Dynamic DNS on surf soho for webserver & VNC behind ISP router

So to connect to VNC on your MAC, you’ll need to tell VNC viewer to use the xxx.202.53.79 IP of the fusionhub and then the non standard port of 40555 instead of 5900. Is that what you tried? If that doesn’t work, the most likely issue are your firewall rules. You have blocked everything inbound.

Yes this is fine. Your Fusionhub is connected to a very different WAN network than your SOHO’s WAN so its normal for them to have very different IP ranges and subnets.

This setting sends all traffic from any LAN device via the VPN connection so it breaks out at the Fusionhub. Effectively you are tunneling all your internet traffic out via your hosting provider.

There are pros and cons to this. The pro is that since the traffic is encrypted - nothing on the WAN of the SOHO can see or know what your traffic is or which websites you are visiting. It gives you privacy. It also means that even f you moved your SOHO to a different building or country, the IP address you are using to access the internet doesn’t change (since its the one in your hosting provider).

You are using a SOHO. On the Balance and MAX routers there is a concept of outbound policies where you can identify specific traffic types and IP addresses and send them over specific WANs and/or VPN connections. For the SOHO is either all or nothing.

Yes thats exactly what you want, and with the port forwarding setup that’s what you should get - you shouldn’t need to forward all traffic or specifically your VNC traffic yourself manually.

1 Like

Well happy new years everyone! I’ve got some new years nerd needs in getting this to work!

At the end of the day , I think i’ve spent over 75 hours, with weeks of trial and error trying to get this to work, and i think its time that I ask for some serious baby step walkthroughs or even a readymade config file from someone. The trial and error (with some minor successes, but temporary), has seemed so patternless, that I am starting to think that I might have a hardware problem.

As it is, I am barely getting any luck or consistency, just starting at the bare setup of connecting my instance to incontrol2, let alone the glitchiness of trying to get it to connect to PepVPN. Those two things alone literally took me an entire all-nighter… but something tells me it really shouldn’t be this difficult.

Now, So far, the only real consistent (partial) success that I am getting, is setting the pepvpn option to route all traffic through pepVPN to the instance. THAT, is literally the only thing that makes me feel sane, because it always works. When I hit the button, it always changes my ip address to the vultr ip address. WONDERFUL! Except… I don’t want it to route ALL my traffic. As we discussed, I just need it to route a single IP, or even VLan (so i cloud just hardwire my server to a Lan Eth port), and getting this to actually work, has proven to be one of the most difficult computer challenges I have faced. The amount of times I have gotten locked out of either my instance or surf soho because either a glitch breaking something, or a misconfigured setting would keep your head spinning for months!

So, lets assume that I have my pepvpn working (i don’t know what mode the vpn is in) with my instance and surf soho (because it actually is working right now, WOW!), how in the heck do I configure the following:

  1. The Firewall on the instance & the firewall on the Surf Soho

  2. An outbound policy to forward traffic from my server IP to the instance, without using the “Route all traffic to pepvpn” button.

3)Forward ports properly and open the firewall for those ports properly.

My trial and errors have consisted of using the VNC client on my phone, over and over and over again, to attempt connections to my mac, after every minor change has been made to a configuration on either the surf, or the vultr instance. Starting with the loosest security settings (no firwalls, all ports forwarded, etc. etc.), to then slowly tightening them up inch by inch, until the VNC client can no longer connect, and then trying to trace the most recent setting change back to the cause of why my VNC can’t connect with seeming normal firewall rules or forwarded ports. This has proven quite tedious. However, through this process, there are a few things that I think I have discovered in which I require an explanation, and/or elaboration on.

After a lot of trial and error, A few things that I “Thought” i had an understanding with,are now causing me to second guess the solidity of my knowledge. The First thing one of these things is:

1a) It was my understanding that not only do i forward ports from the Instance WAN IP address, directly to the local Mac IP, but I also wanted to open up the same ports from the same WAN IP in my firewall, so it allows external traffic into my network. However, the interesting part that I figured out, is that while it is true my ports need to be forwarded from my instance WAN IP, in order for the VNC client to work, I have learning that it is NOT True, that the firewall open ports also from the instance WAN IP. Instead, I have learned, that with the firewall on my instance completely open on all fronts, external traffic is still being blocked from accessing my instance, and thus, the forwarded ports on my Vultr WAN IP. Interestingly enough, I figured out that the only way to allow access from my phone’s vnc client to my surf soho, through my instance via pepvpn, is to track down my PHONES WAN ip (by going to whatsmyip.org), and entering the ip address of my phone into my incoming firewalls allow settings.

