
Author Topic: Tight VNC... and NAT  (Read 11642 times)


Offline agent007se

Tight VNC... and NAT
« on: August 20, 2006, 01:43:04 pm »
Hi all,

I have a network which is set up like this:

internet ----- PFSENSE (192.168.0.1) ----- SWITCH ----- 192.168.0.15

I want to access the TightVNC server (on 192.168.0.15) (HTTP port: 6969).

I tried a NAT port forward (proto TCP, port 6969, NAT IP 192.168.0.15 (ext: my public IP), int port 6969) and of course I left the automatic creation of a FW rule enabled.... But that's useless... what's going wrong??

Thanks ;)

Offline Superman

Re: Tight VNC... and NAT
« Reply #1 on: August 20, 2006, 04:16:26 pm »
Something that I find myself often forgetting is to open the Windows XP Firewall to the VNC Server. If you're using TightVNC Server I find that often the program isn't in the list of exceptions and that you have to browse to the program itself to allow it. Of course this is only a problem if you're using XP and have the firewall enabled. ;)

Offline hoba

Re: Tight VNC... and NAT
« Reply #2 on: August 20, 2006, 06:23:45 pm »
Check your firewall rules (order is important). Also check Status > System logs, Firewall to see if something is blocking. If the connections show up as blocked, click the small icon in front of the line. It will tell you what rule caused the block.

Offline agent007se

Re: Tight VNC... and NAT
« Reply #3 on: August 24, 2006, 02:41:39 am »
Thanks for the help !!

WAN     an_IP:some_Random_Port     my_IP:my_Single_Port     TCP

The firewall blocks this...

But in the WAN tab of the firewall rules I put:

TCP, any source, any port, any destination, my_Single_Port, any gateway

This should normally let the connection in, but it's still blocked... here is the message when I click on the little red cross in the firewall's log:

Quote
The rule that triggered this action is:
@47 block drop in log quick all label "Default block all just to be sure."

 ??? ???

Offline Gertjan

Re: Tight VNC... and NAT
« Reply #4 on: August 24, 2006, 03:17:11 am »
Quote
But in the WAN tab of the firewall rules I put:
TCP, any source, any port, any destination, my_Single_Port, any gateway

Entering from the WAN (from anywhere on the Internet) into your pfSense box?
This is scary..... treated in many posts and it always concludes with a "don't".
If you really have to, then:
- Try to limit the "From Source" (if you know the connecting IP) - or, at least, its range.
- Use VPN or PPTP to get in. (works great).
- Use stuff like port knocking.
- Limit connections to x per x seconds.
- etc. etc.


Quote
The rule that triggered this action is:
@47 block drop in log quick all label "Default block all just to be sure."

This is the default final 'hidden' pfSense 'built-in' rule that blocks all and everything that's new and comes from the 'evil outside' (you should permit with rules before this one - with the help of the GUI Firewall section) - this one pulls the plug on everything else.

Offline agent007se

Re: Tight VNC... and NAT
« Reply #5 on: August 24, 2006, 07:49:51 am »
And if I don't know the range of IPs? In fact, I'd like to connect to my PC: 192.168.0.3 from anywhere in the world, to access my computer through TightVNC...

I've done some searches but I didn't find anything useful... I'll try with VPN... that's a good idea :D ! Thanks ;)

Offline hoba

Re: Tight VNC... and NAT
« Reply #6 on: August 24, 2006, 09:22:43 am »
The problem is not any source but the any destination that you have in your rule.
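As an added illustration of what the thread arrives at (the pass rule on WAN has to match the internal host as destination, and the WAN exposure should be narrowed as Gertjan suggests), here is a hand-written pf ruleset in the shape of what the port forward in this thread produces. It is not from pfSense or from any poster; the interface name em0, the admin source range 203.0.113.0/24 and the rate-limit numbers are assumptions, while the host 192.168.0.15, port 6969 and the "Default block all" label come from the posts.

```pf
# Added example, not the thread's own config. Assumed: WAN is em0 and the admin
# connects from the documentation range 203.0.113.0/24; adjust both to your site.
ext_if    = "em0"
vnc_host  = "192.168.0.15"
vnc_port  = "6969"
admin_net = "203.0.113.0/24"

# Sources that exceed the connection rate below are collected here and dropped.
table <vnc_abuse> persist

# 1. Translation: packets arriving on WAN for port 6969 are rewritten to the
#    internal VNC host. Narrowing the source is Gertjan's first suggestion.
rdr on $ext_if proto tcp from $admin_net to ($ext_if) port $vnc_port \
    -> $vnc_host port $vnc_port

# 2. Filtering. pf evaluates filter rules after rdr, so the pass rule must name
#    the translated destination ($vnc_host), which is the point of the last reply:
#    an "any destination" rule is not what you want here; the destination that
#    reaches the filter is the internal host.
block in quick on $ext_if from <vnc_abuse>
pass in quick on $ext_if proto tcp from $admin_net to $vnc_host port $vnc_port \
    flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <vnc_abuse> flush global)

# 3. The catch-all that wrote the "@47 block drop in log quick all" entry seen in
#    the firewall log. Everything not passed above is logged and dropped.
block drop in log quick all label "Default block all just to be sure."
```

Two things worth checking when a forward still shows up as blocked: the log line names the rule number that fired, so compare it with `pfctl -vvsr` output to see whether the pass rule sits before the catch-all and whether its destination is the internal address rather than the WAN address; and `pfctl -t vnc_abuse -T show` lists sources that have been rate-limited into the block table, which would otherwise look like a silent outage from the admin's side.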