Need to allow access to DVR in the WAN network to LAN computers
-
Yeah your going to want too download that into say wireshark.. That is just not enough info to try and figure out what is going on. But I don't see any multicast. But if you limited to IP then you wouldn't see that.
-
Repeat with same host but instead of normal selected full detail
Output:
17:15:07.399030 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 26372, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.3.65355 > 192.168.0.99.99: Flags ~~, cksum 0x85d2 (correct), seq 3148123187, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:15:07.399482 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.99.99 > 192.168.0.3.65355: Flags [S.], cksum 0x8615 (correct), seq 769112275, ack 3148123188, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
17:15:07.399616 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26373, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.65355 > 192.168.0.99.99: Flags [.], cksum 0xfee9 (correct), seq 1, ack 1, win 256, length 0
17:15:07.399732 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 146: (tos 0x0, ttl 127, id 26374, offset 0, flags [DF], proto TCP (6), length 132)
192.168.0.3.65355 > 192.168.0.99.99: Flags [P.], cksum 0x629a (correct), seq 1:93, ack 1, win 256, length 92
17:15:07.400436 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33162, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.65355: Flags [.], cksum 0xe309 (correct), seq 1, ack 93, win 7300, length 0
17:15:07.449709 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 255: (tos 0x0, ttl 64, id 33163, offset 0, flags [DF], proto TCP (6), length 241)
192.168.0.99.99 > 192.168.0.3.65355: Flags [P.], cksum 0x83ce (correct), seq 1:202, ack 93, win 7300, length 201
17:15:07.452072 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 1051: (tos 0x0, ttl 64, id 33164, offset 0, flags [DF], proto TCP (6), length 1037)
192.168.0.99.99 > 192.168.0.3.65355: Flags [FP.], cksum 0xb8f8 (correct), seq 202:1199, ack 93, win 7300, length 997
17:15:07.452300 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26376, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.65355 > 192.168.0.99.99: Flags [.], cksum 0xf9e3 (correct), seq 93, ack 1200, win 251, length 0
17:15:07.452350 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26377, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.65355 > 192.168.0.99.99: Flags [F.], cksum 0xf9e2 (correct), seq 93, ack 1200, win 251, length 0
17:15:07.452542 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.65355: Flags [.], cksum 0xde59 (correct), seq 1200, ack 94, win 7300, length 0
17:15:07.496404 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 26386, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.3.15956 > 192.168.0.99.99: Flags ~~, cksum 0x2e9c (correct), seq 4130761167, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:15:07.496687 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.99.99 > 192.168.0.3.15956: Flags [S.], cksum 0x09fe (correct), seq 329906146, ack 4130761168, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
17:15:07.496819 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26387, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.15956 > 192.168.0.99.99: Flags [.], cksum 0x82d2 (correct), seq 1, ack 1, win 256, length 0
17:15:07.496870 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 126: (tos 0x0, ttl 127, id 26388, offset 0, flags [DF], proto TCP (6), length 112)
192.168.0.3.15956 > 192.168.0.99.99: Flags [P.], cksum 0xbc2d (correct), seq 1:73, ack 1, win 256, length 72
17:15:07.498456 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 52875, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.15956: Flags [.], cksum 0x6706 (correct), seq 1, ack 73, win 7300, length 0
17:15:07.512679 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 576: (tos 0x0, ttl 64, id 52876, offset 0, flags [DF], proto TCP (6), length 562)
192.168.0.99.99 > 192.168.0.3.15956: Flags [P.], cksum 0xf776 (correct), seq 1:523, ack 73, win 7300, length 522
17:15:07.513030 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 52877, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.15956: Flags [F.], cksum 0x64fb (correct), seq 523, ack 73, win 7300, length 0
17:15:07.513150 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26390, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.15956 > 192.168.0.99.99: Flags [.], cksum 0x8081 (correct), seq 73, ack 524, win 254, length 0
17:15:07.516451 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26391, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.15956 > 192.168.0.99.99: Flags [R.], cksum 0x817b (correct), seq 73, ack 524, win 0, length 0
