Access to another private subnet => masquerade?
-
Hi there, I could use some help on the following:
Here I need to access an IPcam on another private subnet. This IPcam has some kind of firewall rule that seems to block any access from any other IP than from the same subnet (even a ping is blocked). Sadly the webgui from the IPcam has no option to change this and there is no telnet/SSH access, so I am out of options.
I thought about address spoofing and that it might do the trick. So something like "iptables -t nat -A POSTROUTING -p icmp -j SNAT --to-source 192.168.1.X" came into mind, to test if a ping would be accepted, but I have no clue how to set this up in pfSense, as I am fairly new to it.
Thanks for any help or advice in advance ;) btw maybe this Q should be in the NAT section?
-
Yes. It should be in NAT. Moved.
It sounds like you need to do an outbound NAT entry for this camera if you can't coerce it to accept connections from outside/foreign subnets. (You did set its default gateway at pfSense LAN IP right?)
This is usually done on WAN so all outbound connections appear to come from the same IP address. It can just as easily be done on a LAN interface so all connections to a specific LAN host from other subnets appear to come from the pfSense LAN interface address.
Assumptions:
pfSense Version: 2.3.1_1
pfSense Interface Camera is on: LAN
pfSense LAN address: 192.168.1.1/24
Camera Address: 192.168.1.100
Firewall > NAT, Outbound tab
Select Hybrid Outbound NAT
Create a new rule
Interface: LAN
Protocol: any
Source: any
Destination: Network, 192.168.1.100 /32
Translation Address: Interface Address
Port: empty
-
Assumptions:
pfSense Version: 2.3.1_1 Yes
pfSense Interface Camera is on: LAN No in a sense that I need access from 192.168.1.X(LAN) to 192.168.2.X(WLAN), so from one private subnet to another.
pfSense LAN address: 192.168.1.1/24 Yes
Camera Address: 192.168.1.100 No, 192.168.2.100
I will try and modify the settings you suggested corresponding to what I have mentioned above and report back.
Thanks for your quick reply ;)
-
Thanks Derelict that worked like a charm. The only difference was I had to choose another interface (my mistake), as the IPcam is on the WLAN so:
Interface: WLAN
Protocol: any
Source: any
Destination: Network, 192.168.2.100 /32
Translation Address: Interface Address
Port: empty
Just to be sure, am I to understand that when I change the mode from the default mode "Automatic outbound NAT rule generation (IPsec passthrough included)" to "Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)" the added rules become enabled?
Here I have 2 automated rules. Why is the ISAKMP (IPsec?) on port 500 created?
WAN 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.5.0/24 * * 500 WAN address * Auto created rule for ISAKMP
WAN 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.5.0/24 * * * WAN address * Auto created rule
On my other firewall I had to use something like "iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.2.88" to masq the IP address, using some IP from the other subnet. Can I see the pf rules like in iptables (iptables -vnL or iptables -t nat --list)? I know there is an exec.php in pfSense.
Thanks for your patience ;)
-
The standard tool for inspecting the rules is pfctl. Use Diagnostics->Command Prompt to run this to show the nat and rdr rules:
pfctl -sn
For filter rules:
pfctl -sr
You can throw in -g and -v (can be repeated more than once) options to increase verbosity and amount of information reported.
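As an added illustration (not posted by anyone in this thread), this is roughly how the manual outbound NAT rule from the accepted answer and the two auto-created WAN rules read in pf syntax, the form pfctl -sn prints them in. The interface names em0 (WAN) and em2 (WLAN), the WLAN address 192.168.2.1 and the WAN address 203.0.113.10 are assumed placeholders, not values from the thread.

```pf
# Assumed placeholders: em0 = WAN, em2 = WLAN, 192.168.2.1 = WLAN address,
# 203.0.113.10 = WAN address. None of these come from the thread.

# Manual hybrid rule from the thread (Interface: WLAN, Source: any,
# Destination: 192.168.2.100/32, Translation: Interface Address).
# Any host reaching the camera is rewritten to the WLAN interface address,
# so the camera only ever sees a same-subnet source and its filter passes it.
nat on em2 inet from any to 192.168.2.100/32 -> 192.168.2.1/32

# Auto-created WAN rules. The ISAKMP (UDP 500) rule carries static-port so
# the source port is left untouched; IPsec passthrough clients need that.
# The general rule lets pf rewrite source ports as it sees fit.
nat on em0 inet from { 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.5.0/24 } to any port 500 -> 203.0.113.10/32 static-port
nat on em0 inet from { 127.0.0.0/8 192.168.1.0/24 192.168.2.0/24 192.168.5.0/24 } to any -> 203.0.113.10/32
```

Compare against the real output of pfctl -sn on your box; the camera rule should show the WLAN address you actually configured in place of the placeholder.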
-
Why is the ISAKMP (IPsec?) on port 500 created?
IPsec passthrough clients are much happier with static source ports.