Need to allow access to DVR in the WAN network to LAN computers



  • My pfsense box is connected to a Cable Modem Router (CMR) with many ports.

    In the CMR there are other devices specifically a DVR.  The DVR get the IP 192.168.0.99.

    The WAN get the IP 192.168.0.3.

    The LAN subnet is 192.168.1.0/24

    I can ping from the LAN to IP 192.168.0.99.  I do not know if I can ping from a device in the WAN network to the LAN but I guess not.

    Even that I can ping the DVR I can't connect to it to receive its feed.

    So I think that I need to create a Firewall Rule to allow the communication.

    The Default Firewall rules are active.

    Any one could tell me what rule to add?



  • You've got a double-NAT situation.  pfSense can control access from WAN to LAN, but your DVR is on the same network as WAN so pfSense won't be able to do much about it.  You need to configure your CMR to port-forward the DVR.  You would be better off with your modem in bridge mode, with pfSense after that and a small switch with your DVR after that.  Then you could control everything via pfSense.



  • Before installing the pfsense they had a netgear wireless router working as firewall.  This device was working before while using that router.
    I guessed pfsense should be capable to be better or equal to that netgear.

    Maybe there is a way to turn off NATting between the DVR and the LAN subnet?


  • Rebel Alliance Global Moderator

    "Maybe there is a way to turn off NATting between the DVR and the LAN subnet?"

    Yes there is a way to do that, but your still going to have a asymmetrical routing issue, nat would actually be your friend here.

    The default lan rules are any any so that would allow your communication.  And pfsense should nat the connection to its wan IP so it would be like you were talking to the dvr from your pfsense wan IP..  So there should be no reason you shouldn't be able to connect to your dvr.



  • I dont know why is not working.

    I connected to the DVR web service and downloaded successfully an application from it.

    Went to IE using http://192.168.0.99:99 the DVR showed a Web Page to download its clients. (I downloaded the IE add-on successfully and the Windows client successfully.  It even asks for username/password which I entered and was accepted.

    But then the add-on and the windows client when try to get the feed from the DVR failed with some app error.

    Other clients that are connected directly to the CMR can get the feed without error so I know the DVR is giving the feed.


  • Rebel Alliance Global Moderator

    are you using proxy in pfsense?

    Without understanding how the client works it is hard to say what could be the problem.  Maybe the client reports its IP to the dvr, and the dvr is trying to get to that 192.168.1 address by talking to its gateway vs the IP that is natted by pfsense to be on the dvr network?

    Why are you putting pfsense downstream of your cable devices.

    Why don't you put your pfsense in front of ALL your devices.  Either put them all on the same network/vlan behind pfsense or put them on their own segments behind pfsense.  But pfsense because now the gateway/router for all your devices.

    Pfsense wan would be connected to your cable devices, I would even put them into bridge mode so pfsense wan gets actual public IPs.. Then all your devices should be behind pfsense.



  • Yes.  But I am testing the DVR client in the server which connects without proxy.  (I have Captive Portal to block direct access to the Internet but the server is allowed to pass)


  • Rebel Alliance Global Moderator

    Are you running any sort of ips, like snort or the other one?  Again without understanding how the client works its hard to guess what the problem is, clearly your saying you can access it via http.  But maybe the client uses multicast to stream shows or something?  Multicast is doesn't really work over a layer 3 route or nat - its designed to be on the same layer 2 network.

    You need to understand how the client works with the dvr to know what could be causing the problem.  But from a normal networking point of view, pfsense nats your client talking to dvr to look like its coming from pfsense WAN IP that is on the dvr network.

    Maybe it has something to do with the source port needing to be static or something?  Since pfsense would be doing napt and changing the sourceport of the connection.  There are lots of things that could break it from working correctly through a nat.

    I still do not understand why your putting pfsense downstream?  This is not a good setup.  Pfsense should be at the edge and can route between your multiple segments if you need/want them.



