Can't pass traffic from Cam VLAN to a single Client on the LAN
-
I've created a couple of VLANs and have hit a snag on at least one of them (I think it's the same issue, so I'll start by focusing on just the one). I created a VLAN for just my IP cams. Everything works as expected: clients on the Cam VLAN cannot access the internet, but can access each other; LAN clients are able to access the Cam VLAN but not vice versa. However, my Blue Iris PC is currently on my LAN, so I need clients on the Cam VLAN to be able to access just this device. Here is my firewall rule for the Cam VLAN:
When I connect a PC to the Cam VLAN I am able to ping various other clients on the Cam VLAN and NOT the VLAN or the internet (which is great), but I also can't ping 10.10.10.7, which I need to be able to.
I don't think I need a NAT rule to fix this, but please correct me if that's wrong (some advice on inputting that rule would be appreciated as well). Please let me know if further info/screenshots would be helpful, but here are a few I believe to be pertinent:
-
@RickyBaker First, why not put the BI pc on the cam net? Kinda where it belongs.
Disable the top rule and see if it makes a difference. You don't list what the alias is, so it may be blocking a needed port.
-
What does the firewall log say, i.e. when you ping that Blue Iris server from a PC connected to the Cam VLAN?
And, to me it seems like you are allowing anyone on the Cam VLAN to access the internet via the last rule.
I don't see anything permitting DNS; could that be cheating you? (Re: internet access)
Most setups would use the pfSense as DNS server, and then you'd need to allow DNS access to the firewall LAN IP (TCP/UDP 53).
/Bingo
-
@Jarhead said in Can't pass traffic from Cam VLAN to a single Client on the LAN:
@RickyBaker First, why not put the BI pc on the cam net? Kinda where it belongs.
This is a great question and one I actually spent some time on. Blue Iris needs internet access and does long-term backup to the unraid server that resides on the LAN. It's already set up and working on the LAN. So I was thinking I either allow access from the Cam VLAN to the Blue Iris PC, or put the BI PC on the Cam VLAN and give Blue Iris access to the internet and the LAN. Felt like six of one, half a dozen of the other, but happy to be told differently.
Disable the top rule and see if it makes a difference. You don't list what the alias is, so it may be blocking a needed port.
I tried and was still blocked from accessing 10.10.10.7 from the Cam VLAN.
-
@bingo600 said in Can't pass traffic from Cam VLAN to a single Client on the LAN:
What does the firewall log say, i.e. when you ping that Blue Iris server from a PC connected to the Cam VLAN?
I don't see anything permitting DNS; could that be cheating you? (Re: internet access)
It could! Thank you for the suggestion!
Most setups would use the pfSense as DNS server, and then you'd need to allow DNS access to the firewall LAN IP (TCP/UDP 53).
So insert this after the first rule? Something like this:
-
My response to your comment about the last rule being too broad keeps getting flagged as spam...
@bingo600 wrote: And, to me it seems like you are allowing anyone on the Cam VLAN to access the internet via the last rule.
I don't currently have access to the internet on the Cam VLAN, but maybe that's because I don't have a NAT rule on that interface. Should I change this destination to Cam VLAN?
-
As Bingo says: we don't know.
If a cam on the CAMS network plays nicely, and uses DHCP to obtain an IP, DNS, gateway etc., it will know how to go to the internet, and where to go to find DNS.
If the cams are using static IP settings: go check them again?
Last image:
For clarity, the second rule, the 'permit DNS', should be placed on top. I would also include other ports, like 123 (NTP).
Then, for the remainder of the 'firewall destination' ports, in second place, a block rule. No alias needed, as all ports can be blocked.
The third rule: if 10.10.10.7 is a device on your LAN, then all traffic to 10.10.10.7 will go to that device. No NAT or whatever needed.
Something to check: the 10.10.10.7: does it accept traffic? It's often seen that it accepts only traffic from devices on its own network, 10.10.10.x, and nothing else. Activate the 'from everywhere'.
You can also use the Diagnostics > Packet Capture tool.
Select LAN as an interface.
And 10.10.10.7 as the destination.
And ICMP as the protocol.
Now ping from your cams net to 10.10.10.7. I bet you see the packets arrive at the LAN, and then knock on 10.10.10.7.
-
Sorry for the delay, my daughter "graduated" kindergarten and it was surprisingly involved :)
@Gertjan said in Can't pass traffic from Cam VLAN to a single Client on the LAN:
If a cam on the CAMS network plays nicely, and uses DHCP to obtain a IP, DNS, gateway etc, it will know how to go to the internet, and where to go to find DNS.
If the cams are using static IP settings: go check them again?
You're speaking here about my question about why my Cam VLAN doesn't have access to the internet but seems to have a wide-open rule? I found with both this and the IoT VLAN that internet access didn't work without a NAT rule. Not sure why, but that was the fix when troubleshooting the opposite issue with the IoT VLAN, so I simply didn't create a NAT rule for the Cam VLAN, and I'm definitely not able to ping outside on the WAN as it stands now. I'm only pinging the IP address that I know it's gotten, but that I've statically assigned through the DHCP server. However, when I connect to the Cam VLAN network on my PC it gets an IP assigned from the dynamic pool of the DHCP server. I'm not 100% sure how to test "DNS, gateway etc." but I know it doesn't get out to the internet, and everything is working outside of being able to access 10.10.10.7 by IP, at least.
@Gertjan said in Can't pass traffic from Cam VLAN to a single Client on the LAN:
Last image :
For clarity, the second rule, the 'permit DNS', should be placed on top. I would also include other ports, like 123 (NTP).
So ports 53 and 123, anything else? Seems I need to make an alias with all the, let's call it, Firewall_Allow_Ports, so I want to add them all. And I think I'll leave the Firewall_Service_Ports alias in there since it seems to be working (contains just 24/SSH and 443/WebUI), but tell me please if that's inadvisable.
Then, for the remainder of the 'firewall destination' ports, in second place, a block rule. No alias needed, as all ports can be blocked.
OK, I'll move it up and test, but to be clear, I'm not using network names, just the local IPs, and I'm still unable to ping a local IP when connected to the Cam VLAN.
What do you mean by no alias needed? Just block every port in the new second rule to "This Firewall" (all ports remaining after the first rule)?
@Gertjan said in Can't pass traffic from Cam VLAN to a single Client on the LAN:
The third rule: if 10.10.10.7 is a device on your LAN, then all traffic to 10.10.10.7 will go to that device. No NAT or whatever needed.
Something to check: the 10.10.10.7: does it accept traffic? It's often seen that it accepts only traffic from devices on its own network, 10.10.10.x, and nothing else. Activate the 'from everywhere'.
This makes sense. I suppose I've never actually tested whether I was able to ping it from ANY other VLAN before, 'cause this is my first non-mDNS attempt at cross-VLAN communication. I can access it when connected through VPN, if that matters to diagnosing. Where exactly am I enacting "from everywhere"? In Windows on the Blue Iris PC or...?
Are the next 4 lines, starting with the reference to the Packet Capture tool, describing how I can test if it's open to accepting connections from outside its home network (the LAN)? I'll need to try when I'm able to connect to the Cam VLAN.
-
As @Gertjan said, the CamBox on LAN could have some blocking if a packet arrives from another subnet.
I'd prob. temporarily allow something else (on LAN) to be pinged from CamLAN to LAN.
I.e. a Linux or Windows machine (with ICMP allowed).
And try to ping that one from CamLAN.
If that works, then you know it's the CamBox on LAN that doesn't answer.
/Bingo
-
@bingo600 said in Can't pass traffic from Cam VLAN to a single Client on the LAN:
I'd prob. temporarily allow something else (on LAN) to be pinged from CamLAN to LAN.
Ahhh shoot, I didn't get a notification that there was a response. I plan on a host of troubleshooting attempts tonight, then will report back...
-
I believe you were right!
I haven't fully looked at the packet capture, but I copied my rule that (doesn't) allow access to the Blue Iris PC and changed the IP to my unraid box, and was able to ping it when I switched my PC to the Cam VLAN. Soooo it's something inside the Windows 10 interface?
-
Does anyone have any suggestions for allowing the entirety of the Cam VLAN to my Blue Iris box? The instructions I've found online seem to imply I need to pick an app to allow through, when I don't know how (nor currently want) to be that specific.
edit: completely disabling the Windows firewall on the Blue Iris PC allowed me to finally ping it from the Cam VLAN, so it's almost certainly the culprit, but disabling seems like overkill...
-
@RickyBaker said in Can't pass traffic from Cam VLAN to a single Client on the LAN:
completely disabling the windows firewall on the Blue Iris PC allowed me
I assume you have already allowed incoming on ports 80, 81 on the Blue Iris PC Windows firewall. May also need to disable "LAN only" access in Blue Iris.
-
@Patch I have not; tbh I've never really done any editing of the Windows Firewall, and when I tried I got pretty intimidated. What exactly am I allowing?
edit: for instance, is this even where I should be? What would I put in for program et al? I just want to allow everything from the Cam VLAN into this particular PC.
-
@RickyBaker
How you do it will depend on what antivirus / firewall you run on that PC, but the underlying mechanism is likely ultimately to be the Windows firewall.
Open the ports to start with.
You can make it more specific by limiting it to the Blue Iris exe later if you want.
This post has a more general view of the ports used: https://ipcamtalk.com/threads/whitelist-firewall-settings-for-blueiris.48058/
-
@Patch thanks for the link. I'll check it out. If the Blue Iris PC never leaves my LAN/house and is always behind pfSense, is it still irresponsible to simply disable the Windows firewall for private networks?
-
@RickyBaker said in Can't pass traffic from Cam VLAN to a single Client on the LAN:
is it still irresponsible to simply disable the Windows firewall
Your device firewall is part of your antivirus protection. People have different ideas on the value of AV. I do not disable the AV on my computers.
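-
The thread ends with the Windows firewall on the Blue Iris PC identified as the blocker, and with the question of whether to just switch it off for the Private profile. The following is an added example from the editor, not code anyone posted in the thread, showing the alternative Patch describes: allow only the Blue Iris ports and ICMP echo inbound, and only from the camera VLAN, so the firewall stays on. Assumptions not stated in the thread: the camera VLAN is 10.10.20.0/24, Blue Iris listens on TCP 80 and 81 (the ports Patch names), and the rule group name is arbitrary. Run it in an elevated PowerShell session on the Blue Iris PC.

```powershell
# Added example (not from the thread): scope Windows Firewall inbound rules on the
# Blue Iris PC to the camera VLAN instead of turning the firewall off.
# Assumptions (not stated in the thread): the camera VLAN is 10.10.20.0/24 and
# Blue Iris serves on TCP 80 and 81. Adjust both to match your network.

$CamVlan   = '10.10.20.0/24'        # assumed camera VLAN subnet
$BiPorts   = @(80, 81)              # Blue Iris web/UI ports named in the thread
$RuleGroup = 'Blue Iris (Cam VLAN)' # arbitrary group name, used to find/remove the rules

# Remove earlier copies so the script is safe to re-run.
Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# 1. Blue Iris web/stream ports, inbound, only from the camera VLAN.
#    RemoteAddress is what makes this narrower than the "any network" hole the
#    wizard-style dialog in the thread would have created.
New-NetFirewallRule -DisplayName 'Blue Iris web from Cam VLAN' `
    -Group $RuleGroup -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $BiPorts -RemoteAddress $CamVlan `
    -Profile Private,Domain | Out-Null

# 2. ICMPv4 echo request (type 8) from the camera VLAN, so the ping test used in
#    the thread works without answering pings from every other subnet.
New-NetFirewallRule -DisplayName 'Blue Iris ping from Cam VLAN' `
    -Group $RuleGroup -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $CamVlan `
    -Profile Private,Domain | Out-Null

# Show the resulting rules with their remote-address scope, so you can confirm
# they are limited to the camera VLAN and not 'Any'.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name          = $_.DisplayName
        Enabled       = $_.Enabled
        Protocol      = $port.Protocol
        LocalPort     = ($port.LocalPort -join ',')
        RemoteAddress = ($addr.RemoteAddress -join ',')
        Profile       = $_.Profile
    }
} | Format-Table -AutoSize

# The Private profile stays enabled with its default inbound action (Block);
# the two rules above are the only exceptions added for the camera VLAN.
Get-NetFirewallProfile -Name Private | Select-Object Name, Enabled, DefaultInboundAction
```

From a PC on the camera VLAN, `Test-NetConnection 10.10.10.7 -Port 81` should then report `TcpTestSucceeded : True` and `ping 10.10.10.7` should answer, while the same tests from a host outside 10.10.20.0/24 should still be dropped by the PC unless some other rule permits them. The "LAN only" option inside Blue Iris that Patch mentions is a separate, application-level check; these Windows rules do not change it.
-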