Netgate Discussion Forum

    Firewall, Port forwarding Help

    Firewalling
    18 Posts 3 Posters 1.6k Views
    • z71prix

      I'm still trying?

      [Screenshot: Capture5.JPG]

      • z71prix

        I've tried everything I can think of? Why is this so difficult?

        • johnpoz LAYER 8 Global Moderator

          Does your camera even have a gateway?  This is very common with these sorts of devices.. They have no gateway on them - so no you cannot view them from outside your network without doing source nat..

          Also it's a bad idea to allow access to cameras from outside your network.. Huge security concern.. And these cameras are terrible when it comes to security..  That is your port forward - where are the wan rules?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • johnpoz LAYER 8 Global Moderator

            Your wan rule is WRONG..  You wouldn't set a gateway on a wan rule..  Nor is the source ever going to be your wan address.. on your lan 2 rule..  This is really clickity clickty - when you create the port forward it will auto create your firewall rule for you - so it's like impossible to make such nonsense rules..

            Your lan 2 doesn't even need a rule if you're just going to be answering inbound connections from internet.. And if you did not a rule the source for sure would not be the wan address..

            Rules are evaluated top down, first rule to trigger wins no other rules evaluated.  How would wan address be a source of inbound traffic to lan2 interface from the lan2 network?

            edit:  remove that any any rule on your wan!!  Just let the port forward create the wan rule..

            Does your camera have a gateway?  This is #3 in common problems on the troubleshooting guide..

            • z71prix

              Hello Johnpoz

              Yes, the camera has a gateway, it was working fine on my Netgear router before I switched to pfsense. The camera is a private port I'm using with user interface log in.

              I created a NAT rule, it created the WAN rule automatically.

              Here's my NAT and WAN rules.

              [Screenshots: Capture6.JPG, Capture7.JPG]

              • johnpoz LAYER 8 Global Moderator

                Remove that any any rule!!

                So let's sniff the traffic - PM your public IP and I will hit it on that port.

                You do not have anything in front of pfsense - pfsense has your wan… Let's see the sniff of your wan showing you hitting that IP from outside your network.. You're not trying to access this from inside your network hitting your public IP are you?

                "The camera is a private port I'm using with user interface log in."

                Still a bad idea - if you want to access stuff on your network, vpn in... Opening up such devices to the public is just a very bad idea!

                I think you're trying to hit your public IP from, say, your phone on your wifi network?  So it would be nat reflection - you need to test this from outside.. Either PM your public IP, or use canyouseeme.org

                • z71prix

                  OK, any any traffic rules removed.

                  I'll send you PM

                  thank you

                  • johnpoz LAYER 8 Global Moderator

                    Not seeing any syn,ack back - let's see your wan sniff when I send traffic or you use your online checker or canyouseeme.org

                    Do you have any floating rules?  There is no syn,ack back from syn I send to that port

                    10:44:12.574054 IP 64.53.xxx.xxx.37854 > 68.38.xxx.xxx.5160: tcp 0
                    10:44:12.824552 IP 64.53.xxx.xxx.54289 > 68.38.xxx.xxx.5160: tcp 0
                    10:44:15.571615 IP 64.53.xxx.xxx.37854 > 68.38.xxx.xxx.5160: tcp 0
                    10:44:15.823196 IP 64.53.xxx.xxx.54289 > 68.38.xxx.xxx.5160: tcp 0

                    If the traffic is hitting your wan then sniff on your lan2 interface for that 5160…

                    • johnpoz LAYER 8 Global Moderator
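The check johnpoz is doing above (SYNs arriving at the WAN port with nothing coming back) can be automated over a packet-capture summary. This is an added example, not code from the thread or from pfSense; the capture text, addresses and the one answered flow are constructed, and the line format is tcpdump's summary output as pfSense's packet capture page shows it.

```python
import re

# Constructed sample capture (documentation addresses, not the thread's real IPs).
# Lines 1-4 mimic the quiet "tcp 0" summary from the thread; lines 5-6 show the
# verbose form with TCP flags. Client port 37854 is probed twice and never answered.
SAMPLE_CAPTURE = """\
10:44:12.574054 IP 203.0.113.10.37854 > 198.51.100.20.5160: tcp 0
10:44:12.824552 IP 203.0.113.10.54289 > 198.51.100.20.5160: tcp 0
10:44:12.824900 IP 198.51.100.20.5160 > 203.0.113.10.54289: tcp 0
10:44:15.571615 IP 203.0.113.10.37854 > 198.51.100.20.5160: tcp 0
10:44:16.000000 IP 203.0.113.11.40000 > 198.51.100.20.5160: Flags [S], seq 1, win 64240, length 0
10:44:16.000500 IP 198.51.100.20.5160 > 203.0.113.11.40000: Flags [S.], seq 2, ack 2, win 65535, length 0
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>:" for both quiet and verbose lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport) for every TCP summary line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"])


def unanswered_flows(text, wan_ip, port):
    """Return sorted (client_ip, client_port) pairs that sent packets to wan_ip:port
    but never received a packet back from wan_ip:port.

    A non-empty result means the forward is not replying: wrong/blocked rule, the
    target host has no gateway, a downstream NAT, or replies leaving via a VPN
    (asymmetric routing) instead of the WAN the request came in on."""
    inbound, replied = set(), set()
    for src, sport, dst, dport in parse_capture(text):
        if dst == wan_ip and dport == port:
            inbound.add((src, sport))
        elif src == wan_ip and sport == port:
            replied.add((dst, dport))
    return sorted(inbound - replied)


if __name__ == "__main__":
    for client in unanswered_flows(SAMPLE_CAPTURE, "198.51.100.20", 5160):
        print("no reply from port forward to %s:%d" % client)
```

Run the same function over a capture taken on the LAN2 side: if the SYNs show up there but nothing returns, the problem is on the host or its route back, not in the WAN rule.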

                      Fixed… Wow what a mess that was...

                      vpn client pulling routes, outbound nat source natting to lan2 interface..  Working now.

                      If you want to use a vpn client and port forwarding inbound, then you have to correctly set that up - you cannot force all traffic out your vpn by pulling routes and expect inbound traffic into your wan to answer via your vpn.

                      And a downstream nat to boot ;)

                      [Screenshot: fixed.png]

                      • z71prix

                        Thank you so much for your support!!!

                        • johnpoz LAYER 8 Global Moderator

                          You're welcome - but the info about your vpn client and that you were double natting downstream of pfsense is helpful info.

                          I do not see why you're downstream natting other than you are leveraging some old router for something… Just use it as a switch or AP, it makes no sense to double nat, etc.  And for sure would make it a real pain to port forward to anything behind that downstream router.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.