Netgate Discussion Forum

    Port 5900 (vnc) to a pc with different gateway

    12 Posts 3 Posters 4.5k Views
    tonysud

      hello
      I have this situation:

      pfsense:
      lan: 192.168.60.1 netmask 255.255.0.0
      wan: 79.x.x.x netmask 255.255.255.248 gateway 79.xx.xx.ZZ

      I have a pc with ip 192.168.0.75 netmask 255.255.0.0 and gateway 192.168.0.1 with vnc server

      so the gateway of the pc is different than pfsense ip

      What I want to do is this: when someone connects to 79.x.x.x port 5900, I want the connection to be redirected to 192.168.0.75:5900

      I think that the source IP should be translated to something like 192.168.xx.xx so that 192.168.0.75 replies to it directly without its gateway

      please let me know if pfSense can help me set up this type of port forwarding

      I can't touch routing configuration on 192.168.0.75 and on 192.168.0.1

      viragomann

        @tonysud:

        What I want to do is this: when someone connects to 79.x.x.x port 5900, I want the connection to be redirected to 192.168.0.75:5900

        That's a simple port forwarding rule in pfSense. Firewall > NAT > Port Forward

        @tonysud:

        I think that the source IP should be translated to something like 192.168.xx.xx so that 192.168.0.75 replies to it directly without its gateway

        Translating the source address would be the only option here, otherwise response packets from 192.168.0.75 are directed to its default gateway.

        To do so, switch the pfSense Outbound NAT to Hybrid mode. Firewall > NAT > Outbound
        Add a rule:
        Interface: LAN (or which is facing to 192.168.0.75)
        Protocol: TCP
        source: any
        destination: Network - 192.168.0.75/32 port 5900
        Translation: Interface address

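        The two rules above, written out as a pf ruleset so the packet path is visible. This is an added example, not text from the post and not the configuration pfSense generates; the interface names em0/em1, the table name and the rate limit are assumptions. On pfSense itself these belong in the GUI (Port Forward, Outbound NAT in Hybrid mode, and the WAN firewall rule's advanced options), since pfSense rewrites pf.conf on every change.

```pf
# Added example: port forward plus source NAT for a host whose default
# gateway is not pfSense. Interface names and the table are assumed.
ext_if   = "em0"            # WAN, 79.x.x.x/29 (assumed interface name)
int_if   = "em1"            # LAN, 192.168.60.1/16 (assumed interface name)
vnc_host = "192.168.0.75"   # VNC server, default gateway 192.168.0.1

# Sources that open connections too fast are collected here and blocked.
table <vnc_abusers> persist

# 1. Firewall > NAT > Port Forward: WAN:5900 -> 192.168.0.75:5900
rdr on $ext_if proto tcp from any to ($ext_if) port 5900 -> $vnc_host port 5900

# 2. Firewall > NAT > Outbound (Hybrid): rewrite the client's source to the
#    LAN address, so replies come back to pfSense instead of to 192.168.0.1.
nat on $int_if proto tcp from any to $vnc_host port 5900 -> ($int_if)

# 3. The filter rule the forward needs. The filter sees the translated
#    destination. The client IP is dynamic and cannot be pinned, so at least
#    rate-limit new connections per source and drop repeat offenders
#    (the 5/60 threshold is an assumption, not from the thread).
block in quick on $ext_if from <vnc_abusers>
pass in on $ext_if proto tcp from any to $vnc_host port 5900 \
    flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <vnc_abusers> flush global)
```

        Checks: `pfctl -sn` shows both translation rules, `pfctl -ss | grep 5900` shows the state with the rewritten source, and `pfctl -t vnc_abusers -T show` lists any blocked sources. One caveat of the source NAT: the VNC server now sees every connection as coming from the pfSense LAN address, so the real client address is only available from pfSense's state table and firewall log, not from the VNC server's own log.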
        johnpoz LAYER 8 Global Moderator

          Opening up VNC to the public internet is a bad idea all the way around. Can you at least lock down the source IP of who is going to be using this port forward? You really should VPN into your network to access this sort of thing from outside your network.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          tonysud

            @johnpoz:

            Can you at least lock down the source IP of who is going to be using this port forward?

            No, I can't. The client has a dynamic internet address.

            @johnpoz:

            You really should vpn into your network to access this sort of thing from outside your network.

            The client is too lazy to set up a VPN before connecting to VNC, and I don't want him in my LAN.

            johnpoz LAYER 8 Global Moderator

              And from the VNC to that box, what stops him from going wherever he wants in that LAN?

              A client too lazy to do something correctly shouldn't be allowed access; that is the best solution.

              If you're going to open up something like that to the public, I would make sure it's locked down so that box is isolated and cannot do anything other than what he needs to do with it. And make it hard for him to VNC to it: leave the rule disabled unless he calls and sets up a time.


              tonysud

                @johnpoz:

                And from the VNC to that box, what stops him from going wherever he wants in that LAN?

                The client that connects to the VNC server calls us, and we see what he does with the PC.
                No problem there.

                Translating the source address would be the only option here, otherwise response packets from 192.168.0.75 are directed to its default gateway.

                To do so, switch the pfSense Outbound NAT to Hybrid mode. Firewall > NAT > Outbound
                Add a rule:
                Interface: LAN (or which is facing to 192.168.0.75)
                Protocol: TCP
                source: any
                destination: Network - 192.168.0.75/32 port 5900
                Translation: Interface address

                I have tried it, and it seems to work.
                In fact I see on the VNC server: connection from the pfSense LAN IP.
                But I noticed that randomly I lose the connection, and I can't log in to the web interface of the pfSense machine.
                If I reboot the machine, it starts working again.

                johnpoz LAYER 8 Global Moderator

                  "The client that connects to vnc server call us, and we see what he does with the pc"

                  OK, so the rule on pfSense is disabled until he calls, and VNC is not even running on the PC until he calls. That is something.

                  "but I noticed that randomly, I loose connection, and I can't login to web interface of pfsense machine"

                  That seems unrelated to your VNC? Port forwarding traffic would have nothing to do with having to reboot pfSense because you cannot access its web GUI. Does SSH work? Can you ping pfSense? Is traffic flowing through pfSense for other users, is DNS working, etc.?


                  tonysud

                    OK, so the rule on pfSense is disabled until he calls, and VNC is not even running on the PC until he calls. That is something.

                    No, the rule is always enabled, but the VNC server is always disabled until the client calls; then we start the VNC server and he connects to pfSense WANIP:5900.

                    That seems unrelated to your VNC? Port forwarding traffic would have nothing to do with having to reboot pfSense because you cannot access its web GUI. Does SSH work? Can you ping pfSense? Is traffic flowing through pfSense for other users, is DNS working, etc.?

                    I don't know. I installed pfSense on a PC only to make this redirect to the VNC server; I have no other users on this pfSense machine.

                    johnpoz LAYER 8 Global Moderator

                      It seems odd that you would need pfSense to allow access to VNC if VNC is not even using pfSense as its gateway and you have some other connection in and out of your network.

                      So you don't know if you can SSH or ping pfSense when you cannot access its GUI?

                      Could you draw up your network and how you have pfsense deployed in it, etc.


                      tonysud

                        I'm testing VNC through pfSense and it seems to be working very well now.
                        Probably I made some mistakes when I set up the rules.

                        The problem with the VNC server was this: the gateway of that PC is a router with a dynamic IP address, but I wanted to give access to that PC using a static IP address, so I set up pfSense with a static IP address, and through pfSense the VNC server is always reachable without dynamic DNS issues.

                        johnpoz LAYER 8 Global Moderator

                          That makes no sense. So pfSense is behind your other router, or on the same ISP connection but static? Or a different ISP?

                          pfSense has a public IP on it, i.e. not RFC 1918 (10.x.x.x, 192.168.x.x, 172.16-31.x.x), on its WAN? And this is the same ISP that your other router has a dynamic WAN IP from?


                          tonysud

                            We have 8 internet connections from different ISPs (two of the lines are from the same ISP), with different speeds, some with dynamic IP via PPPoE, some with static IP.
                            We also have a /29 subnet; one of those IPs I used on the WAN interface of pfSense.

                            pfSense has a public IP on it, i.e. not RFC 1918 (10.x.x.x, 192.168.x.x, 172.16-31.x.x), on its WAN?

                            yes

                            And this is the same ISP that your other router has a dynamic WAN IP from?

                            no

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.