Netgate Discussion Forum

How do I allow VNC from one subnet to another?

Firewalling
48 Posts 3 Posters 10.5k Views
johnpoz, LAYER 8 Global Moderator, Dec 10, 2018, 10:48 AM (edited 10:49 AM)

Your server is multihomed - it has a connection in the 10.x. As I stated, doing such a thing leads to problems - especially if you do not fully understand how the protocol works and will not be coming to a device on the 10 from another direction.

You do understand that if it's directly connected then there is a ROUTE!!!!

You hit the server and tell the server hey, send this to 192.168.10.X

Server - sure, directly connected to that network, and hey I ARP for X and it's here on this network... Let me throw that SYN out to it for you..

10.X sees that SYN from 192.168.0.50... Say hey yeah I listen on that 5900 port, let me move that traffic up the stack for you hey... Hey it says yeah let's talk, he sent me this SYN, ACK he wants me to send back to you.. Oh let's see 192.168.0.50... hmmm I don't know how to get there.. Let me send that to my friendly default gateway pfSense at 192.168.10.1 - he will know how to get it to the 0 network..

pfSense sees the SA... Sorry bud, NO state.. Dropped!!!

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
Mastiff, Dec 10, 2018, 10:54 AM

I do know that. And I too think that's what's happening. The thing is that what's a route locally on the server and what's a route on Routing and Remote Access, dealt out to the clients of the server, at least in theory should be two different things. That's why there are totally different route tables for RRAS and route print on a server. So the clients shouldn't even be able to go through the 10.4 NIC as long as that's blocked in RRAS.

But I will check the cabling, and I'll see if I can find out if RRAS routes and local server routes are to be totally separate, and that it may be a configuration mistake on my server. I have put in a question about that on a server forum. This is something new for me, even after almost 20 years of running Windows Server (from 2000 Advanced Server) at my home and my cabin.
johnpoz, LAYER 8 Global Moderator, Dec 10, 2018, 11:06 AM

Dude, we stopped using RRAS like 20 some years ago... I have supported "server" since NT 3.51 days... Got my MCSE back on NT 4 and 2k..

There are much easier ways to route traffic than using Windows, that is for damn sure.. For starters you're using one - pfSense..

Not sure what you think putting a device behind Windows is getting you other than more complexity?
Mastiff, Dec 10, 2018, 11:11 AM

Somebody forgot to tell Micro$ft and some tens of millions of customers about that... 😁 My server is a combination of RRAS, DHCP, DNS, VM host, storage host, media host, media server and several special programs for work and automation that can't run on anything but a physical Windows computer. If I didn't do it this way, I'd have to use at least three boxes.
johnpoz, LAYER 8 Global Moderator, Dec 10, 2018, 11:13 AM

Sorry, I have been supporting 100s if not 1000s of customers over the years.. NOBODY still uses RRAS but the smallest of small SMBs -- sorry, nobody uses it in real networking ;)

All of those services for sure can run on your Windows box.. Just that there is ZERO use for it to be doing RRAS..
Mastiff, Dec 10, 2018, 11:22 AM (edited 11:23 AM)

I know you are as superior in this as I probably am to you (and to Google Translate!) in English to Norwegian translations (which is my job). 😂 But this small SMB still uses it. Of course there's a lot of the old "since I have been using this with almost no problems for 20 years, there's no need to start learning something completely different". Also I have been running m0n0wall before pfSense since forever, so I have never been hacked either.

This stuff is the first real problem I've had for as long as I can remember, so it has been very low maintenance for me. So I figure it's worth seeing if I can find out anything on the server forum. If not I can probably live with using VNC indirectly.
johnpoz, LAYER 8 Global Moderator, Dec 10, 2018, 11:30 AM

@mastiff said in How do I allow VNC from one subnet to another?:

    If not I can probably live with using VNC indirectly.

That is just moronic to be honest.. Fix your ASYMMETRICAL routing... Why is this server even multihomed?
Mastiff, Dec 10, 2018, 11:39 AM

As I said before in another thread, where I managed to get the then problem fixed (slow to stopping file transfers): to isolate AirPlay and automation devices completely from the 0 network while keeping them directly connected to the server for 100 % stable access no matter what goes down, as long as it isn't the server itself (which honestly doesn't happen with Windows Servers without a serious hardware problem since Windows Server 2003 R2 in 2005). And the AirPlay devices can't be isolated from the client network if I use the addon to send AirPlay from the 192.168.1.x segment to the 10.x segment. As for moronic, probably. But as long as it doesn't give me practical problems, I'm good with it. Just like my Honda Blackbird still does 200+ mph and 0-60 in less than 2.5 seconds even if there are a few scratches on it.
johnpoz, LAYER 8 Global Moderator, Dec 10, 2018, 11:59 AM

So you're multihoming in case your ROUTER goes down, pfSense?? So your issue is 110% self-inflicted nonsense then... If you're that worried about the router going down.

I take it all your switches that connect everything are dual with multiple power supplies and every client has 2 connections?

If you're worried about your router/firewall going down then run it HA...
Mastiff, Dec 10, 2018, 12:04 PM

As I said that's half of it, the other half is the AirPlay thing. Probably more than half, 2/3 isolation and 1/3 safeguard.

The Pi clients have both wifi and wired connection, yes. And no, it isn't just the router, there are some dumb switches that do not have a UPS setup (my server and main setup has a dual car battery setup for 8 hour UPS) that connect the Pis to the main technical room. And they are spread out because this house has some brick walls that block 433 MHz signals.
johnpoz, LAYER 8 Global Moderator, Dec 10, 2018, 12:06 PM

You bring up security and then you multihome a server - which bypasses all firewalls and is a HUGE SECURITY issue!!!
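The exchange johnpoz walks through in his first post (the client's SYN reaches the VNC host through the multihomed server's second NIC, the SYN/ACK comes back to pfSense as the VNC host's default gateway, and pfSense drops it for lack of state) and the point just made (a multihomed host carries traffic between the two subnets without the firewall ever seeing it) can both be shown in a toy model. The block below is an added example, not code from the thread, from pfSense or from Windows RRAS: it models the hosts, their routes and a pf-style state table and walks one SYN/SYN-ACK pair in both directions. The client 192.168.0.50, the pfSense address 192.168.10.1 and port 5900 come from the thread; the server addresses 192.168.0.10 and 192.168.10.10, the VNC host 192.168.10.50 and the client's static route through the server (standing in for the RRAS-distributed route) are assumptions made for the example.

```python
# Toy model of asymmetric routing past a stateful firewall (added example).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK

    def reply(self):
        """The SYN/ACK the destination sends back to the source."""
        return Packet(self.dst, self.src, self.dport, self.sport, "SA")


class Node:
    """A host or router: addresses, static routes, default gateway and,
    for pfSense, a pf-style state table."""

    def __init__(self, name, addrs, gateway=None, routes=None,
                 forwards=False, stateful=False):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        self.gateway = gateway
        self.routes = {ipaddress.ip_network(n): nh
                       for n, nh in (routes or {}).items()}
        self.forwards = forwards   # will route packets not addressed to it
        self.stateful = stateful   # checks transit packets against its state table
        self.states = set()

    def owns(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr == i.ip for i in self.ifaces)

    def next_hop(self, ip):
        """Static route first, else on-link (ARP and deliver directly),
        else the default gateway: 'directly connected means there is a route'."""
        addr = ipaddress.ip_address(ip)
        for net, nh in self.routes.items():
            if addr in net:
                return nh
        if any(addr in i.network for i in self.ifaces):
            return ip
        return self.gateway

    def filter(self, pkt):
        """A SYN passing through creates state; anything else must match an
        existing state in either direction or it is dropped."""
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.flags == "S":
            self.states.add(fwd)
            return True
        return fwd in self.states or rev in self.states


class Network:
    def __init__(self, nodes):
        self.by_ip = {str(i.ip): n for n in nodes for i in n.ifaces}

    def send(self, origin, pkt, max_hops=8):
        """Forward pkt hop by hop from origin; return (delivered, path)."""
        node, path = origin, [origin.name]
        for _ in range(max_hops):
            if node.owns(pkt.dst):
                return True, path
            if node is not origin and not node.forwards:
                return False, path + [f"{node.name}: not a router"]
            if node.stateful and not node.filter(pkt):
                return False, path + [f"{node.name}: DROP {pkt.flags} (no state)"]
            nh = node.next_hop(pkt.dst)
            if nh not in self.by_ip:
                return False, path + ["no route"]
            node = self.by_ip[nh]
            path.append(node.name)
        return False, path + ["hop limit"]


def vnc_handshake(client_routes):
    """Build the lab (assumed addresses except .0.50 and .10.1), send a SYN to
    VNC on 192.168.10.50:5900, then the SYN/ACK back; report both paths."""
    client = Node("client", ["192.168.0.50/24"], gateway="192.168.0.1",
                  routes=client_routes)
    pfsense = Node("pfSense", ["192.168.0.1/24", "192.168.10.1/24"],
                   forwards=True, stateful=True)
    server = Node("winserver", ["192.168.0.10/24", "192.168.10.10/24"],
                  gateway="192.168.0.1", forwards=True)   # multihomed, RRAS forwarding
    vnc = Node("vnc-host", ["192.168.10.50/24"], gateway="192.168.10.1")
    net = Network([client, pfsense, server, vnc])
    syn = Packet("192.168.0.50", "192.168.10.50", 51000, 5900, "S")
    ok_syn, syn_path = net.send(client, syn)
    ok_sa, sa_path = net.send(vnc, syn.reply()) if ok_syn else (False, [])
    return {"syn_delivered": ok_syn, "syn_path": syn_path,
            "pfsense_saw_syn": "pfSense" in syn_path,
            "synack_delivered": ok_sa, "synack_path": sa_path}


def multihomed():
    # Client reaches 192.168.10.0/24 through the server's second NIC.
    return vnc_handshake({"192.168.10.0/24": "192.168.0.10"})


def via_pfsense():
    # No special route: pfSense carries both directions and its state matches.
    return vnc_handshake({})


if __name__ == "__main__":
    for label, run in (("multihomed", multihomed), ("via pfSense", via_pfsense)):
        r = run()
        print(f"{label}: SYN     {' -> '.join(r['syn_path'])}")
        print(f"{label}: SYN/ACK {' -> '.join(r['synack_path'])}")
        print(f"{label}: VNC connection {'works' if r['synack_delivered'] else 'fails'}")
```

In the multihomed run the SYN path is client, winserver, vnc-host and pfSense is never on it, so no rule on pfSense is evaluated for that direction at all; the SYN/ACK then arrives at pfSense with no matching state and is dropped, which is exactly the symptom in the thread. In the second run pfSense sees the SYN, creates state, and passes the SYN/ACK. The fix that follows from the model is the one argued above: take the server's leg out of 192.168.10.0/24, or at least stop handing clients a route through it, so that pfSense carries both halves of every connection.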
Mastiff, Dec 10, 2018, 12:16 PM

Oh, not at all! The 10.x segment I'm multihoming is coming directly FROM the pfSense firewall, and it's blocked for the Internet except for one port, SMTP (sending warning mails if something stalls). The only possible vector is the wifi, and that has a very long passphrase in Norwegian that isn't possible to do with brute force for a few million years. So yeah, there is the WPA2 vulnerability, but they would have to be very close to the house to access, and my mastiff would probably start barking then.