    Using custom incoming port for VNC routing

    • johnpoz LAYER 8 Global Moderator

      Where is 5905 on the outside.. That is the source port.. That's prob never going to work..

      Helps if you post the headers of your columns.. You've got dest ports the same, and why * for address??  That should be your WAN ADDRESS, not *..

      [image: portforward.png]

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • doktornotor Banned

        @tolistim:

        I set the ports up using 5905 on the outside to 5900 on the inside

        Well no, that's not what you have set up. Do NOT set up a source port.

        • tolistim

          I just found that in the troubleshooting and made the modification so that there is no source port.  I then modified the "Destination" port range to 5905 and saved / reloaded the rules.  Now, the connection attempt gets to the connecting message (was simply failing before), but the machine never responds.

          The new configuration:

          IFC: WAN
          Protocol: UDP/TCP
          Src Addr: *
          Src Ports: *
          Dest Addr: *
          Dest Ports: 5905
          NAT IP: MACHINE IP
          NAT Port: VNC (5900)

          • johnpoz LAYER 8 Global Moderator

            5900 is a port you're using for VPN?  Is it UDP or TCP?  Why are you forwarding both? 5900 is the default VNC port over Java..  Is that what you consider a VPN?

            Are you trying to access this remotely or via NAT reflection?  Are you using UDP or TCP?

            dest address of * is FAIL…

            • Derelict LAYER 8 Netgate

              IFC: WAN
              Protocol: UDP/TCP
              Src Addr: *
              Src Ports: *
              Dest Addr: WAN address
              Dest Ports: 5905
              NAT IP: MACHINE IP
              NAT Port: VNC (5900)

              (Port forwarding VNC from any is not a VPN)

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

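The corrected rule above, together with the points raised throughout the thread (no source port, destination set to the WAN address rather than `*`, an associated filter rule, and the fact that a forward can only be tested from an inside host with NAT reflection), can be encoded as a small checker. This is an added example, not the forum's or Netgate's code: the `PortForward` fields mirror the columns quoted in the posts, while `filter_rule_assoc`, `nat_reflection`, the `REMOTE_ACCESS_PORTS` table and the sample addresses are assumptions.

```python
# Added example (not the forum's or Netgate's code): a checker that encodes the
# port-forward rules of thumb given in this thread.  The rule layout mirrors the
# fields quoted in the posts (IFC, protocol, source/destination, NAT IP/port);
# the two extra booleans and the REMOTE_ACCESS_PORTS table are assumptions.
import re
from dataclasses import dataclass
from typing import List

# Services that are commonly exposed by accident; used only for a warning.
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}


@dataclass
class PortForward:
    interface: str        # e.g. "WAN"
    protocol: str         # "TCP", "UDP" or "TCP/UDP"
    src_addr: str         # "*" = any
    src_ports: str        # "*" = any; a fixed value is almost always a mistake
    dst_addr: str         # should be "WAN address", not "*"
    dst_ports: str        # external (incoming) port, e.g. "5905"
    nat_ip: str           # internal host
    nat_port: str         # internal port as written in the GUI, e.g. "VNC (5900)"
    filter_rule_assoc: bool = True   # "Add associated filter rule" (assumed field)
    nat_reflection: bool = False     # needed only to test from an inside host


def _port_number(text: str) -> int:
    """Pull the number out of a GUI-style port label such as 'VNC (5900)'."""
    m = re.search(r"\d+", text)
    if not m:
        raise ValueError(f"no port number in {text!r}")
    return int(m.group())


def check_port_forward(rule: PortForward, test_from_inside: bool = False) -> List[str]:
    """Return findings prefixed 'error:' (the forward will not work) or
    'warn:' (it works but exposes a remote-access service)."""
    findings: List[str] = []

    # Clients pick a random ephemeral source port, so a fixed source port
    # matches nothing.  This is the OP's original mistake.
    if rule.src_ports != "*":
        findings.append(f"error: source port is set to {rule.src_ports}; leave it as '*'")

    # Destination '*' redirects traffic arriving on WAN for *any* address.
    # The forward should only apply to the WAN address itself.
    if rule.dst_addr == "*":
        findings.append("error: destination address is '*'; use 'WAN address'")

    # A forward only rewrites the destination; without the associated filter
    # rule the firewall still drops the packet.
    if not rule.filter_rule_assoc:
        findings.append("error: no associated filter rule; the forward will be blocked")

    # Hitting the WAN IP from an inside host only works with NAT reflection;
    # otherwise the test has to come from a truly external network.
    if test_from_inside and not rule.nat_reflection:
        findings.append("error: tested from inside without NAT reflection; test from outside")

    # A non-default external port does not hide the service from scanners.
    internal = _port_number(rule.nat_port)
    if rule.src_addr == "*" and internal in REMOTE_ACCESS_PORTS:
        findings.append(
            f"warn: {REMOTE_ACCESS_PORTS[internal]} ({internal}) reachable from any "
            f"source on port {rule.dst_ports}; prefer VPN access or a source restriction"
        )
    return findings


def errors(findings: List[str]) -> List[str]:
    """Just the findings that stop the forward from working."""
    return [f for f in findings if f.startswith("error:")]


if __name__ == "__main__":
    # Constructed rules: the OP's first attempt and Derelict's corrected version.
    original = PortForward("WAN", "TCP/UDP", "*", "5905", "*", "5900", "192.0.2.10", "VNC (5900)")
    corrected = PortForward("WAN", "TCP/UDP", "*", "*", "WAN address", "5905", "192.0.2.10", "VNC (5900)")
    for name, rule in (("original", original), ("corrected", corrected)):
        print(name)
        for finding in check_port_forward(rule):
            print("  ", finding)
```

Run as a script it prints the findings for both rules; the corrected rule yields no errors but still carries the warning that VNC is reachable from any source, which is the point johnpoz makes further down the thread.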
              • tolistim

                I fat fingered that title because I've been tracking down the VPN links as well…  ::) - fixed now

                This is concerning the VNC NAT.

                I changed the Dest Addr: to WAN Address with no change.

                • tolistim

                  @johnpoz:

                  5900 is a port you're using for VPN?  Is it UDP or TCP?  Why are you forwarding both? 5900 is the default VNC port over Java..  Is that what you consider a VPN?

                  Are you trying to access this remotely or via NAT reflection?  Are you using UDP or TCP?

                  dest address of * is FAIL…

                  I fat fingered the VPN, I'm trying to sort some new VNC connections.

                  • Derelict LAYER 8 Netgate

                    Do you have automatic filter rules (filter rule association) for the port forward? Show us the rule for the inside host in question:5900.

                    If the rule is there, look at the destination host.

                    Good list of things to check here. Please check them all.  Really:

                    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                    • tolistim

                      That document is where I uncovered the "Do not set a Source Port".

                      The one thing that might be affecting the test is the "Testing from an internal net machine".  I'm setting up my Verizon hot spot to try again from outside.

                      • tolistim

                        That was the key - I had to take the test outside.  Still not sure why the default to the original machine works from in or out, but this one is now sorted.

                        Now, back to the VPN issues …  :-\

                        • johnpoz LAYER 8 Global Moderator

                          You have VNC on its default port open to the public net?  Shoot, any port for that matter, doesn't matter if default..  That is a really bad bad idea if you ask me!!

                          Here are the hits just today on that port..  Why would you want that open??  Hope the vpn stuff you are working on is how to securely access your network via a vpn vs opening up vnc to the public internet ;)

                          [image: vnchits.png]

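The "hits just today on that port" that johnpoz shows can be pulled from the firewall log rather than a screenshot. The following is an added example, not the forum's or Netgate's code: it counts inbound attempts to the forwarded port per source address from pfSense-style filterlog lines. The log lines are constructed; the parser relies only on the `...,<proto>,<length>,<src>,<dst>,<sport>,<dport>,...` field order of the IPv4 TCP/UDP filterlog format, and the "noisy" threshold is an assumption.

```python
# Added example (not the forum's or Netgate's code): counts inbound hits on a
# forwarded port per source address from pfSense-style filterlog lines.  The
# SAMPLE_LOG entries are constructed; the parser depends only on the
# ",<proto>,<length>,<src>,<dst>,<sport>,<dport>" order of the IPv4 TCP/UDP
# filterlog fields, and the threshold in noisy_sources() is an assumption.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# The action/direction pair, e.g. ",pass,in," or ",block,in,"
_ACTION = re.compile(r",(pass|block),(in|out),")
# proto,length,src,dst,sport,dport for IPv4 TCP/UDP entries
_TUPLE = re.compile(r",(tcp|udp),\d+,([\d.]+),([\d.]+),(\d+),(\d+)")


def parse_hit(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (action, proto, src, dport) for an inbound IPv4 TCP/UDP line, else None."""
    a = _ACTION.search(line)
    t = _TUPLE.search(line)
    if not a or not t or a.group(2) != "in":
        return None          # outbound traffic or a line we do not understand
    return a.group(1), t.group(1), t.group(2), int(t.group(5))


def hits_on_port(lines: List[str], port: int) -> Dict[str, int]:
    """Inbound connection attempts to `port`, counted per source address.
    Both passed and blocked attempts count: either way someone knocked."""
    counts: Counter = Counter()
    for line in lines:
        hit = parse_hit(line)
        if hit and hit[3] == port:
            counts[hit[2]] += 1
    return dict(counts)


def noisy_sources(counts: Dict[str, int], threshold: int = 3) -> List[str]:
    """Sources that knocked at least `threshold` times (threshold is an assumption)."""
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample lines in filterlog layout (hostname, rule ids and
# addresses are made up).  203.0.113.5 probes the forwarded port repeatedly,
# 198.51.100.7 connects once, the rest is unrelated or outbound.
SAMPLE_LOG = [
    "Jan 10 09:12:01 fw filterlog[41211]: 5,,,1000000103,em0,match,pass,in,4,0x0,,64,40211,0,DF,6,tcp,60,203.0.113.5,198.51.100.1,51234,5905,0,S,3391451834,,65535,,mss",
    "Jan 10 09:12:05 fw filterlog[41211]: 9,,,1000000105,em0,match,block,in,4,0x0,,64,40212,0,DF,6,tcp,60,203.0.113.5,198.51.100.1,51235,5905,0,S,3391451990,,65535,,mss",
    "Jan 10 09:12:09 fw filterlog[41211]: 5,,,1000000103,em0,match,pass,in,4,0x0,,64,40213,0,DF,6,tcp,60,203.0.113.5,198.51.100.1,51236,5905,0,S,3391452101,,65535,,mss",
    "Jan 10 09:30:44 fw filterlog[41211]: 5,,,1000000103,em0,match,pass,in,4,0x0,,55,11009,0,DF,17,udp,48,198.51.100.7,198.51.100.1,49211,5905,28",
    "Jan 10 09:31:02 fw filterlog[41211]: 9,,,1000000105,em0,match,block,in,4,0x0,,51,22871,0,DF,6,tcp,60,203.0.113.9,198.51.100.1,60001,443,0,S,1029384756,,65535,,mss",
    "Jan 10 09:31:10 fw filterlog[41211]: 7,,,1000000201,em0,match,pass,out,4,0x0,,64,22872,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,40000,5905,0,S,556677889,,65535,,mss",
]


if __name__ == "__main__":
    counts = hits_on_port(SAMPLE_LOG, 5905)
    for src, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n} attempt(s)")
    print("noisy:", noisy_sources(counts))
```

On a live pfSense box the same functions can be fed the output of `clog /var/log/filter.log`; the point of the exercise is that moving VNC to 5905 changes nothing about who can reach it, only the number you see in this column.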
                          • tolistim

                            Your concern is understood. The machines being connected to are actually behind another 2-tier authentication process using DH async keys, so aside from the normal port pings, we're not too concerned.

                            However, having visited this in the realm of my VPN checks on this system, is there a good guide for setting up pfSense to allow proper VPN connections from stock OS X systems?

                            • johnpoz LAYER 8 Global Moderator

                              Why does it have to be stock OS X?  Just use the OpenVPN client – user click click and they have a VPN connection.  Tunnelblick comes to mind as a no-brainer OS X client.  If you have an aversion to free you could always go with Viscosity.. Also a no-brainer and very reasonably priced.

                              • tolistim

                                Because OS X already offers a number of VPN options built-in.

                                I'd rather not need to start adding software to the systems in use.

                                I'll move this to a new thread.

                                • johnpoz LAYER 8 Global Moderator

                                  And what do they offer.. IPsec - it sucks behind most NATs, so it's useless for most road warriors..  What else that isn't deprecated?  OpenVPN uses 1 port, can bounce off a proxy even..  Is a no-brainer to install and use.. Supported on iOS and Android devices with a FREE client.  Has a free client for every other OS out there, etc..

                                  That you want stock is pointless for the ease of use..

                                  For security you should be providing something to the client other than a username and password, so you're using 2-factor something for them to access your VPN..  This can be very simple: give them a bundle of a client and the cert along with username and password to auth with, etc.

                                  • tolistim

                                    Pop over to this thread to continue the VPN discussion:

                                    https://forum.pfsense.org/index.php?topic=102977.0
