My Security Cams do not working

johnpoz

What are your rules you have on this vlan your trying to connect to the NVR from?

Forcing traffic out a gateway for sure cause the exact issue your describing.

am.steen

@johnpoz
Ok I add a new network Card same VLAN as NVR
I create a new firewall pass rule for by passing this VLAN 172.30.5.0 to
NVR 172.30.7.235 Vlan
But I Fail.

Can I have help about that rule please ??

JKnott

@am-steen

Does that NVR have 2 ports? If so, you're supposed to connect one to the same subnet as the cameras and the other to the rest of your network.

johnpoz

@am-steen said in My Security Cams do not working:

Can I have help about that rule please ??

Dude post a picture of your rules you created..

If you created a rule to allow the traffic then it would be allowed. Unless you are policy routing out some gateway or vpn. Sniff to validate the traffic going - maybe its just your nvr not answering..

am.steen

@jknott
NO I only have one network port on my NVR

am.steen

@johnpoz

This is new int. VLAN5 with IP from that vlan5

And this is the rule to access NVR on different VLAN7

And this is rule settings

NogBadTheBad

@am-steen Is the protocol correct ?

Try any, then if that work try tcp/udp.

You could do a packet capture on the host on the LAN or on the pfSense LAN interface to see what the requirements are if you don't know what protocol & ports.

johnpoz

That rule shows no hits 0/0 - you sure your source IP is correct to allow what your wanting to allow?

You say you can ping - well something else is going on then. Because your rule is tcp only - so no ping would be allowed.

edit: If you want some client to talk to to your NVR.. Then the rule would be on the interface the client is connected too. Not on the NVR interface.

Rules are evaluated as traffic enters pfsense from the network its attached to.. First rule to trigger wins no other rules are evaluated.

If you want something to talk to vlanX from Lan - then the rule would be on the lan interface. There would be no rules required on the vlanX interface to allow that to work.

What network is 172.30.7 and what network is 172.30.5? Putting a rule on 172.30.5 to allow something to talk to it from 173.30.7 is not correct. The rule would be on 172.30.7 interface to allow traffic to 172.30.5

am.steen

@johnpoz
Ok this is my last rule update

and this is firewall logs related to this pc

Any suggestions

johnpoz

And you have an asymmetrical problem.. Your seeing SA (syn,ack) not syn blocks.

How exactly do you have this wired?

So 5.245 tried to talk to 7.235, sends a syn to port 3761, then 7.235 answers back with syn,ack - but pfsense never saw the syn to open the state.

https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html

NogBadTheBad

Are both subnets directly connected to your pfSense router, just wanting to double check?

I notice from a prevoius post you have multiple routers:-

https://forum.netgate.com/topic/163325/can-not-forward-rdp-port-behind-a-router/3?_=1620123172825

"Public IP ==> CISCO ==> VLAN 2 ==>172.30.2.100 ==> Pfsense ==> VLAN7 ==> 172.30.7.245 ==> local PC ==> 172.30.7.60"

am.steen

@nogbadthebad
I modify everything since that post
Public IP ==> CISCO ==> VLAN 7 ==>192.168.60.100 ==> Pfsense ==> VLAN7 ==> 172.30.7.245 ==> local PC ==> another VLAN5 == >172.30.5.245

am.steen

@johnpoz
Very sorry as I am Beginner at pfsense so I can not understand asymmetrical problem,
How To solve this, known that I can ping 172.30.7.235 from the pc 172.30.5.245
Another info. I cannot connect to NVR with web interface.
What is the suitable firewall rule to fix this asymmetrical problem ??

johnpoz

@am-steen said in My Security Cams do not working:

What is the suitable firewall rule to fix this asymmetrical problem ??

That is not how you fix an asymmetrical problem.

How do you have this wired together.. If these were 2 vlans attached to pfsense - then it would be impossible to have an asymmetrical problem. Unless your vlans are not actually isolated..

You see a SA block, when pfsense never saw the SYN (S) to create the state.

am.steen

@johnpoz
Yes there are 2 VLANS connected to my pfsense and as you say are not actually isolated..
They have interconnecting through my cisco router.

johnpoz

@am-steen said in My Security Cams do not working:

They have interconnecting through my cisco router.

What? You need to draw how you have things actually connected if you want anyone to be able to help you.

am.steen

@johnpoz

Public IP ==> CISCO ==> VLAN 7 ==>192.168.60.100-LAN ==> Pfsense Vmachine ==> LAN-VLAN7 ==> 172.30.7.245 ==> VLAN5-local PC ==> == >172.30.5.245

johnpoz

That doesn't tell me anything.

From that I would assume vlan 7 and vlan 5 are directly connected to your pfsense machine. So how is there an interconnection?

Break out the crayons if need be and provide an actual diagram showing the L2/L3 connections.

Most common issue with asymmetrical traffic is trying to use a network with hosts on it as a transit. A network that attaches more than 1 router is a transit, you do not put hosts on a transit. Or yes you end up with asymmetrical issues. Unless you host route on every host in the transit, or you nat the downstream networks at the downstream router.

Is vlan 7 and lan-vlan7 the same L2? If so why does it look like you have two different L3s on it?

NollipfSense

@am-steen Create a bridge so 172.40.7.235 can ping 172.30.5.245 ... network 172.40.7.0 and network 172.30.5.0 or create a floating firewall rule.

johnpoz

@nollipfsense said in My Security Cams do not working:

Create a bridge so 172.40.7.235 can ping 172.30.5.245

NO!! That is not a solution - that is more of borked attempt at doing completely and utterly WRONG!

You don't bridge two different L3s together. If he wants to route from 1 router to 2nd router - then you do that with a transit network.

But your never going to get it to work - if you can not even draw up how you want it to work in the first place.

If he wants network A handing off router 1, and network B off router 2 - that is very simple and common to do.. You just create a transit network and setup routes at each router telling the router where to go to get to network X..

Draw up how you want it to be - and be more than happy to walk you through it.. The simple solution is to just use 1 router.. Unless you can explain why you want/need to use to routers then use just 1.. More than 1 router add complexity, and without a need to do it - why would anyone do that? In any sort of home setup, there is rarely a need to use more complex setup when there is a simpler less complex solution.