17:15:07.516539 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 26392, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.3.1278 > 192.168.0.99.99: Flags ~~, cksum 0x8c3b (correct), seq 1103755763, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:15:07.518703 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
192.168.0.99.99 > 192.168.0.3.1278: Flags [S.], cksum 0xd1a7 (correct), seq 138385730, ack 1103755764, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
17:15:07.518848 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26393, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.1278 > 192.168.0.99.99: Flags [.], cksum 0x4a7c (correct), seq 1, ack 1, win 256, length 0
17:15:07.518959 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 231: (tos 0x0, ttl 127, id 26394, offset 0, flags [DF], proto TCP (6), length 217)
192.168.0.3.1278 > 192.168.0.99.99: Flags [P.], cksum 0x0b3d (correct), seq 1:178, ack 1, win 256, length 177
17:15:07.518969 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 296: (tos 0x0, ttl 127, id 26395, offset 0, flags [DF], proto TCP (6), length 282)
192.168.0.3.1278 > 192.168.0.99.99: Flags [P.], cksum 0x140b (correct), seq 178:420, ack 1, win 256, length 242
17:15:07.519914 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 41001, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.1278: Flags [.], cksum 0x2e47 (correct), seq 1, ack 178, win 7300, length 0
17:15:07.520037 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 41002, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.99.99 > 192.168.0.3.1278: Flags [.], cksum 0x2d55 (correct), seq 1, ack 420, win 7300, length 0
17:16:13.271446 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 29332, offset 0, flags [DF], proto TCP (6), length 40)
192.168.0.3.1278 > 192.168.0.99.99: Flags [R.], cksum 0x49d5 (correct), seq 420, ack 1, win 0, length 0Something in the output make it stricke with a line.~~~~~~
-
Change .cap to .txt to be able to download.
-
Yeah your going to want too download that into say wireshark.. That is just not enough info to try and figure out what is going on. But I don't see any multicast. But if you limited to IP then you wouldn't see that.
I dont have wireshark and has never use it before. I guess I can download if it is free, but use it is other story.
-
https://www.wireshark.org/
Yes it is free (v2.2.1 was just released), and there are a lot of tutorials online as to how to use it. Everyone who is responsible for maintaining a routing firewall should be familiar with packet capture and analysis. There are several books on Wireshark and you can even get training:
http://www.wiresharktraining.com/
-
Found some threads about RSTP but I think this are pertinent for devices in the internal network serving streaming to the external network or Internet:
https://www.mail-archive.com/support@pfsense.com/msg17749.html
https://www.mail-archive.com/support@pfsense.com/msg17758.htmlhttps://doc.pfsense.org/index.php/Static_Port
http://www.selectedintelligence.com/post/46429611973/pfsense-rtsp-and-rtpBut my case is inverted the source and destination, as the RSTP device is in the external network and the clients are in the internal network.
If this is pertinent to my problem could you explain to me in basic terms.
-
But I don't see any multicast. But if you limited to IP then you wouldn't see that.
Why wouldn't you see it? It's still IP.
FWIW, I can see multicast on my network.
-
I tried a capture again but selecting UDP only with the device IP.
Tried against LAN and WAN interface but did not capture anything UDP related. So either the firewall is blocking all UDP to/from the device or there was in fact none.
-
^^^^
One thing I did recently was buy a cheap 5 port managed switch, which I configured for port mirroring. This allows me to insert the switch between 2 devices and use Wireshark to monitor the traffic. With that, you could insert the switch between the DVR & pfSense box to see what's there, with far more info than the pfSense packet capture provides. You can also watch in real time. -
"with far more info than the pfSense packet capture provides. "
How is that exactly.. Why would the packet capture in pfsense not see what that the switch would, when pfsense is 1/2 of that conversation anyway??
Clearly your getting a 401 error saying your NOT Authorized…
As to seeing if limiting to IP, I meant if he was limiting his sniff to a specific IP he would not see multicast traffic since it would be to the multicast address not his specific IP like 192.168.0.3 etc..
