IP Cameras
-
Hello, How do I properly allow an IP camera access which is connected to a Wi-Fi router (10.10.9.X WAN and 192.168.9.X LAN) behind my pfsense router (10.10.8.X WAN and 192.168.8.X LAN) from the internet?
The camera supports DDNS and when logging in I see that it shows "DDNS success" and "DDNS connected" status for the IP camera. I'm trying to set up my remote access to the camera from my Android phone with a 3rd party app and when using the assigned DDNS web URL it keeps timing out so I assumed that I needed to set the ports statically in the camera settings, then assign those ports in the pfsense under "port forwarding", then "alias ports" settings…I was wrong as that didn't correct the problem.
-
so your double natting with your wifi? Why do you not just use your wifi router as AP so all your devices are on pfsense lan.. or pfsense lan segments if you want to isolated wireless from wired, etc.
Your IPs you give make no sense.. Why would your wifi router have wan if used as AP, and that wan is not even pfsense lan?
Draw up how you have this stuff connected.
-
so your double natting with your wifi? Why do you not just use your wifi router as AP so all your devices are on pfsense lan.. or pfsense lan segments if you want to isolated wireless from wired, etc.
Your IPs you give make no sense.. Why would your wifi router have wan if used as AP, and that wan is not even pfsense lan?
Draw up how you have this stuff connected.
Ah yes, I did write my IPs wrong…thank you for pointing out...the truth is I don't know what they all are right now because when I was having problems with connecting to this IP camera, I removed static IP assignments from all network devices recently and re-enabled DHCP throughout my whole network so that I could see what IPs each router's DHCP server would give me automatically on each network segment. Once I connect to my IP Cameras from outside the network successfully, I will take the IPs I was given automatically by DHCP, then set everything throughout the network to a static IP address again.
IP Camera is connected to Wi-Fi router (in router mode/DHCP/NAT) that connects to pfsense router which connects to a broadband internet modem.
I am double NATing but when disabling the NAT on the Wi-Fi router, I still couldn't connect to the camera...
I hope to keep both routers in router mode versus putting my Wi-Fi router in bridge mode (I believe that's what you're referring to) and I don't mind the inefficiencies in configuring my network in this manner. I have access to the web throughout all my endpoints currently so I'm hoping that there is just something silly I'm missing such as port forwarding in pfsense or something similar (since I already tried port aliases)...thank you for helping
-
Why do you want your wifi router in nat mode?? Make no freaking sense to do that.. Please provide logic in this sort of setup..
Why would you not just use it as accesspoint and put it on a network segment directly connect to pfsense - what is the point of the routing/natting??
To use any wifi router as just accesspoint, or ok just leverage its wifi to wired bridge which is all an AP is. Turn off its dhcp server, give its lan an IP on network your going to put it so you can manage it and then connect it to the wired network via one of its lan ports vs the wan port there you go AP. Some models have a mode for this that actually adds the wan port to the bridge but I don't see a point of this unless your really really short on ports.
Now all you have to do is control forwarding at your pfsense, unless its wan is also private like you posted so your actually triple natting?? Or maybe your wifi router was in front of pfsense?? This is how a normal network would look using pfsense and wifi router as AP. Or even more typical is 2nd pic where you have AP on same network as your other devices.
If your going to have multiple routers and doing nat then you would have to port forward at every one..
On a side note vs putting your cameras out on the public net, why would you not just vpn in with your remote device and securely access your cameras..
-
Hello, thank you for helping, I appreciate it. I really like the idea of VPNing in to connect to the camera but I already have a VPN profile loaded on my Android phone and would not like to unload it every time I want to connect to my home network. That also creates security concerns for the instance in which I could lose the mobile device and the malicious entity would potentially have access to my home network until I get home to change everything around to block the VPN Cert Authority etc…
Right now my broadband modem connects to my pfsense router and WAN is a public IP and 192.168.9.X LAN. The pfsense router then connects to my Wi-Fi router with 192.168.8.X WAN and 10.10.9.X LAN and the camera is connected to this router with a 10.10.9.X address on port 5065.
I tried setting my android camera app to 10.10.9.X:5065 and then put in a firewall rule "port alias" of 5065 on my pfsense router...and it didn't work.
Should I also put a port forward rule in my Wi-Fi router even though the camera is connected to it?
-
pfsense router and WAN is a public IP and 192.168.9.X LAN. The pfsense router then connects to my Wi-Fi router with 192.168.8.X WAN and 10.10.9.X LAN and the camera is connected to this router with a 10.10.9.X address on port 5065.
Huh… How is it your wifi router wan on 192.168.8 while pfsense lan is 192.168.9.. How does that work.. Do you have another network on pfsense. Are you using a larger mask then /24 That makes no sense. But you have a double nat here if that was a typo and your wifi router wan is the pfsense lan or another network on pfsense.
Why are you leaving off the last octet here? These are rfc1918 addresses, they do not route on the internet. It is pointless to try and hide them or obfuscate them.
So if this is a typo and you have this
internet --- publicIP (wan) pfsense (lan) 192.168.9.1/24 --- 192.168.9.2/24 (wan) wifi router (lan) 10.10.9.1/24 --- 10.10.9.2/24:5065 IP Camera
Then you would need to forward 5065 on pfsense to 192.168.9.2 and on your wifi router you would need to forward 5065 to 10.10.9.2
But that is a double NAT and I again would suggest you just use your wifi router as AP so now you would only have to forward on pfsense.
As to vpn being less secure because someone might get your phone?? Really?? You can put a password on your vpn connection. So even if someone had the phone they would have to know the username and password even with the cert. I am talking a openvpn vpn.. What vpn on you using on your phone currently? If openvpn, you can have more than one profile and its clickity clickity to switch between them using the openvpn app.
