    Access to another private subnet => masquerade?
    • Qinn

      Hi there, I could use some help on the following:

      Here I need to access an IPcam on another private subnet. This IPcam has some kind of firewall rule that seems to block any access from any other IP than from the same subnet (even a ping is blocked). Sadly the webgui from the IPcam has no option to change this and there is no telnet/SSH access, so I am out of options.

      I thought about address spoofing and that it might do the trick. So something like "iptables -t nat -A POSTROUTING -p icmp -j SNAT --to-source 192.168.1.X" came to mind, to test if a ping would be accepted, but I have no clue how to set this up in pfSense, as I am fairly new to it.

      Thanks for any help or advice in advance ;) btw maybe this Q should be in the NAT section?

      Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
      Firmware: Latest-stable-pfSense CE (amd64)
      Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

      • Derelict (LAYER 8 Netgate)

        Yes. It should be in NAT. Moved.

        It sounds like you need to do an outbound NAT entry for this camera if you can't coerce it to accept connections from outside/foreign subnets. (You did set its default gateway to the pfSense LAN IP, right?)

        This is usually done on WAN so all outbound connections appear to come from the same IP address. It can just as easily be done on a LAN interface so all connections to a specific LAN host from other subnets appear to come from the pfSense LAN interface address.

        Assumptions:
        pfSense Version: 2.3.1_1
        pfSense Interface Camera is on: LAN
        pfSense LAN address: 192.168.1.1/24
        Camera Address: 192.168.1.100

        Firewall > NAT, Outbound tab

        Select Hybrid Outbound NAT

        Create a new rule

        Interface: LAN
        Protocol: any
        Source: any
        Destination: Network, 192.168.1.100 /32
        Translation Address: Interface Address
        Port: empty

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Qinn

          Assumptions:

          pfSense Version: 2.3.1_1: Yes
          pfSense Interface Camera is on: LAN: No, in the sense that I need access from 192.168.1.X (LAN) to 192.168.2.X (WLAN), so from one private subnet to another.
          pfSense LAN address: 192.168.1.1/24: Yes
          Camera Address: 192.168.1.100: No, 192.168.2.100

          I will try and modify the settings you suggested corresponding to what I have mentioned above and report back.

          Thanks for your quick reply ;)

          • Qinn

            Thanks Derelict that worked like a charm. The only difference was I had to choose another interface (my mistake), as the IPcam is on the WLAN so:

            Interface: WLAN
            Protocol: any
            Source: any
            Destination: Network, 192.168.2.100 /32
            Translation Address: Interface Address
            Port: empty

            Just to be sure, am I to understand that when I change the mode from the default mode "Automatic outbound NAT rule generation (IPsec passthrough included)" to "Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)" the added rules become enabled?

            Here I have 2 automated rules. Why is the ISAKMP (IPSEC?) on port 500 created?

            Interface: WAN; Source: 127.0.0.0/8, 192.168.1.0/24, 192.168.2.0/24, 192.168.5.0/24; Source Port: *; Destination: *; Destination Port: 500; NAT Address: WAN address; NAT Port: *; Description: Auto created rule for ISAKMP
            Interface: WAN; Source: 127.0.0.0/8, 192.168.1.0/24, 192.168.2.0/24, 192.168.5.0/24; Source Port: *; Destination: *; Destination Port: *; NAT Address: WAN address; NAT Port: *; Description: Auto created rule

            On my other firewall I had to use something like "iptables -t NAT -A POSTROUTING -j SNAT --to-source 192.168.2.88" to masq the IP address, using some IP from the other subnet. Can I see the pf rules like in iptables (iptables -vnL or iptables -t nat --list)? I know there is an exec.php in pfSense.

            Thanks for your patience ;)

            • kpa

              The standard tool for inspecting the rules is pfctl. Use Diagnostics > Command Prompt to run this to show the nat and rdr rules:

              pfctl -sn

              For filter rules:

              pfctl -sr

              You can throw in the -g and -v options (-v can be repeated more than once) to increase verbosity and the amount of information reported.

              • Derelict (LAYER 8 Netgate)

                Why is the ISAKMP (IPSEC?) on port 500 created?

                IPsec passthrough clients are much happier with static source ports.

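As an added illustration (not from anyone in this thread and not pfSense's own generated ruleset), here is what the outbound NAT entry from Derelict's answer, Qinn's corrected WLAN version of it, and the two automatic WAN rules amount to in hand-written pf.conf syntax. Interface names em0 (WAN) and em1 (WLAN) are assumed; the <localnets> table mirrors the source networks listed in the auto rules above.

```pf
# Added example, not from the thread. Assumed interface names: em0 = WAN,
# em1 = WLAN (the subnet the camera lives on).
wan_if  = "em0"
wlan_if = "em1"
camera  = "192.168.2.100"
table <localnets> { 127.0.0.0/8, 192.168.1.0/24, 192.168.2.0/24, 192.168.5.0/24 }

# The hybrid-mode rule from the thread: every packet leaving the WLAN
# interface toward the camera is rewritten to carry the WLAN interface's own
# address, so the camera only ever sees a source inside 192.168.2.0/24.
# The original client IP is no longer visible to the camera after this.
nat on $wlan_if inet from any to $camera -> ($wlan_if)

# The two automatic WAN rules. ISAKMP (port 500) keeps its original source
# port (static-port), which is why a separate rule exists for it; all other
# traffic gets a freshly chosen high source port.
nat on $wan_if inet from <localnets> to any port 500 -> ($wan_if) static-port
nat on $wan_if inet from <localnets> to any -> ($wan_if) port 1024:65535
```

After enabling the GUI rule, `pfctl -sn` on the pfSense box should show a nat line for the camera's /32 on the WLAN interface; if it is missing, the rule was added while the mode was still Automatic and is not loaded.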