[Fwd: RE: HELP! Router/Firewall with VNC Question]

Jerome R. Westrick jerry "at" westrick.com
Mon Apr 5 09:01:01 2004

-----Forwarded Message-----
From: Jerome R. Westrick <jerry "at" mail.genotec.ch>
To: vnc-list "at" realvnc.com
Subject: RE: HELP! Router/Firewall with VNC Question
Date: Sun, 04 Apr 2004 17:07:27 +0200

On Sun, 2004-04-04 at 14:38, David wrote:
> Hey,
> I have some more info on my Router/VNC problem.  I must be missing an easy
> concept here about routers and the VNC program but here goes.

Okay Dave....

I think you are right...
you are missing an easy part of the concept...
Basically, each connection has its own address.  Namely
your router has 2 addresses, an "External" (internet address)
and an "Internal" (local net).

So I'll help you out there....

In the following setup you got a nat/router which 
has a valid internet address (w.x.y.z), and on the
internal network it has the address
192.168.x.y are often used by routers because those 
numbers are reserved for local usage.  (They are not 
allowed on the internet, and therefore can be used again
and again at different locations!)  Now in my drawing 
you will see that there are 3 internal PCs, also 
starting with "192.168.1".  In fact every machine 
connected to a cable which is connected to the 
"internal" connector of the router starts with 
"192.168.1".  This is called a network.

I\                               +-------------+ Pc 1 |
N|         +--------+            |             +------+
T|  w.x.y.z|        |            |  192.168.1.y+------+
E+---------+ Router +------------+-------------+ Pc 2 |
N|         |        |            |             +------+
E|         +--------+            |  192.168.1.z+------+
T/                               +-------------+ Pc 3 |

And now to your questions:

On Sun, 2004-04-04 at 14:38, David wrote:
> My routers
> LAN IP was the default which basically every consumer router is.

okay...  That is the internal network address...
also in my drawing...

> My IP addy from the internet is different than that so if I go to
> myipaddress.com it will show my real IP addy not the 192.168.x.x one.

Yes, that is the "external address", w.x.y.z in my drawing...

> Anyway, I changed the router settings (specifically the LAN IP) to be the
> same as my real IP address 

This will not work.  When both the internal and external IP addresses
are the same, the Router no longer knows where to send its packages...

The router in the above drawing knows that if an IP address starts with 
"192.168.1" then it sends it to the "internal" connection, otherwise it
sends it to the external...

> and when I tried VNC on different computers it
> worked!  I thought everything was fixed b/c I could use http/java to log
> into VNC as well as a VNC viewer on another PC to access it.

If I understood you correctly, the PCs mentioned above are both on the
internal network, and therefore did not use the router at all!

> I could still log into the router to change settings if I didn't do the :5800/:5900 port
> so everything appeared fine.  

Here the router was only using the internal port.

> However, on my client/host computer that the
> router is hooked up to, I no longer had internet service :(  

So your router got confused as soon as it tried to use both connections!

> So I changed the LAN IP back to 192.168... 

Good, now the router is no longer confused and should route to the 

> and now I have internet again 


> but the VNC
> doesn't work 

I beg to differ, this entire discussion is NOT about VNC.  VNC
works. The discussion is about your TCP network, which does not work!  
That is one of the conceptual problems you mentioned at the beginning.  8-)

> b/c the icon in the taskbar shows the 192.168 IP addy instead
> of my real addy like when I changed it.

This is correct, the problem is that the router has not been told 
that when someone on the internet wants to connect to the router 
(ie. w.x.y.z), with vnc (ie TCP port 5900), that the person really
wants to connect to PC1, so would the router please be so kind as to
forward the request on to PC1?

> So what is the workaround and I must be missing something b/c this is
> probably like this on every single
> router - you have an IP from the internet and the router masks it and gives
> out its own IPs to each computer (which happen to be 192.168.x.x for most
> routers) and you can port forward but VNC still thinks your IP is the
> 192.168 which you obviously can't log into from a different computer.  So
> what do I do?

You need to find out how to tell your router how to forward TCP 5900
(and ALSO TCP 5800; the Java stuff needs BOTH) to PC1.  That is all you
are missing!
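
What the forwarding rule asked for above does, as an added example that is not part of the original message: a user-space TCP relay stands in for the router's port forward (a real router rewrites addresses with NAT rather than relaying), and loopback sockets on OS-chosen ports stand in for w.x.y.z:5900 and PC1. The banner, function names and ports are constructed for the demo.

```python
import socket
import threading

BANNER = b"RFB 003.008\n"  # constructed stand-in for a VNC server's greeting


def fake_pc1(srv):
    """Stand-in for PC1: greet one client, then hang up."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(BANNER)


def pipe(src, dst):
    """Copy bytes one way until src closes, then end dst's write side."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # the other side already went away


def forward_once(srv, target):
    """Stand-in for the router's forwarding rule: relay one connection."""
    outside, _ = srv.accept()
    with outside, socket.create_connection(target) as inside:
        t = threading.Thread(target=pipe, args=(outside, inside), daemon=True)
        t.start()              # viewer -> PC1
        pipe(inside, outside)  # PC1 -> viewer
        t.join(timeout=2)


def demo():
    """Connect to the 'external' port; return what arrived from PC1."""
    # Loopback sockets on OS-chosen ports play w.x.y.z:5900 and PC1:5900.
    with socket.create_server(("127.0.0.1", 0)) as pc1, \
         socket.create_server(("127.0.0.1", 0)) as router:
        for fn, args in ((fake_pc1, (pc1,)),
                         (forward_once, (router, pc1.getsockname()))):
            threading.Thread(target=fn, args=args, daemon=True).start()
        with socket.create_connection(router.getsockname(), timeout=5) as viewer:
            return viewer.makefile("rb").readline()


if __name__ == "__main__":
    print(demo())
```

The viewer only ever dials the "external" socket; the greeting it reads came from the PC1 stand-in through the relay.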