If your other vpn is some ipsec vpn you could prob tunnel through that to your home openvpn.
The slight inconvenience of switching or enabling a vpn connecting on your phone is going to be way more secure than opening up your cameras to the public net that is for sure.. You do understand you could limit the vpn connection to only your camera(s) IPs and ports if that is what you wanted to do. So even if someone got your phone all they could do would be to access your cameras. But I would think there is way much more stuff on your phone that I would be worried about vs possible access to your network until you had time to revoke the cert on the vpn connection. All your contacts, all your pictures, etc. etc. Do you not lock your phone?? Someone would have to actually swipe mine out of my hand while using it to get it in an unlocked state that they would have access to anything. If I set it down its locked, if I put it in my pocket its locked.. If I happen to forget to lock it on purpose it locks in a few minutes so even if set it down on a bar for example in a few minutes it would lock on its own so there would only be a very short window that someone could grabbed it and access anything.
-
…a Wi-Fi router (10.10.9.X WAN and 192.168.9.X LAN) behind my pfsense router (10.10.8.X WAN and 192.168.8.X LAN) ...
This sounds like you're triple-natting? All segments here are private IP.
Can you show / draw a diagram of your current network setup, so it's all a bit clearer for us?
-
Hello john and moikerz,
I'd hoped to take the route outlined above where port forwarding was at least an option although not the best one…alas it still didn't work after double-checking my pfsense port forwarding firewall NAT rule for 5056 to the Wi-Fi WAN IP address and setting the Wi-Fi router to forward 5056 to the camera IP address.
Did I do something wrong on the pfsense side because the packets still don't get to the Wi-Fi router when looking at the incoming logs...??? I tried setting the Firewall/NAT/Port Forwarding pass rule to any source, any protocol, destination of the camera's IP address, port 5056. Nothing passed through to the Wi-Fi router according to it's incoming logs. I also set a WAN interface rule to pass port 5056 traffic to the camera's IP address and made sure the rule was listed at the top of the other rules and that didn't work either...
I've created a network diagram after documenting everything last night since everything had changed after enabling DHCP throughout the network a few nights back.
-
so does your cameras have a gateway set?? If device doesn't have gateway then you can not talk to them outside that network..
As to your drawing.. That makes no sense so your saying your "modem" has a public IP of x.x.x.1 and pfsense wan has public IP x.x.x.2 ?? Yeah I don't think so..
Dude what is public IP of pfsense start with?? 10.x, 192.168.x or 172.16-31.x if any of those then its NOT public and rfc1918..
And how is it its gateway is x.3 ??? And your wan on your wifi router shows its gateway is .11 when pfsense IP on the lan network is .1 ?? Dude it doesn't work that way!!!
-
so does your cameras have a gateway set?? If device doesn't have gateway then you can not talk to them outside that network..
As to your drawing.. That makes no sense so your saying your "modem" has a public IP of x.x.x.1 and pfsense wan has public IP x.x.x.2 ?? Yeah I don't think so..
Dude what is public IP of pfsense start with?? 10.x, 192.168.x or 172.16-31.x if any of those then its NOT public and rfc1918..
And how is it its gateway is x.3 ??? And your wan on your wifi router shows its gateway is .11 when pfsense IP on the lan network is .1 ?? Dude it doesn't work that way!!!
My camera has the default gateway of the Wi-Fi router as shown in the attachment.
I can't tell the whole world what my ISP is by specifying what the public IP address begins with…I'm only protecting my security and privacy but I assure you it is the public IP as shown, which I then double-verified using google "what is my IP". The public IP ends with .1 and my pfsense router is on the same net as the public IP address, ends with .2, and has a subnet of 255.255.254.0 which confuses me too since the entire rest of my network is 255.255.255.0...I did make the mistake with the pfsense default gateway though...its the same IP address as the broadband modem with .1.
I admit I hardly know anything at all about networking...but I believe I have all this confusing crap with different IPs all over the place and different gateways etc because I have NAT enabled on both these routers. I want it that way even though it isn't efficient at all.
-
so your worried that the internet knows what ISP your on? Really??
While ok that might be an issue if isp served up say a cul-de-sac in 1 specific tiny city.. So my public IP is 24.13.x.x
So that tells you I have comcast, most likely somewhere on east side of the US.. What does that get you exactly?? Someone going to hack me now?? ROFL?? While I completely agree I would not suggest you go posting up your full public IP address.. Giving out the first or first couple of octets is going to tell someone at most you have ISP XYZ.. Which unless your on some ma and pop isp that has 14 clients you might get what region of the globe your on ;)
Oh my gawd… 24.13 - you know I am in IL... Oh shit the helicopters will be coming for me now ;) ROFL....
NetRange: 24.12.0.0 - 24.15.255.255
CIDR: 24.12.0.0/14
NetName: ILLINOIS-14So when you use a whats my IP address you get something that ends in .1 while if you look in pfsense it ends in .2 ?? That points to using a proxy.. If the world sees your IP as something other than pfsense when you go to a website, your either behind a NAT or your using a proxy..
As to a mask of 255.255.254 or /23 yeah that is kind of small actually for many isps... I have a /21 on my public IP..
Lets see if the traffic even gets to you.. Go to say canyouseeme.org and put in your port to the IP it shows.. Is that IP the same as what pfsense says its public IP is?? And before you send your test to 5065 start a packet capture on the same port on your wan interface..
So for example see my test..
So I started packet capture listening for only this 5065 port.. I then went to canyouseeme.org and started a test to that same port. Now clearly its going to say that its closed for me because I did not forward it, etc. But I then stop the capture and see that those packets actually got to my wan interface..
if your not seeing this traffic with your packet capture and test from canyouseeme then the traffic is NOT getting to you.. And no amount of port forwarding will ever work..