Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Port 5900 (vnc) to a pc with different gateway

    NAT
    3
    12
    2506
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      tonysud last edited by

      hello
      I have this situation:

      pfsense:
      lan: 192.168.60.1 netmask 255.255.0.0
      wan: 79.x.x.x netmask 255.255.255.248 gateway 79.xx.xx.ZZ

      I have a pc with ip 192.168.0.75 netmask 255.255.0.0 and gateway 192.168.0.1 with vnc server

      so the gateway of the pc is different than pfsense ip

      What I want to do is this: when someone connect to 79.x.x.x port 5900, I want that the connection will be redirected to 192.168.0.75:5900

      I think that the source IP should be translated to something like 192.168.xx.xx so that 192.168.0.75 reply to it directly without its gateway

      please let me know if pfsense can help me setting up this type of forwarding port

      I can't touch routing configuration on 192.168.0.75 and on 192.168.0.1

      1 Reply Last reply Reply Quote 0
      • V
        viragomann last edited by

        @tonysud:

        What I want to do is this: when someone connect to 79.x.x.x port 5900, I want that the connection will be redirected to 192.168.0.75:5900

        That's a simple port forwarding rule in pfSense. Firewall > NAT > Port Forward

        @tonysud:

        I think that the source IP should be translated to something like 192.168.xx.xx so that 192.168.0.75 reply to it directly without its gateway

        Translating the source address would be the only option here, otherwise response packets from 192.168.0.75 are directed to its default gateway.

        To do so, switch the pfSense Outbound NAT to Hybrid mode. Firewall > NAT > Outbound
        Add a rule:
        Interface: LAN (or which is facing to 192.168.0.75)
        Protocol: TCP
        source: any
        destination: Network - 192.168.0.75/32 port 5900
        Translation: Interface address

        1 Reply Last reply Reply Quote 0
        • johnpoz
          johnpoz LAYER 8 Global Moderator last edited by

          Opening up vnc to the public internet is a bad idea all the way around.. Can you atleast lock down the source IP of who is going to be using this port forward?  You really should vpn into your network to access this sort of thing from outside your network.

          1 Reply Last reply Reply Quote 0
          • T
            tonysud last edited by

            @johnpoz:

            Can you atleast lock down the source IP of who is going to be using this port forward?

            No, I can't. Client has dynamic internet address

            @johnpoz:

            You really should vpn into your network to access this sort of thing from outside your network.

            client is too lazy to make a vpn before connecting to vnc and I don't want him in my lan

            1 Reply Last reply Reply Quote 0
            • johnpoz
              johnpoz LAYER 8 Global Moderator last edited by

              and from the vnc to that box, what stops him from going where ever he wants in that lan?

              Client too lazy to do something correctly shouldn't be allowed access - that is the best solution.

              If your going to open up something like that to the public, I would make sure its locked down where that box is isolated and can not do anything other than what he needs to do with it.  And make it hard for him to vnc to it - leave the rule disabled unless he calls and sets up time..

              1 Reply Last reply Reply Quote 0
              • T
                tonysud last edited by

                @johnpoz:

                and from the vnc to that box, what stops him from going where ever he wants in that lan?

                The client that connects to vnc server call us, and we see what he does with the pc
                no problem for this

                Translating the source address would be the only option here, otherwise response packets from 192.168.0.75 are directed to its default gateway.

                To do so, switch the pfSense Outbound NAT to Hybrid mode. Firewall > NAT > Outbound
                Add a rule:
                Interface: LAN (or which is facing to 192.168.0.75)
                Protocol: TCP
                source: any
                destination: Network - 192.168.0.75/32 port 5900
                Translation: Interface address

                I have tried, and it seems to work
                Infact I see on vnc server: connection from the pfsense lan ip
                but I noticed that randomly, I loose connection, and I can't login to web interface of pfsense machine
                If I reboot the machine, it start working again

                1 Reply Last reply Reply Quote 0
                • johnpoz
                  johnpoz LAYER 8 Global Moderator last edited by

                  "The client that connects to vnc server call us, and we see what he does with the pc"

                  Ok so the rule on pfsense is disabled until he calls, and vnc is not even running on pc until he calls.  That is something.

