Redirect IP camera from MAN(outside) network to VLAN network

mateusscheper · Sep 20, 2018, 5:03 PM

Hi!

I'm having a newbie problem... here it is:

In a MAN network in another city, we have an IP camera with the IP 192.168.194.253.
In my pfSense, I have my WAN interface set with an external IP.
To access the camera, I talked to another guy and we created a VLAN network and my pfSense got the IP 172.17.1.2 and after that, we set a route from 172.17.1.1 to the camera IP.
From now on, I can ping the IP camera from my firewall.
The problem is, I don't know how to make my machines inside my LAN Network to be able to access the camera too. My LAN is 192.168.0.0/24.

I realise this is a noob question, but I just can't see how I can make my LAN Network comunicate with 192.168.194.253 (IP Camera).

Any ideas?

Thank you already.

johnpoz · Sep 20, 2018, 7:03 PM

@mateusscheper said in Redirect IP camera from MAN(outside) network to VLAN network:

created a VLAN network and my pfSense

Huh?? So your connected to the same man and your just running a different layer 3 on the same layer 2?

Did you mean vpn and not vlan?

mateusscheper · Sep 20, 2018, 9:23 PM

I'm sorry, I don't have any experience with MAN nor VLAN, so I don't know exactly how it works. All I know is what I've been searching on Google for the past two days.
Someone requested me to create a VLAN 100 and set the IPv4 in my firewall as 172.17.1.2/32. After that, the other person connected somehow the IP Camera to 172.17.1.1 and set it's IP as 192.168.194.253.
From this, I can ping the camera from pfSense.

johnpoz · Sep 21, 2018, 10:18 AM

No would never in a million years do it that way..

And I doubt your pinging anything to be honest. You say this MAN is in another city.. And your connected to it how exactly?

If you where in the same city, say the same few blocks I would say your on the same MAN.. And then use you could use that to connect to each other. But you can't just make up vlan IDs and use that.. For starters anyone on the MAN can view that traffic..

JKnott · Sep 21, 2018, 11:48 AM

@johnpoz said in Redirect IP camera from MAN(outside) network to VLAN network:

If you where in the same city, say the same few blocks I would say your on the same MAN.. And then use you could use that to connect to each other. But you can't just make up vlan IDs and use that.. For starters anyone on the MAN can view that traffic..

Also, VLANs wouldn't make it through a router, unless it was configured to use them. VLANs are a layer 2 function and IP, layer 3.

mateusscheper · Sep 21, 2018, 11:48 AM

@johnpoz said in Redirect IP camera from MAN(outside) network to VLAN network:

No would never in a million years do it that way..

And I doubt your pinging anything to be honest. You say this MAN is in another city.. And your connected to it how exactly?

If you where in the same city, say the same few blocks I would say your on the same MAN.. And then use you could use that to connect to each other. But you can't just make up vlan IDs and use that.. For starters anyone on the MAN can view that traffic..

I don't know how they made all the connections before me. All I know is that I have a few gateways and one of them is connected to a ISP (they are the clients, not me), which is in another city. That's probably how this MAN network exists.

BTW, I asked to redirect the camera to an external port, but they won't listen to me.
Now I have this weird thing to do, but I have no idea how, since I never did anything related to VLAN/routing.

And I doubt your pinging anything to be honest.

IDK how it works (as I said before), but I can ping it from the firewall.

# ping 192.168.194.253
PING 192.168.194.253 (192.168.194.253): 56 data bytes
64 bytes from 192.168.194.253: icmp_seq=0 ttl=63 time=7.475 ms
64 bytes from 192.168.194.253: icmp_seq=1 ttl=63 time=2.588 ms
^C

johnpoz · Oct 1, 2018, 1:47 PM

@mateusscheper said in Redirect IP camera from MAN(outside) network to VLAN network:

64 bytes from 192.168.194.253: icmp_seq=1 ttl=63 time=2.588 ms

Your in another CITY and seeing less than 3ms response time.. So you mean when you say other city, like the neighborhood next door? Like SoHo and Tribeca?

I would love to help you - but your going to need to give some more details. Are you saying this MAN your connected to is just 1 large L2? What is the distance between your locations. For example a MAN doesn't reach Chicago to NYC.. But yeah if your Connected to the same MAN you could for sure run multiple L3 on the same L2 - but its in no way whatever so ever secure at all.. Be it you add vlan tags to your interface or not.

mateusscheper · Oct 1, 2018, 2:36 PM

@johnpoz said in Redirect IP camera from MAN(outside) network to VLAN network:

@mateusscheper said in Redirect IP camera from MAN(outside) network to VLAN network:

64 bytes from 192.168.194.253: icmp_seq=1 ttl=63 time=2.588 ms

Your in another CITY and seeing less than 3ms response time.. So you mean when you say other city, like the neighborhood next door? Like SoHo and Tribeca?

