Access to another private subnet => masquerade?
  • Hi there, I could use some help on the following:

    Here I need to access an IPcam on another private subnet. This IPcam has some kind of firewall rule that seems to block any access from any IP other than one on the same subnet (even a ping is blocked). Sadly the web GUI of the IPcam has no option to change this and there is no telnet/SSH access, so I am out of options.

    I thought about address spoofing and that it might do the trick. So something like "iptables -t nat -A POSTROUTING -p icmp -j SNAT --to-source 192.168.1.X" came to mind, to test if a ping would be accepted, but I have no clue how to set this up in pfSense, as I am fairly new to it.

    Thanks for any help or advice in advance ;) btw maybe this Q should be in the NAT section?


  • Netgate

    Yes. It should be in NAT. Moved.

    It sounds like you need to do an outbound NAT entry for this camera if you can't coerce it to accept connections from outside/foreign subnets. (You did set its default gateway at pfSense LAN IP right?)

    This is usually done on WAN so all outbound connections appear to come from the same IP address. It can just as easily be done on a LAN interface so all connections to a specific LAN host from other subnets appear to come from the pfSense LAN interface address.

    Assumptions:
    pfSense Version: 2.3.1_1
    pfSense Interface Camera is on: LAN
    pfSense LAN address: 192.168.1.1/24
    Camera Address: 192.168.1.100

    Firewall > NAT, Outbound tab

    Select Hybrid Outbound NAT

    Create a new rule

    Interface: LAN
    Protocol: any
    Source: any
    Destination: Network, 192.168.1.100 /32
    Translation Address: Interface Address
    Port: empty
  • Assumptions:

    pfSense Version: 2.3.1_1 Yes
    pfSense Interface Camera is on: LAN No, in the sense that I need access from 192.168.1.X (LAN) to 192.168.2.X (WLAN), so from one private subnet to another.
    pfSense LAN address: 192.168.1.1/24 Yes
    Camera Address: 192.168.1.100 No 192.168.2.100

    I will try and modify the settings you suggested corresponding to what I have mentioned above and report back.

    Thanks for your quick reply ;)
  • Thanks Derelict, that worked like a charm. The only difference was I had to choose another interface (my mistake), as the IPcam is on the WLAN, so:

    Interface: WLAN
    Protocol: any
    Source: any
    Destination: Network, 192.168.2.100 /32
    Translation Address: Interface Address
    Port: empty

    Just to be sure, am I to understand that when I change the mode from the default mode "Automatic outbound NAT rule generation (IPsec passthrough included)" to "Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)" the added rules become enabled?

    Here I have 2 automated rules. Why is the ISAKMP (IPSEC?) on port 500 created?

    Interface  Source                                                        Src Port  Dest  Dest Port  NAT Address  NAT Port  Description
    WAN        127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.5.0/24  *         *     500        WAN address  *         Auto created rule for ISAKMP
    WAN        127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.5.0/24  *         *     *          WAN address  *         Auto created rule

    On my other firewall I had to use something like "iptables -t NAT -A POSTROUTING -j SNAT --to-source 192.168.2.88" to masq the IP address, using some IP from the other subnet. Can I see the pf rules like in iptables (iptables -vnL or iptables -t nat --list)? I know there is an exec.php in pfSense.

    Thanks for your patience ;)

  • Standard tool for inspecting the rules is pfctl. Use Diagnostics->Command Prompt to run this to show the nat and rdr rules:

    pfctl -sn

    For filter rules:

    pfctl -sr

    You can throw in -g and -v (can be repeated more than once) options to increase verbosity and amount of information reported.
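    Added example, not from this thread or from pfSense itself: a constructed sample of what pfctl -sn prints once the hybrid outbound NAT change is in place (the two auto-created WAN rules, the ISAKMP one keeping its source port, plus the manual WLAN rule for the camera), with small sh/awk helpers to confirm the camera rule exists and what source address it translates to. Interface names (em0 for WAN, em2 for WLAN), the WAN address 203.0.113.10 and the exact pfctl wording are assumptions.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sn` output after enabling hybrid outbound NAT.
# em0 = WAN, em2 = WLAN and the WAN address 203.0.113.10 are assumptions, not from the thread.
SAMPLE_PFCTL_SN='nat on em0 inet from 127.0.0.0/8 to any port = isakmp -> 203.0.113.10 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 203.0.113.10 port 1024:65535
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.10 port 1024:65535
nat on em2 inet from any to 192.168.2.100 -> 192.168.2.1 port 1024:65535'

# nat_rules_to DEST: print the nat rules whose destination is exactly DEST,
# reading pfctl -sn output from stdin; exit status 1 if there is none.
nat_rules_to() {
    awk -v dest="$1" '
        $1 == "nat" {
            for (i = 1; i < NF; i++)
                if ($i == "to" && $(i + 1) == dest) { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# translated_source DEST: the address the firewall rewrites the source to
# for traffic headed to DEST (what the camera will see as the client IP).
translated_source() {
    nat_rules_to "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "->") { print $(i + 1); exit } }'
}

# has_static_port PORTSPEC: true if the rule matching "port = PORTSPEC"
# keeps the original source port (the auto-created ISAKMP rule does).
has_static_port() {
    awk -v p="port = $1" 'index($0, p) && /static-port/ { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Stand-alone run on the sample; on a real box use: pfctl -sn | nat_rules_to 192.168.2.100
printf '%s\n' "$SAMPLE_PFCTL_SN" | nat_rules_to 192.168.2.100
```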


  • Netgate

    Why is the ISAKMP (IPSEC?) on port 500 created?

    IPsec passthrough clients are much happier with static source ports.