Please help to get everything to work to OPT1, DHCP works static does not.
-
Probably has logging enabled. It doesn't have a gateway set there on OPT.
If there is a gateway set on LAN though it would fit the symptoms exactly. -
On my boxes logging is the "lines icon"
I get the wheel if i fiddle with "flags" or GW (But gw would be visible on the rule)
-
Yup, my mistake. Not enough coffee!
So what advanced setting do you have there @wufwuf? And is it also on LAN?
-
@stephenw10
Thank you for your ideas ...the first of the 2 rules above was attempt to increase access specific to NVR and ip cams,
deleting it has not changed - ping still times out on both the printer and nvr (and even dhcp)! in LAN there is now only anti-lockout rule and the 2nd rule from above now active, so what else is amiss?
this is getting quite frustrating, as spent better part of day to try nail it down without success
-
Let's see your LAN rules.
What was the advanced setting you had there on the OPT rules?
Rules on the OPT interface would only allow traffic out from the NVR (or other devices) on there.
DHCP is allowed by default if it's enabled on the interface.Those devices clearly are connected and have a route since you said you were able to ping them from pfSense using LAN as source?
Do you see anything blocked in the firewall logs?
Steve
-
@stephenw10
the lan fw rules:
opt1 rules:
i know the nvr is connected and working as it can view the ipcams and these are all connected to the pfsense box via a switch... it is just that i can't connect to nvr or cams directly (now all on dhcp from pfsense) from browsers on the laptop...
same thing happens with the printer also on opt1, laptop unable to print to it, but it is on opt1 as fixed ip entry in pfsense - child's pc can print to the printer but not mine, how could this be!
i can confirm double checked the child rules where only its pcs are on alias (but these rules are disabled anyway)
the only lan side firewall logs of interest seem to be this one:
I am sure we are close to the truth... and again, grateful for looking into this...
-
@wufwuf said:
ping from laptop to NVR has no connection, but ping from pfsense to NVR via LAN does...
That rule on LAN will definitely allow that ping to pass. So if you are pinging the NVR IP directly it should work as long as it is able to respond.
How exactly are you pinging in each of those cases?The NVR might be blocking traffic from outside it's own subnet. But that would apply to all LAN clients and you say you have another laptop on LAN that can access it?
The NVR might have a bad default route and be unable to respond but that would also prevent it replying to any LAN client.Steve
-
@stephenw10
Just re-read the full thread ...Does wufwuf have a hikvision ?
Didn't the OP , not the Latest Poster.Mention that that the hikvision had an internal 192.168.1.x network , causing all kinds of grief if you used the same net on the pfSense ??
@wufwuf
What networks are present on your NVR ?/Bingo
-
@wufwuf Something to keep in mind - you have to make sure that your aliases that you have listed on both LAN and OPT1 have IP addresses in the appropriate subnets. I'm not saying this is your problem, but might be part of other problems you maybe haven't found yet.
I have a couple installations like this - a main LAN network with trusted devices, and a GUEST network with other stuff. Often times, users will jump between the networks, or rather their devices (I'm looking at you chrome books and cell phones with private wifi addresses - I hate you!!!) will jump for them, and my alias from one subnet won't match their addresses on the other subnet.
You technically have to set them up 2 (or more) times, if they can jump networks like that. Then your alias lists, and more importantly your firewall rules, will all work properly.
-
@bingo600
thank you for raising this point - the situation is like this:
NVR - brand is Dahua (probably same tech ask hikvision? also big chinese brand)
NVR - now on DHCP from pfsense, and so are a bunch of cams formerly on fixed ip via NVR
not on site with problem till 3 days later, but will look into switching all remaining cams to DHCP via pfsense to see if that will 'disable' the nvr function
looked into the NVR network settings - it has a bunch of port settings that seem to be active, and disabling virtual network (?) setting did not work, nor are there further internal network menus that allows me to meddle with now NVR is also on DHCPonly issue given the 192.168.1.x issue is pfsense has both 192.168.1.x (LAN) and also 192.168.2.x (OPT1 on which NVR lives) - reluctant to change away from 192.168.1.x on pfsense since so much other settings are already on that basis...
-
To confirm though, you said you were able to access the NVR from a different laptop that was also in the LAN subnet?
If that's true this is not conflict in the NVR or any sport of routing problem there.Steve
-
to be clear:
-
different laptop on 192.168.2.x can print to printer on same subnet, but not main laptop from 192.168.1.x
-
not tried using 2nd laptop to access nvr yet so will do that (in 2 days' time when have access to it) and report
-
-
Ok, so a laptop in the same subnet can. Inside the same subnet traffic is not routed and doesn't go through pfSense so nothing is required. Almost everything will responds to requests from something inside it's own subnet and device discovery will work.
If you are not connecting to the printer by IP then it will probably not appear as available in Windows from the LAN subnet.Start a continuous ping from the laptop in LAN to the NVR.
Check Diag > States for the states created. You should see a state on LAN and one on OPTIf both are there and there are packets shown on both then the NVR is not responding and you need to look there.
Steve
-
@stephenw10 said in Please help to get everything to work to OPT1, DHCP works static does not.:
rything will respo
back at the pfsense box, and pinged both printer and nvr - both 100% lost packets...
what bothers me is how come with lan to any and opt1 to any rules, we still can't access the x.x.2.0 subnet from x.x.1.0 (the main laptop)?
strangely, ping from within pfsense-lan (under diag>ping) to nvr (on x.x.2.0) has no lost packets!
-
@wufwuf
tried on another laptop on x.x.2.0 and was able to access NVR interface...so that means it is all down to LAN vs OPT1 issue, unless NVR internally blocks access that is not coming from its own subnet?
-
@stephenw10
tried from main laptop on x.x.1.0 to ping x.x.2.0 and x.x.2.1 (pfsense gateway), but no response... perhaps we are getting close to the problem?set up is like this:
pfsense (Wan) => modem
pfsense (Lan) => switch 1 => main laptop (192.168.1.x)
pfsense (opt1) => switch 2 => printer / nvr (192.168.2.x) -
@wufwuf said in Please help to get everything to work to OPT1, DHCP works static does not.:
strangely, ping from within pfsense-lan (under diag>ping) to nvr (on x.x.2.0) has no lost packets!
What if you set the source to LAN there? That will prove the NVR does respond to requests from outside it's subnet.
With those rules on LAN you should definitely be able to ping the pfSense OPT interface IP (192.168.2.1) from the laptop.
If that fails the laptop may have a bad or conflicting route locally.Did you check the state table whilst running a continuous ping?
Steve
-
@wufwuf said in Please help to get everything to work to OPT1, DHCP works static does not.:
perhaps we are getting close to the problem
Re do the test, and packet capture the ICMP stuff on the OPT1 interface.
You should see ICMP packets, the one coming out of the OPT1 interface, originating from your a device on your LAN, going to the NVR.
If the NVR doesn't answer, you know that it only replies to devices from it's 'local' network (== 192.168.2.0/24).
Go have a 'talk' with your NVR ;) -
@gertjan
thank you guys... much appreciated - away at work so need to test over weekend, will report back!
