Please help to get everything to work to OPT1. DHCP works, static does not.
-
When you set "NVR" to static (192.168.2.254), what do you set as Mask, DNS and Gateway?
-
Pfsense OPT1 adapter is set to 192.168.2.1
The NVR
Address = 192.168.2.254
Mask = 255.255.255.0
Gateway = 192.168.2.1
DNS1 = 192.168.2.1
-
It happened to be that the NVR has an internal network card and a LAN card. (Two network cards, one for its own use for the IP cams and another for LAN connecting)
The internal network card range was the same LAN range as the LAN range on pfsense, causing all sorts of problems. If you are using Hikvision, check the internal network range is not the same as any other range on your pfsense box.
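The overlap described above, as an added example that is not part of the original post: a small model of how a two-NIC NVR chooses where to send a reply. The 192.168.2.x values come from the thread; the internal card address 192.168.1.1/24 and the pfSense LAN 192.168.1.0/24 are constructed sample values.

```python
import ipaddress

def nvr_routes(lan_if, gateway, internal_if):
    """Routing table of a two-NIC NVR: two connected networks plus a default route."""
    lan = ipaddress.ip_interface(lan_if)
    internal = ipaddress.ip_interface(internal_if)
    return [
        {"net": lan.network, "dev": "lan", "via": None},
        {"net": internal.network, "dev": "internal", "via": None},
        {"net": ipaddress.ip_network("0.0.0.0/0"), "dev": "lan", "via": gateway},
    ]

def pick_route(routes, dst):
    """Longest-prefix match, the way an IP host picks the route for a packet."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None

def conflicting_firewall_nets(routes, firewall_nets):
    """Firewall subnets that overlap a network the NVR reaches on a non-LAN card.

    Replies to clients in such a subnet leave through the wrong card and
    never get back to the firewall.
    """
    conflicts = []
    for name, cidr in firewall_nets.items():
        net = ipaddress.ip_network(cidr)
        for r in routes:
            if r["dev"] != "lan" and r["net"].overlaps(net):
                conflicts.append((name, cidr, r["dev"]))
    return conflicts

# Constructed sample: internal camera network collides with the pfSense LAN.
PFSENSE_NETS = {"LAN": "192.168.1.0/24", "OPT1": "192.168.2.0/24"}
BROKEN = nvr_routes("192.168.2.254/24", "192.168.2.1", "192.168.1.1/24")
# Constructed sample: internal network moved to a range pfSense does not use.
FIXED = nvr_routes("192.168.2.254/24", "192.168.2.1", "10.1.1.1/24")

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        route = pick_route(table, "192.168.1.10")  # reply to a LAN client
        print(label, "-> dev", route["dev"], "via", route["via"])
        print(label, "conflicts:", conflicting_firewall_nets(table, PFSENSE_NETS))
```
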
-
@kdes
I had similar problem with my set up:
LAN has dhcp on, laptop on pfsense static ip and lives here - 192.168.1.0 (laptop = 192.168.1.10)
OPT1 has dhcp on, NVR on pfsense static ip and lives here - 192.168.2.0 (NVR = 192.168.2.10)
ping from laptop to NVR has no connection, but ping from pfsense to NVR via LAN does... both LAN/OPT1 have allow-all-LAN rule set up (Lan-net to any on LAN, and Opt1-net to any on OPT1)
what is missing in order to achieve laptop to NVR connection?
thank you in advance!
-
When you ping from pfSense and set LAN as the source it does not actually go through the LAN rules since the traffic is already inside the firewall. So it's almost certainly a firewall rule problem on LAN. Perhaps you are policy routing traffic on LAN? If so you would need a more specific rule without a gateway set above that.
Steve
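An added illustration of the policy-routing point in the reply above (not part of the original post, and a simplified model rather than pfSense code): rules on an interface are checked top to bottom, the first match wins, and a matching rule with a gateway set sends the packet to that gateway instead of the routing table. The rule sets and the gateway name WAN_GW are constructed.

```python
import ipaddress

# Constructed LAN rule set: one allow-all rule with a gateway set (policy routing).
POLICY_ROUTED = [
    {"descr": "LAN to any via WAN_GW", "src": "192.168.1.0/24",
     "dst": "0.0.0.0/0", "gateway": "WAN_GW"},
]
# Same rule set with a more specific rule, without a gateway, placed above it.
WITH_LOCAL_RULE = [
    {"descr": "LAN to OPT1, no gateway", "src": "192.168.1.0/24",
     "dst": "192.168.2.0/24", "gateway": None},
] + POLICY_ROUTED

def first_match(rules, src, dst):
    """Return the first rule matching the packet, or None (default deny)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])):
            return rule
    return None

def forwarding(rules, src, dst):
    """Describe where a packet entering this interface is sent."""
    rule = first_match(rules, src, dst)
    if rule is None:
        return "blocked"
    if rule["gateway"]:
        return "forced to " + rule["gateway"]
    return "routing table"

def policy_routed_local_nets(rules, local_nets):
    """Local subnets whose first covering rule has a gateway set.

    Simplification: only the destination of each rule is compared.
    """
    flagged = []
    for name, cidr in local_nets.items():
        net = ipaddress.ip_network(cidr)
        for rule in rules:
            if net.subnet_of(ipaddress.ip_network(rule["dst"])):
                if rule["gateway"]:
                    flagged.append(name)
                break
    return flagged

if __name__ == "__main__":
    for label, rules in (("gateway on LAN rule", POLICY_ROUTED),
                         ("specific rule above", WITH_LOCAL_RULE)):
        print(label, "->", forwarding(rules, "192.168.1.10", "192.168.2.10"))
```
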
-
@stephenw10
not quite understanding what you said above... could you perhaps give an example of what i might need to do?
since i already have this set of rules on in opt1, what else might i need?
on LAN the allow LAN to any rule is also in place...
-
And no gateway is set on the LAN rules?
-
Why does the top rule have the "wheel" ??
Usually means you did something "advanced"
Like @stephenw10 mentioned
And for a later discussion ... Your "Rule 2" would make "Rule 1" redundant.
/Bingo
-
Probably has logging enabled. It doesn't have a gateway set there on OPT.
If there is a gateway set on LAN though it would fit the symptoms exactly.
-
On my boxes logging is the "lines icon"
I get the wheel if i fiddle with "flags" or GW (But gw would be visible on the rule)
-
Yup, my mistake. Not enough coffee!
So what advanced setting do you have there @wufwuf? And is it also on LAN?
-
@stephenw10
Thank you for your ideas ...the first of the 2 rules above was attempt to increase access specific to NVR and ip cams,
deleting it has not changed - ping still times out on both the printer and nvr (and even dhcp)! in LAN there is now only anti-lockout rule and the 2nd rule from above now active, so what else is amiss?
this is getting quite frustrating, as spent better part of day to try nail it down without success
-
Let's see your LAN rules.
What was the advanced setting you had there on the OPT rules?
Rules on the OPT interface would only allow traffic out from the NVR (or other devices) on there.
DHCP is allowed by default if it's enabled on the interface.
Those devices clearly are connected and have a route since you said you were able to ping them from pfSense using LAN as source?
Do you see anything blocked in the firewall logs?
Steve
-
@stephenw10
the lan fw rules:
opt1 rules:
i know the nvr is connected and working as it can view the ipcams and these are all connected to the pfsense box via a switch... it is just that i can't connect to nvr or cams directly (now all on dhcp from pfsense) from browsers on the laptop...
same thing happens with the printer also on opt1, laptop unable to print to it, but it is on opt1 as fixed ip entry in pfsense - child's pc can print to the printer but not mine, how could this be!
i can confirm double checked the child rules where only its pcs are on alias (but these rules are disabled anyway)
the only lan side firewall logs of interest seem to be this one:
I am sure we are close to the truth... and again, grateful for looking into this...
-
@wufwuf said:
ping from laptop to NVR has no connection, but ping from pfsense to NVR via LAN does...
That rule on LAN will definitely allow that ping to pass. So if you are pinging the NVR IP directly it should work as long as it is able to respond.
How exactly are you pinging in each of those cases?
The NVR might be blocking traffic from outside its own subnet. But that would apply to all LAN clients and you say you have another laptop on LAN that can access it?
The NVR might have a bad default route and be unable to respond but that would also prevent it replying to any LAN client.
Steve
-
@stephenw10
Just re-read the full thread ...
Does wufwuf have a Hikvision?
Didn't the OP, not the latest poster, mention that the Hikvision had an internal 192.168.1.x network, causing all kinds of grief if you used the same net on the pfSense??
@wufwuf
What networks are present on your NVR?
/Bingo
-
@wufwuf Something to keep in mind - you have to make sure that your aliases that you have listed on both LAN and OPT1 have IP addresses in the appropriate subnets. I'm not saying this is your problem, but might be part of other problems you maybe haven't found yet.
I have a couple installations like this - a main LAN network with trusted devices, and a GUEST network with other stuff. Often times, users will jump between the networks, or rather their devices (I'm looking at you chrome books and cell phones with private wifi addresses - I hate you!!!) will jump for them, and my alias from one subnet won't match their addresses on the other subnet.
You technically have to set them up 2 (or more) times, if they can jump networks like that. Then your alias lists, and more importantly your firewall rules, will all work properly.
-
@bingo600
thank you for raising this point - the situation is like this:
NVR - brand is Dahua (probably same tech as Hikvision? also big chinese brand)
NVR - now on DHCP from pfsense, and so are a bunch of cams formerly on fixed ip via NVR
not on site with problem till 3 days later, but will look into switching all remaining cams to DHCP via pfsense to see if that will 'disable' the nvr function
looked into the NVR network settings - it has a bunch of port settings that seem to be active, and disabling virtual network (?) setting did not work, nor are there further internal network menus that allows me to meddle with now NVR is also on DHCP
only issue given the 192.168.1.x issue is pfsense has both 192.168.1.x (LAN) and also 192.168.2.x (OPT1 on which NVR lives) - reluctant to change away from 192.168.1.x on pfsense since so much other settings are already on that basis...
-
To confirm though, you said you were able to access the NVR from a different laptop that was also in the LAN subnet?
If that's true this is not a conflict in the NVR or any sort of routing problem there.
Steve
-
to be clear:
-
different laptop on 192.168.2.x can print to printer on same subnet, but not main laptop from 192.168.1.x
-
not tried using 2nd laptop to access nvr yet so will do that (in 2 days' time when have access to it) and report
-