Please help to get everything to work to OPT1, DHCP works static does not.
-
Good Day All
Please need help with getting traffic to work from WAN\LAN – OPT1 and please forgive me as I am a complete newbieI have pfsense setup with 3 adapters, WAN, LAN and OPT1;
WAN is connected to a DSL router and is working fine
LAN is running fine and using DHCP
OPT1 is used for a hikvision camera setup.
Both OPT1 and LAN has internet access fine.The thing I’m struggling with is to get everything to work going to OPT1.
If I setup DHCP to run on OPT1 then I can get to all machines on the OPT1 network. I can for example, using pfsense ping a PC and ping the hikvison camera NVR.
However if I set OPT1 to be static I can no longer ping the NVR but I can ping the computer.
I have tried using multiple network subnets on OPT1 and also checked a number of times that the static has right IP and gateway on the NVR
EG
OPT1 on DHCP - PC on DHCP - NVR on DHCP
Result - Can ping the PC and can ping the NVROPT1 on Static - PC on Static - NVR on Static
Result - Can ping the PC, but cannot ping the NVRWAN adapter 10.0.0.2 (DSL router 10.0.0.1)
LAN 192.168.1.1 /24
OPT 192.168.2.1 /24
On the firewall i have completely opened for TCP UDP and ICMP for all three adapter.Please help me understand what im doing wrong
-
Newbie or not, we won't be able to understand neither :
@kdes:However if I set OPT1 to be static I can no longer ping the NVR but I can ping the computer.
Do just say "static", say
NVR :
IP 192.168.2.2
Mask 255.255.255.0
DNS 192.168.2.1
Gateway 192.168.2.1 for devices running on OPT1.Btw : I have a LAN like you :
pfSense LAN:
IP 192.168.1.1
Mask 255.255.255.0
pfSense is running a DHCP server on LANSame thing for my OPT1:
192.168.2.1 /24
DHCP server running on OPT.
Gateway 192.168.2.1 for devices on OPT1.I can ping devices from my PC on LAN (my PC 192.168.1.2 to a device on OPT1 (an AP) : 192.168.2.4 (is static btw):
C:\Documents and Settings\Gertjan.BUREAU>ping 192.168.2.4 Envoi d'une requête 'ping' sur 192.168.2.4 avec 32 octets de données : Réponse de 192.168.2.4 : octets=32 temps=3 ms TTL=63 Réponse de 192.168.2.4 : octets=32 temps<1ms TTL=63 Réponse de 192.168.2.4 : octets=32 temps<1ms TTL=63 Réponse de 192.168.2.4 : octets=32 temps<1ms TTL=63 Statistiques Ping pour 192.168.2.4: Paquets : envoyés = 4, reçus = 4, perdus = 0 (perte 0%), Durée approximative des boucles en millisecondes : Minimum = 0ms, Maximum = 3ms, Moyenne = 0ms C:\Documents and Settings\Gertjan.BUREAU> I have a PC on my LAN, it obtained a IP from pfSense : 192.168.1.2 andOf course, firewall rules on LAN and OPT are important (one rule on each interface will do if well chosen).
-
Newbie or not, we won't be able to understand neither :
Sorry if i did not make sense, ill try re-word or show in another way.
WAN network 10.0.0.0
LAN network 192.168.1.0/24
OPT1 network 192.168.2.0/24OPT1 DHCP Server ON (192.168.2.0/24)
NVR gets IP from DHCP (192.168.2.254)
Test Computer is on static IP (192.168.2.106)
Using PFsense for pinging
OPT source ping 192.168.2.106 -> get reply
OPT source ping 192.168.2.254 -> get reply
LAN source ping 192.168.2.106 -> get reply
LAN source ping 192.168.2.254 -> get replyOPT1 DHCP server is OFF (192.168.2.0/24)
NVR is on static IP (192.168.2.254)
Test Computer is on static IP (192.168.2.106)
Using PFsense for pinging
OPT source ping 192.168.2.106 -> get reply
OPT source ping 192.168.2.254 -> get reply
LAN source ping 192.168.2.106 -> get reply
LAN source ping 192.168.2.254 -> do not get reply
However i can ping the NVR from the Test computer.Why can i not get to the NVR from LAN. When OPT1 is not using DHCP server and the NVR is set to static?
-
When you set "NVR" to static (192.168.2.254), what do you set as Mask, DNS and Gateway ?
-
Pfsense OPT1 adapter is set to 192.168.2.1
The NVR
Address = 192.168.2.254
Mask = 255.255.255.0
Gateway = 192.168.2.1
DNS1 = 192.168.2.1 -
It happened to be that the NVR has an internal network card and a LAN card. (Two network cards, one for its own use for the IP cams and another for LAN connecting)
The internal network card range was the same LAN range as the LAN range on pfsense causing all sorts of problems.If you are using hikvision check the internal network range is not the same as any other range on your pfsense box.