I would love to help you - but your going to need to give some more details. Are you saying this MAN your connected to is just 1 large L2? What is the distance between your locations. For example a MAN doesn't reach Chicago to NYC.. But yeah if your Connected to the same MAN you could for sure run multiple L3 on the same L2 - but its in no way whatever so ever secure at all.. Be it you add vlan tags to your interface or not.

Hi! It's just 56km (34,8 miles). I imagine they call it a MAN because they are an internet provider and the ping is so low because it's optical fiber.

Anyway, I think I'll just leave this all behind for now. I'll see if the other guy can just install that camera in a LAN and make a NAT so I can access it from outside (which would be a lot better if he wasn't so stubborn).

Thank you a lot for trying to help me. I would give you a cookie if I could.
If I need this again, I'll post it here on the forum.

Cya!

johnpoz · Oct 1, 2018, 3:12 PM

If you have a common L2 to use as a transit then what your asking for is quite simple... But you assigning IPs to it amounts to just running a different L3 on this common L2.. But its simple enough to do with basic routing.. Your tags you are putting on it seem kind of pointless in the process.

Here is a drawing..

login-to-view

So your router on left would say
to get to 192.168.1/24 172.16.0.2
On right you would have route
to get to 192.168.0/24 172.16.0.1

You would not do any nat outbound nat on this man interface. You would just create a gateway using your man interface, just like any other downstream router in your own network.. This 172.16/30 becomes your transit. Be it a vlan or just another L3 over the same L2.. This is not secure, unless you are doing ssl/tls connection.

It really is that simple as long as your 2 pfsense/routers/firewalls can talk to each other over this common L2 network. And as long as the devices on either local network are using pfsense as their gateway, etc.

mateusscheper · Oct 1, 2018, 4:58 PM

Well, from my firewall I can ping 172.17.1.1 (which I imagine it's the pfSense on the other side) and even ping the cam itself (192.168.194.253), but from the IPs inside LAN I can only ping 172.17.1.2 (not 172.17.1.1 and not 192.168.194.253). What should I do to access the camera from the LAN IPs?

johnpoz · Oct 1, 2018, 5:18 PM

Well lets see your lan rules.. You forcing traffic out a gateway?

Does the other side have a route back to your lan network? If not you would have to nat it to your man IP address via outbound nat

mateusscheper · Oct 1, 2018, 5:36 PM

@johnpoz said in Redirect IP camera from MAN(outside) network to VLAN network:

Well lets see your lan rules.. You forcing traffic out a gateway?

My LAN rules are allowing everything from inside to outside.

Does the other side have a route back to your lan network? If not you would have to nat it to your man IP address via outbound nat

How would I do that? I'm not sure how to configure outbound NATs.

johnpoz · Oct 3, 2018, 7:45 PM

Did you set a gateway on these rules? There should be no gateway... Are you saying your lan rules are any any the default.. You did not edit them in any way?

You configure outbound nat by clicking the outbound nat tab and changing it to hybrid or manual and creating the needed nat.

jahonix · Oct 3, 2018, 8:39 PM

@mateusscheper said in Redirect IP camera from MAN(outside) network to VLAN network:

install that camera in a LAN and make a NAT so I can access it from outside (which would be a lot better if he wasn't so stubborn).

Hell NO!
Without further action everyone would be able to access the camera and/or watch the stream. Both are security nightmares.
Never put a device like that (or any IoT gear) on the internet for everyone to see and tinker with it. Never ever!
Only use a VPN to access devices remotely, make no exceptions. Your devices will end as members of a botnet otherwise. If that happens to an ISP then he's done.

mateusscheper · Oct 5, 2018, 8:42 PM

@jahonix said in Redirect IP camera from MAN(outside) network to VLAN network:

@mateusscheper said in Redirect IP camera from MAN(outside) network to VLAN network:

install that camera in a LAN and make a NAT so I can access it from outside (which would be a lot better if he wasn't so stubborn).

Hell NO!
Without further action everyone would be able to access the camera and/or watch the stream. Both are security nightmares.
Never put a device like that (or any IoT gear) on the internet for everyone to see and tinker with it. Never ever!
Only use a VPN to access devices remotely, make no exceptions. Your devices will end as members of a botnet otherwise. If that happens to an ISP then he's done.

Hm? "Without further action" is the key: It wouldn't be exposed because it would only've been allowed to a single external IP and inside the network of this single IP only one machine would be allowed to access that camera IP/port.

@johnpoz said in Redirect IP camera from MAN(outside) network to VLAN network:

Did you set a gateway on these rules? There should be no gateway... Are you saying your lan rules are any any the default.. You did not edit them in any way?

You configure outbound nat by clicking the outbound nat tab and changing it to hybrid or manual and creating the needed nat.

Ok, I did it. I set Outbound NAT to Hybrid and added the needed NAT there.
I'm sorry for any inconvenience and thank you very much for your time.

johnpoz · Oct 6, 2018, 10:04 AM

Natting your IP to your MAN ip not really the best way to do it to be honest. Both sides should just use the man as transit network. But if the other side not going to create the route then sure you can nat.