IP Camera connected by WiFi not accessible with Static IP Address

koosh42

I have just switched from a DD-WRT router to my own custom pfSense router using pfSense 2.5.2 on an 8th gen Core i3 with 4 GB RAM and dual NICs. My network includes six IP cameras, three of which connect to the network via ethernet through an unmanaged switch and the other three via WiFi (all connected via an access point separate from the router). In order to make the IP cameras accessible from outside of my network I use static IPs with freedns.

When I set up my new router I chose to use private addresses in the 17.xx.xx.xx/24 range mainly because I like 17. I copied the MACs in use for each of the 6 IP cameras to create static IP addresses. I then configured the DHCP server to use a range of 17.xx.xx.21 to 17.xx.xx.200 for dynamic leases allowing me to use 17.xx.xx.2 to 17.xx.xx.20 and 17.xx.xx.201 to 17.xx.xx.255 for static leases. I then assigned each IP camera MAC to 17.xx.xx.11 thorugh 17.xx.xx.16 (I assigned the earlier IP addresses to access points and desktop computers).

After switching to my new router, only 1 of the IP cameras was showing up in the DHCP leases as online. I figured out that several of them had been configured with a fixed IP address from my old 192.168.xx.xx range. By plugging each one into ethernet I was able to reconfigure all of them to be sure they were getting their IP addresses from DHCP. Once I made this change, all six IP cameras are now showing up as online in the list of DHCP leases. However, despite all of them displaying as "online" the only three that are accessible through the network are the ones connected by cat5e and the ones connected by WiFi are unreachable. Every other device that connects via WiFi (using dynamic leases) are operating normally.

Each static IP address was set up with MAC, designated IP address, and description of device. I did not designate a hostname for any of them.

Any thoughts about why the WiFi IP cameras with static leases would not be reachable?

On a side note, the three working cameras are accessible with DDNS using my subdomain from freedns.afraid.org and the port forwards I created, but they are only accessible from OUTSIDE of my network when previously I could access the cameras using the same port forwards from inside my network (i.e. I could use xxxx.mooo.com:xxxx from inside or outside of my network to access the cameras and now the only way to access a camera from inside of my network is to use 17.xx.xx.xx:xxxx). Any thoughts on what would cause this difference from my DD-WRT router?

johnpoz

@koosh42 said in IP Camera connected by WiFi not accessible with Static IP Address:

way to access a camera from inside of my network is to use 17.xx.xx.xx:xxxx)

Your using 17.something internally - public space?

Your ddwrt router prob had nat reflection enabled - if you want to access your internal IPs (which all should be rfc1918) unless you own public space or have public space routed to your connection via your isp.

You could enable nat reflection.. But why not just setup internal fqdn that point to your cameras and use those names.

I personally wouldn't in a million years enable outside public access to camera's - unless I could lock those down to known trusted source IPs to connect to my public IP.

If wanted to view videos of my internal cameras while remote - I would vpn into my network, or would via the video via what the camera's upload to some service.

Camera firmware is some of the worse there is from a security point of view - exposing that to the public is not a good idea.. Have you not seen all the issues with camera's being part of bot nets, etc.

Google a bit for security issues with cameras
https://www.securityweek.com/serious-vulnerabilities-found-firmware-used-many-ip-camera-vendors

AndyRH

@johnpoz is correct. Cameras are a common target, easy to take and there are lots of them.
Try one of these address spaces and do not let cameras talk to the internet.
Class A: 10.0. 0.0 to 10.255. 255.255.
Class B: 172.16. 0.0 to 172.31. 255.255.
Class C: 192.168. 0.0 to 192.168. 255.255.

koosh42

Thanks for the feedback so far. I did mean to use 172.xx.xx.xx all along but accidentally lost the "2." I have fixed this now and will try doing NAT reflection on all of them unless DNS splitting seems like a better idea. Interestingly only one of the wifi cameras is now unreachable. I will go back into its settings and try to figure out if there is still something configured poorly for it. I will update later.
Thanks.

plfinch

What is your WAP device? Check your WAP configs and make sure there isn’t a setting enabled to prevent devices from accessing and being accessed by the LAN or from/to private IP space. On my Unifi WAPs this setting is called “Device Isolation”.

Peter