PfSense stopping my IP security camera from working correctly :(
-
Is the Linksys AP an actual AP or a router that you are using as an AP?
-
It's a WRT that only has the switch LAN ports used, which serves as an AP. I flashed it a few times with different firmware, but the Linksys stock firmware connected to my RADIUS server to run WPA2 Enterprise does the trick for me.
-
Are you absolutely sure the dhcp server on it is shut off?
-
110% sure it's turned off. Plus the only DHCP services are on my Windows server AND the camera is set with a static IP. Trust me, I wish it was something that simple :(
-
We had a D-Link we used this way. The DHCP server would turn on by itself sometimes for no reason… So you always gotta ask. If it gave something else on the network the .200 address then things would be a mess.
-
I don't know if it's significant to the problem under discussion, but in the second trace it appears the camera pings the specified gateway. (Perhaps you told it to, but you didn't say that.)
In the first trace the camera issues an ARP request to find the MAC address of the gateway and gets no response.
If you didn't tell the camera to ping the gateway then it might be worth adding a firewall rule to pfSense to block ping requests from the camera to see if that makes a difference. If blocking the ping requests makes a difference then I think it would be worth heavily leaning on the camera tech support for an explanation.
The second trace shows an alive TCP connection between the camera http server (port 80) and 192.168.5.147 which doesn't seem to appear in your diagram. What is that system? Should it be sending something back?
-
The camera system log reports a probe attempt on the gateway - perhaps that ping I mentioned earlier is significant.
The camera log also reports use of iptables which, if I recall correctly, is one type of Linux firewall. Is there something strange about those rules?
What is the version of pfSense you are using? You mention 1.2.2 which I presume is what you mean by "the current version". Do you see different behaviour with one of the 1.2.3 snapshot builds?
-
Do you have pfSense set to suppress arp broadcasts?
System = Advanced = Shared Physical Network (This will suppress ARP messages when interfaces share the same physical network)
-
Ok after reading the posts these are the results from my testing this morning:
Info:
192.168.5.147 is just the DHCP IP assigned to my test machine that I am attempting to access the camera with. The appearance of that IP in the trace is just me trying to see if the camera loads in my browser on the test machine. iptables is/was an older Linux firewall that I believe was replaced by ipchains. The camera is built on top of BusyBox, which is a tiny Linux distro for embedded systems, and sadly I do not have any access to the shell to check or change any of the system stuff like the firewall. It seems that it configures some iptables rules based on what it finds when it starts up. I have to assume it is finding something it does not like when it talks to pfSense and makes a rule blocking port 80, which makes NO! sense at all…
I spoke to the tech support people, who are 100% useless and know less than I do about their own product. They only have troubleshooting docs for small home setups with a single Linksys/D-Link/whatever home router. When I explained my network details they just seemed to get very confused. The only solution they offered was to downgrade the firmware, which would work, but I would lose the features I want. Or I could return the camera, and they could care less since they plan on getting out of the camera business in the next year or so. Looks like they have no clue wtf their device is doing or how it works with the new firmware. I am on my own over here :(
1. Loaded the snapshot of 1.2.3 VM into my server and it did not resolve my issue. I could not see any difference in the way it was dealing with the camera from the packet capture.
2. Suppress ARP broadcasts was not enabled, and turning it on does not appear to resolve the issue.
3. Attempt to block the ping from the camera to the router:
This seems like it should work, but I seem to be having problems with setting the rule. I went to Firewall -> Rules -> LAN and added a rule to block all ICMP traffic from 192.168.5.200 to any device... Hell, I even made a 2nd rule to block all ICMP from 192.168.5.1 TO 192.168.5.200. I also tried rebooting the router after applying the rules... but it still seems to be replying back and I can't figure out what I am doing wrong. Here is the capture:
11:20:02.638895 arp who-has 192.168.5.1 (ff:ff:ff:ff:ff:ff) tell 192.168.5.200
11:20:02.638953 arp reply 192.168.5.1 is-at 00:0c:29:a8:ac:0e
11:20:03.999850 IP 192.168.5.200 > 192.168.5.1: ICMP echo request, id 58880, seq 0, length 84
11:20:03.999976 IP 192.168.5.1 > 192.168.5.200: ICMP echo reply, id 58880, seq 0, length 84
11:20:09.152778 IP 192.168.5.200 > 224.0.0.22: igmp
11:20:09.235169 IP 192.168.5.200.1025 > 239.255.255.250.1900: UDP, length 137
11:20:09.416343 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 145
11:20:09.681894 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 145
11:20:09.954680 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 145
11:20:10.387143 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 283
11:20:11.243418 IP 192.168.5.200.1025 > 239.255.255.250.1900: UDP, length 132
11:20:11.407955 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 283
What am I doing wrong to not correctly block the ping?
-
From the look of your network diagram, pfSense doesn't have exclusive use of the LAN interface. It looks as if it is shared with Windows. MAYBE Windows is answering the ping. (I have no knowledge of the workings of the Windows VM host.) To check this you could do a trace on pfSense and see if the pings show up. (The trace is done BEFORE application of firewall rules.)
I haven't tried to block pings with pfSense firewall rules. I'd be surprised if pfSense didn't allow that.
Oh, and just to check all the details: the MAC address in the ARP response for 192.168.5.1 is the correct MAC address?
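A small checker for captures in the tcpdump text format posted in this thread, covering the two things the replies above look for: ARP who-has requests from the camera that never get an answer (the first trace) and ICMP echo requests that still get a reply after the block rule (the second capture). This is an added example, not code from the thread; the sample capture is constructed, and the camera and gateway addresses are parameters.

```python
import re

# Constructed sample in the same tcpdump format as the capture posted in this
# thread; one extra unanswered ARP request is appended to exercise that case.
SAMPLE_CAPTURE = """\
11:20:02.638895 arp who-has 192.168.5.1 (ff:ff:ff:ff:ff:ff) tell 192.168.5.200
11:20:02.638953 arp reply 192.168.5.1 is-at 00:0c:29:a8:ac:0e
11:20:03.999850 IP 192.168.5.200 > 192.168.5.1: ICMP echo request, id 58880, seq 0, length 84
11:20:03.999976 IP 192.168.5.1 > 192.168.5.200: ICMP echo reply, id 58880, seq 0, length 84
11:20:09.152778 IP 192.168.5.200 > 224.0.0.22: igmp
11:20:12.000000 arp who-has 192.168.5.1 (ff:ff:ff:ff:ff:ff) tell 192.168.5.200
"""

ARP_REQ = re.compile(r"arp who-has (\S+) \(\S+\) tell (\S+)$")
ARP_REP = re.compile(r"arp reply (\S+) is-at (\S+)$")
ICMP_ECHO = re.compile(r"IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")


def analyze(capture, camera_ip, gateway_ip):
    """Pair camera->gateway ARP and ICMP requests with the gateway's answers."""
    pending_arp = 0        # who-has requests from the camera not yet answered
    pending_echo = set()   # (id, seq) of echo requests not yet answered
    result = {"gateway_mac": None, "answered_pings": 0,
              "unanswered_pings": 0, "unanswered_arp": 0}
    for line in capture.splitlines():
        if m := ARP_REQ.search(line):
            if m.group(1) == gateway_ip and m.group(2) == camera_ip:
                pending_arp += 1
        elif m := ARP_REP.search(line):
            if m.group(1) == gateway_ip:
                # Record the MAC the gateway claims so it can be compared
                # against the interface's real hardware address.
                result["gateway_mac"] = m.group(2)
                pending_arp = max(pending_arp - 1, 0)
        elif m := ICMP_ECHO.search(line):
            src, dst, kind, ident, seq = m.groups()
            if kind == "request" and (src, dst) == (camera_ip, gateway_ip):
                pending_echo.add((ident, seq))
            elif kind == "reply" and (src, dst) == (gateway_ip, camera_ip):
                if (ident, seq) in pending_echo:
                    pending_echo.discard((ident, seq))
                    # A reply here means the ICMP block rule is not taking
                    # effect on the path where this capture was taken.
                    result["answered_pings"] += 1
    result["unanswered_arp"] = pending_arp
    result["unanswered_pings"] = len(pending_echo)
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE, "192.168.5.200", "192.168.5.1"))
```

Run it over a capture taken on the pfSense interface itself and one taken on the test machine: if pings are answered in the latter but absent from the former, something other than pfSense is replying on that segment.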
-
I will have to mess with trying to find a way to block that ping. I use VMware Server, and the way my server is configured pfSense has 100% unfiltered control over that network card and Windows does not really even see it as a working card. The MAC address is correct and I am still scratching my head over here :(
The only thing that I could try is to match the hardware MAC (true MAC address) with the virtual MAC address, since pfSense does not share the interface with any other OS. But seriously, I want to choke the tech support people because it worked perfectly until they changed the firmware to do something funky at startup… no fun :(