Wez,

Thanks for your mail. I have managed to isolate one specific change which causes the problem. First let me try to explain how the network is set up and why.

The VNC server is running on a client PC at a site with a standard UK ADSL connection. The PC has an IP address in the 10.x.x.x range. A standard (netgear) ADSL router/modem is plugged into the phone line. The router has an internal IP address of 192.168.0.1. The router has a built in 4 port hub. The linux firewall has two network cards - one on 10.x.x.x one on 192.168.0.253. The linux box is the network gateway server for the PC, so all outbound PC traffic goes through the linux box. The PC and both of the linux firewall cards are plugged into the router's hub.

Why is it set up like this?

(1) having the linux box act as a firewall allows me to do more by way of intrusion detection, monitoring etc than I could do with a simple ADSL router firewall.
(2) the linux box also acts as the termination point for SSH sessions.
(3) it's all plugged into the same hub to minimise the need for extra kit and if the linux box dies, all the client PC needs to do is change IP settings to 192.168.0.x and it can still use the net (albeit with slightly less security).

I can (so far) totally reliably stop the problem from occurring if I split the LAN into two segments - ie linux box 192.168.x.x card is plugged into ADSL hub and 10.x.x.x card is plugged into a separate hub along with the PC. (I also tried it on a Draytek ADSL router which lets me separate LAN segments on the one router/hub with the same result).

So, the good news is I have a workaround. The bad news is I really don't want to have an extra hub in the picture.

Any idea why sharing the 'public' (192.168.x.x) and the private (10.x.x.x) traffic on the same LAN should cause this problem? Or where I should look? It might not be perfect from a security point of view, but it doesn't seem to be causing any other problems.

Thanks

mark.

On 6/13/05, James Weatherall <[EMAIL PROTECTED]> wrote:
> Mark,
>
> I'm afraid I really don't understand your network setup!
> You have a NAT router, so you don't need a separate firewall, but you do have a separate firewall, but the things connected to it seem also to be connected directly to the router and so the firewall isn't actually firewalling. I'm also not sure what you mean by "public as far as SSH is concerned" since SSH doesn't have any concept of IP addresses being public or private and is not involved in firewalling. You originally stated that you had a problem with VNC Viewer, which you've since stated only occurs if you use a machine's direct-to-ADSL address rather than its via-Linux-PC address, but you've then said that you only added the direct-to-ADSL address because you had problems with VNC, so I'm not sure what setup it is that you're actually having problems with.
>
> I wondered whether when you said "Linux firewall", you actually just mean "Linux SSH server", but that wouldn't explain why you have two distinct sets of IP addresses.
>
> :(
>
> Wez @ RealVNC Ltd.
>
> > -----Original Message-----
> > From: Mark [mailto:[EMAIL PROTECTED]
> > Sent: 13 June 2005 16:13
> > To: James Weatherall
> > Cc: [email protected]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: Re: Screen freezing in VNC4.1.1 over SSH
> >
> > Wez,
> >
> > If everything was working fine, the VNC server would have only one IP address in the 10.0.0.x range and one NIC. I tried it on the 192.168.0.x (ie public as far as the linux SSH server is concerned, but still behind the ADSL router NAT) range just to see if it made any difference. As I had a machine with 2 network cards, I set it up so I could switch from one to the other with no other changes to make testing easier.
> >
> > In this test setup, both 192.168.0.x and 10.0.0.x interfaces of both the Linux firewall and the VNC server are plugged into the same hub (though I will try separating to see if that makes a difference).
> >
> > Normally the ADSL router acts as a hub for the local network (ie there is both 192.168.0.x traffic and 10.0.0.x traffic on the one hub), so yes there are potentially other things connected to the ADSL router, though I have reproduced the problem with nothing else connected. I realise running both ranges on one hub isn't perfect from a security point of view, but it's adequate for what I need security wise.
> >
> > Thanks,
> >
> > mark.
> >
> > On 6/13/05, James Weatherall <[EMAIL PROTECTED]> wrote:
> > > Mark,
> > >
> > > I don't understand your network configuration. Why does your "VNC server machine" have two IP addresses? Are both of its network cards connected to the linux firewall? Is anything on your network connected directly to the ADSL router?
> > >
> > > Wez @ RealVNC Ltd.
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark
> > > > Sent: 13 June 2005 11:36
> > > > To: James Weatherall
> > > > Cc: [email protected]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > > Subject: Re: Screen freezing in VNC4.1.1 over SSH
> > > >
> > > > I have investigated further and have found a scenario where one change makes the problem appear.
> > > > The test setup is as follows:-
> > > >
> > > > VNC viewer/PuTTY SSH tunnel
> > > > |
> > > > Linux firewall, ADSL router
> > > > |
> > > > <internet>
> > > > |
> > > > ADSL router - NAT 192.168.0.x
> > > > |
> > > > Linux Firewall, terminating SSH session
> > > > external IP 192.168.0.254
> > > > internal IP 10.0.0.1 (separate physical ethernet card, same LAN segment)
> > > > NAT -> 10.0.0.x
> > > > |
> > > > VNC server machine
> > > > IP 192.168.0.13
> > > > IP 10.0.0.23
> > > > (I have 2 separate cards in the machine, though the result is the same if I change the IP and only use 1)
> > > >
> > > > Result:
> > > > If I port forward to the 192.168.0.13 IP address the VNC connection is stable.
> > > > If I port forward to the 10.0.0.23 IP address, the VNC session hangs as before
> > > >
> > > > The only difference between these two sessions is that the Linux box terminating the SSH connection is forwarding to a 'public' address (from its point of view) in one case and to a private address in the other.
> > > >
> > > > I suppose the next steps would be to try segmenting the LAN properly and swapping the ethernet cards on the SSH terminating linux server. I'll report back once I have done that.
> > > >
> > > > Any other suggestions on what could be going on here?
> > > >
> > > > Thanks
> > > >
> > > > mark.
> > > >
> > > >
> > > > On 6/10/05, James Weatherall <[EMAIL PROTECTED]> wrote:
> > > > > Mark,
> > > > >
> > > > > The "bad" log indicates that VNC Viewer is seeing the connection close and is then exiting. The only obvious difference between the two logs is that the second session involves a change to the clipboard, which will result in data being transmitted to the server if the clipboard contents are text.
> > > > > If the contents were a large amount of text then this could conceivably cause the viewer to appear to hang while it was being transferred to the server.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Wez @ RealVNC Ltd.
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Mark [mailto:[EMAIL PROTECTED]
> > > > > > Sent: 10 June 2005 17:21
> > > > > > To: James Weatherall
> > > > > > Cc: [email protected]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > > > > > Subject: Re: Screen freezing in VNC4.1.1 over SSH
> > > > > >
> > > > > > Here are the full logs of a good and a bad session. To make things as close as possible, I minimised and unminimised it after a few seconds - ie before anything froze.
> > > > > >
> > > > > > FYI, on the bad session I minimised vncviewer at 17:09:52 and unminimised it at 17:15:11.
> > > > > >
> > > > > > Thanks
> > > > > >
> > > > > > mark.
> > > > _______________________________________________
> > > > VNC-List mailing list
> > > > [email protected]
> > > > To remove yourself from the list visit:
> > > > http://www.realvnc.com/mailman/listinfo/vnc-list