  • @johnpoz:

    Are you running any sort of ips, like snort or the other one?  Again without understanding how the client works its hard to guess what the problem is, clearly your saying you can access it via http.  But maybe the client uses multicast to stream shows or something?  Multicast is doesn't really work over a layer 3 route or nat - its designed to be on the same layer 2 network.

    I can install snort in the pfsense if you say that it could shed light to the problem.  Maybe the client does use multicast to stream I cant tell.

    @johnpoz:

    I still do not understand why your putting pfsense downstream?  This is not a good setup.  Pfsense should be at the edge and can route between your multiple segments if you need/want them.

    The network Admin has it that way.  I am just replacing the netgear by the pfsense to implement proxy and content filtering.  The netgear was reconfigured to act as a Wireless AP.

    Maybe I can convince the Net Admin to change the DVR to the internal network, then I will have to add a Port Forward to the DVR as they connect to it from the Internet by Cellular Apps.  If multicast is a problem in this method then I will have a unsatisfied Client.


  • Rebel Alliance Global Moderator

    If your netgear was just being a AP then it wasn't doing any sort of nat.. And wasn't routing or anything it was just an AP.

    No I would not suggest installing snort.  What I would suggest you could do is sniff on pfsense lan and wan and try and make a connection to see what is going on.



  • @johnpoz:

    If your netgear was just being a AP then it wasn't doing any sort of nat.. And wasn't routing or anything it was just an AP.

    It was converted to AP after pfsense installation, before pfsense it was the main Router/Firewall.

    @johnpoz:

    No I would not suggest installing snort.  What I would suggest you could do is sniff on pfsense lan and wan and try and make a connection to see what is going on.

    OK.  There is a sniff package?


  • Rebel Alliance Global Moderator

    no package just under diagnostics, packet capture or fro ma prompt or ssh to it you can do tcpdump





  • Run Diagnostic -> Packet Capture

    Set Host to 192.168.0.99
    Else left defaults.

    Output:

