Wireless Webcam Access to Wired NAS
-
I don’t know that much about networking; more theory than practical application. I have a question about routing data from one network interface to another network interface. I currently have a fresh install of pfSense 2.3.2-RELEASE-p1 (amd64).
My wired lan is on an interface configured with a 192.168.1 network.
My wireless lan is on an interface configured with a 192.168.2 network.
I have a wired NAS on the 192.168.1 network.
I have a wireless webcam on the 192.168.2 network.
I would like to have the wireless webcam record to a path on my wired NAS; yes, the wireless webcam has this functionality.
Even though the NAS and webcam are configured with static IPs, I’ve also set DHCP Static Mappings, I guess you might call them DHCP reservations, for the devices as well. (I read it in a post somewhere to do this).
From the Firewall | Rules | WLAN section, I created a rule to-
Action: Pass
Disabled: unchecked
Interface: WLAN (wireless lan)
Address Family: IPv4
Protocol: Any
Source: Single host or alias, 192.168.2.100
Destination: Single host or alias, 192.168.1.130
From the Firewall | Rules | LAN section, I created a rule to-
Action: Pass
Disabled: unchecked
Interface: LAN (wired lan)
Address Family: IPv4
Protocol: Any
Source: Single host or alias, 192.168.2.100
Destination: Single host or alias, 192.168.1.130
I’ve checked and re-checked the NAS path including the username and password. There is no data being recorded to the NAS.
Obviously I have something configured incorrectly. Anyone have any ideas? Any suggestions would be helpful. Thanks.
-
> Even though the NAS and webcam are configured with static IPs, I’ve also set DHCP Static Mappings, I guess you might call them DHCP reservations, for the devices as well. (I read it in a post somewhere to do this).

This seems strange and duplicative to me. It's one or the other, although I'm no network engineer either. Personally, I would never do both DHCP and static. The first thing I would do in your shoes is get rid of the static DHCP mappings.
> From the Firewall | Rules | WLAN section, I created a rule to-
> Action: Pass
> Disabled: unchecked
> Interface: WLAN (wireless lan)
> Address Family: IPv4
> Protocol: Any
> Source: Single host or alias, 192.168.2.100
> Destination: Single host or alias, 192.168.1.130

This looks good to me. It allows all IPv4 traffic from the webcam (2.100) to the NAS (1.130), which should work. (Could potentially tighten it down further if you know the Destination Port the NAS is listening on. Whatever the CIFS/SAMBA port is… But it's too early to tighten this rule down until everything is working.)
In the future if you have more than one webcam you can create an alias (Firewall | Aliases) called "Webcams" and add all the static IP addresses of the webcams. Then in your firewall rule (like above), you can change the Source to the new "Webcams" alias instead of 192.168.2.100.
Anyways, the thing I would double check with the above rule is make sure Logging is enabled at least until everything works. You can also look at the firewall logs and see if any traffic is being blocked coming from your webcam. If there's no traffic coming from your webcam, then that helps you narrow down the issue.
> From the Firewall | Rules | LAN section, I created a rule to-
> Action: Pass
> Disabled: unchecked
> Interface: LAN (wired lan)
> Address Family: IPv4
> Protocol: Any
> Source: Single host or alias, 192.168.2.100
> Destination: Single host or alias, 192.168.1.130

I don't think this rule is necessary (it's kind of backwards). Any traffic from 192.168.2.* will be physically going through your WAP, which is physically connected to the WLAN interface (192.168.2.1), so that's where the rule should be.
> I’ve checked and re-checked the NAS path including the username and password. There is no data being recorded to the NAS.
> Obviously I have something configured incorrectly. Anyone have any ideas? Any suggestions would be helpful. Thanks.

What really helps me when troubleshooting a new firewall rule is I turn on "Logging" for the rule, at least so I can test it and watch if the rule triggers. If it does, then the rule works, and I can turn off Logging if I don't want to see it.
-
There might be another issue going on that's not related to the firewall. Either on the NAS side or the webcam side. Is there a way you can connect your webcam using Ethernet to the LAN interface (at least a switch on the LAN interface) and see if it can talk to the NAS directly? That eliminates the middleman.
-
Is the NAS protocol set up? Usually CIFS/SAMBA, Apple, and some others like FTP or SSH/SFTP.
-
It could also be a share or permissions error on the NAS, or a typo in the username/password entered on the webcam config. I know you said you checked the username/password is typed correctly in the webcam, but have you tested that username/password from your computer to see if that account has permissions?
-
It could be a DNS issue. Like, on the webcam, there's probably somewhere you have to type a UNC or FQDN path to the NAS share, so if you put "\NAS\Security Cams" or whatever the folder is, maybe the webcam has no clue how to resolve the "NAS" hostname because it doesn't know where the DNS server is (192.168.2.1) or the gateway (192.168.2.1).
-
Are the static IP settings on both the NAS and webcam perfect? Subnet mask listed as /24 or 255.255.255.0 (or whatever). The DNS/gateway IP addresses are different, too. The LAN's gateway and DNS server is probably 192.168.1.1, and the WLAN gateway and DNS server is probably 192.168.2.1.
-
The NAS path could be in the wrong format. Instead of NAS\Folder maybe it needs \NAS\Folder. Also, sometimes spaces aren't parsed correctly, so quotation marks may be necessary. So \NAS\My Folder should be "\NAS\My Folder". Also, sometimes the format is something like smb://NAS/Folder or cifs://NAS/Folder.
-
Some webcam firmwares may be crappy and not understand symbols in the password. So if your password is fl$oP4%, it won't work. Also, some firmwares may have a hidden password length limit that they don't tell you about, so if your password is like 16 characters and the webcam can only secretly handle 10 characters, it'll truncate and just not tell you about it.
-
Also, in your Services | DNS Forwarder or Services | DNS Resolver settings (whichever one you're using), make sure the checkboxes are checked for:
- "DHCP Registration" Register DHCP leases in DNS forwarder
- "Static DHCP" Register DHCP static mappings in DNS forwarder
Also in your DNS Settings, make sure where it says "Interfaces" that both LAN and WLAN are selected (unless "All" is already selected). Maybe when you made the custom WLAN interface, the DNS settings weren't updated to listen to DNS requests coming from your WLAN devices.
-
Yet more DNS stuff, but maybe the webcam doesn't append your domain to the hostname, so if your NAS is called "NAS" for instance, it really needs to say "NAS.localdomain" in the folder path that you put in the webcam settings. So something like "\NAS.localdomain\My Folder".
-
-
What are your webcam IP and your nas IP?
Your lan default is any any.. If your webcam is creating the connection to send data to the nas, which would seem logical. You need a rule on your wireless lan to allow that. So what is the IP of the nas? 192.168.1.130
What other rules do you have on your wireless? I don't see any rules to allow for dns? Does the webcam find the nas via IP?
And your rule lan is backwards anyway..
Rules are evaluated on the interface traffic enters the firewall, top down first rule to trigger wins. In no scenario would traffic enter your lan interface from a source of 192.168.2
Why don't you just make your rules on your wireless any any like your lan.. You can then lock it down after you know it's working at all.
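
The evaluation order described in the post above, as an added example that is not part of the original thread: a simplified Python model of per-interface, first-match rule evaluation using the thread's subnets and addresses. The rule labels, the default LAN allow rule and the helper names are assumptions made for illustration, not pfSense code.

```python
import ipaddress
from dataclasses import dataclass

# Interface subnets are the ones given in the thread.
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "WLAN": ipaddress.ip_network("192.168.2.0/24"),
}

@dataclass
class Rule:
    action: str  # "pass" or "block"
    src: str     # host, CIDR network, or "any"
    dst: str
    label: str   # hypothetical description, not a pfSense field

def _matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def ingress_interface(src):
    """Interface a packet arrives on, derived from the sender's subnet."""
    ip = ipaddress.ip_address(src)
    return next((name for name, net in INTERFACES.items() if ip in net), None)

def evaluate(rulesets, src, dst):
    """First matching rule on the ingress interface wins; no match means block."""
    iface = ingress_interface(src)
    for rule in rulesets.get(iface, []):
        if _matches(rule.src, src) and _matches(rule.dst, dst):
            return iface, rule.action, rule.label
    return iface, "block", "default deny"

def unreachable_rules(rulesets):
    """Rules whose source can never arrive on the interface they are attached to."""
    return [(iface, r.label) for iface, rules in rulesets.items() for r in rules
            if r.src != "any"
            and not ipaddress.ip_network(r.src).overlaps(INTERFACES[iface])]

# Simplified model of the rules from the first post plus a default LAN allow rule.
RULESETS = {
    "WLAN": [Rule("pass", "192.168.2.100", "192.168.1.130", "webcam to NAS")],
    "LAN": [
        Rule("pass", "192.168.2.100", "192.168.1.130", "webcam to NAS (misplaced)"),
        Rule("pass", "192.168.1.0/24", "any", "default allow LAN to any"),
    ],
}

if __name__ == "__main__":
    print(evaluate(RULESETS, "192.168.2.100", "192.168.1.130"))
    print(unreachable_rules(RULESETS))
```

The model ignores connection state: pfSense is stateful, so the NAS's replies to the webcam are passed by the state the WLAN rule creates and need no rule on LAN.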
-
> I’ve also set DHCP Static Mappings, I guess you might call them DHCP reservations, for the devices as well. (I read it in a post somewhere to do this).

The normal practice when using a static address is to use one outside of the DHCP pool, to avoid conflict. There are mechanisms to ensure a DHCP server doesn't hand out an address that's already in use, but it's still best to keep things separate. Mapping an address will keep the DHCP server from handing out that address to another device.
-
Finger79 - Thank you for the in-depth response. I appreciate your time.
- I felt the same way when I read in another post, I can’t remember where, why I should be setting a DHCP Static Mapping when my devices already have a static IP address set in the devices themselves and those addresses are outside of any DHCP pool. I will remove the LAN and WLAN static mappings.
- The reason I set a Protocol of any on the WLAN was an attempt to find what protocol the cam will use to access/record data to the NAS so that I could set just that protocol.
- Thanks for the direction on the Firewall | Aliases. Great idea since I will be adding more webcams. Very useful! Interestingly though, I created an alias for Webcams adding the host’s IP addresses in the IP tab. When I go to Firewall | Rules | WLAN | Add, I don’t see the Webcams alias in the Source dropdown. Any ideas?
- Where would I enable logging at and find the log?
- I’ve removed the wired LAN rule as you suggested.
- I will check all of the NAS and webcam settings again using your suggestions.
- In the Services | DNS Resolver settings, I’ve checked both entries you suggest. As well, the Network Interfaces and Outgoing Network Interfaces are set to All.
johnpoz - Thank you for the response too.
- LAN Interface: 192.168.1.1/24
- WLAN Interface: 192.168.2.1/24
- Wireless access point: 192.168.2.2 (static)
- webcam IP: 192.168.2.100 (static)
- NAS IP: 192.168.1.130 (static)
- The only other rule on the WLAN is:
Action: Pass
Disabled: unchecked
Interface: WLAN
Address Family: IPv4
Protocol: any
Source: WLAN net
Destination: any
- The wired LAN rules are now just the default pfSense installation rules. I just deleted the LAN rule for the wireless.
- I’ll try the any any rule on WLAN as you suggested.
- I do know the webcam is authenticating to the wireless access point as I’m receiving emails from motion triggered events.
JKnott - Thank you for the response as well.
- When I initially created a Static Mapping, the IPs for my devices were outside the DHCP pool. Those static mappings are now deleted.
-
> - Thanks for the direction on the Firewall | Aliases. Great idea since I will be adding more webcams. Very useful! Interestingly though, I created an alias for Webcams adding the host’s IP addresses in the IP tab. When I go to Firewall | Rules | WLAN | Add, I don’t see the Webcams alias in the Source dropdown. Any ideas?

In the firewall rule, the Source is still "Single host or alias" then in the Source Address field, just start typing the name of the alias. It'll then populate with all the possible choices.

> - Where would I enable logging at and find the log?

There's a section called "Extra Options" in every firewall rule. Check the checkbox for "Log packets that are handled by this rule."
-
Well if you're getting emails.. Then seems more like an issue with access to your nas vs any sort of firewall rule. Why don't you just sniff and see if the webcam even tries to talk to your nas?
Since you set up your IP static, you sure you set up your gateway correct on both devices? What happens if you use a laptop on your wlan and try and access your nas?
-
Finger79 - I was able to find my Webcams alias in the firewall rules with your directions. Very nice. I was also able to find how to log the packets as well. Thank you.
johnpoz -
- The gateway for my LAN is 192.168.1.1 which I have set in the NAS.
- The gateway for my WLAN is 192.168.2.1 which I have set in the webcam and also as the primary DNS server IP address in the webcam.
- I'm able to get to my NAS by wired LAN.
- I tried connecting to my NAS with my laptop on my WLAN and wasn't able to reach it or ping it.
- I was able to ping my pfSense WLAN interface/gateway of 192.168.2.1 from my WLAN connected laptop.
- I was able to ping my pfSense LAN interface/gateway of 192.168.1.1 from my WLAN connected laptop.
-
Post up PICTURES of your wlan rules!!
Can the nas ping stuff on your wlan network that is either wired or wireless? Also keep in mind any software firewalls running on nas or laptop that prevents connectivity from outside local network.
-
- I attached a pic of my WLAN rules as you requested.
- I will have to SSH into my NAS to be able to ping out to the WLAN.
- I was able to ping from my LAN computers to my WLAN Roku. Nothing blocking there.
![firewall - rules - wlan.jpg](/public/imported_attachments/1/firewall - rules - wlan.jpg)
-
johnpoz -
- After a bit of testing, I was able to confirm that I can ping from my NAS to the wireless webcam with no issues.
- Should the gateway setting in the wireless webcam be 192.168.2.1 or 192.168.1.1? I have it set to 192.168.2.1.
-
You do understand you're allowing to .130 is completely pointless since you have an any any rule on your wlan..
As to your gateway. How could the webcam gateway be 192.168.1.1 if it's in the 192.168.2 network…
Dude pfsense is not doing anything with your writing files to your nas.. Why don't you sniff on pfsense and see what is happening, is it even trying to write the files - is it getting access denied, etc..
-
@jimen85 you're posting in a thread that's playing dead for 2 years now .... that like : subject closed.
Also : If you understand that "the Webcam with ip can only be used from the PC" why are you asking if the same webcam can be accessed from "mobile phone or other device as a tablet".
If the webcam can only be accessed from the "PC", then that's it : only that PC, not the tablet or mobile phone.
If things are not clear : open your own post, detail your situation and the forum members will reply.