Allow Single IP Through Firewall
-
@nosenseatall You should add a pass rule on your LAN network for the specific IP address of the compuoter to the specific IP address of the Time Capsule device on the VLAN network. Don't use any ports, and simply pass the traffic from one device to the other device. I'm not sure what that VLAN rule is where you use source = 10.10.50.104 into the LAN network destination. Is that your Time Capsule device?
Keep in mind, all this might not work, because I'm pretty sure Time Machine uses the bonjour network service to find the backup drives. This service doesn't cross subnets, but instead looks for the backup drive(s) in the same network as the computers.
You might also be able to connect to the backup drive via IP address in the Finder, but I've never tried it like that...
https://discussions.apple.com/thread/4668619
https://discussions.apple.com/thread/1749362
https://discussions.apple.com/thread/7871458
-
@akuma1x Thank you. Yes, 10.10.50.104 is the IP address for the Time Capsule. I added the rule that you suggested, as well as tried connecting to it though Finder, both were unsuccessful.
-
@nosenseatall One of the suggestions in the links above it to get the Tima Machine drive on the SAME subnet (network), make a single backup, then move the drive/machine to the other network.
I've never tried that method either, sorry.
-
@nosenseatall Is there a specific reason why the Timecapsule is on a different vlan?
I'd advise having them on the same vlan as it uses Bonjour / mdns.
Also you need to move your allow rule above the block rule on VLAN_50_IOT.
-
The question :
@nosenseatall said in Allow Single IP Through Firewall:
My desktop is on the LAN and my backup drive (Time Capsule) is on the VLAN.
So the desktop device is on the LAN network - and the backup drive (Time Capsule) is on the other LAN (VLAN_50_IOT) network.
More details :
Now lets presume that the second rule using the pfBlockerNG alias doesn't contain any RFC1918 (and it shouldn't and it doesn't), this second rule won't match.
The third rule is the default "everything from the LAN network can go everywhere (all other local networks and all Internet).I tend to conclude : pfSense is not blocking your capsule access on the VLAN_50_IOT network.
So, this :
@akuma1x said in Allow Single IP Through Firewall:
You should add a pass rule on your LAN network for the specific IP address of the compuoter to the specific IP address of the Time Capsule device on the VLAN network.
isn't needed to make it work right now.
The third rule in place already passes traffic to "whatever", and that includes "10.10.50.104" if this IP is part of the Time Capsule on the VLAN_50_IOT.Does this "VLAN_50_IOT" drive has a web interface ?
http://10.10.50.104 or https://10.10.50.104 should work.You should be able to ping 10.10.50.104 from your desktop PC.
That is, if the Time caspule is told to to answer on ping.This :
@akuma1x said in Allow Single IP Through Firewall:
get the Tima Machine drive on the SAME subnet (network)
could be true. Apple's Time Machine documenation should be able top to tell you this.
Network discovering devices, as what happens in Explorer under Windows, only shows devices in the local network, not the other networks, where "other networks" could be other local networks, or the entire internet for that matter. (as Internet is just a special case of "other networks").A NAS can, of course, be place don any network, local or where ever.
Use the domain name if one has been set up, or the IP address.Double check that there isn't a setting in the Time Machine that 'protects' it by accepting only connections from it's own local network == 10.10.50.0/24 which maens it won't accept requests from your LAN network. Again : go doc.
-
@nogbadthebad Thank you. I moved the rule up, but unfortunately that did not work. The reason I have the Time Capsule on a different VLAN is because I have one IOT device that will not connect to my Unifi AP, but will connect to the Time Capsule (wireless), so I just put it in it's own little world.
Also, I did move it back over to the LAN side and it works fine.
-
@nosenseatall Are you trying to use the Time Machine software or just access your time capsule over SMB or AFP?
If the time machine is the feature you want you will need to install the AVAHI package and configure the mDNS to pass over both interfaces -- Apple's Time Machine doesn't rely on IP traffic to discover systems but mDNS (which is a blessing that it finds devices with no or wrong IPs but a curse that it cannot find anything that isn't in the same Layer 2 network).
-
@gertjan Thank you.
I don't believe there is a web interface for Time Capsules. Access is usually done through the Airport Utility.
Also, I moved it back over to the LAN side and it works fine.
-
@rcoleman-netgate Thank you - I'll give that a try.
-
-
@nosenseatall You should select all the interfaces you want it to run on -- you only have LAN but you mentioned earlier that your TC is on VLAN_50.
-
@nosenseatall Tried creating an additional 2.4 Ghz only SSSID on your Unifi AP, I had similar problems with a Lyric Thermostat.
-
@nogbadthebad I tried that. I usually run it with both 2.5 & 5Ghz selected. I switched it over to 2.4 only and it still won't connect.
-
@rcoleman-netgate I have corrected the interfaces to include both LAN and VLAN_50_IOT, but for some reason it still won't find the TC. I also tried adjusting my firewall rule so that it was using LAN net and VLAN_50_IOT net, and no luck with that either.
-
@nosenseatall WPA3 enabled ?
-
@nogbadthebad should I uncheck these?
-
@nosenseatall Give it a go, it could be the device doesn't support WPA3.
-
@rcoleman-netgate Any other suggestions on why the TC is not being seen on the VLAN_50_IOT side after modifying AVAHI settings? As mentioned earlier, I have the LAN and VLAN_50_IOT interfaces selected, and played with different firewall rules, but still no luck seeing the TC.
Thanks!
-
@nosenseatall what does the Firewall Log show? Anything at all? Filter by the IP addresses of the involved devices. Do a PCAP on the interfaces looking for those device IPs, etc.
