Topic: Port forwarding is not working

[mheymann]

I have a fully upgraded 7.X SME server and I am having a problem with my port forwarding
4 days ago we changed ISP's and changed the IP address of the server.
There have been several minor modifications to get differnet system to work as before
and yesterday they were.  Today they are not.  I hope the follow explaination will help

Network setup as follows
1) Line from ISP into router which has 14 static IP Addresses and does not do NAT or DHCP
2) Line from router into 8 port 10/100 ethernet hub
3) Line from hub to SME server in server/gateway mode and
    Lines from hub to 3 Win 2000 system that each have a static public IP address
4) Line from SME server to rest of network.
5) the 3 Win 2000 systems and 2 Win 2000 systems wit internal stacic IP addresses behind the SME sever
    that have VNC installed on them for remote connections
6) port Forwarding rules setup on the SME server for the 2 internal systems

I can connect to the 3 external systems with no problem.
I can connect to the the 2 internal systems from another internal system using
the static internal IP address
I can not connect to the 2 internal system using an external IP address

Some generic numbers to demonstrate

IP range from ISP  = 100.100.100.101 - 100.100.100.114 

router ip address = 100.100.100.101
SME server external address = 100.100.100.102
SME server Internal address = 192.168.100.5
SME server DHCP range = 195.168.100.10 -192.168.100.150

IP address of External System 1 = 100.100.100.103
IP address of External System 2 = 100.100.100.104
IP address of Externa Systeml 3 = 100.100.100.105

IP address of Internal System 1 = 192.168.100.200
IP address of Internal System 2 = 192.168.100.201

My internal test connection IP address is 192.168.100.15

SME server has the two port forwarding rules configured
 TCP     5945     192.168.100.200     5945
 TCP     5955     192.168.100.201     5955

From Web browser on test connection
100.100.100.103:5942 = good connection
100.100.100.104:5943 = good connection
100.100.100.105:5944 = good connection
100.100.100.102:5945 = bad connection (to SME then forward)
100.100.100.102:5955 = bad connection (to SME then forward)
192.168.100.200:5645 = good connection
192.168.100.200:5655 = good connection

For the bad connections the I get a message box that the server is taking too long to respond
It would seem that since the external system can be connected to the problem is not with the router
And since the internal systems can be connected by another internal system via an internal address
but not via an external address, the problem is most likely with the SME server
But I admit I don't really know and need help.

Mike

[JoshuaR]

SME server has the two port forwarding rules configured
 TCP     5945     192.168.100.200     5945
 TCP     5955     192.168.100.201     5955

I assume you made sure that something is listening on those ports on the internal PCs?  Also you've made sure that there are no firewalls or anything on the internal PCs that might be blocking? 

100.100.100.102:5945 = bad connection (to SME then forward)
100.100.100.102:5955 = bad connection (to SME then forward)

Is that the VNC viewer that is coming up with that?  If it is make sure the VNC server on the internal machine is set to listen on the correct port, and that widows firewall is turned off or the port that you are using is opened.

I made those bits bold 'cause I can't stress 'em enough. 

You might also consider forwarding the UDP ports of the same number to the same destination.

[CharlieBrady]

I assume you made sure that something is listening on those ports on the internal PCs?  Also you've made sure that there are no firewalls or anything on the internal PCs that might be blocking? 

Probably the most common cause of "port forwarding doesn't work" complaints is incorrect setting of default route on the machines being forwarded to. The default route on those machines must point back to the SME server.

[mmccarn]

Slightly off-topic - if you're using "virgin" VNC, you're sending lots of login info &c over the internet in plain text, as VNC does not encrypt data by default.

You can eliminate the need for port forwarding, and increase your security, by using an SSH tunnel to get your VNC data to all 5 servers.

If you download 'putty.exe' and put it in c:\windows on your remote system, you can get to all 5 systems at once using one putty command that would look like this:
- Start, Run
- putty -l root -L 5942:100.100.100.103:5942 -L 5943:100.100.100.104:5943 -L 5944:100.100.100.105:5944 -L 5945:192.168.100.200:5945 -L 5955:192.168.100.201:5955
(above command should all go in the "Open:" box on one line)
- now connect to each system at "localhost":
  - localhost:5942
  - localhost:5943
  - localhost:5944
  - localhost:5945
  - localhost:5955

[JoshuaR]

On the slightly off topic note, wouldn't it just be simpler to set up a couple of accounts with vpn access on SME, and then just have people conecct the vpn and use the local IP of the machine with VNC? That would be secure an not as much work...