    17:10:04.638345 ARP, Request who-has 192.168.0.99 tell 192.168.0.3, length 28
    17:10:04.639323 ARP, Reply 192.168.0.99 is-at 00:17:4f:0c:3e:5c, length 46
    17:10:04.639332 IP 192.168.0.3.16730 > 192.168.0.99.99: tcp 0
    17:10:04.765719 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 0
    17:10:04.765982 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 0
    17:10:04.766120 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 0
    17:10:04.766265 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 259
    17:10:04.766602 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 0
    17:10:04.807060 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 999
    17:10:04.807116 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 0
    17:10:04.807222 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 0
    17:10:04.807622 IP 192.168.0.3.35783 > 192.168.0.99.99: tcp 0
    17:10:04.808025 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
    17:10:04.809060 IP 192.168.0.99.99 > 192.168.0.3.35783: tcp 0
    17:10:04.809262 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 0
    17:10:04.809378 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
    17:10:04.809915 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 298
    17:10:04.810486 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 0
    17:10:04.820361 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 17
    17:10:05.017506 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
    17:10:05.075790 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 1024
    17:10:05.084769 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 95
    17:10:05.084930 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
    17:10:05.089531 IP 192.168.0.3.18835 > 192.168.0.99.99: tcp 0
    17:10:05.089864 IP 192.168.0.99.99 > 192.168.0.3.18835: tcp 0
    17:10:05.236533 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 0
    17:10:05.236766 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 0
    17:10:05.236900 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 0
    17:10:05.236975 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 92
    17:10:05.237352 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 0
    17:10:05.253688 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 201
    17:10:05.254600 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 997
    17:10:05.254732 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 0
    17:10:05.254790 IP 192.168.0.3.33284 > 192.168.0.99.99: tcp 0
    17:10:05.255046 IP 192.168.0.99.99 > 192.168.0.3.33284: tcp 0
    17:10:05.356100 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 0
    17:10:05.356342 IP 192.168.0.99.99 > 192.168.0.3.10889: tcp 0
    17:10:05.356482 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 0
    17:10:05.356610 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 72
    17:10:05.356870 IP 192.168.0.99.99 > 192.168.0.3.10889: tcp 0
    17:10:05.366405 IP 192.168.0.99.99 > 192.168.0.3.10889: tcp 522
    17:10:05.366637 IP 192.168.0.99.99 > 192.168.0.3.10889: tcp 0
    17:10:05.366829 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 0
    17:10:05.370377 IP 192.168.0.3.10889 > 192.168.0.99.99: tcp 0
    17:10:05.370472 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
    17:10:05.371335 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
    17:10:05.371449 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
    17:10:05.371559 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 177
    17:10:05.371569 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 242
    17:10:05.372071 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
    17:10:05.372079 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
    17:10:48.857694 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 0
    17:10:48.858534 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 0
    17:10:48.858667 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 0
    17:10:48.858788 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 92
    17:10:48.859469 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 0
    17:10:48.905379 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 201
    17:10:48.911684 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 997
    17:10:48.911867 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 0
    17:10:48.911937 IP 192.168.0.3.62699 > 192.168.0.99.99: tcp 0
    17:10:48.912247 IP 192.168.0.99.99 > 192.168.0.3.62699: tcp 0
    17:10:48.959143 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 0
    17:10:48.960577 IP 192.168.0.99.99 > 192.168.0.3.20616: tcp 0
    17:10:48.960737 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 0
    17:10:48.960790 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 72
    17:10:48.961003 IP 192.168.0.99.99 > 192.168.0.3.20616: tcp 0
    17:10:48.966558 IP 192.168.0.99.99 > 192.168.0.3.20616: tcp 522
    17:10:48.966807 IP 192.168.0.99.99 > 192.168.0.3.20616: tcp 0
    17:10:48.966935 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 0
    17:10:48.970327 IP 192.168.0.3.20616 > 192.168.0.99.99: tcp 0
    17:10:48.970449 IP 192.168.0.3.46976 > 192.168.0.99.99: tcp 0
    17:10:48.971139 IP 192.168.0.99.99 > 192.168.0.3.46976: tcp 0
    17:10:48.971254 IP 192.168.0.3.46976 > 192.168.0.99.99: tcp 0
    17:10:48.971370 IP 192.168.0.3.46976 > 192.168.0.99.99: tcp 177
    17:10:48.971380 IP 192.168.0.3.46976 > 192.168.0.99.99: tcp 242
    17:10:48.971767 IP 192.168.0.99.99 > 192.168.0.3.46976: tcp 0
    17:10:48.971774 IP 192.168.0.99.99 > 192.168.0.3.46976: tcp 0
    17:10:49.086703 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1024
    17:10:49.086780 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
    17:10:49.086869 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
    17:10:49.086923 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
    17:10:49.087251 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 803
    17:10:49.087359 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
    17:10:49.103297 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 177
    17:10:49.103332 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 241
    17:10:49.103554 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
    17:10:49.103641 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 0
    17:10:49.117235 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1024
    17:10:49.117264 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
    17:10:49.117441 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
    17:10:49.117445 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
    17:10:49.117460 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
    17:10:49.117602 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
    17:10:49.117605 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
    17:10:49.117681 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
    17:10:49.117792 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1460
    17:10:49.117812 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
    17:10:49.118723 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 456
    17:10:49.118867 IP 192.168.0.3.10010 > 192.168.0.99.99: tcp 0
    17:10:49.122663 IP 192.168.0.99.99 > 192.168.0.3.10010: tcp 1024


  • Rebel Alliance Global Moderator

    Yeah your going to want too download that into say wireshark.. That is just not enough info to try and figure out what is going on.  But I don't see any multicast.  But if you limited to IP then you wouldn't see that.



