Access to another private subnet => masquerade?

Qinn

Hi there ,I could use some help on the following;

Here I need to access an IPcam on another private subnet. This IPcam has some kind of firewall rule that seems to block any access from any other ip than from the same subnet (even a ping is blocked). Sadly the webgui from the IPcam has no option to change this and there is no telnet\SSH access, so I am out of options.

I thought about address spoofing and that it might do the trick. So something like "iptables -t nat -A POSTROUTING -p icmp -j SNAT –to-source 192.168.1.X" came into mind, to test if a ping would be accepted, but I have no clue how to set this up in pfsense, as I am fairly new to it.

Thanks for any help or advice in advance  ;)  btw maybe this Q should be in the NAT section?

Derelict

Yes. It should be in NAT. Moved.

It sounds like you need to do an outbound NAT entry for this camera if you can't coerce it to accept connections from outside/foreign subnets. (You did set its default gateway at pfSense LAN IP right?)

This is usually done on WAN so all outbound connections appear to come from the same IP address. It can just as easily be done on a LAN interface so all connections to a specific LAN host from other subnets appear to come from the pfSense LAN interface address.

Assumptions:
pfSense Version: 2.3.1_1
pfSense Interface Camera is on: LAN
pfSense LAN address: 192.168.1.1/24
Camera Address: 192.168.1.100

Firewall > NAT, Outbound tab

Select Hybrid Outbound NAT

Create a new rule

Interface: LAN
Protocol: any
Source: any
Destination: Network, 192.168.1.100 /32
Translation Address: Interface Address
Port: empty

Qinn

Assumptions:

pfSense Version: 2.3.1_1 Yes
pfSense Interface Camera is on: LAN No in a sense that I need access from 192.168.1.X(LAN) to 192.168.2.X(WLAN), so from one private subnet to another.
pfSense LAN address: 192.168.1.1/24 Yes
Camera Address: 192.168.1.100 No 192.168.2.100

I will try and modify the  settings you suggested corresponding to what I have mentioned above and report back

Thanks for your quick reply ;)

Qinn

Thanks Derelict that worked like a charm. The only difference was I had to choose another interface (my mistake), as the IPcam is on the WLAN so:

Interface: WLAN
Protocol: any
Source: any
Destination: Network, 192.168.2.100 /32
Translation Address: Interface Address
Port: empty

Just to be sure, am I to understand that when I change the mode from the default mode Automatic outbound NAT rule generation.
(IPsec passthrough included) to Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below) the added rules become enabled?

Here I have 2 automated rules. Why is the ISAKMP (IPSEC?) on port 500 created?
WAN 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.5.0/24 * * 500 WAN address * Auto created rule for ISAKMP
WAN 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.5.0/24 * * * WAN address * Auto created rule

On my other firewall I had to use something like "iptables -t NAT -A POSTROUTING -j SNAT –to-source 192.168.2.88" to masq the ip address, using some ip from the other subnet. Can I see the pf rules like in iptables (iptables -vnL or iptables -t nat --list), I know there is a exec.php in pfsense?

Thanks for you patience ;)

kpa

Standard tool for inspecting the rules is pfctl. Use Diagnostics->Command Prompt to run this to show the nat and rdr rules:

pfctl -sn

For filter rules:

pfctl -sr

You can throw in -g and -v (can be repeated more than once) options to increase verbosity and amount of information reported.

Derelict

Why is the ISAKMP (IPSEC?) on port 500 created?

IPsec passthrough clients are much happier with static source ports.