Netgate Discussion Forum

    Blue Iris Remote access?

    NAT
      Elmojo

      For reference, I'm facing nearly the exact issue discussed here: https://forum.netgate.com/topic/158883/trouble-with-firewall-nat-to-allow-remote-blue-iris-access/15
      The difference in my case is that I don't have any IPv6 rules in place, and my BI server is running in a VM.
      Otherwise, it's pretty much the same situation.
      I can access my BI server from my LAN with no issues.
      I've tried running the BI remote access wizard, and all goes well, up until the port forwarding step, where it says it can't see port 81 from outside. Okay, that's expected, so I go into PF to resolve that.
      About an hour later, the closest I've been able to get is that when I try to browse to the web UI on my phone (on cellular) I now get a "<WAN ip address> took too long to respond" message, rather than the "connection refused" message I was getting before I added the NAT entry.
      Speaking of - I've added a NAT entry on WAN interface, from 'any' to "WAN address", TCP, port 81 for destination. Denied - or, more accurately, timed out.
      I've read through the troubleshooting guide, and the parts I understood of it seem to be in order.
      I've done a packet capture, and I see this:
      22:27:16.922210 IP 174.203.212.230.7451 > 174.19.24.xx.81: tcp 0
      22:27:16.922352 IP 174.203.212.230.7438 > 174.19.24.xx.81: tcp 0
      22:27:16.992728 IP 174.203.212.230.7433 > 174.19.24.xx.81: tcp 0
      22:27:17.792484 IP 174.203.212.230.7438 > 174.19.24.xx.81: tcp 0
      22:27:17.792700 IP 174.203.212.230.7451 > 174.19.24.xx.81: tcp 0
      22:27:18.032738 IP 174.203.212.230.7433 > 174.19.24.xx.81: tcp 0
      22:27:18.462974 IP 174.203.212.230.7454 > 174.19.24.xx.81: tcp 0

      Not sure where to go from here...

        rcoleman-netgate Netgate @Elmojo

        @elmojo what are your firewall rules set up like?
        Looks like you need TCP Port 81 open

        Ryan
        Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
        Requesting firmware for your Netgate device? https://go.netgate.com
        Switching: Mikrotik, Netgear, Extreme
        Wireless: Aruba, Ubiquiti

          Elmojo @rcoleman-netgate

          @rcoleman-netgate said in Blue Iris Remote access?:

          @elmojo what are your firewall rules set up like?
          Looks like you need TCP Port 81 open

          Umm...yes? That's kinda the whole point of this thread. lol
          I'm trying to open port 81, but I can't get it to work.
          As I mentioned above, I've added a NAT entry (and the associated rule) to open port 81, but all that does is change the error on my browser from "connection refused" to "connection timed out".
          Maybe (definitely) I'm doing something wrong, I just don't know what that thing would be.

            chpalmer @Elmojo

            @elmojo The computer that has BlueIris running is most likely blocking with its firewall.

            Windows computers will not allow any address outside their own subnet to access them. You have to go in and allow it.

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

              chpalmer @Elmojo

              @elmojo 174.203.212.230 and 174.19.24.xx.81 are not private space addresses. These are not your internal LAN addresses, are they?

                Elmojo @chpalmer

                @chpalmer The Blue Iris remote access wizard took care of that step, and reports that the firewall has been correctly configured. Besides, I can connect to the UI over my LAN, and that would be blocked if the firewall hadn't been configured properly, since it didn't work before I ran the wizard initially.

                  Elmojo @chpalmer

                  @chpalmer Of course not. Those are the WAN addresses (obfuscated) of my cell phone and the external IP of my gateway, respectively.

                    chpalmer @Elmojo

                    @elmojo Believing that wizard is your first mistake. 😂

                    I repeat.. Windows computers will not allow any address outside their own subnet to access them.

                    If the subnet is 172.25.100.0/24 then only addresses 172.25.100.1 to 172.25.100.254 will be able to access it unless the Windows firewall is properly configured. You need to verify verify verify!

                      Elmojo @chpalmer

                      @chpalmer Ok, I believe you. How would I go about doing that?

                        chpalmer @Elmojo

                        @elmojo Try just turning off the Windows firewall first. That will help to verify it is or is not the problem.

                          chpalmer @Elmojo

                          @elmojo

                          https://www.interserver.net/tips/kb/add-ip-address-windows-firewall/

                            Elmojo @chpalmer

                            @chpalmer Thanks, but I don't see any change. There was already a rule in the Windows firewall (I added a new one also) to allow traffic for BI. The existing one was for the BI program specifically. I added a new one for port 81 on all IPs. I still get a timeout error when trying to connect.
                            Notice, it's a timeout, not a connection refusal. This tells me that something is getting at least partway through, since before I added the NAT entry to pfSense, I got a flat "connection refused" message.
                            I see no option to disable the Windows firewall. I'll keep looking....

                              Elmojo

                              Okay, I found out how to disable the Windows Defender firewall, but it made no difference.
                              It still reports that port 81 "connection timed out" when I check it with either yougetsignal or canyouseeme.
                              It seems to be something in pfSense, or could it be a configuration thing with my server, since this is a VM? The VM running BI is bridged directly to my external network, and it's using my pfSense box as its gateway, so I wouldn't think so, but anything's possible I guess.

                                Jarhead @Elmojo

                                @elmojo Post a screenshot of your firewall rules.

                                  chpalmer @Elmojo

                                  @elmojo

                                  Did you do a packet capture on your LAN port? You do have a NAT forwarding rule??

                                  The WAN firewall rule should have the BI address as the destination address..

                                  wanrule1.jpg

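Added example, not part of any post in this thread: a small Python check that reads tcpdump summary lines like the WAN capture in the first post and reports, per client port, whether anything ever came back from port 81, which is what the LAN-side capture asked about above would settle. The LAN sample and its 192.168.1.50 address are constructed for illustration.

```python
import re
from collections import defaultdict

# WAN-side capture lines copied from the first post ("xx" is the poster's redaction).
WAN_CAPTURE = """\
22:27:16.922210 IP 174.203.212.230.7451 > 174.19.24.xx.81: tcp 0
22:27:16.922352 IP 174.203.212.230.7438 > 174.19.24.xx.81: tcp 0
22:27:16.992728 IP 174.203.212.230.7433 > 174.19.24.xx.81: tcp 0
22:27:17.792484 IP 174.203.212.230.7438 > 174.19.24.xx.81: tcp 0
22:27:17.792700 IP 174.203.212.230.7451 > 174.19.24.xx.81: tcp 0
22:27:18.032738 IP 174.203.212.230.7433 > 174.19.24.xx.81: tcp 0
22:27:18.462974 IP 174.203.212.230.7454 > 174.19.24.xx.81: tcp 0
"""

# Constructed LAN-side sample (192.168.1.50 is a made-up server address):
# what a working forward would look like, with the server answering.
LAN_CAPTURE_OK = """\
22:27:16.922301 IP 174.203.212.230.7451 > 192.168.1.50.81: tcp 0
22:27:16.922688 IP 192.168.1.50.81 > 174.203.212.230.7451: tcp 0
"""

LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp \d+$")

def summarize(capture, service_port):
    """Per client (ip, port): packets sent to the service and replies seen."""
    flows = defaultdict(lambda: {"sent": 0, "replies": 0})
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if dport == service_port:
            flows[(src, sport)]["sent"] += 1
        elif sport == service_port:
            flows[(dst, dport)]["replies"] += 1
    return dict(flows)

def verdict(flows):
    """Classify what the capture point saw for the forwarded port."""
    if not flows:
        return "nothing seen"
    if any(f["replies"] for f in flows.values()):
        return "answered"
    return "inbound only"

if __name__ == "__main__":
    for name, cap in (("WAN", WAN_CAPTURE), ("LAN (constructed)", LAN_CAPTURE_OK)):
        flows = summarize(cap, 81)
        repeats = sum(f["sent"] - 1 for f in flows.values() if f["sent"] > 1)
        print(f"{name}: {len(flows)} flows, {repeats} repeated packets, {verdict(flows)}")
```

Run it against captures from both interfaces: "inbound only" on WAN with "nothing seen" on LAN points at the pfSense forward or rule, while "inbound only" on LAN as well points at the server or its host firewall.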
                                    Elmojo @chpalmer

                                    @chpalmer I did, as noted in the OP, please see above for output.
                                    Do you mean it should be the BI LAN address for destination? That's not what the BI documentation says, but I'm willing to give it a try. Or do you mean it should be my external IP (WAN) address? That's what I have in there now, that doesn't work. My WAN for BI and for everything else is the same, it's all on the same physical network. Maybe I'm not understanding you properly, sorry. :/

                                      Elmojo

                                      I'm doing all this under NAT. Is that wrong? Should I just be adding a firewall rule directly? All the documentation I've found says to add the NAT entry, and let it populate the rule, but that screenshot you posted kinda looks like the rule screen....

                                      Does this help?
                                      NAT clip.jpg

                                        chpalmer @Elmojo

                                        @elmojo

                                        Destination should be "WAN Address".

                                        Is your Blue Iris set up to use port 81 on the host computer? Otherwise Redirect Target Port should be 80.

                                          chpalmer @Elmojo

                                          @elmojo

                                          natrule.jpg

                                            Elmojo @chpalmer

                                            @chpalmer said in Blue Iris Remote access?:

                                            Destination should be "WAN Address".
                                            Is your Blue Iris set up to use port 81 on the host computer? Otherwise Redirect Target Port should be 80.

                                            I had it set to WAN address previously, but I changed it based on the image you posted, which didn't seem to make any difference.
                                            Yes, port 81 is the correct port for BI remote access.
                                            Using the settings you show in the image above, I'm back to "connection refused" when I check port 81.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.