Dropcam can't connect to internet, everything else can

kitzy · Jan 3, 2015, 8:55 PM

So I've recently purchased a Dropcam, and I can't get it to connect to the internet. I'm not blocking any outbound traffic as far as I can tell, and everything else on my network can connect out no problem.

The only weird thing is that when I try to connect the camera to my network, I see a few blocked connections in the firewall log, but I don't know if they're related. Dropcam support tells me that their camera doesn't use the port in question. I also can't sort out why these attempts are being blocked since it looks to me like I have outbound traffic wide open.

Here are the logs I mentioned: https://www.dropbox.com/s/eqgradt4qkhi5uy/Screenshot%202015-01-03%2014.22.56.png?dl=0

Here are my WAN firewall rules: https://www.dropbox.com/s/qsn0z0wcfsnrerj/Screenshot%202015-01-02%2023.07.33.png?dl=0

Here are my LAN firewall rules: https://www.dropbox.com/s/0r0gszvaw639cl6/Screenshot%202015-01-02%2023.07.46.png?dl=0

Does anyone have any ideas?

chpalmer · Jan 3, 2015, 8:42 PM

Logs show IPv6 (link local) traffic which I see no firewall rules for. Are your cameras working through the firewall?

kitzy · Jan 3, 2015, 8:52 PM

Thanks for your reply, chpalmer.

I'm not sure I follow you here. In my VLAN10 (the VLAN the camera is on) rules, I'm allowing all IPV6 traffic from that VLAN to any destination (see the 3rd link in my post).

As for the camera working through the firewall, when I try to connect the camera to the network, I get the error "A wireless connection was established but could not connect to the Dropcam servers."

chpalmer · Jan 3, 2015, 9:00 PM

ah yea- missed that.

Still its link local traffic.

Do your cameras actually have IPv6 addresses?

kitzy · Jan 3, 2015, 9:04 PM

As far as I can tell, and from what Dropcam support can tell me, they're supposed to have IPV4 addresses (although their support didn't seem to know what IPV6 actually was).

I can tell you that I don't have any IPV6 addressing turned on in my DHCP server, so if the camera is getting an IPV6 address, it must be self assigned.

kitzy · Jan 3, 2015, 10:36 PM

So I've made some progress. I got the MAC address of the Dropcam and assigned it a static IP. It looks like the firewall is blocking the DNS requests from the camera (see screenshot).

https://www.dropbox.com/s/ginb5ijmcxntfbe/Screenshot%202015-01-03%2016.16.48.png?dl=0

How can I tell my firewall to allow this traffic?

I've tried adding these rules, but the traffic still seems to be blocked: https://www.dropbox.com/s/h5a8rm41xtyg6mm/Screenshot%202015-01-03%2016.31.04.png?dl=0

EDIT: Nevermind, I'm reading that wrong. It's allowing the traffic, not blocking it. I'm still stumped.

wildfrog · Jan 4, 2015, 12:44 AM

When you set the static IP of the Dropcam, what are you telling it to use for DNS? Google's or the pfSense box?

chpalmer · Jan 4, 2015, 2:59 AM

I just drove to a site today and did an upgrade to 2.2RC from 2.1.5 and am now seeing many link local IPv6 addresses in the logs that were not there before. Im not getting this in other sites we care for so something here (at this site) is obviously generating them. This site in fact is Comcast and is using IPv6. Ill have to do some looking and see what is generating the traffic.

Im betting you can just treat it as spam. As long as your cams are reachable you should be fine. Maybe make a block rule and see if that stops them.

kitzy · Jan 4, 2015, 10:00 PM

wildfrog - I've tried it both ways - Google's DNS and the pfSense box. Same results either way.

chpalmer - That's the thing, the camera ISN'T working. The way these cameras work is they send video to a cloud service, and when they're behind my pfSense box, they can't connect to that cloud service.

An interesting update - I tried plugging a basic router (Airport Extreme) into my pfSense box, but had it set up to do DHCP and NAT (creating a double NAT configuration) and broadcast a different SSID than my main network, and the Dropcam has no trouble connecting from that SSID. So something in my pfSense configuration is definitely preventing the camera from connecting that doesn't affect it if the camera is behind another layer of NAT, but I can't sort out what.

chpalmer · Jan 4, 2015, 10:26 PM

I betcha the pfsense changing the port number is getting you.

Setup the camera for static port. Its in outbound NAT

https://doc.pfsense.org/index.php/Static_Port

kitzy · Jan 5, 2015, 12:12 AM

chpalmer - Thank for the idea! Unfortunately that didn't seem to solve the issue. Any other ideas?

chpalmer · Jan 5, 2015, 3:39 AM

@kitzy:

chpalmer - Thank for the idea! Unfortunately that didn't seem to solve the issue. Any other ideas?

What do your states show for the cams IP?

Create a LAN rule for the camera. Put it on top of any other LAN rules. Make that rule log so you can watch the logs for new connections.

Did you clear states after you created the static port rule?

johnpoz · Jan 10, 2015, 3:42 PM

So he lan rule is any any.. And you say when you put the cab behind another wireless router it works.. Sounds like to me the issue is your wireless network its connecting to and nothing to do with pfsense.

Since you now know what the IP of the camera is - why don't you just sniff on pfsense and see what happens? Under diag, packet capture - put in ip of camera, change from 100 packets to 0.. And let it run for awhile.. You should see your dns query go out and get answered since we saw that traffic logged and passed to googledns.

Lets see where its trying to talk that its having issues with, etc.. When you say you connected it to a different AP and it works, how would pfsense be an issue - since all you did was hide the same traffic behind a different IP.. The wifi routers wan IP.

you have a ANY ANY rule - if something is not working on the camera from this latest info it seems more like an issue with the wireless connection it was using before. Can you wire the camera to your network?