SOLVED: Use jail to NAT traffic from VPN to specific machine

Grinas

Contributor
Hey,

So I have a machine on my network that I have limited control over. This VNC machine only allows access to it from its local subnet. The problem is that when I'm out and about I can access my environment over VPN, but I cannot access this one.

I want to be able to configure a jail to NAT the connection to the machine, so the VNC machine thinks the traffic is coming from my local network and not my VPN network. The only port I really need NAT'd is the VNC port, 5900.

So here is what I am trying to achieve, using info I found on other threads:
VPN network 10.99.8.0/24 ---> Jail 192.168.0.63 (NAT traffic) ---> VNC machine 192.168.0.85

I have tried messing about with the IPFW rules but so far have had no joy.

Here is what I have in my /etc/rc.conf
Code:
# Enable Firewall
firewall_enable="YES"
firewall_script="/usr/local/etc/ipfw.rules"
# The jail has to forward packets between the VPN side and the LAN side
gateway_enable="YES"


and here are the contents of /usr/local/etc/ipfw.rules
Code:
#!/bin/sh
ipfw -q -f flush
# One NAT instance for both directions, masquerading as the jail's LAN address (ipfw_nat.ko must be loaded on the host; a jail cannot kldload it)
ipfw -q nat 500 config ip 192.168.0.63
ipfw add 100 nat 500 ip4 from 10.99.8.0/24 to 192.168.0.85 out via epair0b
ipfw add 101 nat 500 ip4 from 192.168.0.85 to 192.168.0.63 in via epair0b
# Default rule is deny, so allow everything else. VPN hosts must route 192.168.0.85 via 192.168.0.63 or nothing arrives here at all
ipfw add 200 allow ip from any to any


Any help would be much appreciated.
 

sretalla

Moderator
Sounds like you could just run nginx and reverse proxy a TCP stream of port 5900...
 

Grinas

Contributor
Sounds like you could just run nginx and reverse proxy a TCP stream of port 5900...
Is it not possible to do this with IPFW, so?
 

sretalla

Moderator
If you search the forum for IPFW, you'll probably find a bunch of posts saying that it's not a good idea to use IPFW. I agree with those.

A reverse proxy will do the job well.

Your nginx config would be as simple as:

Code:
# stream {} sits at the top level of nginx.conf, alongside (not inside) http {}
stream {

  upstream vncserver {
    # the VNC machine's LAN address (192.168.0.85 in this thread)
    server 10.0.0.1:5900;
  }

  server {
     listen      5900;
     proxy_pass  vncserver;   # the directive is proxy_pass, with an underscore
  }
}
 
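Both the NAT jail and the reverse proxy make every VPN client look like 192.168.0.63 to the VNC host, so the VNC host's own "local subnet only" restriction no longer limits who can reach port 5900; whoever can reach the jail can reach VNC. The configuration below is an added example, not code from the thread or from either poster: it puts that restriction back on the proxy with the stream access module's allow/deny directives, using the thread's addresses (VPN 10.99.8.0/24, jail 192.168.0.63, VNC host 192.168.0.85). The timeout values are assumptions.

```nginx
# Added example (not from the original thread): TCP reverse proxy for VNC with a
# source-address allowlist, so the proxy re-applies the access control that
# NATing/proxying removes from the VNC host.
stream {
    upstream vncserver {
        server 192.168.0.85:5900;      # the VNC machine that only accepts local-subnet clients
    }

    server {
        listen 192.168.0.63:5900;      # bind only to the jail's LAN address
        allow  10.99.8.0/24;           # VPN clients (ngx_stream_access_module)
        deny   all;                    # everyone else is refused before any bytes reach VNC

        proxy_connect_timeout 5s;      # assumed value: fail fast if the VNC host is down
        proxy_timeout         1h;      # assumed value: idle VNC sessions are dropped after this
        proxy_pass vncserver;
    }
}
```

The VNC host now sees every session as coming from 192.168.0.63, so its own logs no longer tell VPN clients apart; if you need that record, log `$remote_addr` from nginx's stream log instead.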

Grinas

Contributor
I wasn't aware of that.

I managed to figure out how to do it with my firewall; it was a lot easier than I expected in the end.

Thanks for the help.
 