-
@kdes
I had similar problem with my set up:
LAN has dhcp on, laptop on pfsense static ip and lives here - 192.168.1.0 (laptop = 192.168.1.10)
OPT1 has dhcp on, NVR on pfsense static ip and lives here - 192.168.2.0 (NVR = 192.168.2.10)ping from laptop to NVR has no connection, but ping from pfsense to NVR via LAN does... both LAN/OPT1 have allow-all-LAN rule set up (Lan-net to any on LAN, and Opt1-net to any on OPT1)
what is missing in order to achieve laptop to NVR connection?
thank you in advance!
-
When you ping from pfSense and set LAN as the source it does not actually go through the LAN rules since the traffic is already inside the firewall. So it's almost certainly a firewall rule problem on LAN. Perhaps you are policy routing traffic on LAN? If so you would need a more specific rule without a gateway set above that.
Steve
-
@stephenw10
not quite understanding what you said above... could you perhaps give an example of what i might need to do?since i already have this set of rules on in opt1, what else might i need?
on LAN the allow LAN to any rule is also in place... -
And no gateway is set on the LAN rules?
-
Why does the top rule have the "wheel" ??
Usually means you did something "advanced"
Like @stephenw10 mentionedAnd for a later discussion ... Your "Rule 2" would make "Rule 1" redundant.
/Bingo
-
Probably has logging enabled. It doesn't have a gateway set there on OPT.
If there is a gateway set on LAN though it would fit the symptoms exactly. -
On my boxes logging is the "lines icon"
I get the wheel if i fiddle with "flags" or GW (But gw would be visible on the rule)
-
Yup, my mistake. Not enough coffee!
So what advanced setting do you have there @wufwuf? And is it also on LAN?
-
@stephenw10
Thank you for your ideas ...the first of the 2 rules above was attempt to increase access specific to NVR and ip cams,
deleting it has not changed - ping still times out on both the printer and nvr (and even dhcp)! in LAN there is now only anti-lockout rule and the 2nd rule from above now active, so what else is amiss?
this is getting quite frustrating, as spent better part of day to try nail it down without success
-
Let's see your LAN rules.
What was the advanced setting you had there on the OPT rules?
Rules on the OPT interface would only allow traffic out from the NVR (or other devices) on there.
DHCP is allowed by default if it's enabled on the interface.Those devices clearly are connected and have a route since you said you were able to ping them from pfSense using LAN as source?
Do you see anything blocked in the firewall logs?
Steve
-
@stephenw10
the lan fw rules:
opt1 rules:
i know the nvr is connected and working as it can view the ipcams and these are all connected to the pfsense box via a switch... it is just that i can't connect to nvr or cams directly (now all on dhcp from pfsense) from browsers on the laptop...
same thing happens with the printer also on opt1, laptop unable to print to it, but it is on opt1 as fixed ip entry in pfsense - child's pc can print to the printer but not mine, how could this be!
i can confirm double checked the child rules where only its pcs are on alias (but these rules are disabled anyway)
the only lan side firewall logs of interest seem to be this one:
I am sure we are close to the truth... and again, grateful for looking into this...
-
@wufwuf said:
ping from laptop to NVR has no connection, but ping from pfsense to NVR via LAN does...
That rule on LAN will definitely allow that ping to pass. So if you are pinging the NVR IP directly it should work as long as it is able to respond.
How exactly are you pinging in each of those cases?The NVR might be blocking traffic from outside it's own subnet. But that would apply to all LAN clients and you say you have another laptop on LAN that can access it?
The NVR might have a bad default route and be unable to respond but that would also prevent it replying to any LAN client.Steve
-
@stephenw10
Just re-read the full thread ...Does wufwuf have a hikvision ?
Didn't the OP , not the Latest Poster.Mention that that the hikvision had an internal 192.168.1.x network , causing all kinds of grief if you used the same net on the pfSense ??
@wufwuf
What networks are present on your NVR ?/Bingo
-
@wufwuf Something to keep in mind - you have to make sure that your aliases that you have listed on both LAN and OPT1 have IP addresses in the appropriate subnets. I'm not saying this is your problem, but might be part of other problems you maybe haven't found yet.
I have a couple installations like this - a main LAN network with trusted devices, and a GUEST network with other stuff. Often times, users will jump between the networks, or rather their devices (I'm looking at you chrome books and cell phones with private wifi addresses - I hate you!!!) will jump for them, and my alias from one subnet won't match their addresses on the other subnet.
You technically have to set them up 2 (or more) times, if they can jump networks like that. Then your alias lists, and more importantly your firewall rules, will all work properly.
