Tight VNC… and NAT



  • Hi all,

I have a network which is like this:

    internet ----- PFSENSE (192.168.0.1) ----- SWITCH ----- 192.168.0.15

    I want to access the TightVNC server (on 192.168.0.15) (HTTP port: 6969).

    I tried a NAT port forward (proto TCP, port 6969, NAT IP 192.168.0.15 (ext: my public IP), int port 6969) and of course I let it automatically create a FW rule... But that's useless... what's going wrong??

    Thanks ;)



  • Something that I find myself often forgetting is to open the Windows XP Firewall to the VNC Server. If you're using TightVNC Server I find that often the program isn't in the list of exceptions and that you have to browse to the program itself to allow it. Of course this is only a problem if you're using XP and have the firewall enabled. ;)



  • Check your firewall rules (order is important). Also check Status > System logs > Firewall to see if something is blocking. If the connections show up as blocked, click the small icon in front of the line. It will tell you what rule caused the block.



  • Thanks for the help!!

    WAN  an_IP:some_Random_Port  my_IP:my_Single_Port  TCP

    The firewall blocks this...

    But in the WAN tab of the firewall rules I put:

    TCP any source, any port, any destination, my_Single_Port, any gateway

    This normally lets the connection in, but it's still blocked... here is the message when I click the little red cross in the firewall log:

    The rule that triggered this action is :
    @47 block drop in log quick all label "Default block all just to be sure."

    ??? ???



  • @agent007se:

    But in the wan tab in the firewall rules I put :
    TCP any source, any port, any destination, my_Single_Port, any gateway

Entering from the WAN (from anywhere on the Internet) into your pfSense box?
    This is scary... treated in many posts and, as always, it concludes with a "don't".
    If you really have to, then:

    • Try to limit the "From Source" (if you know the connecting IP) - or, at least, its range.
    • Use VPN or PPTP to get in. (works great).
    • Use stuff like port knocking.
    • Limit connections to x per x seconds.
    • etc. etc.

    The rule that triggered this action is :
    @47 block drop in log quick all label "Default block all just to be sure."

    This is the default final 'hidden' pfSense 'built-in' rule that blocks anything and everything that's new and comes from the 'evil outside' (you should permit with rules before this one - with the help of the GUI Firewall section) - this one pulls the plug on everything else.



  • And if I don't know the range of IPs? In fact, I'd like to connect to my PC 192.168.0.3 from anywhere in the world to access my computer through TightVNC...

    I've done some searches but I didn't find anything useful... I'll try with VPN... that's a good idea :D! Thanks ;)



  • The problem is not the "any source" but the "any destination" that you have in your rule.
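As an added illustration (not code from this thread or from pfSense itself), here is the pf.conf equivalent of what the GUI port forward and WAN rule produce, showing the broad rule as posted next to a tightened one that applies the advice above: a restricted source range, the internal host as the rule's destination, and a per-source connection-rate limit. pf rewrites the destination address before it evaluates filter rules, so the pass rule has to match the NAT'd host (192.168.0.15 from the first post) rather than the public address. The interface name, the `$wan` macro and the admin range 203.0.113.0/24 are placeholders, not values from the thread.

```pf
# Added example, not from the forum thread or pfSense. Assumed values:
# em0 as the WAN interface and 203.0.113.0/24 as the admin's source range.
wan       = "em0"
vnc_host  = "192.168.0.15"      # internal TightVNC host from the thread
vnc_port  = "6969"
admin_net = "203.0.113.0/24"    # assumed: where the admin connects from

# Port forward. Translation happens before filtering, so the pass rule
# below must name $vnc_host, not the public address, as its destination.
rdr on $wan proto tcp from $admin_net to ($wan) port $vnc_port -> $vnc_host port $vnc_port

# Broad rule as posted: any source, any destination, one port. Left
# commented out; it exposes the service to the whole Internet.
# pass in quick on $wan proto tcp from any to any port $vnc_port

# Tightened rule: known source range, the NAT'd host as destination, and a
# rate limit of 3 new connections per 30 seconds per source address.
# Offenders are added to a table and blocked by the rule that precedes it;
# "flush global" also tears down their existing states.
table <vnc_abusers> persist
block in quick on $wan from <vnc_abusers> to any
pass in quick on $wan proto tcp from $admin_net to $vnc_host port $vnc_port \
    flags S/SA keep state (max-src-conn-rate 3/30, overload <vnc_abusers> flush global)

# Anything not matched above still falls through to the default block,
# the same rule the thread's log entry names.
block drop in log quick on $wan all label "Default block all just to be sure."
```

If the connecting address is genuinely unknown, the source restriction cannot be applied and the remaining options are the ones already listed in the thread: reach the host over a VPN instead of exposing VNC directly, or at least keep the rate limit so a single remote address cannot hammer the service.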


Locked