Using custom incoming port for VNC routing



  • I've set up a default NAT to transfer WAN traffic to a specific system's VPN and it works fine.  I now need to set up a custom external port to move to a different system's VPN.

    I set the ports up using 5905 on the outside to 5900 on the inside, but the connection just hangs.  I know that the system is responding since changing the IP address on the NAT rule that works allows that second system to connect as expected.

    ![Screen Shot 2015-11-24 at 11.55.58 AM.png](/public/imported_attachments/1/Screen Shot 2015-11-24 at 11.55.58 AM.png)


  • LAYER 8 Global Moderator

    Where is 5905 on the outside.. That is the source port.. That's probably never going to work..

    Helps if you post the headers of your columns.. You've got dest ports the same, and why * for address??  That should be your WAN ADDRESS, not *..



  • Banned

    @tolistim:

    I set the ports up using 5905 on the outside to 5900 on the inside

    Well no, that's not what you have set up. Do NOT set up a source port.



  • I just found that in the troubleshooting and made the modification so that there is no source port.  I then modified the "Destination" port range to 5905 and saved / reloaded the rules.  Now, the connection attempt gets to the connecting message (was simply failing before), but the machine never responds.

    The new configuration:

    IFC: WAN
    Protocol: UDP/TCP
    Src Addr: *
    Src Ports: *
    Dest Addr: *
    Dest Ports: 5905
    NAT IP: MACHINE IP
    NAT Port: VNC (5900)


  • LAYER 8 Global Moderator

    5900 is a port you're using for VPN?  Is it UDP or TCP?  Why are you forwarding both? 5900 is the default VNC port over Java..  Is that what you consider a VPN?

    Are you trying to access this remotely or from a NAT reflection?  Are you using UDP or TCP?

    dest address of * is FAIL…


  • LAYER 8 Netgate

    IFC: WAN
    Protocol: UDP/TCP
    Src Addr: *
    Src Ports: *
    Dest Addr: WAN address
    Dest Ports: 5905
    NAT IP: MACHINE IP
    NAT Port: VNC (5900)

    (Port forwarding VNC from any is not a VPN)



  • I fat-fingered that title because I've been tracking down the VPN links as well…  ::) - fixed now

    This is concerning the VNC NAT.

    I changed the Dest Addr: to WAN Address with no change.



  • @johnpoz:

    5900 is a port you're using for VPN?  Is it UDP or TCP?  Why are you forwarding both? 5900 is the default VNC port over Java..  Is that what you consider a VPN?

    Are you trying to access this remotely or from a NAT reflection?  Are you using UDP or TCP?

    dest address of * is FAIL…

    I fat-fingered the VPN; I'm trying to sort out some new VNC connections.


  • LAYER 8 Netgate

    Do you have automatic filter rules (filter rule association) for the port forward? Show us the rule for inside host in question:5900.

    If the rule is there, look at the destination host.

    Good list of things to check here. Please check them all.  Really. :

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • That document is where I uncovered the "Do not set a Source Port".

    The one thing that might be affecting the test is the "Testing from an internal net machine".  I'm setting up my Verizon hotspot to try again from outside.



  • That was the key - I had to take the test outside.  Still not sure why the default to the original machine works from inside or out, but this one is now sorted.

    Now, back to the VPN issues …  :-\
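
The thread resolves when the test is run from a network outside the pfSense box (the hotspot), because a port forward tested from the LAN needs NAT reflection. The following is an added example, not code from the thread or from pfSense, of how a practitioner would run that outside test so that "hangs" is turned into something diagnosable: it connects to the custom WAN port and checks for the 12-byte RFB ProtocolVersion greeting (`RFB 003.008\n` and similar) that every VNC server sends first. A SYN that is dropped, a RST from a host with no VNC listener, a connection that is accepted but silent (rule pointing at the wrong machine or NAT port), and a real VNC greeting all look like "connecting..." in a GUI viewer but are reported separately here. The WAN IP and the 5905 port are placeholders taken from the thread; the local fake server exists only so the script can be exercised offline.

```python
"""Added example (not from the forum thread or pfSense): probe a VNC port
forward from OUTSIDE the LAN and classify what the far end does.

Run from a host that is not behind the pfSense box, e.g.
    python probe_vnc.py <WAN IP> 5905
"""
import re
import socket
import threading

# RFB ProtocolVersion message: exactly "RFB xxx.yyy\n" (12 bytes).
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def classify_banner(data: bytes) -> str:
    """Interpret the first bytes a server sent after the TCP connect."""
    if not data:
        # Handshake completed but the target said nothing (or closed):
        # the rdr delivered the SYN to a host that accepted it, but that
        # host is not speaking RFB on the NAT'd port (wrong NAT port,
        # service down, or the rule points at the wrong machine).
        return "connected-no-banner"
    m = RFB_BANNER.match(data)
    if m:
        return f"vnc-rfb-{int(m.group(1))}.{int(m.group(2))}"
    return "connected-not-vnc"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Return one of: refused, timeout, error-<errno>,
    connected-no-banner, connected-not-vnc, vnc-rfb-X.Y."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = b""
            try:
                while len(data) < 12:          # banner is exactly 12 bytes
                    chunk = s.recv(12 - len(data))
                    if not chunk:              # peer closed: EOF
                        break
                    data += chunk
            except socket.timeout:
                pass                           # silent peer: fall through
            return classify_banner(data)
    except ConnectionRefusedError:
        # RST came back: something answered, but nothing listens there.
        return "refused"
    except socket.timeout:
        # No SYN/ACK at all: dropped by the firewall, no rdr matched the
        # destination (e.g. Dest Addr mismatch), or NAT'd to a dead host.
        return "timeout"
    except OSError as e:
        return f"error-{e.errno}"


def start_fake_vnc(banner=b"RFB 003.008\n") -> int:
    """Offline self-test helper (constructed, not a real VNC server):
    listen on 127.0.0.1, accept one client, send `banner` (None = send
    nothing and hang up). Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner is not None:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port() -> int:
    """Offline self-test helper: a local port with nothing listening."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])   # e.g. <WAN IP> 5905
    print(probe(host, port))
```

A result of `timeout` against 5905 points at the NAT rule itself (destination address, protocol, or the associated filter rule); `refused` or `connected-no-banner` means the forward is reaching a host, just not a VNC listener on the NAT port. The same probe run against port 5900 on the WAN address also confirms that the default VNC port is not exposed directly, which the moderator below is about to raise.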


  • LAYER 8 Global Moderator

    You have VNC on its default port open to the public net?  Shoot, any port for that matter, doesn't matter if it's the default..  That is a really bad, bad idea if you ask me!!

    Here are the hits just today on that port..  Why would you want that open??  Hope the VPN stuff you are working on is how to securely access your network via a VPN vs opening up VNC to the public internet ;)




  • Your concern is understood. The machines being connected to are actually behind another 2-tier authentication process using DH async keys, so aside from the normal port pings, we're not too concerned.

    However, having visited this in the realm of my VPN checks on this system, is there a good guide for setting up pfSense to allow proper VPN connections from stock OS X systems?


  • LAYER 8 Global Moderator

    Why does it have to be stock OS X?  Just use the OpenVPN client – user click click and they have a VPN connection.  Tunnelblick comes to mind as a no-brainer OS X client.  If you have an aversion to free you could always go with Viscosity.. Also a no-brainer and very reasonably priced.



  • Because OS X already offers a number of VPN options built-in.

    I'd rather not need to start adding software to the systems in use.

    I'll move this to a new thread.


  • LAYER 8 Global Moderator

    And what do they offer.. IPsec - it sucks behind most NATs, so it's useless for most road warriors..  What else is there that isn't deprecated?  OpenVPN uses 1 port, can bounce off a proxy even..  It's a no-brainer to install and use.. Supported on iOS and Android devices with a FREE client.  Has a free client for every other OS out there, etc..

    That you want stock is pointless for the ease of use..

    For security you should be providing something to the client other than a username and password, so you're using 2-factor something for them to access your VPN..  This can be very simple: give them a bundle of a client and the cert along with a username and password to auth with, etc.



  • Pop over to this thread to continue the VPN discussion:

    https://forum.pfsense.org/index.php?topic=102977.0

