Netgate Discussion Forum

    PfSense stopping my IP security camera from working correctly :(

    • chpalmer

      Is the Linksys AP an actual AP or a router that you are using as an AP?

      Triggering snowflakes one by one..
      Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

      • BrannFenix

        It's a WRT that only has the switch LAN ports used which serves as an AP.  I flashed it a few times with different firmware, but the Linksys stock connected to my RADIUS server to run WPA2 Enterprise does the trick for me.

        • chpalmer

          Are you absolutely sure the dhcp server on it is shut off?

          • BrannFenix

            110% sure it's turned off.  Plus the only DHCP services are on my Windows server AND the camera is set with a static IP.  Trust me I wish it was something that simple :(

            • chpalmer

              We had a D-Link we used this way. The DHCP server would turn on by itself sometimes for no reason…  So always gotta ask. If it gave something else on the network the .200 address then things would be a mess..

              • wallabybob

                I don't know if it's significant to the problem under discussion, but in the second trace it appears the camera pings the specified gateway. (Perhaps you told it to, but you didn't say that.)

                In the first trace the camera issues an ARP request to find the MAC address of the gateway and gets no response.

                If you didn't tell the camera to ping the gateway then it might be worth adding a firewall rule to pfSense to block ping requests from the camera to see if that makes a difference. If blocking the ping requests makes a difference then I think it would be worth heavily leaning on the camera tech support for an explanation.

                The second trace shows an alive TCP connection between the camera http server (port 80) and 192.168.5.147 which doesn't seem to appear in your diagram. What is that system? Should it be sending something back?

                • wallabybob

                  The camera system log reports a probe attempt on the gateway - perhaps that ping I mentioned earlier is significant.

                  The camera log also reports use of iptables which, if I recall correctly, is one type of Linux firewall. Is there something strange about those rules?

                  What is the version of pfSense you are using? You mention 1.2.2 which I presume is what you mean by "the current version". Do you see different behaviour with one of the 1.2.3 snapshot builds?

                  • chpalmer

                    Do you have pfSense set to suppress ARP broadcasts?

                    System = Advanced = Shared Physical Network (This will suppress ARP messages when interfaces share the same physical network)

                    • BrannFenix

                      Ok after reading the posts these are the results from my testing this morning:

                      Info:
                      192.168.5.147 is just the DHCP IP assigned to my test machine that I am attempting to access the camera with.  The appearance of that IP in the trace is just me trying to see if the camera loads in my browser on the test machine.  iptables is/was an older Linux firewall that I believe was replaced by ipchains.  The camera is built on top of BusyBox, which is a tiny Linux distro for embedded systems, and sadly I do not have any access to the shell to check or change any of the system stuff like the firewall.  It seems that it configures some iptables rules based on what it finds when it starts up.  I have to assume it is finding something it does not like when it talks to pfSense and makes a rule blocking port 80, which makes NO! sense at all…
                      I spoke to the tech support people that are 100% useless and know less than I do about their own product.  They only have troubleshooting docs for small home setups with a single Linksys/D-Link/whatever home router.  When I explained my network details they just seemed to get very confused.  The only solutions they offered were to downgrade the firmware, which would work, but I would lose the features I want.  Or I could return the camera, and they could care less since they plan on getting out of the camera business in the next year or so.  Looks like they have no clue wtf their device is doing or how it works with the new firmware. I am on my own over here :(

                      1.  Loaded the snapshot of 1.2.3 VM into my server and it did not resolve my issue.  I could not see any difference in the way it was dealing with the camera from the packet capture.

                      2.  Suppress ARP broadcasts was not enabled and turning it on does not appear to resolve the issue.

                      3.  Attempt to block the ping from the camera to the router:
                      This seems like it should work, but I seem to be having problems with setting the rule.  I went to Firewall -> Rules -> LAN and added a rule to block all ICMP traffic from 192.168.5.200 to any device... Hell I even made a 2nd rule to block all ICMP from 192.168.5.1 TO 192.168.5.200.  I also tried rebooting the router after applying the rules... but it still seems to be replying back and I can't figure out what I am doing wrong.  Here is the capture:

                      11:20:02.638895 arp who-has 192.168.5.1 (ff:ff:ff:ff:ff:ff) tell 192.168.5.200
                      11:20:02.638953 arp reply 192.168.5.1 is-at 00:0c:29:a8:ac:0e
                      11:20:03.999850 IP 192.168.5.200 > 192.168.5.1: ICMP echo request, id 58880, seq 0, length 84
                      11:20:03.999976 IP 192.168.5.1 > 192.168.5.200: ICMP echo reply, id 58880, seq 0, length 84
                      11:20:09.152778 IP 192.168.5.200 > 224.0.0.22: igmp
                      11:20:09.235169 IP 192.168.5.200.1025 > 239.255.255.250.1900: UDP, length 137
                      11:20:09.416343 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 145
                      11:20:09.681894 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 145
                      11:20:09.954680 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 145
                      11:20:10.387143 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 283
                      11:20:11.243418 IP 192.168.5.200.1025 > 239.255.255.250.1900: UDP, length 132
                      11:20:11.407955 IP 192.168.5.200.5353 > 224.0.0.251.5353: UDP, length 283

                      What am I doing wrong to not correctly block the ping?

                      • wallabybob

                        From the look of your network diagram, pfSense doesn't have exclusive use of the LAN interface. It looks as if it is shared with Windows. MAYBE Windows is answering the ping. (I have no knowledge of the workings of the Windows VM host.) To check this you could do a trace on pfSense and see if the pings show up. (The trace is done BEFORE application of firewall rules.)

                        I haven't tried to block pings with pfSense firewall rules. I'd be surprised if pfSense didn't allow that.

                        Oh, and just to check all the details: the MAC address in the ARP response for 192.168.5.1 is the correct MAC address?

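The checks raised in the two posts above (did the ARP request get a reply, did the reply carry the expected MAC, and is the camera's echo request still being answered after the block rule) can be run over saved tcpdump text output. This is an added example, not part of the thread: the function name `analyze` and the report keys are hypothetical, the first four sample lines are copied from the capture above, and the last two are constructed.

```python
import re

ARP_REQ = re.compile(r"arp who-has ([\d.]+) .*tell ([\d.]+)")
ARP_REP = re.compile(r"arp reply ([\d.]+) is-at ([0-9a-fA-F:]{17})")
ECHO = re.compile(r"IP ([\d.]+) > ([\d.]+): ICMP echo (request|reply), id (\d+), seq (\d+)")

# First four lines are copied from the capture in the thread; the last two are
# constructed to show what an unanswered ARP and a dropped ping look like.
SAMPLE = """\
11:20:02.638895 arp who-has 192.168.5.1 (ff:ff:ff:ff:ff:ff) tell 192.168.5.200
11:20:02.638953 arp reply 192.168.5.1 is-at 00:0c:29:a8:ac:0e
11:20:03.999850 IP 192.168.5.200 > 192.168.5.1: ICMP echo request, id 58880, seq 0, length 84
11:20:03.999976 IP 192.168.5.1 > 192.168.5.200: ICMP echo reply, id 58880, seq 0, length 84
11:21:00.000000 arp who-has 192.168.5.9 (ff:ff:ff:ff:ff:ff) tell 192.168.5.200
11:21:05.000000 IP 192.168.5.200 > 192.168.5.1: ICMP echo request, id 58880, seq 1, length 84
""".splitlines()

def analyze(lines, gateway_ip, expected_mac):
    """Pair ARP and ICMP echo exchanges found in tcpdump text output."""
    pending_arp = set()    # IPs asked for that nobody has answered yet
    pending_echo = set()   # (src, dst, id, seq) of requests awaiting a reply
    report = {"arp_wrong_mac": [], "echo_answered": []}
    for line in lines:
        if m := ARP_REQ.search(line):
            pending_arp.add(m.group(1))
        elif m := ARP_REP.search(line):
            ip, mac = m.groups()
            pending_arp.discard(ip)
            if ip == gateway_ip and mac.lower() != expected_mac.lower():
                report["arp_wrong_mac"].append((ip, mac))
        elif m := ECHO.search(line):
            src, dst, kind, ident, seq = m.groups()
            if kind == "request":
                pending_echo.add((src, dst, ident, seq))
            elif (dst, src, ident, seq) in pending_echo:
                # A reply matches a request with swapped addresses, same id/seq.
                pending_echo.remove((dst, src, ident, seq))
                report["echo_answered"].append((dst, src, int(seq)))
    report["arp_unanswered"] = sorted(pending_arp)
    report["echo_unanswered"] = sorted((s, d, int(q)) for s, d, _, q in pending_echo)
    return report

if __name__ == "__main__":
    for key, value in analyze(SAMPLE, "192.168.5.1", "00:0c:29:a8:ac:0e").items():
        print(f"{key}: {value}")
```

Running it on captures taken before and after a rule change shows directly whether the camera's requests moved from `echo_answered` to `echo_unanswered`.
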
                        • BrannFenix

                          I will have to mess with trying to find a way to block that ping.  I use VMware Server and the way my server is configured pfSense has 100% unfiltered control over that network card and Windows does not really even see it as a working card.  The MAC address is correct and I am still scratching my head over here :(

                          The only thing that I could try is to match the hardware MAC (true MAC address) with the virtual MAC address since pfSense does not share the interface with any other OS.  But, seriously I want to choke the tech support people because it worked perfect until they changed the firmware to do something funky at startup… no fun :(