1b) Can someone please verify that this is normal, and if so, please explain why? It seems odd that with my firewall wide open, i still need to enter custom entries for external IP’s in order to allow devices into my network. Isn’t the whole idea of an external firewall to block or allow any ip’s on specified ports, but only for the WAN ip address? Why must I create a custom entry specifying each external devices WAN ip address? With all firewalls down, should that by default, let any traffic into my network regardless of weather or not it’s ip is specifically entered in the the “Allow” settings of the firewall? Any explanation would be greatly appreciated!

  1. I have barely. narrowed down my firewall rules to anything close to minimizing all attack vectors, but never the less, I have narrowed it down a little bit. In doing so, there are also a few odd quirks that made me question my understanding of the firewall.

a)It seems that with my vnc, the only way to get it working is to allow it to enter any port once it passes the Wan firewall. For some reason, the VNC is obfuscating its port path upon entering the router. In other words, I can’t forward port 5900 directly from the wan IP, to the mac’s LAN Ip. I can’t go from 5900 to -p 5900. Once the vnc reaches the inside of the router, it seems to constantly change ports, at which it enters the Lan VNC. So there is really no understood way for me to narrow down what internal ports it is actually using in order to close off all the ports it isn’t using. Instead, I just have this wide gap of open internal ports just to allow a vnc to use a single port that it randomly selects for some reason. Is there a way to identify what ports it is using, and a way to instruct it to not obfuscate its internal path?

b)Furthermore, it also seems as though the VNC Does not use the same port (5900) when exiting from the server to the client. Once again, it’s port path is unpredictable, and thus, I must “Allow all” ports going from the lan IP back out to the vultr instance IP. Why in the world is this acting this way, and how do i identify and tackle this problem?

This isn’t really an intact or polished post, as I have left quite a bit out, because well, I’m just exhausted and too tired to keep my head in this game today. But I wanted to get something out there in hopes that I might get some helpful responses, or even a gold mine of some professional config files that are already set up to utilize the illustrated configuration properly.

Any guidance and help is highly appreciated, and once again, sorry for the delay in my posts. Theres just only so much of this debugging that I can take in large doses.

Also, Sorry if i sound a little bitchy or irritated. I’m just very frustrated and my bloodshot eyes are encouraging me to give up! So if i came off negatively at all, I appologize!

Thanks everyone!

Might anyone have a follow up or some suggestions regarding this? Thanks everyone!!

It might be helpful if you drew a network diagram with ports, (representative) IP addresses and precisely stated objectives.

W.r.t. the VNC setup:

Martin described it earlier, but to recap:

  • On the fusionhub, set up a port forwarding rule from xx.202.53.79:5900 to (with portmapping for good measure if you want that obfuscation)
  • On the SOHO: Do nothing.

For the firewall: Set it up at the entry, i.e. the fusionhub. So, open your VNC port there, and nothing else. Your inbound rules on the SOHO should not affect VPN traffic - you can make them block everything (i.e., external traffic arriving via the WAN rather than the VPN).

W.r.t. traffic routing: Since your VNC sessions commence from a device accessing the fusionhub xx.202.53.79 address, that traffic will be across the VPN. Everything originating from the LAN will go out the regular WAN. Don’t touch the box on the SOHO for sending all traffic across the VPN.

Routers can be complex - random experiments are unlikely to yield success.

Have fun.

1 Like

Please consult section 10.1 (in the PepVPN chapter) of the FW7 manual. It may be a bit out-of-date (the current FW is 7.1.2).

Happy to help.


1 Like

One of my team members set up an apple remote desktop service via a fusionhub instance on vultr as an exercise. Works as advertised (incl. the port obfuscation):

↔ internet
↔ fusionhub (fixed IP) with port forwarding 59001-> [IP]:5900; 32831 → [IP]:3283,
where [IP] is the internal IP address of the desktop server server on the (remote) LAN.
↔ pepVPN across Verizon cellular
↔ Max HD2 (where [IP] is on the LAN)
↔ Mac remote desktop server at [IP].

If you are using Apple’s Remote Desktop then recall that two ports are required (forwarded/mapped): 5900 and 3283.



1 Like