Firewall Blocking for some reason



  • Good Afternoon all,

    I have a small issue with pfSense firewall

    I have an ipsec tunnel between 2 sites, one site a there is a CCTV Recorder and in Site B there is an IP Camera. The camera uses RTSP

    CCTV Recorder address (via LAN Port) is 192.168.0.5
    CCTV Camera via IPSEC is 10.10.1.27

    I have set on both LAN and IPSEC Firewall rules to allow all IPv4 Traffic yet the firewall logs present:-
    Block Oct 18 16:13:23 LAN   192.168.0.5:58548   10.10.1.27:554 TCP:RA

I can use my mobile no problems from Site A or Site B to link to the Camera, but the NVR on 192.168.0.5 gets blocked - No idea why

    The Rules for both LAN and IPSEC are

    IPv4 * * * * *

    Can any of you guys help?

    Cheers
    Mark



  • https://doc.pfsense.org/index.php/Why_do_my_logs_show_"blocked"_for_traffic_from_a_legitimate_connection

    Out of state traffic being blocked.  Completely normal.  pfSense sends a RST and closes the connection.  The client end responds with RST ACK, but by that time the connection is already closed, so pfSense thinks the client is trying to open a new connection.  This is what's being blocked.
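The distinction KOM draws here, a block on a TCP segment carrying RST/ACK (no SYN) versus a block on a fresh SYN, is what separates harmless out-of-state noise from a real rule problem. The following is an added example, not code from the thread or from the pfSense project: a small Python triage script that parses log lines in the layout quoted above ("Block Oct 18 16:13:23 LAN 192.168.0.5:58548 10.10.1.27:554 TCP:RA") and sorts each block by its TCP flags. The line format is assumed from that one quoted line, and the flag heuristic (SYN without ACK means a new connection was denied by policy; anything else means no matching state) is the author's own rule of thumb, not a pfSense API. The sample log lines are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Regex for the log layout quoted in the thread (assumed layout, not an
# official pfSense log grammar): action, timestamp, interface, src:port,
# dst:port, protocol and optional TCP flags.
LINE_RE = re.compile(
    r"^(?P<action>Block|Pass)\s+"
    r"(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?$"
)


@dataclass
class Entry:
    action: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str  # TCP flag letters as logged (e.g. "RA"), empty for non-TCP


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        action=m["action"], iface=m["iface"],
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        proto=m["proto"], flags=m["flags"] or "",
    )


def classify(e: Entry) -> str:
    """Label a log entry (heuristic; assumption, not a pfSense rule).

    policy-block      : a bare SYN was denied, so a rule really rejected it
    out-of-state-rst  : RST seen after the state was torn down (benign)
    out-of-state      : ACK/FIN etc. with no matching state (benign)
    non-tcp-block     : UDP/ICMP block, no handshake to reason about
    pass              : allowed traffic
    """
    if e.action != "Block":
        return "pass"
    if e.proto != "TCP":
        return "non-tcp-block"
    flags = set(e.flags)
    if "S" in flags and "A" not in flags:
        return "policy-block"
    if "R" in flags:
        return "out-of-state-rst"
    return "out-of-state"


def triage(lines: List[str]) -> Dict[str, int]:
    """Count entries per class so the noise can be separated from real denies."""
    counts: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        counts[classify(e) if e else "unparsed"] += 1
    return dict(counts)


def flows_needing_rule_review(lines: List[str]) -> Set[Tuple[str, str, int]]:
    """(src, dst, dport) flows where a fresh SYN was blocked: check the rules."""
    flows = set()
    for line in lines:
        e = parse_line(line)
        if e and classify(e) == "policy-block":
            flows.add((e.src, e.dst, e.dport))
    return flows


# Constructed sample lines; the first is the one quoted in the thread.
SAMPLE_LOG = [
    "Block Oct 18 16:13:23 LAN   192.168.0.5:58548   10.10.1.27:554 TCP:RA",
    "Block Oct 18 16:13:25 LAN   192.168.0.5:58549   10.10.1.27:554 TCP:S",
    "Block Oct 18 16:13:30 IPSEC 10.10.1.27:554      192.168.0.5:58548 TCP:FA",
    "Block Oct 18 16:14:01 WAN   203.0.113.9:40000   192.0.2.1:22 TCP:S",
    "Pass  Oct 18 16:14:02 LAN   192.168.0.5:58550   10.10.1.27:80 TCP:S",
    "Block Oct 18 16:14:05 LAN   192.168.0.5:5353    224.0.0.251:5353 UDP",
]

if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{label:18s} {n}")
    for flow in sorted(flows_needing_rule_review(SAMPLE_LOG)):
        print("review rules for", flow)
```

Run against a real export, the interesting question for this thread is whether any block for 192.168.0.5 to 10.10.1.27:554 ever carries a bare SYN; if only RA/FA entries show up, the log noise is the closed-state artefact described in the linked doc and the fault lies elsewhere.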



"but the NVR on 192.168.0.5 gets blocked"
    Completely blocked or only showing some of these random blocks in the log? Random blocks that are otherwise not detected other than they show in the log, would fall under what KOM said.



  • Good Morning,

Thank you for help so far - 192.168.0.5 gets blocked completely when talking to 10.10.1.27 - All other services on this server work fine. When talking to this camera on port 80 it works fine from 192.168.0.5 - only when it is the NVR software talking to the camera everything fails. I can talk to the camera locally (on the 10.10.1.x/24 network) no problems. I am certain it is around the RTSP (554) and associated ports that are causing the problem.

    Your help is much appreciated

    Mark



  • Just to test things and make a simpler environment I am using VLC Player on 192.168.0.5 to read the stream from the camera on 10.10.1.27 - it cannot connect at all

    Pinging etc from 192.168.0.5 to 10.10.1.27 works fine



  • Provide details of the interfaces involved and the firewall rules for each.



BT Infinity to Cisco Router (Bridge Mode) ---- pfSense ---- LAN --- Cisco (That's the 192.168.0.0/24 network). pfSense is on a SoHo Blue dual NIC PC.

    IPSEC to a Fortigate 60D (10.10.1.0/24 Network)

Both the IPSEC and LAN interfaces on the pfSense box have a rule to allow all IPv4 traffic - any protocol - any port. Everything works fine except RTSP. This is being shown in the Firewall Log as being blocked by the default deny rule, but I don't understand why, when both the IPSEC and LAN have allow-all rules for traffic regardless of protocol or port (IPv4).

The 10.10.1.0/24 network and the 192.168.0.0/24 network are connected together using IPSEC.

    Hope this helps.



  • And do I understand that everything else on LAN has successful access to the CCTV except the NVR?