VNC Connection to DMZ through pfSense

Joined Jun 24, 2016 · Messages 8
Hi All,

New to these forums, so hopefully I've got the correct subforum! :)

I'm running pfSense at home to protect my Personal network (which connects via AirVPN for the internet).
However, on the other side of this firewall is my family's home network, in which is a Windows machine running TightVNC server.

I need to poke a hole from my Personal network, through the pfSense box and straight to this server; I suspect some of the routing might need tweaking too.

My Personal Network (LAN) is on : 192.168.1.0/24
My Family's Network (DMZ) is on : 192.168.0.0/24
The TightVNC server static IP is: 192.168.0.10
pfSense LAN (Personal Network) IP: 192.168.1.252
pfSense WAN (Family Network) IP: 192.168.0.252
ISP Gateway (Family Network) IP: 192.168.0.253

At the moment, pfSense is routing all valid traffic that is not on my Personal Network out over the VPN. There are rules in place to stop things going out that shouldn't.

[screenshots of the current pfSense configuration: upload_2016-6-24_19-43-52.png, upload_2016-6-24_19-35-34.png, upload_2016-6-24_19-38-58.png]


Could someone more knowledgeable than I advise what I need to change (at the moment I can't even ping the VNC server) in order to get this to work?

Many Thanks

Jon
 
Just for clarification, I've attached a pic of my network setup.
I can't ping or otherwise access anything in the DMZ from the LAN (except, strangely, my Internet GW box - both ping and the web UI).

I'm obviously missing a pass rule somewhere but it's eluding me.

Cheers

Jon
 

[attachment: MyNetwork1.png]

bman212121 ([H]ard|Gawd) · Joined Aug 18, 2011 · Messages 1,815
I don't actually see a rule in any of that which would allow it to work.

If you're going from anything internal to anything else internal, you are probably not using NAT. So none of those outbound NAT rules mean anything for what you are trying to accomplish.

The only thing you need to do to make this work is add another rule under Firewall > Rules > LAN. You want a rule that says your source address of LAN Net (meaning LAN subnet) can talk from any source port (since it's randomized) to a destination of the DMZ IP address of that server, on port 5900. Off the top of my head I can't remember if that's TCP or UDP, so when in doubt I just use both.

It should look something like this:

[screenshot of the LAN rule: a0gidu.jpg]


I chose 192.168.0.10 as the single host that the rule allows traffic to flow to, but you can pick any IP that you need.

The config screen should look like this:

[screenshot of the rule edit screen: t0qjbq.jpg]


(Ignore the comment for OPT1, in your case that will be DMZ)



FYI, that still won't let ping work, but you can put in another rule that says source LAN Net, destination DMZ Net, and Protocol ICMP. That will allow any PC in the LAN subnet to ping any PC in the DMZ subnet, but not the other way around.
 
Thanks bman,

I added the rule as suggested (makes sense to me), but still can't connect.
I tried broadening the rule so anything on LAN could see anything on the DMZ:

[screenshot of the broadened LAN rule: upload_2016-6-26_12-42-45.png]


This didn't work, I have 0 access to the DMZ apart from the GW.
Something else is missing I think.

Edit: More accurate network diagram below (not that it really changes anything)

[network diagram: MyNetwork1.png]


Cheers

Jon
 

Dawizman (Gawd) · Joined Jul 9, 2003 · Messages 888
Is the pfsense box the default gateway for the devices on your family's network?

If not, you will need a static route in either their router or their devices, or you will have to set up an outbound NAT rule.
 
Thanks Dawizman,

These are my current outbound NAT rules:

[screenshot of the outbound NAT rules: upload_2016-6-26_17-26-58.png]


So if I'm understanding correctly, I need a new rule on the LAN interface allowing traffic from LAN net to DMZ net? (restricting to port 5900 for VNC if needed?)
Would that be in conjunction with the LAN rule I created earlier or instead of it?

Cheers

Jon
 
Yep, adding the Outbound NAT rule for 192.168.1.0/24 to 192.168.0.0/24 on the DMZ interface did the trick.

Thanks guys for your help!

Jon
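Putting the thread's advice together, as an added example that is not from any of the posters: a small Python model of a first-match LAN ruleset (the two rules bman212121 described) and of where the VNC server's reply goes with and without the outbound NAT rule Jon ended up adding, or the static route Dawizman mentioned. The addresses are the ones in the thread; the LAN client address 192.168.1.20 is constructed, and the model assumes the VNC server has only a default route via 192.168.0.253 and that the ISP router has no route for 192.168.1.0/24 unless one is added.

```python
"""Model of the LAN -> DMZ VNC problem from the thread.

Added example, not code from the thread or from pfSense. It models two things:
  1. a pfSense-style first-match ("quick") interface ruleset, default block;
  2. the return path of the VNC server's reply, which is what the firewall
     rule alone cannot fix when pfSense is not the DMZ hosts' default gateway.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

# Addresses as given in the thread.
LAN_NET = ip_network("192.168.1.0/24")
DMZ_NET = ip_network("192.168.0.0/24")
PF_DMZ_IP = ip_address("192.168.0.252")   # pfSense's address on the family network
ISP_GW = ip_address("192.168.0.253")      # the family network's default gateway
VNC_SERVER = ip_address("192.168.0.10")
LAN_CLIENT = ip_address("192.168.1.20")   # constructed LAN client address


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst: IPv4Network              # a single host is a /32
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "any" or self.proto == pkt.proto)
                and pkt.src in self.src and pkt.dst in self.dst
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet no rule matches is blocked."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# The two rules from the thread: LAN net -> 192.168.0.10:5900 (TCP and UDP, since
# the poster was unsure which) and ICMP from LAN net to the whole DMZ net.
LAN_RULES = [
    Rule("pass", "tcp", LAN_NET, ip_network("192.168.0.10/32"), 5900),
    Rule("pass", "udp", LAN_NET, ip_network("192.168.0.10/32"), 5900),
    Rule("pass", "icmp", LAN_NET, DMZ_NET),
]


def reply_reaches_pfsense(nat_on_dmz: bool,
                          isp_router_routes: Dict[IPv4Network, IPv4Address]) -> bool:
    """Where does the VNC server send its reply to the LAN client?

    Without outbound NAT the reply is addressed to 192.168.1.20. Assumed: the
    server only has a default route, so it hands the packet to the ISP router,
    and the reply comes back only if that router has a route for 192.168.1.0/24
    via pfSense (Dawizman's static-route option). With outbound NAT on the DMZ
    interface the client appears as 192.168.0.252, which is on the server's own
    segment, so the reply goes straight to pfSense, whose state entry for the
    connection undoes the translation.
    """
    reply_dst = PF_DMZ_IP if nat_on_dmz else LAN_CLIENT
    if reply_dst in DMZ_NET:
        return True                         # delivered on the local segment
    # Server's default route points at the ISP router; check its routing table.
    for net, gateway in isp_router_routes.items():
        if reply_dst in net:
            return gateway == PF_DMZ_IP
    return False                            # no route back: reply is lost


def vnc_session_works(rules: List[Rule], nat_on_dmz: bool,
                      isp_router_routes: Dict[IPv4Network, IPv4Address]) -> bool:
    """Both halves are needed: the LAN rule must pass the SYN and the reply must
    find its way back to pfSense."""
    syn = Packet(LAN_CLIENT, VNC_SERVER, "tcp", 5900)
    return (evaluate(rules, syn) == "pass"
            and reply_reaches_pfsense(nat_on_dmz, isp_router_routes))


if __name__ == "__main__":
    print("rule only, no NAT/route:", vnc_session_works(LAN_RULES, False, {}))
    print("rule + outbound NAT on DMZ:", vnc_session_works(LAN_RULES, True, {}))
    print("rule + static route on ISP router:",
          vnc_session_works(LAN_RULES, False, {LAN_NET: PF_DMZ_IP}))
```

The model reproduces the thread's outcome: the LAN rule alone passes the connection attempt but the session still fails, because the DMZ host's reply goes to its own gateway rather than to pfSense; either the outbound NAT rule on the DMZ interface or a static route on the ISP router fixes the return path. Of the two, the static route keeps the real client address visible in the VNC server's logs, while NAT hides every LAN host behind 192.168.0.252.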
 