Port 5900 (vnc) to a pc with different gateway



  • hello
    I have this situation:

    pfsense:
    lan: 192.168.60.1 netmask 255.255.0.0
    wan: 79.x.x.x netmask 255.255.255.248 gateway 79.xx.xx.ZZ

    I have a pc with ip 192.168.0.75 netmask 255.255.0.0 and gateway 192.168.0.1 with vnc server

    so the gateway of the pc is different than pfsense ip

    What I want to do is this: when someone connect to 79.x.x.x port 5900, I want that the connection will be redirected to 192.168.0.75:5900

    I think that the source IP should be translated to something like 192.168.xx.xx so that 192.168.0.75 reply to it directly without its gateway

    please let me know if pfsense can help me setting up this type of forwarding port

    I can't touch routing configuration on 192.168.0.75 and on 192.168.0.1



  • @tonysud:

    What I want to do is this: when someone connect to 79.x.x.x port 5900, I want that the connection will be redirected to 192.168.0.75:5900

    That's a simple port forwarding rule in pfSense. Firewall > NAT > Port Forward

    @tonysud:

    I think that the source IP should be translated to something like 192.168.xx.xx so that 192.168.0.75 reply to it directly without its gateway

    Translating the source address would be the only option here, otherwise response packets from 192.168.0.75 are directed to its default gateway.

    To do so, switch the pfSense Outbound NAT to Hybrid mode. Firewall > NAT > Outbound
    Add a rule:
    Interface: LAN (or which is facing to 192.168.0.75)
    Protocol: TCP
    source: any
    destination: Network - 192.168.0.75/32 port 5900
    Translation: Interface address


  • LAYER 8 Global Moderator

    Opening up vnc to the public internet is a bad idea all the way around.. Can you atleast lock down the source IP of who is going to be using this port forward?  You really should vpn into your network to access this sort of thing from outside your network.



  • @johnpoz:

    Can you atleast lock down the source IP of who is going to be using this port forward?

    No, I can't. Client has dynamic internet address

    @johnpoz:

    You really should vpn into your network to access this sort of thing from outside your network.

    client is too lazy to make a vpn before connecting to vnc and I don't want him in my lan


  • LAYER 8 Global Moderator

    and from the vnc to that box, what stops him from going where ever he wants in that lan?

    Client too lazy to do something correctly shouldn't be allowed access - that is the best solution.

    If your going to open up something like that to the public, I would make sure its locked down where that box is isolated and can not do anything other than what he needs to do with it.  And make it hard for him to vnc to it - leave the rule disabled unless he calls and sets up time..



  • @johnpoz:

    and from the vnc to that box, what stops him from going where ever he wants in that lan?

    The client that connects to vnc server call us, and we see what he does with the pc
    no problem for this

    Translating the source address would be the only option here, otherwise response packets from 192.168.0.75 are directed to its default gateway.

    To do so, switch the pfSense Outbound NAT to Hybrid mode. Firewall > NAT > Outbound
    Add a rule:
    Interface: LAN (or which is facing to 192.168.0.75)
    Protocol: TCP
    source: any
    destination: Network - 192.168.0.75/32 port 5900
    Translation: Interface address

    I have tried, and it seems to work
    Infact I see on vnc server: connection from the pfsense lan ip
    but I noticed that randomly, I loose connection, and I can't login to web interface of pfsense machine
    If I reboot the machine, it start working again


  • LAYER 8 Global Moderator

    "The client that connects to vnc server call us, and we see what he does with the pc"

    Ok so the rule on pfsense is disabled until he calls, and vnc is not even running on pc until he calls.  That is something.

    "but I noticed that randomly, I loose connection, and I can't login to web interface of pfsense machine"

    That seems unrelated to your vnc ?  Port forwarding traffic would have nothing to do with having to reboot pfsense because you can not access its web gui.  Does ssh work, can you ping pfsense.  Is traffic flowing through pfsense for other users, dns working, etc. etc.



  • Ok so the rule on pfsense is disabled until he calls, and vnc is not even running on pc until he calls.  That is something.

    No, the rule is always enabled, but vnc server is always disabled, until the client call, so we start vnc server and he connect to pfsense WANIP:5900

    That seems unrelated to your vnc ?  Port forwarding traffic would have nothing to do with having to reboot pfsense because you can not access its web gui.  Does ssh work, can you ping pfsense.  Is traffic flowing through pfsense for other users, dns working, etc. etc.

    I don't know, I have installed pfsense on a pc only to make this redirect to vnc server, I haven't other users using this pfsense machine


  • LAYER 8 Global Moderator

    seems odd that you would need pfsense to allow access to vnc if vnc is not even using pfsense as its gateway and you have some other connection in and out of your network.

    So you don't know if you can ssh or ping pfsense when you can not access its gui?

    Could you draw up your network and how you have pfsense deployed in it, etc.



  • I'm testing vnc through pfsense and it seems working very well now
    probably I did some mistakes when I set up rules

    the problem with the vnc server was this: I have as gateway of that pc a router that has dynamic ip address, but I wanted to give access to that pc using a static ip address, so I set up pfsense with static ip address, and through pfsense vnc server is always reachable without dynamic dns issues


  • LAYER 8 Global Moderator

    That makes no sense - so pfsense is behind your other router, or on same isp connection but static?  Or a different isp?

    pfsense has a public IP on it, ie not rf1918 (10.x.x.x, 192.168.x.x, 172.16-31.x.x) on its wan?  And this is the same ISP that your other router is dynamic wan IP?



  • we have 8 internet connections with different ISP (two lines of them are of the same ISP), with different speed, some with dynamic IP via PPPOE, some with static IP
    we also have a /29 subnet.. one of those IP I have used on wan interface of pfsense

    pfsense has a public IP on it, ie not rf1918 (10.x.x.x, 192.168.x.x, 172.16-31.x.x) on its wan?

    yes

    And this is the same ISP that your other router is dynamic wan IP?

    no


Log in to reply