Netgate Discussion Forum

    Access to CCTV with different lan interfaces

    Off-Topic & Non-Support Discussion
    • deivison90

      Good afternoon to the Forum friends.

      I already searched the internet and even the forum and I could not solve my doubt that I believe to be basic and decided to cry out for help here, lol …

      I have a pfsense with 4 interfaces

      Wan1 -
      Wan2 -
      LanDevices --- 192.168.35.1
      LanCorp --- 192.169.36.1

      Each lan interface is connected to a different switch. So I split the networks and the only connection between them is via router (pfsense)

      However, there was a need to view the lanDevices interface cameras from the lanCorp interface. The IPs ping, but the ports are blocked. I've tried to open them in several possible ways, but I believe I'm doing something wrong. And I think it's the same principle, but I have the same problem with the clock and the digital PABX, both connected on different interfaces, and I cannot connect to them.

      Someone could throw a light on me in this situation.

      Thank you all right away ....

      Thank you

      • chpalmer

        What firewall rules do you have on both LAN interfaces?

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

        • deivison90

          Now nothing. I erased all the configuration and only NAT is still working.

          • phil.davis

            If you have the default "pass all" rule on LAN then devices on LAN will be able to reach devices on the other "LAN2".
            e.g. if LanCorp is the interface with the "pass all" rule, then devices on LanCorp can reach devices in LanDevices.

            a) You can just add a rule at the top of LanCorp to pass source LanCorpNet, destination LanDevicesNet - that will make sure that this traffic passes.

            b) If you want to access LanDevices by name (rather than directly using their IP addresses) then you will need some DNS that knows the names. e.g. you can make each device have a fixed IP address (in the device itself, or a static mapping in the pfSense DHCP server) and add a host override in the pfSense DNS server.

            c) In order to know how to reply, each device needs to have a default route (gateway) back to the pfSense LanDevices IP address. That way the device will send a response back and pfSense can deliver it to the LanCorp client.

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            • deivison90

              Thanks for the reply, but unfortunately it does not work.

              I got some printscreen attached for you.

              img1.PNG

              • deivison90

                Even in another interface this rule does not work….. in the top also no

                • phil.davis

                  1. The rule must go on the interface where the first traffic is initiated. So you need to put a Pass rule on CENTRALLAN with source CENTRALLANnet, destination DEVICESLAN and do not put any gateway. Traffic commencing from some CENTRALLAN device to access a camera on DEVICESLAN will be passed, and so will the reply traffic from the camera (automagically).

                  2. The rule on CENTRALLAN must go before any rule(s) that direct other traffic to some gateway or gateway group. You do not want the local traffic to be forced out a WAN.

                  If you want to also do the reverse - a camera on DEVICESLAN to initiate a connection back to CENTRALLAN, then you have to put a similar rule on DEVICESLAN, source DEVICESLANnet, destination CENTRALLANnet. And put that rule before the rules that have a gateway or gateway group.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
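
Added example, not part of the original posts and not pfSense code: a simplified first-match model of the rule ordering described in the answer above, showing how a gateway (policy-routing) rule placed above the local pass rule captures inter-LAN traffic. The /24 masks, host addresses, rule names and the gateway group name `WAN_GROUP` are constructed assumptions; the interface addresses are taken as written in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    gateway: Optional[str] = None   # None = use the normal routing table

def _in(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def evaluate(rules, src_ip, dst_ip):
    """Top-down, first match wins; no match means default deny (None)."""
    for rule in rules:
        if _in(rule.src, src_ip) and _in(rule.dst, dst_ip):
            return rule
    return None

def misrouted(rules, src_ip, local_dst_ips):
    """Local destinations whose first matching rule forces a gateway."""
    found = []
    for dst in local_dst_ips:
        hit = evaluate(rules, src_ip, dst)
        if hit is not None and hit.gateway:
            found.append((dst, hit.name))
    return found

# Constructed sample data (assumptions: /24 masks, host IPs, gateway name).
CORP, DEVICES = "192.169.36.0/24", "192.168.35.0/24"
CLIENT, CAMERA, PABX = "192.169.36.20", "192.168.35.50", "192.168.35.60"
policy = Rule("policy-route-out", CORP, "any", gateway="WAN_GROUP")

BROKEN = [policy, Rule("corp-to-devices", CORP, DEVICES)]       # gateway rule first
FIXED = [Rule("corp-to-devices", CORP, DEVICES), policy]        # local pass first
ONE_HOST = [Rule("corp-to-camera", CORP, CAMERA + "/32"), policy]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED), ("one host", ONE_HOST)):
        print(label, misrouted(rules, CLIENT, [CAMERA, PABX]))
```

The `ONE_HOST` case shows that a pass rule scoped to a single device exposes only that device; every other local destination still falls through to the gateway rule and needs its own entry.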

                  • deivison90

                    ;D ;D ;D ;D ;D ;D ;D ;D ;D

                    Thanks God for your life…..

                    Works perfect.

                    Rather than set it for all of devicesLan, I've set it for a single host and it works perfectly, man... so now I have to make many entries here for other hosts...

                    Thank you very much...

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.