  • Repeat with same host but instead of normal selected full detail

    Output:

    17:15:07.399030 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 26372, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.0.3.65355 > 192.168.0.99.99: Flags ~~, cksum 0x85d2 (correct), seq 3148123187, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:15:07.399482 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.0.99.99 > 192.168.0.3.65355: Flags [S.], cksum 0x8615 (correct), seq 769112275, ack 3148123188, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
    17:15:07.399616 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26373, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.3.65355 > 192.168.0.99.99: Flags [.], cksum 0xfee9 (correct), seq 1, ack 1, win 256, length 0
    17:15:07.399732 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 146: (tos 0x0, ttl 127, id 26374, offset 0, flags [DF], proto TCP (6), length 132)
        192.168.0.3.65355 > 192.168.0.99.99: Flags [P.], cksum 0x629a (correct), seq 1:93, ack 1, win 256, length 92
    17:15:07.400436 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 33162, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.99.99 > 192.168.0.3.65355: Flags [.], cksum 0xe309 (correct), seq 1, ack 93, win 7300, length 0
    17:15:07.449709 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 255: (tos 0x0, ttl 64, id 33163, offset 0, flags [DF], proto TCP (6), length 241)
        192.168.0.99.99 > 192.168.0.3.65355: Flags [P.], cksum 0x83ce (correct), seq 1:202, ack 93, win 7300, length 201
    17:15:07.452072 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 1051: (tos 0x0, ttl 64, id 33164, offset 0, flags [DF], proto TCP (6), length 1037)
        192.168.0.99.99 > 192.168.0.3.65355: Flags [FP.], cksum 0xb8f8 (correct), seq 202:1199, ack 93, win 7300, length 997
    17:15:07.452300 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26376, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.3.65355 > 192.168.0.99.99: Flags [.], cksum 0xf9e3 (correct), seq 93, ack 1200, win 251, length 0
    17:15:07.452350 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26377, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.3.65355 > 192.168.0.99.99: Flags [F.], cksum 0xf9e2 (correct), seq 93, ack 1200, win 251, length 0
    17:15:07.452542 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.99.99 > 192.168.0.3.65355: Flags [.], cksum 0xde59 (correct), seq 1200, ack 94, win 7300, length 0
    17:15:07.496404 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 26386, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.0.3.15956 > 192.168.0.99.99: Flags ~~, cksum 0x2e9c (correct), seq 4130761167, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:15:07.496687 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.0.99.99 > 192.168.0.3.15956: Flags [S.], cksum 0x09fe (correct), seq 329906146, ack 4130761168, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
    17:15:07.496819 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26387, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.3.15956 > 192.168.0.99.99: Flags [.], cksum 0x82d2 (correct), seq 1, ack 1, win 256, length 0
    17:15:07.496870 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 126: (tos 0x0, ttl 127, id 26388, offset 0, flags [DF], proto TCP (6), length 112)
        192.168.0.3.15956 > 192.168.0.99.99: Flags [P.], cksum 0xbc2d (correct), seq 1:73, ack 1, win 256, length 72
    17:15:07.498456 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 52875, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.99.99 > 192.168.0.3.15956: Flags [.], cksum 0x6706 (correct), seq 1, ack 73, win 7300, length 0
    17:15:07.512679 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 576: (tos 0x0, ttl 64, id 52876, offset 0, flags [DF], proto TCP (6), length 562)
        192.168.0.99.99 > 192.168.0.3.15956: Flags [P.], cksum 0xf776 (correct), seq 1:523, ack 73, win 7300, length 522
    17:15:07.513030 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 52877, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.99.99 > 192.168.0.3.15956: Flags [F.], cksum 0x64fb (correct), seq 523, ack 73, win 7300, length 0
    17:15:07.513150 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26390, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.3.15956 > 192.168.0.99.99: Flags [.], cksum 0x8081 (correct), seq 73, ack 524, win 254, length 0
    17:15:07.516451 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26391, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.3.15956 > 192.168.0.99.99: Flags [R.], cksum 0x817b (correct), seq 73, ack 524, win 0, length 0
    17:15:07.516539 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 127, id 26392, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.0.3.1278 > 192.168.0.99.99: Flags ~~, cksum 0x8c3b (correct), seq 1103755763, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    17:15:07.518703 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)
        192.168.0.99.99 > 192.168.0.3.1278: Flags [S.], cksum 0xd1a7 (correct), seq 138385730, ack 1103755764, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
    17:15:07.518848 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 26393, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.3.1278 > 192.168.0.99.99: Flags [.], cksum 0x4a7c (correct), seq 1, ack 1, win 256, length 0
    17:15:07.518959 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 231: (tos 0x0, ttl 127, id 26394, offset 0, flags [DF], proto TCP (6), length 217)
        192.168.0.3.1278 > 192.168.0.99.99: Flags [P.], cksum 0x0b3d (correct), seq 1:178, ack 1, win 256, length 177
    17:15:07.518969 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 296: (tos 0x0, ttl 127, id 26395, offset 0, flags [DF], proto TCP (6), length 282)
        192.168.0.3.1278 > 192.168.0.99.99: Flags [P.], cksum 0x140b (correct), seq 178:420, ack 1, win 256, length 242
    17:15:07.519914 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 41001, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.99.99 > 192.168.0.3.1278: Flags [.], cksum 0x2e47 (correct), seq 1, ack 178, win 7300, length 0
    17:15:07.520037 00:17:4f:0c:3e:5c > 00:0c:29:87:39:2f, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 41002, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.99.99 > 192.168.0.3.1278: Flags [.], cksum 0x2d55 (correct), seq 1, ack 420, win 7300, length 0
    17:16:13.271446 00:0c:29:87:39:2f > 00:17:4f:0c:3e:5c, ethertype IPv4 (0x0800), length 54: (tos 0x0, ttl 127, id 29332, offset 0, flags [DF], proto TCP (6), length 40)
        192.168.0.3.1278 > 192.168.0.99.99: Flags [R.], cksum 0x49d5 (correct), seq 420, ack 1, win 0, length 0

