Discussion:
VNC and Netgear Router
a***@andrew82.net
22 years ago
I'm sitting behind a Netgear router (the FVS318 Cable/DSL ProSafe VPN
Firewall). I've been having trouble configuring the router to allow
access to VNC. Does anyone have experience configuring a Netgear router
(or this router in particular) to work with VNC? I tried using the same
settings I did with my old Belkin router, but they don't seem to work.

Thanks,
Andrew
Michael Herman
22 years ago
Post by a***@andrew82.net
I'm sitting behind a Netgear router (the FVS318 Cable/DSL ProSafe VPN
Firewall). I've been having trouble configuring the router to allow
access to VNC. Does anyone have experience configuring a Netgear router
(or this router in particular) to work with VNC? I tried using the same
settings I did with my old Belkin router, but they don't seem to work.
How are you testing it? I thought my SMC router was not working until I found
a note on the SMC tech support page that said port forwarding from inside to
inside via the external address doesn't work. You have to test from an
external address.

HTH.

--
Michael
Bill Root
22 years ago
Hi Andrew,

I've configured two NetGear FVS318 routers for use with VNC. I'm not using
VPN. I added two services for each computer I want to be able to VNC --
one for the web interface (5800 + display #) and one for normal access
(5900 + display #). Both are type TCP. Then I enabled the ports in the
"Ports" setting. I'd be happy to answer any specific questions you have.

Finest regards,
Bill Root
Ascendis Software
http://www.ascendis.com/
Scott C. Best
22 years ago
Possibly the easiest way to test it is to start up a
web browser on the VNC server and point it to www.GoToMyVNC.com
and run the scan there. If it can connect "from the outside",
then your firewall/router is set up correctly.

Hope this helps!

-Scott
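
The check the replies above describe, as an added example that is not part of the original thread: it derives the 5800/5900 + display ports and confirms that the forwarded port answers with the 12-byte RFB ProtocolVersion greeting. The function names, the display-number limit and the placeholder address 203.0.113.10 are assumptions, and the script has to run from a host outside the router's LAN.

```python
import re
import socket

# An RFB server opens with a 12-byte ProtocolVersion message, e.g. b"RFB 003.008\n".
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")

def vnc_ports(display):
    """Ports to forward for one VNC display, as described in the thread."""
    if not 0 <= display <= 99:  # assumed limit: keeps 5800+N below 5900
        raise ValueError("display number out of range")
    return {"rfb": 5900 + display, "http": 5800 + display}

def parse_rfb_banner(data):
    """Return (major, minor) for a valid ProtocolVersion message, else None."""
    m = RFB_BANNER.fullmatch(data)
    return (int(m.group(1)), int(m.group(2))) if m else None

def read_banner(sock, timeout=5.0):
    """Read up to 12 bytes; the greeting may arrive in several TCP segments."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < 12:
            chunk = sock.recv(12 - len(buf))
            if not chunk:       # peer closed before sending a full greeting
                break
            buf += chunk
    except OSError:             # timeout or reset: return what arrived
        pass
    return buf

def check_forward(host, display, timeout=5.0):
    """Classify the forwarded RFB port as seen from this machine."""
    port = vnc_ports(display)["rfb"]
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = read_banner(s, timeout)
    except OSError as exc:      # refused, filtered, or no route
        return ("unreachable", port, str(exc))
    version = parse_rfb_banner(banner)
    if version is None:         # forward points at something that is not VNC
        return ("open-but-not-rfb", port, banner)
    return ("vnc-reachable", port, version)

if __name__ == "__main__":
    # 203.0.113.10 is a documentation placeholder for the router's WAN address.
    print(check_forward("203.0.113.10", 0))
```

An "unreachable" result from inside the LAN against the WAN address does not prove the forward is broken, for the reason given in Michael's reply.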
Scott C. Best
22 years ago
If I wanted to sniff other people's VNC traffic I'd first try to find
1: use one of the existing programs that can intercept TCP sessions.
Maybe I'd have to teach it how to recognize the RFB protocol. That's no
big problem.
A company I used to work at was founded by this guy who
was world-class in coming up with setups such as "if you could do
this one impossible thing, you could make a *ton* of money". :)
Perhaps it's both a great way for entrepreneurs to think of their
next company *and* for security-paranoid people to consider their
networks.
Which is to say...hijacking an arbitrary TCP connection
off of the Internet is galactically difficult. As I said in my post,
though, stealing packets off of a local network (or capturing a
local keyboard) is trivial, even if the data was encrypted across
the Internet with 256-bit AES.
On the Internet, either you have encryption, or you have *no* security.
See, I'm worried that this is misleading. Because even with
encryption, you can still be left with no security. I mean, what's
the point of 256-bit AES securing my VNC connection if my VNC server
has no AuthHosts setting, its password is just "password", and the
RPC vulnerability CERT announced last month hasn't been patched on my
server yet? Or as Cheswick and Bellovin put it in _Firewalls and
Internet Security_:

"But encryption is useless if you cannot trust one of the
endpoints. Indeed, it can be worse than useless: the untrusted
endpoint must be provided with your key, thus compromising it."
But it might not be a matter of time because it's so much work for
so little gain?
How little gain exactly? Your company's trade secrets? The administrator
passwords to all your servers? All the money in your bank account?
A good rule of thumb here is that you should spend at least
as much time protecting your network assets as the Black Hats would
spend trying to steal them, and at least as much money as the assets
are worth. Part of that solution *of course* involves good encryption.
But IMO, encryption is a little like recycling: on its own, it's pretty
useless and pretty easy to delude yourself with. Nevertheless, it's
also a necessary part of a much larger, much more effective, overall
policy.

cheers,
Scott