                  "but I noticed that randomly, I loose connection, and I can't login to web interface of pfsense machine"

                  That seems unrelated to your vnc ?  Port forwarding traffic would have nothing to do with having to reboot pfsense because you can not access its web gui.  Does ssh work, can you ping pfsense.  Is traffic flowing through pfsense for other users, dns working, etc. etc.

                  1 Reply Last reply Reply Quote 0
                  • T
                    tonysud last edited by

                    Ok so the rule on pfsense is disabled until he calls, and vnc is not even running on pc until he calls.  That is something.

                    No, the rule is always enabled, but vnc server is always disabled, until the client call, so we start vnc server and he connect to pfsense WANIP:5900

                    That seems unrelated to your vnc ?  Port forwarding traffic would have nothing to do with having to reboot pfsense because you can not access its web gui.  Does ssh work, can you ping pfsense.  Is traffic flowing through pfsense for other users, dns working, etc. etc.

                    I don't know, I have installed pfsense on a pc only to make this redirect to vnc server, I haven't other users using this pfsense machine

                    1 Reply Last reply Reply Quote 0
                    • johnpoz
                      johnpoz LAYER 8 Global Moderator last edited by

                      seems odd that you would need pfsense to allow access to vnc if vnc is not even using pfsense as its gateway and you have some other connection in and out of your network.

                      So you don't know if you can ssh or ping pfsense when you can not access its gui?

                      Could you draw up your network and how you have pfsense deployed in it, etc.

                      1 Reply Last reply Reply Quote 0
                      • T
                        tonysud last edited by

                        I'm testing vnc through pfsense and it seems working very well now
                        probably I did some mistakes when I set up rules

                        the problem with the vnc server was this: I have as gateway of that pc a router that has dynamic ip address, but I wanted to give access to that pc using a static ip address, so I set up pfsense with static ip address, and through pfsense vnc server is always reachable without dynamic dns issues

                        1 Reply Last reply Reply Quote 0
                        • johnpoz
                          johnpoz LAYER 8 Global Moderator last edited by

                          That makes no sense - so pfsense is behind your other router, or on same isp connection but static?  Or a different isp?

                          pfsense has a public IP on it, ie not rf1918 (10.x.x.x, 192.168.x.x, 172.16-31.x.x) on its wan?  And this is the same ISP that your other router is dynamic wan IP?

                          1 Reply Last reply Reply Quote 0
                          • T
                            tonysud last edited by

                            we have 8 internet connections with different ISP (two lines of them are of the same ISP), with different speed, some with dynamic IP via PPPOE, some with static IP
                            we also have a /29 subnet.. one of those IP I have used on wan interface of pfsense

                            pfsense has a public IP on it, ie not rf1918 (10.x.x.x, 192.168.x.x, 172.16-31.x.x) on its wan?

                            yes

                            And this is the same ISP that your other router is dynamic wan IP?

                            no

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post

                            Products

                            • Platform Overview
                            • TNSR
                            • pfSense
                            • Appliances

                            Services

                            • Training
                            • Professional Services

                            Support

                            • Subscription Plans
                            • Contact Support
                            • Product Lifecycle
                            • Documentation

                            News

                            • Media Coverage
                            • Press
                            • Events

                            Resources

                            • Blog
                            • FAQ
                            • Find a Partner
                            • Resource Library
                            • Security Information

                            Company

                            • About Us
                            • Careers
                            • Partners
                            • Contact Us
                            • Legal
                            Our Mission

                            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                            Subscribe to our Newsletter

                            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                            © 2021 Rubicon Communications, LLC | Privacy Policy