    Something in the output make it stricke with a line.~~~~~~



  • Change .cap to .txt to be able to download.

    packetcapture.txt



  • @johnpoz:

    Yeah your going to want too download that into say wireshark.. That is just not enough info to try and figure out what is going on.  But I don't see any multicast.  But if you limited to IP then you wouldn't see that.

    I dont have wireshark and has never use it before.  I guess I can download if it is free, but use it is other story.



  • https://www.wireshark.org/

    Yes it is free (v2.2.1 was just released), and there are a lot of tutorials online as to how to use it.  Everyone who is responsible for maintaining a routing firewall should be familiar with packet capture and analysis.  There are several books on Wireshark and you can even get training:

    http://www.wiresharktraining.com/



  • Found some threads about RSTP but I think this are pertinent for devices in the internal network serving streaming to the external network or Internet:

    https://www.mail-archive.com/support@pfsense.com/msg17749.html
    https://www.mail-archive.com/support@pfsense.com/msg17758.html

    https://doc.pfsense.org/index.php/Static_Port
    http://www.selectedintelligence.com/post/46429611973/pfsense-rtsp-and-rtp

    But my case is inverted the source and destination, as the RSTP device is in the external network and the clients are in the internal network.

    If this is pertinent to my problem could you explain to me in basic terms.



  • But I don't see any multicast.  But if you limited to IP then you wouldn't see that.

    Why wouldn't you see it?  It's still IP.

    FWIW, I can see multicast on my network.



  • I tried a capture again but selecting UDP only with the device IP.

    Tried against LAN and WAN interface but did not capture anything UDP related.  So either the firewall is blocking all UDP  to/from the device or there was in fact none.



  • ^^^^
    One thing I did recently was buy a cheap 5 port managed switch, which I configured for port mirroring.  This allows me to insert the switch between 2 devices and use Wireshark to monitor the traffic.  With that, you could insert the switch between the DVR & pfSense box to see what's there, with far more info than the pfSense packet capture provides.  You can also watch in real time.


  • Rebel Alliance Global Moderator

    "with far more info than the pfSense packet capture provides. "

    How is that exactly..  Why would the packet capture in pfsense not see what that the switch would, when pfsense is 1/2 of that conversation anyway??

