Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Pfsense rules to allow vnc over ssh tunnel

    General pfSense Questions
    2
    4
    95
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      noenthu last edited by

      I'm having issues establishing a vnc connection over an ssh tunnel (testing in a local environment not over actual WAN)

      My Desktop ip 192.168.1.2

      ESXI 6.7 host with pfsense and a ubuntu 20.04 vm.
      PFsense IP - 192.168.1.15 (Wan IP)
      Ubutnu VM IP - 192.168.2.2 (Lan IP from PfSense)

      I have a firewall rule to allow Any Source Address on WAN and any port on Wan to my ubuntu VM 192.168.2.2 Port 22 for SSH.
      I have a NAT port forwarding rule to allow Destination Wan Address Port 22 to redirect to host 192.168.2.2 port 22 for ssh

      I am able to establish SSH connection from my desktop to the Ubuntu vm with this setup.

      What I want to do is use SSH tunneling to connect vncviewer from my desktop to the ubuntu vm.
      I setup a tunnel for port 5900 over ssh but am unable to get vncviewer to connect to the vm.

      When I try to connect I see the following
      LAN tcp 192.168.2.2:43970 -> 192.168.1.15:5900 CLOSED:SYN_SENT 3 / 0 180 B / 0 B

      1 Reply Last reply Reply Quote 0
      • stephenw10
        stephenw10 Netgate Administrator last edited by

        There shouldn't be anything special required in pfSense to pass that if SSH is working.

        Check the logs in Ubuntu.

        Steve

        N 1 Reply Last reply Reply Quote 0
        • N
          noenthu @stephenw10 last edited by

          @stephenw10 this may have been an issue with my incomplete understanding of ssh tunnels.

          Since I am using port forwarding from the pfsense router (lab environment) 22 to ubuntu vm port 22.

          When I establish an ssh connection from my desktop, I am using the wan ip of the pfsense router 192.168.1.15.
          Creating a tunnel, I was trying to map 5900:192.168.1.15:5900. This caused the Ubuntu vm to try to establish a connection to port 5900 on 192.168.1.15 which would fail.

          If I instead create a tunnel as 5900:127.0.0.1:5900, the vm will create a tunnel to its localhost port 5900 and I am able to proceed.

          Please let me know if this is the appropriate way to perform tunneling

          ssh -L 5900:127.0.0.1:5900 192.168.1.15 (assuming it would also work with ssh -L 5900:192.168.2.2:5900 192.168.1.15)

          originally, I was doing
          ssh -L 5900:192.168.1.15:5900 192.168.1.15

          1 Reply Last reply Reply Quote 0
          • stephenw10
            stephenw10 Netgate Administrator last edited by

            Yes exactly if you are trying to connect to a sercice on the Ubuntu server you would use localhost there, or some IP on the Ubuntu box listening on that port. Not the pfSense IP.

            Steve

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense Plus
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy