP/TCP
                Src Addr: *
                Src Ports: *
                Dest Addr: WAN address
                Dest Ports: 5905
                NAT IP: MACHINE IP
                NAT Port: VNC (5900)

                (Port forwarding VNC from any is not a VPN)

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

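Derelict's corrected rule can be checked mechanically. The Python below is an added example, not pfSense code and not something posted in the thread: it lints a port forward for the mistakes raised above (a source port set, a destination address of *, both protocols forwarded for a TCP-only service) and renders the pf rdr rule that the forward becomes. The WAN interface name em0 and the internal host 192.168.1.50 are assumptions, and the rendered rule is simplified (pfSense also emits the associated filter rule, which is what the "filter rule association" option controls).

```python
"""Lint a pfSense-style port forward and render the pf 'rdr' rule it becomes.

Added example, not pfSense code. Field names follow the rule summary in the
thread (external 5905 -> internal 5900); the WAN interface name (em0) and the
internal host (192.168.1.50) are assumptions.
"""
from dataclasses import dataclass

ANY = "*"
WAN_ADDRESS = "WAN address"


@dataclass
class PortForward:
    interface: str = "WAN"
    protocol: str = "tcp"          # "tcp", "udp" or "tcp/udp"
    src_addr: str = ANY
    src_port: str = ANY
    dst_addr: str = WAN_ADDRESS    # the address the client connects to
    dst_port: str = ANY            # external port
    nat_ip: str = ""               # internal host
    nat_port: str = ""             # internal port


def lint(rule: PortForward) -> list[str]:
    """Return the mistakes the thread (and the pfSense port-forward
    troubleshooting page) warn about. An empty list means the rule looks sane."""
    problems = []
    if rule.src_port != ANY:
        problems.append(f"source port {rule.src_port!r} set: clients use a random "
                        "ephemeral source port, so this matches almost nothing; leave it '*'")
    if rule.src_addr != ANY:
        problems.append(f"source address {rule.src_addr!r} set: only the listed "
                        "client(s) can reach the forward; intended?")
    if rule.dst_addr == ANY:
        problems.append("destination address '*': it should be the WAN address "
                        "the client connects to")
    if rule.dst_port == ANY:
        problems.append("destination (external) port '*': set the port clients use, e.g. 5905")
    if not rule.nat_ip or not rule.nat_port:
        problems.append("NAT IP / NAT port missing: nothing to redirect to")
    if rule.protocol == "tcp/udp":
        problems.append("protocol tcp/udp: VNC (RFB) is TCP only; forward only "
                        "what the service actually speaks")
    return problems


def render_rdr(rule: PortForward, wan_if: str = "em0") -> str:
    """Render the pf rdr rule the forward becomes (simplified: pfSense also
    creates the matching filter rule). '(em0)' is pf's notation for
    'whatever address em0 currently has', i.e. 'WAN address'."""
    proto = "{ tcp udp }" if rule.protocol == "tcp/udp" else rule.protocol
    src = "any" if rule.src_addr == ANY else rule.src_addr
    src_port = "" if rule.src_port == ANY else f" port {rule.src_port}"
    if rule.dst_addr == WAN_ADDRESS:
        dst = f"({wan_if})"
    else:
        dst = "any" if rule.dst_addr == ANY else rule.dst_addr
    dst_port = "" if rule.dst_port == ANY else f" port {rule.dst_port}"
    return (f"rdr on {wan_if} proto {proto} from {src}{src_port} to {dst}{dst_port} "
            f"-> {rule.nat_ip} port {rule.nat_port}")


if __name__ == "__main__":
    # The rule as first posted (constructed from the screenshot discussion)...
    first_attempt = PortForward(protocol="tcp/udp", src_port="5905", dst_addr=ANY,
                                dst_port="5900", nat_ip="192.168.1.50", nat_port="5900")
    # ...and the corrected one (TCP only, external 5905, WAN address as destination).
    corrected = PortForward(protocol="tcp", dst_port="5905",
                            nat_ip="192.168.1.50", nat_port="5900")
    for name, rule in (("first attempt", first_attempt), ("corrected", corrected)):
        print(f"{name}: {render_rdr(rule)}")
        for p in lint(rule):
            print("  !", p)
```

The lint deliberately treats a source address as a warning rather than an error: pinning the forward to a known client address is a legitimate hardening step, which is exactly the "unless you KNOW you need it" in Derelict's signature.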
                • tolistim

                  I fat-fingered that title because I've been tracking down the VPN links as well... ::) - fixed now

                  This is concerning the VNC NAT.

                  I changed the Dest Addr: to WAN Address with no change.

                  • tolistim

                    @johnpoz:

                    5900 is a port you're using for VPN? Is it UDP or TCP? Why are you forwarding both? 5900 is the default VNC port over Java. Is that what you consider a VPN?

                    Are you trying to access this remotely or from a NAT reflection? Are you using UDP or TCP?

                    dest address of * is FAIL…

                    I fat-fingered the VPN; I'm trying to sort some new VNC connections.

                    • Derelict LAYER 8 Netgate

                      Do you have automatic filter rules (filter rule association) for the port forward? Show us the rule for the inside host in question:5900.

                      If the rule is there, look at the destination host.

                      Good list of things to check here. Please check them all. Really:

                      https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                      • tolistim

                        That document is where I uncovered the "Do not set a Source Port".

                        The one thing that might be affecting the test is the "Testing from an internal net machine".  I'm setting up my Verizon hot spot to try again from outside.

                        • tolistim

                          That was the key - I had to take the test outside. Still not sure why the default to the original machine works from in or out, but this one is now sorted.

                          Now, back to the VPN issues …  :-\

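Testing from outside, as tolistim found, is the only reliable test: from an inside host, a connection to the WAN address only reaches the forward if NAT reflection is enabled on the pfSense box, so a failure from inside says nothing about the rule. What follows is an added example, not from the thread, of a probe that does what a VNC client does up to the authentication step: connect, read the 12-byte RFB ProtocolVersion banner, echo a version back, and read the list of security types (all per RFC 6143). It tells "port open" apart from "VNC actually answering" and flags the two weak security types. Host and port are command-line placeholders; the security-type names come from the RFC 6143 registry, with 30 in the range reserved for Apple.

```python
"""Probe a forwarded VNC port the way a client does, up to authentication.

Added example, not from the thread. Protocol details follow RFC 6143
(RFB 3.3 / 3.7 / 3.8); host and port are supplied on the command line.
"""
import re
import socket
import struct
import sys

RFB_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")

# Security-type numbers from the RFC 6143 registry (30 is in Apple's reserved range)
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 5: "RA2", 6: "RA2ne",
                  16: "Tight", 18: "TLS", 19: "VeNCrypt", 30: "Apple ARD"}


class RFBError(Exception):
    pass


def parse_rfb_version(banner: bytes) -> tuple[int, int]:
    """Parse the server's 12-byte 'RFB xxx.yyy\\n' banner; anything else is not VNC."""
    m = RFB_VERSION_RE.match(banner)
    if not m:
        raise RFBError(f"not an RFB banner: {banner!r}")
    return int(m.group(1)), int(m.group(2))


def parse_security_types(data: bytes) -> list[int]:
    """RFB 3.7+: a u8 count followed by that many type bytes. A count of 0 means
    the server refused the connection and follows with a u32-length reason."""
    if not data:
        raise RFBError("empty security-types message")
    count = data[0]
    if count == 0:
        (length,) = struct.unpack(">I", data[1:5])
        raise RFBError("server refused: " + data[5:5 + length].decode("latin-1", "replace"))
    return list(data[1:1 + count])


def weak_auth_warnings(types: list[int]) -> list[str]:
    """The two security types that should never face the public internet."""
    warnings = []
    if 1 in types:
        warnings.append("security type 1 (None): no authentication at all")
    if 2 in types:
        warnings.append("security type 2 (VNC Authentication): DES challenge on an "
                        "8-byte password, cheap to brute-force and replay-prone")
    return warnings


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise RFBError("connection closed during handshake")
        buf += chunk
    return buf


def probe(host: str, port: int, timeout: float = 5.0):
    """Return ((major, minor), [security types]) or raise RFBError."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        version = parse_rfb_version(recv_exact(s, 12))
        s.sendall(b"RFB %03d.%03d\n" % version)   # echo the server's version
        if version < (3, 7):
            # RFB 3.3: the server chooses a single type as a u32 (0 = refused)
            (t,) = struct.unpack(">I", recv_exact(s, 4))
            if t == 0:
                raise RFBError("server refused (RFB 3.3)")
            types = [t]
        else:
            head = recv_exact(s, 1)
            if head[0] == 0:
                length_bytes = recv_exact(s, 4)
                (length,) = struct.unpack(">I", length_bytes)
                types = parse_security_types(head + length_bytes + recv_exact(s, length))
            else:
                types = parse_security_types(head + recv_exact(s, head[0]))
        return version, types


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])        # e.g. <your WAN IP> 5905
    ver, types = probe(host, port)
    print("RFB %d.%d, security types: %s" % (ver[0], ver[1],
                                              [SECURITY_TYPES.get(t, t) for t in types]))
    for w in weak_auth_warnings(types):
        print("WARNING:", w)
```

Run it from a host that is genuinely outside (the hotspot tolistim used), against the WAN address and the external port 5905. A timeout means the forward or its filter rule is wrong; a banner means the redirect to 5900 works; and the security-type list shows what is exposed, which is the part the rest of the thread is about.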
                          • johnpoz LAYER 8 Global Moderator

                            You have VNC on its default port open to the public net? Shoot, any port for that matter, it doesn't matter if it's the default. That is a really bad, bad idea if you ask me!!

                            Here are the hits just today on that port. Why would you want that open?? Hope the VPN stuff you are working on is how to securely access your network via a VPN vs opening up VNC to the public internet ;)

                            vnchits.png

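johnpoz's screenshot is the background scanning that any exposed VNC port attracts. As an added example, not pfSense code, here is a parser for pfSense's filterlog format (written to /var/log/filter.log on 2.2 and later) that counts inbound packets to a given port per source address and action, so the same picture can be produced from the raw log instead of a screenshot. The log lines are constructed, using RFC 5737 and RFC 3849 documentation addresses; the field positions follow the documented filterlog CSV layout, in which IPv4 and IPv6 records place the protocol and addresses at different offsets.

```python
"""Count inbound hits on a port in pfSense filterlog output.

Added example, not pfSense code. The sample lines below are constructed
(documentation addresses); field positions follow the pfSense 2.2+ filterlog
CSV layout, which differs between IPv4 and IPv6 records.
"""
import re
from collections import Counter

# Constructed sample: four inbound probes of 5900 (three IPv4, one IPv6), one
# probe of 22, and one legitimate passed connection to the 5905 forward.
SAMPLE_LOG = """\
Nov 24 11:55:58 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54321,5900,0,S,1234567,,65535,,mss;nop;wscale;sackOK;TS,
Nov 24 11:56:02 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,12346,0,DF,6,tcp,60,203.0.113.5,198.51.100.2,54322,5900,0,S,1234568,,65535,,mss;nop;wscale;sackOK;TS,
Nov 24 11:57:10 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,777,0,DF,6,tcp,60,192.0.2.77,198.51.100.2,40000,5900,0,S,99,,29200,,mss;sackOK;TS;nop;wscale,
Nov 24 11:57:11 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,52,778,0,DF,6,tcp,60,192.0.2.77,198.51.100.2,40001,22,0,S,100,,29200,,mss;sackOK;TS;nop;wscale,
Nov 24 11:58:00 pfSense filterlog[71827]: 70,,,1448003200,em0,match,pass,in,4,0x0,,55,4242,0,DF,6,tcp,60,198.51.100.9,198.51.100.2,51000,5905,0,S,4242,,65535,,mss;nop;wscale;sackOK;TS,
Nov 24 11:58:30 pfSense filterlog: 5,,,1000000103,em0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::bad,2001:db8::2,50000,5900,0,S,1,,65535,,mss;nop;wscale;sackOK;TS,
"""

# Newer pfSense releases log the syslog tag with a pid, "filterlog[1234]:"
FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?: (.*)$")


def parse_filterlog(line: str):
    """Return the fields we care about, or None for lines that are not TCP/UDP
    filterlog records (other syslog lines, ICMP, truncated records)."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 9:
        return None
    # Common prefix: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver
    rec = {"iface": f[4], "action": f[6], "dir": f[7]}
    if f[8] == "4" and len(f) >= 22:
        # tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,sport,dport
        proto, src, dst, sport, dport = f[16], f[18], f[19], f[20], f[21]
    elif f[8] == "6" and len(f) >= 19:
        # class,flowlabel,hlim,proto,proto-id,length,src,dst,sport,dport
        proto, src, dst, sport, dport = f[12], f[15], f[16], f[17], f[18]
    else:
        return None
    if proto not in ("tcp", "udp"):
        return None
    rec.update(proto=proto, src=src, dst=dst, sport=int(sport), dport=int(dport))
    return rec


def inbound_hits(log_text: str, port: int) -> Counter:
    """Per-(source, action) count of inbound packets whose destination port is `port`."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["dir"] == "in" and rec["dport"] == port:
            hits[(rec["src"], rec["action"])] += 1
    return hits


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for port in (5900, 5905):
        print(f"port {port}:")
        for (src, action), n in inbound_hits(text, port).most_common():
            print(f"  {n:5d}  {action:5s}  {src}")
```

Pass the path to filter.log as the first argument to run it on a real box; with no argument it runs on the constructed sample. Counting by action as well as source is what separates scanners bouncing off the default-deny rule from connections that the forward actually passed, which is the population that matters once the port is open.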
                            • tolistim

                              Your concern is understood. The machines being connected to are actually behind another 2-tier authentication process using DH async keys, so aside from the normal port pings, we're not too concerned.

                              However, having visited this in the realm of my VPN checks on this system, is there a good guide for setting up pfSense to allow proper VPN connections from stock OS X systems?

                              • johnpoz LAYER 8 Global Moderator

                                Why does it have to be stock OS X? Just use the OpenVPN client: user click click and they have a VPN connection. Tunnelblick comes to mind as a no-brainer OS X client. If you have an aversion to free you could always go with Viscosity. Also a no-brainer and very reasonably priced.

                                • tolistim

                                  Because OS X already offers a number of VPN options built-in.

                                  I'd rather not need to start adding software to the systems in use.

                                  I'll move this to a new thread.

                                  • johnpoz LAYER 8 Global Moderator

                                    And what do they offer? IPsec: it sucks behind most NATs, so it's useless for most road warriors. What else that isn't deprecated? OpenVPN uses one port, can bounce off a proxy even. It is a no-brainer to install and use. Supported on iOS and Android devices with a FREE client. Has a free client for every other OS out there, etc.

                                    That you want stock is pointless compared to the ease of use.

                                    For security you should be providing something to the client other than a username and password, so you're using 2-factor something for them to access your VPN. This can be very simple: give them a bundle of a client and the cert along with a username and password to auth with, etc.

                                    • tolistim

                                      Pop over to this thread to continue the VPN discussion:

                                      https://forum.pfsense.org/index.php?topic=102977.0

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.