How to Access IoT device VLAN
I'm hoping someone can confirm that my understanding of 1:1 NAT is correct and that I am applying it correctly. Here is what I am trying to accomplish:
I have an IP camera (10.10.30.10:6890) on my IoT VLAN (10.10.30.0/24) that only allows administration by a device on the same network.
I need to be able to administer this device from a PC on 10.10.50.0/24. (CORE)
If I create a 1:1 NAT as illustrated, will this allow me to connect to 10.10.50.250:6890 and have it map to the camera at 10.10.30.10:6890 and appear as if the remote pc is at 10.10.30.250?
Will this work? Is there a better way to accomplish this?
Devices in the IoT VLAN (10.10.30.0/24) should not be able to initiate connections to the CORE VLAN (10.10.50.0/24), only respond to connections from the CORE VLAN, otherwise it defeats the purpose of the isolation IoT VLAN.
Where should I apply these firewall rules? Do they need to be floating rules?
You only need an outbound NAT rule for that. Firewall > NAT > Outbound
If your outbound NAT is in automatic mode switch to hybrid first. Then add a rule:
Destination: 10.10.30.10 (the cam)
Translation address: Interface address.
Rules to allow access have to to be add to the interface where the connections come into pfSense, here it is the core.