    Clearly your getting a 401 error saying your NOT Authorized…

    As to seeing if limiting to IP, I meant if he was limiting his sniff to a specific IP he would not see multicast traffic since it would be to the multicast address not his specific IP like 192.168.0.3 etc..

    In the first part of the sniff your client ask for a manifest of something - and you get that just fine.

    But then after that you just get 401.. Why have no idea, not sure what exactly your trying to do, other than dvr is giving you 401, and then your client gets something from the dvr.  So there are 3 different conversations here all started by your client 192.168.0.3. First one he gets a manifest of something and that conversation is closed with your normal fin,ack , then he starts another conversation gets told 401, and he closes the conversation with RST, then he gets some other info profile.xml and then again he closes the conversation with RST

    So that is a bad conversation, or is that a good conversation that works?  Where is a good conversation where you start viewing video, since maybe that is sent in a different protocol??  Either way I wouldn't think you would want to see 401 errors..  Do you have to log in or something??  Do devices have to be authed before hand??










  • "with far more info than the pfSense packet capture provides. "

    How is that exactly..  Why would the packet capture in pfsense not see what that the switch would, when pfsense is 1/2 of that conversation anyway??

    Perhaps I should clarify.  In an earlier post, packet capture as used in pfSense was listed.  This does not show as much detail as you'd see in Wireshark.  In order to see that level of detail, you have to download the cap file and then use something like Wireshark to view it.

    I use Wireshark frequently and find that between the capture and display filters, it's a lot easier to isolate what you're looking for.  You can also watch in real time and click on any frame to examine it's contents while the capture continues.

    Back when I was using Linux for my firewall, I had Wireshark available on it.  Since moving to pfSense, I bought a managed switch, which I can insert to monitor traffic.


  • Rebel Alliance Global Moderator

    "You can also watch in real time and click on any frame to examine it's contents while the capture continues."

    This is very true!!  If your sniffing with wireshark off a say a spanned port then sure you can watch traffic live.  This should also be possible right off pfsense just use say tcpdump sending to your wireshark running on your pc..  you could do this with a windows machine via plink.exe or via ssh if you have it installed to ssh to the pfsense box, start the tcpdump, etc.

    I thought we had gone over that before, but if not can for sure post up an example of how to do it.

    That might be a good thing to add to the wiki, if not already there?



  • ^^^^
    One issue with sending tcpdump or even Wireshark over the wire is you could be affecting the traffic you're trying to monitor.  That may or may not be an problem, depending on what you're looking for.  When I had a Linux firewall, I could switch my KVM to the firewall computer, start up the desktop and then Wireshark.  That computer did not normally have a desktop running, an option you don't get with Windows.  However, I now have a managed switch that's small enough to keep in my notebook computer bag, so it's handy when I need it.  In fact, I store it in ThinkPad floppy drive case.  ;)


  • Rebel Alliance Global Moderator

    "you could be affecting the traffic you're trying to monitor."

    How so?  Just don't capture the traffic your using to make the remote connection if capturing the interface your hitting pfsense on, etc.

    While I agree with you that having a small switch with the ability to span ports is a great addition to your tool bag.  And with gig smart switches beings so cheap now a days its a great thing to have and affordable for even the home enthusiast helping out their buddies, etc.

    In this scenario.. Doing a packet capture on pfsense or if want real time via remote, etc.  I don't see what that buys us exactly.  How does it answer his 401 error problem?



  • @johnpoz:

    "with far more info than the pfSense packet capture provides. "

    How is that exactly..  Why would the packet capture in pfsense not see what that the switch would, when pfsense is 1/2 of that conversation anyway??

    Clearly your getting a 401 error saying your NOT Authorized…

    As to seeing if limiting to IP, I meant if he was limiting his sniff to a specific IP he would not see multicast traffic since it would be to the multicast address not his specific IP like 192.168.0.3 etc..

