Solved

How to set up Real VNC to access PCs running behind a 2Wire gateway

Posted on 2006-06-10
31,103 Views
Last Modified: 2013-11-16
I have set up and used VNC successfully on multiple systems using Linksys or Netgear routers. Here is my problem:

Example:
Client has 2 PCs in their office, sharing internet and networked together using SBC/ATT DSL on a 2Wire Gateway, model # 2700HG-B. I have set up the firewall on the 2Wire using tips from www.portforward.com:

http://portforward.com/english/routers/port_forwarding/2wire/2700HG-D/VNC.htm

If I connect my laptop (using the VNC Viewer) directly to this private network I can connect using the 192.168.1.X IPs of the 2 PCs (running the VNC Server service) without any issues.

But if I enter the public IP, say 66.64.20.X, of the 2Wire, which is set up in the firewall settings of the gateway to forward to the specific ports on the specific PC, I can't access any of the PCs. I have checked all firewall settings; port 5900 is excluded from being blocked and so is the VNC Server service.

Per the portforward.com setup procedure, I made sure ports 5500, 5800 and 5900 are open for both UDP and TCP. This doesn't make sense, since I can remotely access my PCs which are set up behind a Linksys router, and the only port I opened up is 5900.

Any ideas would be appreciated.

I need a setup to allow access to any VNC server I set up running on all supported Windows platforms (Win 9x, Win NT, Win 2K, Win2k3 Server, Win XP, Win Vista Beta (not as important as the others)).

I only seem to have this port forwarding/setup problem when clients use any model of the 2Wire Gateway. The setup is goofy and confusing.
Question by:kcham44
31 Comments
 
Expert Comment by: callrs (LVL 30)
Using your public IP within your LAN doesn't work -- It doesn't work for Apache web server either.
I know of no way around this. (I doubt there is a way, unless maybe by proxy?)
To access VNC within your LAN, you need to enter the local IP address of the VNC server, not the public IP address.

Expert Comment by: callrs (LVL 30)
Connecting through a different network -- from a different public IP address -- ought to work though. Have you tested this to see if it does?

Author Comment by: kcham44
I need to access PC1 (192.168.1.XX1) behind the 2 Wire. I am connecting to this 2Wire right now wirelessly with my laptop so am physically on the same private network as PC1. My laptop is assigned 192.168.1.XX2

I can access my server from PC1 using VNC viewer. TEST OK
I can access my server from my laptop VNC viewer. TEST OK
so...I tried this to see if my server can view PC1

I used my laptop to connect to my server (remote server, using a different external IP at my office).
From that connection I opened the viewer and input the 2 Wire's public IP which is set to forward port 5900 to PC1.

and I got nothing!

I also see a setting on the 2 Wire advanced settings (not sure if this would affect it):

Check ENABLE to allow broadband IP addresses to be used on the local network.
 Broadband Network: XX.230.80.XXX / 255.255.254.0
 Subnet Mask:   BLANK

I enabled it and set the Subnet to 255.255.255.0

but still nothing.

Author Comment by: kcham44
"To access VNC within your LAN, you need to enter the local IP address of the VNC server, not the public IP address."

I know this works fine.

"Connecting through a different network -- from a different public IP address -- ought to work though. Have you tested this to see if it does?"

I tried from my office earlier today, different public IP, and now, as I stated above, connected to my server and tried to connect from there to PC 1, and no luck.

I'll keep trying anything and everything, keep sending ideas please.

I'm sure there must be a way, as I stated this works fine for every other router/gateway I have tried...except for this stupid 2Wire.

Expert Comment by: GinEric (LVL 12)
Two points here:

01.)  you did not define your acronym, therefore, the question is confused
02.)  authoritative sources disagree on what "VNC" means

These links will help you:

VNC=Virtual Network Channel
http://www.microsoft.com/resources/satech/cer/GettingStartedMNU.asp

VNC may also refer to Virtual Network Computing, although it's doubtful that this software group has any right to claim the acronym as original
http://en.wikipedia.org/wiki/Virtual_Network_Computing

which shows that even Bell Labs and WikiPedia are not so scholarly as they may think.  I believe Microsoft has the original and correct meaning.  And for AT&T and Bell Labs information, VNC goes back before the 1960's.  This:

"RealVNC is a UK company founded in 2002 by the team that invented VNC."

from http://www.realvnc.com/index.html is an outright lie.  They did not invent "VNC" they created a "Virtual Network Computing" program.  Programs can't be "invented" they can only be created.  Apparently, these guys and Bell Labs and AT&T don't know the difference between an invention and a creation, patent law and copyright law.

Will newspeak never cease to amaze me from the scholarly academics . . .

VNC, the first acronym, the real acronym, works like this:

Private IP Address <-->Unique Public Static IP Address <--Internet--> Second Unique Public Static IP Address <--> Private IP Address

All forwarders post encryption, pre decryption, must be pass through, that is, no translation, so, you can't put things like NAT and PPPoE translators in-between the public routes.  Between Private and Public, outgoing is NAT first, then encryption, and incoming is decryption first, then NAT.  Any other translation in the path will break the cypher [encryption/decryption].

You do not need VNC, either kind, with Apache when you use https because https is VNC.

And on the link you gave, about setting it up, portforward.com seems to be playing games like "Age of Empires" and others over VNC; now there is a real waste of bandwidth!  I would suspect that if the site doesn't know you don't use VNC for games, they don't know much about setting up VNC either.

Why do you even need VNC within your LAN?  Is there that much surveillance inside the private network or is someone remote observing users there?

Lastly, most people get confused on VNC and the use of VPN [Virtual Private Network].  That's actually the cyphered one, while VNC may or may not be cyphered, but it has come to pass that most are, thanks to things like selling Virtual Network Computing as VPN, which it is not.

But most people, even some experts, think of VPN when they see VNC.  It's the undefined acronyms that have made this mess.

True VNC does not require cyphers at all, and perhaps that is what the gamers are talking about here, a simple locked down static type routing pipe for gameplay.

Author Comment by: kcham44
wow, that's a lot of info.

Let me define my question and the purpose of the resolution I seek.

1) By Real VNC I meant the program used for remotely accessing other networked computers.
2) I need to use VNC to remotely support clients behind their firewall. Nothing complicated, just basic access. I use Real VNC because it works and does the job I need. This is where my question starts...

How do I make VNC play nice with the 2Wire's port forwarding to be able to access any private networked PC, behind any 2Wire device, from my laptop no matter where I happen to be...either in another country, down the block or sitting right next to the user on their private network connecting to a 192.XX.XX.XX IP.

Please, I am not interested in the history behind all this, although interesting and insightful. All I need is help in setting up the 2Wire Gateway to allow remote access.

Thank you for taking the time to answer my question. I am off to read about VNC at the links you provided until someone can answer this.

Don't take my comments as sarcastic or ungrateful. It's 2 AM in California and I need to sleep.

Author Comment by: kcham44
FYI, the 2Wire gateway, in this case, uses a dynamic IP acquired using: Connection Type: PPPoE.

Does this help?

Expert Comment by: callrs (LVL 30)
"Accessing more than one computer  
 
If you have more than one computer behind your router, you will need to assign each one a different external port. For example, if you want to access computers A and B, which are behind the same router, you could configure your router to forward port 5900 to A:5900 and port 5901 to B:5900. Some routers do not allow the external and internal port numbers to be different; in this case you would have to reconfigure the VNC Server running on B to accept connections on port 5901 and configure your router to forward port 5901 to B:5901.

From outside your LAN, you can connect to A using router-ip:0 (or just router-ip) and to B using router-ip:1, where router-ip is the IP address of your router, as determined in the previous section. "
 
from: http://www.realvnc.com/support/portforward.html

Expert Comment by: callrs (LVL 30)
Basically, if you have more than one VNC server on the same network, you have to work with ports 5900,5901, 5902...     and 5800,5801,5802...
Then to access the VNC server, you need a colon & a number after the ip: 66.64.20.X:0, 66.64.20.X:1 ...  etc. or 192.168.1.X:1  etc.

Expert Comment by: callrs (LVL 30)
oops, make that 66.64.20.X:5900   66.64.20.X:5901 ...

Author Comment by: kcham44
I understand what you are saying, but my problem is not with ports. The 2Wire Gateway is somehow not able to support it from an external IP, since internally, it forwards port 5900 correctly to PC1.

Real VNC server service is started, set to accept incoming connections on port 5900.

The 2Wire was setup this way per the portforward link from my original post.

http://portforward.com/english/routers/port_forwarding/2wire/2700HG-D/VNC.htm

If you read the info there, I set up the 2Wire port forwarding the way they recommended (VNC1-VNC6, for ports 5500, 5800 and 5900 for TCP and UDP).

Originally I had set up only port 5900/TCP to be forwarded to PC 1. The 2Wire, unlike standard routers, does not have an option to manually enter the IP you want to forward to; it just lists the PCs connected to it in a drop-down and you choose the PC. See the image at this link. So I added my VNC1-VNC6 and added them to the "HOSTED APPS" on right side and saved. Presto...everything should work...but NO SOUP!

The problem is the 2 Wire or the way it handles forwarding or as you said the PPPoE in the middle screwing up the translation.

And like I have already mentioned, I know I always use port 5900 TCP on any other router (LINKSYS, NETGEAR, etc) and this works fine.

Can you explain or answer the problem with the 2Wire...that is all I need!

Thanks!

Expert Comment by: callrs (LVL 30)
OK working on your problem...
This is what I found so far:
- For REALVNC you only need to forward ports 5900 TCP & UDP See http://www.portforward.com/english/routers/port_forwarding/2wire/2700hg/RealVNC.htm. This shouldn't matter though, but you can try removing the other ports that you forwarded.

- Now, you said there's two client PCs. Do both have RealVNC server? Try, for now, disconnecting one computer from the network (or turn the computer off) & see if you can connect to the other computer at least.

- Now here's what's confusing me: If you are forwarding to ONE computer, I don't see how you will be able to connect to the OTHER from outside the LAN. From my viewpoint, you can only connect to one. Read the quote, in my post above, about port forwarding very analytically...  But this aside, just try to connect to the one computer that DOES have port forwarded to it. It should work!

Expert Comment by: callrs (LVL 30)
Re: Dynamic IP
You of course would need the current IP. Sometimes IP addresses change every few minutes!
Here's a log of when it changed recently: changed AT LEAST every 10 minutes, since my script only checks it at 10-minute intervals:
   2006-06-11  05.24.16
   2006-06-11  05.34.19
   2006-06-11  05.44.16
   2006-06-11  06.04.16
   2006-06-11  06.14.16
4) Have you heard of dynamic DNS clients & giving a name to your IP (e.g. free at www.dnsmadeeasy.com ) ? If not, look these up later, since they are essential for accessing computers with dynamic IPs.

5) Also, when you type in the IP from outside the LAN, do you follow it with ":5900" for computer A, and ":5901" for computer B? I haven't used VNC in some months, but I think that would be right...

6) Finally, have you done a VNC setup before with more than one VNC computer on the LAN? I ask to gauge how much info I need to supply to you. Thanks.

Author Comment by: kcham44
Correct in this case. I am only connecting to 1 PC (PC1), running Windows XP. VNC server is running on this PC behind the 2Wire. I have set up port forwarding for the 6 different ones suggested by portforward.com; originally I had only 5900/TCP set up to point to PC1, and the firewall settings on the PC are set up to exclude blocking port 5900/TCP, and also the VNC server service (this same setup works fine on NON 2Wire routers).

I have tried for 2 weeks, does not work. My father-in-law also has a 2Wire, and I have tried setting up his gateway and can't access it from any PC using the viewer from ANY outside IP...but internally works fine (192.xx.xx.xx).

I know about connecting from an external IP to a private network and accessing multiple PCs since I have another client using a LINKSYS 8 port VPN router...I use 5900 for main server, then all the other PCs are 5910-5930 (1 port for each PC, and each PC is running the VNC server corresponding to its specific port).

This 2Wire thing has me baffled.

I see another 2 settings in the gateway, not sure how that can affect me (I think it may have something to do with the external IP of the 2Wire router). Here is a breakdown to clear up some facts, let me know if you need anything else:

2Wire settings(assume 69.230.59.XXX is the 2Wires external IP, verified on www.whatismyip.com):

***********************
A)The Private network:

 192.168.1.0 / 255.255.255.0 (default)

B)Public Network:
Check ENABLE to create a route from the Internet to the public network specified below.
 Router Address:  
 
 Subnet Mask:  

this is disabled

C)Bridge Network:
 it lists: Broadband Network: 69.230.59.XXX / 255.255.255.224

Bridge is disabled!
**********************
Now Current Settings:

Private Network
Router Address: 192.168.1.254
Subnet Mask: 255.255.255.0
DHCP Range: 192.168.1.64 - 192.168.1.253
 Allocated: 2
 Available: 188
 
Device List
  PC1: 192.168.1.100 (I had this as the static IP and now it picked it up DHCP, will likely get .64 or .66 on reboot)
  MyLaptop: 192.168.1.65

************************

Internet Connection Details
Connection Type: PPPoE
Username: XXXXXXXXXXX@sbcglobal.net
Internet Address: 69.230.59.XXX
Subnet Mask: 255.255.255.255
Default Gateway: 69.230.63.254
Primary Domain Name Server: 68.94.156.1
Secondary Domain Name Server: 68.94.157.1
Domain:  
Maximum Transmission Unit (MTU): 1492
Gateway Ping: Successful
DNS Communication: Successful
Configuration Server Post: Successful
*****************************

Now I see 3 different subnet masks:

Bridge Option:255.255.255.224
ISP:255.255.255.255
private network:255.255.255.0

could this and/or the PPPoE be the cause?

By the way what router /gateway do you use if any?






Author Comment by: kcham44
I'm going fishing...will return tonight around 10PM PST...thanks for all your help so far...I know we can figure this out. I will try ATT support as well and see if I can email VNC support, not sure if free version gets any support...hehe. Best place is still EE though.

have a great Sunday. I'll post some pics of any fish I catch.

:-)

Expert Comment by: callrs (LVL 30)
I use a wired Netgear, but it lacks "trigger ports" which are helpful to avoid keeping certain ports open all the time. My next router hopefully will have the trigger-port capability :)
Is your router a 2002 model? The prices have gone way down while the quality has gone way up for new routers. If you can afford to spend $50, it may well be worth it to get a newer model.

In the meantime, I'm quite interested in resolving this issue. But if there's no resolution, then read the store fliers, or shop online like at BestBuy etc. to fetch a new router at half price when it goes on sale...

------
Re: "are setup to exclude blocking port 5900/TCP" --> What about UDP? ( I doubt it will matter though. )

------
New info. I downloaded the 2Wire 2000-series manual (http://www.2wire.com/?p=266). It has this to say:
Remove or Disable Conflicting Applications

Internet sharing software and PC based firewall applications typically interfere with the 2Wire gateway, and should be removed or disabled before you install the gateway. The 2Wire gateway provides the same features as the products listed below. If you have any of the following (or similar) applications installed on your computers, remove or disable them according to the manufacturer’s instructions before proceeding.

Internet Sharing Applications: Microsoft Internet Connection Sharing, Intel Anypoint ISS, 3Com HomeClick
Proxy Software: Wingate Sygate
Security Software: Norton Internet Security, Black Ice,  Zone Alarm

Expert Comment by: callrs (LVL 30)
Fish have feelings too...I was nice to you, wanted to help you. Fish don't hurt anyone, why hurt them ?

Expert Comment by: masnrock (LVL 20)
The author has two machines set for forwarding. You'll notice he set the forwarding of the ports twice (VNC1-3, VNC4-6). Port 5500 is for the server initiated connections (where the viewer side runs VNC in listen mode). But indeed 5900+N is what you use for normal incoming. 5800+N is for outgoing traffic.

What mode is the router operating in? Bridging or routing? I've seen issues arise with forwarding at times. Other than that though, your settings look good.

GinEric - RealVNC was started *after* AT&T shut down the lab that the VNC program was at (which mind you was NOT Bell Labs). However, that's not the important thing here, as much as resolving the issue at hand. However, based on port numbers alone, it stands out that it's the VNC that AT&T had created.

Author Comment by: kcham44
NO software based firewalls. The reason I don't go buy a new router is the clients already purchased the 2wire (DSL MODEM/GATEWAY/ROUTER). This was supplied by SBC/ATT for their DSL service.

Here is the other thing that makes no sense. In the list of supported APPS to setup, VNC is listed with port 5900/TCP. This is on the 2Wire. I tried selecting that as well, no VNC connection from remote.

I must find the answer, either positive or negative. The 2Wire is set in Routing mode. Not sure of the model but it matches the pictures in the manual.

I will attempt support with VNC, ATT and 2Wire and list my findings.

Thank you so much.

by the way, I went fishing, but did not actually catch any fish...best part was spending time with family at the lake.

Expert Comment by: tommoran (LVL 1)
Don't need any of that stuff.  Just use this.  www.helpdeskvnc.com

Expert Comment by: GinEric (LVL 12)
kcham44, sorry about your fishing trip; we just got back with a cooler full of Black Sea Bass [dinner for a few days this week!]

Yeah, it's what they call RealVNC;  I got that.

Okay, the pictures you showed, kcham44, showed the NetBIOS name being preferred over the IP Address for configuration, ewwww,  a really bad idea, and may be the cause.

Author Comment by: kcham44
Eric,

Where do you see that? The NetBIOS preference?

Author Comment by: kcham44
Eric,

Can you please explain what you meant, your explanation was sort of unclear, not sure where you see that.

Does anyone else have any suggestions?

Accepted Solution by: GinEric (LVL 12), earned 500 total points
Generally, NetBIOS over TCP/IP will get the NetBIOS [Windows] name and information first, rather than the DNS name and information.

If you do a "ping -a" on an IP Address and you get only a NetBIOS name, then the DNS name is not seen as a Fully Qualified Domain Name host.

In the link you provided, http://portforward.com/english/routers/port_forwarding/2wire/2700HG-D/VNC.htm, it basically shows the machines as their NetBIOS name, and not the full hostname.domain.tld, look at the "Edit Firewall Settings" and see that the name appears to be flasher-zx1znpx for the computer hosting through the Firewall.  I'm just suggesting that the 2wire NOLOGON-D is using NetBIOS names, which will probably not work over remote connections.  And if it's dependent upon NetBIOS, it would seem to be strictly for LAN connections, not remote ones.  If it can translate and forward, yes, it might work, but DNS across the Internet is not going to find your machine by NetBIOS name.

If this is true, you may not be able to accomplish it.

Author Comment by: kcham44
Thanks I will verify this with ATT and or 2Wire. That would stink.

Author Comment by: kcham44
Thanks GinEric,

I will just disable the 2wires firewall and add another router to achieve what I need.

Thanks again.

Expert Comment by: GinEric (LVL 12)
Welcome.

Expert Comment by: aktharchowdhury (LVL 7)
Take a look at this document for vnc port forwarding on the 2wire router.

http://portforward.com/english/routers/port_forwarding/2wire/2700HG-D/VNC.htm

Author Comment by: kcham44
that link was in my original question.

Expert Comment by: fabEng
My SBC global 2 wire router is a 3600HGV-B model.

I was having about the same problems. I used Settings -> Firewall and -> Applications, Pinholes and DMZ's section to select my desired computer inside the router's local network, then set up a user defined application "VNC" for some ports 5900-5901, but then using the program at  http://www.canyouseeme.org/ to ping a port I tried pinging 5900 but got "Connection refused".

But when I looked at the log at sbc 2 wire router Settings -> Logs, Filter for firewall. I saw the router was letting 5900 in by but the VNC server on my target computer on the local side of the firewall was itself rejecting 5900. I tried 5901 and then "canuseeme.org" ping said "accepted" So my "tight VNC" server on my linux box wanted to see 5901 and by the way the ip for this one is just the global ip provided by sbc plus a colon and a 1 (the 1 is for 5901)

So it worked and I got in !

Regards,
fabEng
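
The check described in the post above (is the gateway passing the port through, and is a VNC server really listening on it?) can be scripted. This is an added example, not part of the original thread: the function names, the sample address 203.0.113.10 and the rule that a number below 100 after the colon is a display number are assumptions. Run it from a network outside the LAN, since the public address does not answer from inside, as noted earlier in the thread.

```python
import socket
import sys

RFB_GREETING = b"RFB "  # a VNC server speaks first, e.g. b"RFB 003.008\n" (12 bytes)

VERDICTS = {
    "open-vnc":   "forwarding works and a VNC server answered",
    "open-other": "port is open but the service sent no RFB greeting",
    "refused":    "packets arrive, but nothing listens on that port "
                  "(check the server's display, e.g. 5901 instead of 5900)",
    "filtered":   "no reply at all: dropped by a firewall or never forwarded",
    "error":      "could not even try (name lookup or local network problem)",
}


def parse_vnc_target(target, base_port=5900):
    """Turn 'host', 'host:N' or 'host::port' into (host, tcp_port).

    Assumed viewer convention: N below 100 is a display number (port
    base_port + N), anything larger is a raw port. Hostnames/IPv4 only.
    """
    if "::" in target:
        host, port = target.split("::", 1)
        return host, int(port)
    host, sep, num = target.partition(":")
    if not sep:
        return host, base_port
    n = int(num)
    return host, (base_port + n if n < 100 else n)


def probe(host, port, timeout=3.0):
    """Classify a TCP port by where the connection attempt dies."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:   # a reset came back from the far end
        return {"state": "refused", "banner": None}
    except socket.timeout:           # silence: packets were dropped on the way
        return {"state": "filtered", "banner": None}
    except OSError:                  # DNS failure, no route, and similar
        return {"state": "error", "banner": None}
    banner = b""
    with sock:
        try:
            while len(banner) < 12:  # length of the RFB version message
                chunk = sock.recv(12 - len(banner))
                if not chunk:
                    break
                banner += chunk
        except OSError:              # includes a read timeout
            pass
    state = "open-vnc" if banner.startswith(RFB_GREETING) else "open-other"
    text = banner.decode("ascii", "replace").strip()
    return {"state": state, "banner": text or None}


def check(target, timeout=3.0):
    """Parse a viewer-style target, probe it and attach a plain verdict."""
    host, port = parse_vnc_target(target)
    result = probe(host, port, timeout)
    result.update(host=host, port=port, verdict=VERDICTS[result["state"]])
    return result


if __name__ == "__main__":
    # Constructed default: displays :0 and :1 on this machine. From outside the
    # LAN, pass the gateway's public address instead, e.g. "203.0.113.10:1".
    for tgt in sys.argv[1:] or ["127.0.0.1:0", "127.0.0.1:1"]:
        r = check(tgt)
        print(f"{r['host']}:{r['port']:<5} {r['state']:<10} {r['verdict']}")
```

A "refused" result on 5900 next to "open-vnc" on 5901 is the situation in the post above; "filtered" on every port points at the gateway's firewall or the forwarding rule instead.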