Topic: VNC: NAT Forwarded, Rules allowed, but still nothing.  (Read 5043 times)
« on: April 27, 2010, 00:16:23 »
MattBarszcz
Guest

Hi everyone, this is my first post here at the m0n0wall forums. I have m0n0wall running on an old Dell OptiPlex at home as a router for my family while I am away at school. I used to have an old crappy D-Link, but it couldn't handle many concurrent connections and it would randomly crash. Anyway, enough background.

The reason I am posting is because I have UltraVNC set up on my family's computer, which allows me to log in and help them if they are having computer problems. I had this system set up with the old D-Link router and it worked fine. I have VNC set up to run on port 6900 for data and 6800 for HTTP. In m0n0wall, I created a new NAT rule to forward ports 6800-6900 (TCP/UDP) to the machine (192.168.1.101). As you can see from the other firewall rule, I set up NAT for the web interface on 443 and it works fine. Also, when I was home I set up NAT for a bittorrent port and that worked fine too. First off, I know VNC is set up right, because that setup didn't change, only the router. When I connect to it, there are no firewall entries showing that the port was blocked. If I try to connect on the standard 5900 VNC port, the firewall shows it was blocked (so I know the logging is working correctly). I tried running a port scan on my home IP remotely and it shows only port 443 open; 6800 and 6900 remain closed.

Any ideas why this isn't working? See the attached screenshots for information on the NAT/Firewall setup.
http://img189.imageshack.us/img189/4271/39747508.png
http://img257.imageshack.us/img257/8208/55693620.png

Thanks for your help.
--Matt
« Reply #1 on: April 27, 2010, 01:02:19 »
Fred Grayson *****
Posts: 994

Two comments for you.

If you only need two ports open, 6800 and 6900, you really don't need to open a large range of 6800-6900. It would be cleaner and safer if you just opened the two ports needed.

There is a very good program called Teamviewer. It's probably a better choice for what you are wanting to do and doesn't need any firewall changes to work. You should consider it.

http://www.teamviewer.com/index.aspx
--
Google is your friend and Bob's your uncle.
« Reply #2 on: April 27, 2010, 02:54:19 »
MattBarszcz
Guest

Quote from: Fred Grayson on April 27, 2010, 01:02:19
Two comments for you.

If you only need two ports open, 6800 and 6900, you really don't need to open a large range of 6800-6900. It would be cleaner and safer if you just opened the two ports needed.

There is a very good program called Teamviewer. It's probably a better choice for what you are wanting to do and doesn't need any firewall changes to work. You should consider it.

http://www.teamviewer.com/index.aspx


I originally had the two ports set up with NAT and the firewall individually, but when that didn't work I forwarded the range of ports to try and simplify the rules that would affect the issue, but it still didn't work for me. I thought about using LogMeIn (or, as you suggested, Teamviewer), but I would like to try and get VNC working as it was before. (Also, I have no physical access to the machine, so I can't install any programs ATM. VNC is already set up and running though.) I can't seem to wrap my head around why something as simple as forwarding 2 ports isn't working.

--Matt
« Reply #3 on: April 27, 2010, 03:20:53 »
Fred Grayson *****
Posts: 994

IIRC, the default port for VNC is TCP 5900. Are you sure your VNC implementation is running on the port you think it is?

Also, it's possible to use Teamviewer without installing it.

--
Google is your friend and Bob's your uncle.
« Reply #4 on: April 27, 2010, 06:33:52 »
MattBarszcz
Guest

Quote from: Fred Grayson on April 27, 2010, 03:20:53
IIRC, the default port for VNC is TCP 5900. Are you sure your VNC implementation is running on the port you think it is?

Also, it's possible to use Teamviewer without installing it.


Yeah, the reason it is on 6900 is because sometimes I have my computer on the network using 5900. I know that it works on 6900 too because, like I said, the old D-Link had port 6900 forwarded and it worked fine. Also, from inside the network I can access that machine on port 6900.

--Matt
« Reply #5 on: April 27, 2010, 13:01:03 »
deajan *
Posts: 5

Hello,

I've had quite the same trouble with RDP via m0n0. I had two gateways while playing around with m0n0, and forgot to change the main gateway of my server to my m0n0wall's IP address. Check whether you did the same.

Depending on the VNC program you have, it can be quite tricky when it changes ports automatically (RealVNC did that for no reason). Check out UltraVNC or TightVNC; they worked well for me.

Last question: what kind of modem do you have on m0n0's WAN port? Does it include a NAT/Firewall too? Does it lie in a Class A/B/C address space? If so, do not block RFC1918 networks in your WAN.

Cheers.
« Last Edit: April 27, 2010, 13:06:09 by deajan »
« Reply #6 on: April 28, 2010, 10:28:12 »
MattBarszcz
Guest

Quote from: deajan on April 27, 2010, 13:01:03
Hello,

I've had quite the same trouble with RDP via m0n0. I had two gateways while playing around with m0n0, and forgot to change the main gateway of my server to my m0n0wall's IP address. Check whether you did the same.

Depending on the VNC program you have, it can be quite tricky when it changes ports automatically (RealVNC did that for no reason). Check out UltraVNC or TightVNC; they worked well for me.

Last question: what kind of modem do you have on m0n0's WAN port? Does it include a NAT/Firewall too? Does it lie in a Class A/B/C address space? If so, do not block RFC1918 networks in your WAN.

Cheers.

I am running UltraVNC and it is definitely set up correctly, because as I said, it worked with the old router. I simply took it out and replaced it with a m0n0wall setup. The IP of the computer running VNC is still the same, and I can still connect inside the LAN over port 6900 (so there shouldn't be any config issues there). (Really, with UltraVNC there isn't much to set up.)

I am running an old Westell 3100 DSL modem, which does have a gateway setting, but that has been disabled since the first 5 minutes I took it out of the box. I tried allowing RFC networks, but still nothing.


Since everyone seems to want to suggest that VNC is the problem, let's try another example. I have a wireless access point with a web GUI on port 80 with the LAN IP of 192.168.1.3. If I try to connect remotely to my WAN IP address on port 8080, I see a firewall block in the log. When I set up NAT to map TCP 80 on 192.168.1.3 to external port 8080, and try to connect again, the firewall shows blocked traffic this time to 192.168.1.3:80 (so the NAT knows where the traffic should be going). When I create a firewall rule to allow that traffic, the log shows that it is now allowed (not blocked), and while I get no errors in m0n0wall, I still have no connection remotely.

Something is bogus here. The NAT just isn't working right, for no reason I can see. It seems like I have the same problem as this guy: http://forum.m0n0.ch/index.php?topic=780.0 Is there something wrong with m0n0wall?

--Matt
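The outside-in check Matt describes above (a port scan against the WAN address, read alongside the firewall log) can be scripted so that the three possible outcomes are told apart, because they point at different places: a refusal means some host received the SYN and answered with a RST, while a timeout means the packet was dropped or, as in the wrong-default-gateway case from Reply #5, the SYN-ACK left the LAN by another path and never got back to the client. This is an added example, not code from the thread or from m0n0wall; the WAN address is a placeholder and the local listener helpers are constructed stand-ins so it can be run offline.

```python
import socket
from typing import Literal

State = Literal["open", "closed", "filtered"]


def check_port(host: str, port: int, timeout: float = 3.0) -> State:
    """Classify one TCP port as seen from the outside.

    open     - handshake completed: the forward reached a listener
    closed   - RST received: some host got the SYN and rejected it
    filtered - no reply: dropped by a firewall, or the SYN-ACK left the
               LAN via another gateway, so the client just times out
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:  # listed first: it is a subclass of OSError
        return "closed"
    except (TimeoutError, OSError):
        return "filtered"


def check_forwards(host: str, ports: list[int], timeout: float = 3.0) -> dict[int, State]:
    """Check the expected forwards plus a known-blocked control port in one pass."""
    return {p: check_port(host, p, timeout) for p in ports}


def start_listener(host: str = "127.0.0.1") -> tuple[socket.socket, int]:
    """Constructed stand-in for a forwarded service: a local TCP listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))  # port 0: the kernel picks a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for a port with no listener (connect gets a RST)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    WAN_IP = "203.0.113.10"  # placeholder (TEST-NET-3), not the poster's address
    # 443 is the known-good forward, 5900 the known-blocked control
    for port, state in check_forwards(WAN_IP, [443, 5900, 6800, 6900]).items():
        print(f"{WAN_IP}:{port} -> {state}")
```

Run it from a host outside the LAN; a "closed" result on a port the firewall log shows as passed means something on the path answered, which is worth comparing against what the log says the packet was translated to.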
« Reply #7 on: April 28, 2010, 12:03:02 »
rpsmith ***
Posts: 113

It's really a big security risk to open any ports for VNC when it's so easy to PPTP into your m0n0wall and VNC directly to your PC (192.168.1.101).

Roy...
« Reply #8 on: April 28, 2010, 14:53:10 »
deajan *
Posts: 5

Can you post a traceroute to, let's say, google from your computer that has VNC installed?
And a partial dump of your config.xml file? (Remove your ssh keys and IP.)

« Reply #9 on: June 21, 2010, 12:35:25 »
MartinX *
Posts: 1

Quote from: rpsmith on April 28, 2010, 12:03:02
it's really a big security risk to open any ports for VNC when it's so easy to PPTP into your m0n0wall and VNC directly to your PC (192.168.1.101).

Roy...

Roy,

You are not focused on the problem.
Dude has a problem forwarding some traffic based on port number. Later he can close all unnecessary ports.
I have the same problem with remote desktop, someone else with some other service...
I think that we need one "for Dummies" explanation, later all other cases will be just port swapping.

cheers