    In the first part of the sniff your client ask for a manifest of something - and you get that just fine.

    But then after that you just get 401.. Why have no idea, not sure what exactly your trying to do, other than dvr is giving you 401, and then your client gets something from the dvr.  So there are 3 different conversations here all started by your client 192.168.0.3. First one he gets a manifest of something and that conversation is closed with your normal fin,ack , then he starts another conversation gets told 401, and he closes the conversation with RST, then he gets some other info profile.xml and then again he closes the conversation with RST

    So that is a bad conversation, or is that a good conversation that works?  Where is a good conversation where you start viewing video, since maybe that is sent in a different protocol??  Either way I wouldn't think you would want to see 401 errors..  Do you have to log in or something??  Do devices have to be authed before hand??

    Thank you for your interest.

    I will have to ask the DVR provider if its need to pre authorized the client, but I suspect that it does not.

    I know that have to enter a user/pass combination to connect to the DVR.  But that is entered in the client program and I know that its get accepted because if I enter a wrong one the application returns a credentials error.  In the case of the packet capture I posted I used the correct user/pass.  Also when I connect to the DVR using Internet Explorer I also have to enter the credentials and get accepted.

    In IE there is an option to see the stream per channel in jpeg mode.  When I select that option I can see each channel in a set of jpegs stream really nice.

    The application is to show all channels at the same time probably in full streaming instead of jpegs.  Once the credentials are accepted the application starts a loading phase which fails.



  • How so?  Just don't capture the traffic your using to make the remote connection if capturing the interface your hitting pfsense on, etc.

    If you're running into congestion/timing issues etc.  Not common, but possible.  As for your traffic, that's one more thing to filter.  On my systems, I actually have a button on the display filter bar for a display filter, to not show traffic containing the MAC of the computer I'm running Wireshark on.

    How does it answer his 401 error problem?

    Problem?  What problem???  ;)

    Actually, this thread shows how traffic monitoring can be used to help identify a problem.  However, that not authorized error indicates the problem is likely not in pfSense.



  • @JKnott:

    How so?  Just don't capture the traffic your using to make the remote connection if capturing the interface your hitting pfsense on, etc.

    If you're running into congestion/timing issues etc.  Not common, but possible.  As for your traffic, that's one more thing to filter.  On my systems, I actually have a button on the display filter bar for a display filter, to not show traffic containing the MAC of the computer I'm running Wireshark on.

    How does it answer his 401 error problem?

    Problem?  What problem???  ;)

    Actually, this thread shows how traffic monitoring can be used to help identify a problem.  However, that not authorized error indicates the problem is likely not in pfSense.

    There is a problem related to the pfsense.

    The network and the computers were able to connect to the DVR via the iWatch application before pfsense was implemented.

    The previous Router/Firewall was a Netgear Wirelless device with 4/8 ports.  I took out the Netgear and replace it by the pfsense.  Now computers can not connect to the DVR via iWatch.  Clearly there is something that pfsense does that Netgear dont or viceversa.


  • Rebel Alliance Global Moderator

    Dude how exactly is pfsense even involved in conversation between 192.168.0.3 and 192.168.0.99

    I would assume these IPs on on the same network 192.168.0/24

    Your computers can not connect from WHERE??  They are on the wan side of pfsense..  Is pfsense NATTING?  The sniff you gave was 2 devices on the same network it would seem to me.

    If your iwatch is running on device A on network ??  Sniff on that interface of pfsense.  If dvr is on network B, also sniff on that interface of pfsense..  Your sniff shows 2 devices which unless you have some odd mask set are on the same network.  Are your bridging in pfsense?  Pfsense should not have even seen that traffic.

    Please draw up your network and what networks are where and where are the devices and are you natting between these networks and or doing any port forwarding, etc.

    Is 192.168.0.99 pfsense WAN ip?? And your port forwarding into your dvr behind pfsense on some other network?  If so do the sniff on the LAN interface of pfsense.  If your dvr is trying to send something to the client on your wan via multicast then no your client would never see that traffic nor would pfsense show it on a sniff on the wan interface.