In the first part of the sniff your client ask for a manifest of something - and you get that just fine.
But then after that you just get 401.. Why have no idea, not sure what exactly your trying to do, other than dvr is giving you 401, and then your client gets something from the dvr. So there are 3 different conversations here all started by your client 192.168.0.3. First one he gets a manifest of something and that conversation is closed with your normal fin,ack , then he starts another conversation gets told 401, and he closes the conversation with RST, then he gets some other info profile.xml and then again he closes the conversation with RST
So that is a bad conversation, or is that a good conversation that works? Where is a good conversation where you start viewing video, since maybe that is sent in a different protocol?? Either way I wouldn't think you would want to see 401 errors.. Do you have to log in or something?? Do devices have to be authed before hand??
-
"with far more info than the pfSense packet capture provides. "
How is that exactly.. Why would the packet capture in pfsense not see what that the switch would, when pfsense is 1/2 of that conversation anyway??
Perhaps I should clarify. In an earlier post, packet capture as used in pfSense was listed. This does not show as much detail as you'd see in Wireshark. In order to see that level of detail, you have to download the cap file and then use something like Wireshark to view it.
I use Wireshark frequently and find that between the capture and display filters, it's a lot easier to isolate what you're looking for. You can also watch in real time and click on any frame to examine it's contents while the capture continues.
Back when I was using Linux for my firewall, I had Wireshark available on it. Since moving to pfSense, I bought a managed switch, which I can insert to monitor traffic.
-
"You can also watch in real time and click on any frame to examine it's contents while the capture continues."
This is very true!! If your sniffing with wireshark off a say a spanned port then sure you can watch traffic live. This should also be possible right off pfsense just use say tcpdump sending to your wireshark running on your pc.. you could do this with a windows machine via plink.exe or via ssh if you have it installed to ssh to the pfsense box, start the tcpdump, etc.
I thought we had gone over that before, but if not can for sure post up an example of how to do it.
That might be a good thing to add to the wiki, if not already there?
-
^^^^
One issue with sending tcpdump or even Wireshark over the wire is you could be affecting the traffic you're trying to monitor. That may or may not be an problem, depending on what you're looking for. When I had a Linux firewall, I could switch my KVM to the firewall computer, start up the desktop and then Wireshark. That computer did not normally have a desktop running, an option you don't get with Windows. However, I now have a managed switch that's small enough to keep in my notebook computer bag, so it's handy when I need it. In fact, I store it in ThinkPad floppy drive case. ;) -
"you could be affecting the traffic you're trying to monitor."
How so? Just don't capture the traffic your using to make the remote connection if capturing the interface your hitting pfsense on, etc.
While I agree with you that having a small switch with the ability to span ports is a great addition to your tool bag. And with gig smart switches beings so cheap now a days its a great thing to have and affordable for even the home enthusiast helping out their buddies, etc.
In this scenario.. Doing a packet capture on pfsense or if want real time via remote, etc. I don't see what that buys us exactly. How does it answer his 401 error problem?
-
"with far more info than the pfSense packet capture provides. "
How is that exactly.. Why would the packet capture in pfsense not see what that the switch would, when pfsense is 1/2 of that conversation anyway??
Clearly your getting a 401 error saying your NOT Authorized…
As to seeing if limiting to IP, I meant if he was limiting his sniff to a specific IP he would not see multicast traffic since it would be to the multicast address not his specific IP like 192.168.0.3 etc..
In the first part of the sniff your client ask for a manifest of something - and you get that just fine.
But then after that you just get 401.. Why have no idea, not sure what exactly your trying to do, other than dvr is giving you 401, and then your client gets something from the dvr. So there are 3 different conversations here all started by your client 192.168.0.3. First one he gets a manifest of something and that conversation is closed with your normal fin,ack , then he starts another conversation gets told 401, and he closes the conversation with RST, then he gets some other info profile.xml and then again he closes the conversation with RST
So that is a bad conversation, or is that a good conversation that works? Where is a good conversation where you start viewing video, since maybe that is sent in a different protocol?? Either way I wouldn't think you would want to see 401 errors.. Do you have to log in or something?? Do devices have to be authed before hand??
