Camera VLAN - Firewall rules

  • Hi everyone. I think this might be my first post here ever. Been using pfSense for a few years now but currently am banging my head against the wall trying to figure out why my camera VLAN (99), with the same exact rule implemented, is not working the same as my IOT VLAN (69).

    My network is as follows:
    Pfsense for:

    • WAN

    • LAN TRUNK (LAGG) -> Unifi 24 port managed switch (also carrying wireless VLAN20, IOT VLAN 69 and Camera VLAN99)

    • NASLAGG -> FreeNAS (on its own .30 subnet via a separate dual NIC)

    • 2 spare ports with a .1 and .2 assignment respectively.

    • I am running 2 unifi APs carrying the .20 and .69 networks.

    • The .99 is carried via wired ports from the unifi switch to the 3 cameras and 1 NVR.

    I have previously implemented an IOT VLAN (69) which works exactly as it should. I have my LAN (.10), secure wifi (VLAN20) and FreeNAS (.30) all in an alias. See image: [IOT Firewall.png]

    To get started on VLAN99 I copied the firewall rule from VLAN69 and edited it for the correct interface; however, I cannot replicate the behavior I see on VLAN69 with VLAN99.
    [image: SecCams Firewall.png]

    I can ping anything on the .69 network from the .10 network and I cannot ping .10, .20 or .30 from the .69 network (expected). With the same firewall rule implemented on .99 I can ping individual cameras on the .99 subnet from .10 but oddly cannot ping the NVR at its own .99 address. The .99 NVR cannot ping .10, .20, .30 but has no problem getting to the internet.

    [image: dot10 pings.png]

    [image: dot99 ping.png]

    The only thing different between the .69 network and the .99 network is that the cameras that I can ping from .10 have static addresses. Could that be causing this confusion?

    Does anyone have any thoughts? This is driving me crazy. Almost an entire afternoon trying to troubleshoot.

    **Please note:** this is not intended to be the final implementation of my firewall rules for the .99 VLAN. The cameras will eventually be blocked from the internet and the NVR will only have access to the internet and a FreeNAS share for storage on .30.

    Thanks to anyone who can provide some guidance!

    **Edit:** I need to add that my NVR is actually a VM on FreeNAS running BlueIris. So of the 4 network ports on the FreeNAS MB I have 2 in a LAGG directly to the pfSense box on the .30 segment and I have 1 connected to the Ubiquiti switch where it only sees the VLAN99 segment (what the VM uses for its connection). I do not have the interface assigned via FreeNAS in its own network configuration. It's only set to be used by the VM itself. Could that be making things wonky? As the rules show right now, the VM cannot see the SMB share that it uses as its storage location.
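The policy described in the post (camera VLAN blocked from an alias of the internal networks, allowed out to the internet, and eventually a narrow exception so the NVR VM can reach its FreeNAS share on .30) can be reasoned about with a small first-match, stateful rule model. The following is an added example, not the poster's rules or any pfSense code: the 192.168.x.0/24 prefixes, the interface names and the NVR and FreeNAS host addresses are assumptions chosen to mirror the thread's naming.

```python
"""Toy first-match, stateful packet filter modelling a pfSense-style
inter-VLAN isolation policy. Constructed example; not pfSense code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed addressing mirroring the thread: .10 LAN, .20 secure wifi,
# .30 FreeNAS, .99 cameras. Prefixes are assumptions.
LAN_NET = ip_network("192.168.10.0/24")
WIFI_NET = ip_network("192.168.20.0/24")
NAS_NET = ip_network("192.168.30.0/24")
CAM_NET = ip_network("192.168.99.0/24")
ANY = (ip_network("0.0.0.0/0"),)

# Equivalent of the poster's alias: networks the camera VLAN must not reach.
PRIVATE_NETS = (LAN_NET, WIFI_NET, NAS_NET)

NVR_VM = ip_address("192.168.99.10")   # hypothetical BlueIris VM address
FREENAS = ip_address("192.168.30.5")   # hypothetical FreeNAS SMB address


def host(addr) -> Tuple:
    """Wrap a single address as a /32 so it can be used as a match set."""
    return (ip_network(f"{addr}/32"),)


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the packet arrives on
    src: Tuple                   # networks the source may belong to
    dst: Tuple                   # networks/hosts the destination may belong to
    dport: Optional[int] = None  # None means any destination port


# Rules are evaluated top-down per interface; first match wins, like pfSense.
RULES = [
    # LAN interface: the default "LAN net to any" style rule.
    Rule("pass", "LAN", (LAN_NET,), ANY),
    # Camera VLAN interface: narrow NVR -> SMB exception first,
    # then the alias block, then allow everything else (internet).
    Rule("pass", "CAMERAS", host(NVR_VM), host(FREENAS), dport=445),
    Rule("block", "CAMERAS", (CAM_NET,), PRIVATE_NETS),
    Rule("pass", "CAMERAS", (CAM_NET,), ANY),
]


def _in(addr, nets) -> bool:
    return any(addr in n for n in nets)


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()  # (src, dst, dport) flows created by pass rules

    def filter(self, iface, src, dst, dport=None, reply=False) -> str:
        """Return "pass" or "block" for a packet entering on `iface`.
        `reply=True` marks a packet travelling back along an existing flow."""
        src, dst = ip_address(src), ip_address(dst)
        # Stateful shortcut: return traffic of an established flow is passed
        # without consulting the rules, which is why LAN can ping a camera
        # even though the camera VLAN cannot initiate anything to LAN.
        if reply and (dst, src, dport) in self.states:
            return "pass"
        for r in self.rules:
            if r.iface != iface:
                continue
            if not _in(src, r.src) or not _in(dst, r.dst):
                continue
            if r.dport is not None and r.dport != dport:
                continue
            if r.action == "pass":
                self.states.add((src, dst, dport))
            return r.action
        return "block"  # implicit default deny when no rule matches


if __name__ == "__main__":
    fw = Firewall(RULES)
    print("LAN -> camera ping:", fw.filter("LAN", "192.168.10.50", "192.168.99.21"))
    print("camera -> LAN reply:", fw.filter("CAMERAS", "192.168.99.21", "192.168.10.50", reply=True))
    print("camera -> LAN unsolicited:", fw.filter("CAMERAS", "192.168.99.21", "192.168.10.50"))
    print("camera -> internet:", fw.filter("CAMERAS", "192.168.99.21", "93.184.216.34"))
    print("NVR -> FreeNAS SMB:", fw.filter("CAMERAS", str(NVR_VM), str(FREENAS), dport=445))
    print("NVR -> FreeNAS SSH:", fw.filter("CAMERAS", str(NVR_VM), str(FREENAS), dport=22))
```

Two points the model makes visible: the asymmetry the post observes (LAN can ping cameras, cameras cannot ping LAN) is the expected result of stateful filtering, and the NVR's storage exception only works if it sits above the alias block, because evaluation stops at the first matching rule on the interface.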

  • OK, never mind. I sorted through this. Took getting another computer up and onto the camera network to make sure things were working the way I wanted, and took a bit to wrap my head around the rules for the camera interface as this was a bit more involved than my IOT implementation.