  • This has become a long thread.  I am going to refresh the network structure.

    Cable Modem  ->  Switch1
                              |      |      |
                              |      |      |
                            D1  D2  F1
                                            |
                                            |
                                      Switch2 -> LAN

    D1 = DVR - 192.168.0.99 - Static IP
    D2 = President Computer
    F1 = Router/Firewall - 192.168.0.3 DHCP Assign by Cable Modem

    F1 now is the pfsense, before was a Netgear Wireless Router

    LAN - 192.168.1.0/24

    Computers in LAN want to connect to DVR.  With Netgear was successful, with pfsense is not



  • Recalling the problem. 
    LAN computers connect to the DVR via IE successfully and can see one channel at a time in jpeg mode.
    LAN computers fail to connect to IE to see the full stream with all channels at the same time.
    LAN computers fail to connect to the DVR via iWatch which provide all the channels streams at same time.



  • In the captures where you get the unauthorized errors, I see http.  Is that what the DVR uses?  Should it be https?  The fact that you're getting that error indicates you're reaching the DVR.  This is where Wireshark can come in handy, running on the computer you're trying to reach the DVR with.  See what's going out and coming back with the Netgear.  Then compare with pfSense.  Without that, we're just guessing.



  • @JKnott:

    In the captures where you get the unauthorized errors, I see http.  Is that what the DVR uses?  Should it be https?  The fact that you're getting that error indicates you're reaching the DVR.  This is where Wireshark can come in handy, running on the computer you're trying to reach the DVR with.  See what's going out and coming back with the Netgear.  Then compare with pfSense.  Without that, we're just guessing.

    I can not test with the Netgear anymore it was converted to a AP mode Wireless router.  Maybe what I could do is installing Wireshark in  the President computer and capture from that one to the DVR.  That is going to take some time.



  • Any chance you could get that Netgear back, at least temporarily?  It would help to have a comparison.  Also, according to your diagram, the president's computer doesn't connect through the pfSense computer.  If the problem is on the LAN, then you have to test from there.


  • Rebel Alliance Global Moderator

    So are you natting between your 192.168.0/24 network and your lan network 192.168.1/24 – I Have to assume so since your sniff which had to have been done on pfsense wan only showed the 192.168.0.3 address of pfsense..

    So what does a good sniff look like from D2 with wireshark when talking to the dvr doing what they want.
    And what does a sniff look like on both the wan and lan of pfsense when it doesn't work.

    All I can tell you is there were RST sent and a 401 error.  There was no video in that conversation at all.. So have no idea how video actually gets passed.  Is quite possible the client says hey send me data to 192.168.1.x which your dvr would send to your cable router since that would be its gateway.

    How did you have your previous router setup.. My guess it you were just using it as AP and dvr and client were on the same layer 2 network via either wifi or plugged into the switch ports on your wifi router.  Or you were all behind the netgear and not split like this.

    Why do you not do this??

    cablemodem -- pfsense -- switches... All your other devices!! dvr and clients and even any AP.

    So they are all on the same layer 2 network.

    How your setup now your devices are not on the same layer 2, so multicast is not going to work.  Broadcasting for names or such not going to work.  Your natting between devices, and if not natting you would have a asymmetrical routing problem between devices on wan of pfsense and lan of pfsense.

    What exactly is this split setup getting you?



  • @JKnott:

    Any chance you could get that Netgear back, at least temporarily?  It would help to have a comparison.

    Unlikely.  This is a live system.  Taking the pfsense out to put the Netgear will require for my team to be at the client site a Sunday when they are not working.



  • Following on what johnpoz says, did this work on the LAN through the Netgear?  While multicasts can pass through a router, it may be necessary for configuration to allow for it.  Broadcasts are generally not passed through a router at all.  This means that things that work on a flat network might not when passing through a router.

    While many of us here are quite familiar with IP and firewalls, we're not likely to be familiar with that DVR, so we need accurate info.