Thank you for your interest.
I will have to ask the DVR provider if its need to pre authorized the client, but I suspect that it does not.
I know that have to enter a user/pass combination to connect to the DVR. But that is entered in the client program and I know that its get accepted because if I enter a wrong one the application returns a credentials error. In the case of the packet capture I posted I used the correct user/pass. Also when I connect to the DVR using Internet Explorer I also have to enter the credentials and get accepted.
In IE there is an option to see the stream per channel in jpeg mode. When I select that option I can see each channel in a set of jpegs stream really nice.
The application is to show all channels at the same time probably in full streaming instead of jpegs. Once the credentials are accepted the application starts a loading phase which fails.
-
How so? Just don't capture the traffic your using to make the remote connection if capturing the interface your hitting pfsense on, etc.
If you're running into congestion/timing issues etc. Not common, but possible. As for your traffic, that's one more thing to filter. On my systems, I actually have a button on the display filter bar for a display filter, to not show traffic containing the MAC of the computer I'm running Wireshark on.
How does it answer his 401 error problem?
Problem? What problem??? ;)
Actually, this thread shows how traffic monitoring can be used to help identify a problem. However, that not authorized error indicates the problem is likely not in pfSense.
-
How so? Just don't capture the traffic your using to make the remote connection if capturing the interface your hitting pfsense on, etc.
If you're running into congestion/timing issues etc. Not common, but possible. As for your traffic, that's one more thing to filter. On my systems, I actually have a button on the display filter bar for a display filter, to not show traffic containing the MAC of the computer I'm running Wireshark on.
How does it answer his 401 error problem?
Problem? What problem??? ;)
Actually, this thread shows how traffic monitoring can be used to help identify a problem. However, that not authorized error indicates the problem is likely not in pfSense.
There is a problem related to the pfsense.
The network and the computers were able to connect to the DVR via the iWatch application before pfsense was implemented.
The previous Router/Firewall was a Netgear Wirelless device with 4/8 ports. I took out the Netgear and replace it by the pfsense. Now computers can not connect to the DVR via iWatch. Clearly there is something that pfsense does that Netgear dont or viceversa.
-
Dude how exactly is pfsense even involved in conversation between 192.168.0.3 and 192.168.0.99
I would assume these IPs on on the same network 192.168.0/24
Your computers can not connect from WHERE?? They are on the wan side of pfsense.. Is pfsense NATTING? The sniff you gave was 2 devices on the same network it would seem to me.
If your iwatch is running on device A on network ?? Sniff on that interface of pfsense. If dvr is on network B, also sniff on that interface of pfsense.. Your sniff shows 2 devices which unless you have some odd mask set are on the same network. Are your bridging in pfsense? Pfsense should not have even seen that traffic.
Please draw up your network and what networks are where and where are the devices and are you natting between these networks and or doing any port forwarding, etc.
Is 192.168.0.99 pfsense WAN ip?? And your port forwarding into your dvr behind pfsense on some other network? If so do the sniff on the LAN interface of pfsense. If your dvr is trying to send something to the client on your wan via multicast then no your client would never see that traffic nor would pfsense show it on a sniff on the wan interface.
-
This has become a long thread. I am going to refresh the network structure.
Cable Modem -> Switch1
| | |
| | |
D1 D2 F1
|
|
Switch2 -> LAND1 = DVR - 192.168.0.99 - Static IP
D2 = President Computer
F1 = Router/Firewall - 192.168.0.3 DHCP Assign by Cable ModemF1 now is the pfsense, before was a Netgear Wireless Router
LAN - 192.168.1.0/24
Computers in LAN want to connect to DVR. With Netgear was successful, with pfsense is not
-
Recalling the problem.
LAN computers connect to the DVR via IE successfully and can see one channel at a time in jpeg mode.
LAN computers fail to connect to IE to see the full stream with all channels at the same time.
LAN computers fail to connect to the DVR via iWatch which provide all the channels streams at same time.