My Security Cams do not working
-
I have Security Cams behind pfsense and it works from internet after port forward, now from my LAN I can ping it but fail to connect to NVR.
I try direct without pfsense and it connect.
I try to add LAN firewall rule for it but I fail.
My cams NVR: 172.30.7.235
My cams gateway: 172.30.7.245 ( pfsense Lan )
Client pc with NVR software on different subnet: 172.30.5.0/24
Client pc Can ping NVR IP But fail to connect to NVR.Please help
-
@am-steen said in My Security Cams do not working:
Client pc with NVR software on different subnet: 172.30.5.0/24
There is no route to that different subnet. How do you expects to connect! Read: https://docs.netgate.com/pfsense/en/latest/config/factory-defaults.html
Then here: https://docs.netgate.com/pfsense/en/latest/firewall/best-practices.html
-
@nollipfsense
If there is no routes then how I could ping NVR from these vlans.
I can ping but I fail to connect to NVR -
What are your rules you have on this vlan your trying to connect to the NVR from?
Forcing traffic out a gateway for sure cause the exact issue your describing.
-
@johnpoz
Ok I add a new network Card same VLAN as NVR
I create a new firewall pass rule for by passing this VLAN 172.30.5.0 to
NVR 172.30.7.235 Vlan
But I Fail.Can I have help about that rule please ??
-
@am-steen
Does that NVR have 2 ports? If so, you're supposed to connect one to the same subnet as the cameras and the other to the rest of your network.
-
@am-steen said in My Security Cams do not working:
Can I have help about that rule please ??
Dude post a picture of your rules you created..
If you created a rule to allow the traffic then it would be allowed. Unless you are policy routing out some gateway or vpn. Sniff to validate the traffic going - maybe its just your nvr not answering..
-
@jknott
NO I only have one network port on my NVR -
This is new int. VLAN5 with IP from that vlan5
And this is the rule to access NVR on different VLAN7
And this is rule settings
-
@am-steen Is the protocol correct ?
Try any, then if that work try tcp/udp.
You could do a packet capture on the host on the LAN or on the pfSense LAN interface to see what the requirements are if you don't know what protocol & ports.
-
That rule shows no hits 0/0 - you sure your source IP is correct to allow what your wanting to allow?
You say you can ping - well something else is going on then. Because your rule is tcp only - so no ping would be allowed.
edit: If you want some client to talk to to your NVR.. Then the rule would be on the interface the client is connected too. Not on the NVR interface.
Rules are evaluated as traffic enters pfsense from the network its attached to.. First rule to trigger wins no other rules are evaluated.
If you want something to talk to vlanX from Lan - then the rule would be on the lan interface. There would be no rules required on the vlanX interface to allow that to work.
What network is 172.30.7 and what network is 172.30.5? Putting a rule on 172.30.5 to allow something to talk to it from 173.30.7 is not correct. The rule would be on 172.30.7 interface to allow traffic to 172.30.5
-
@johnpoz
Ok this is my last rule update
and this is firewall logs related to this pc
Any suggestions
-
And you have an asymmetrical problem.. Your seeing SA (syn,ack) not syn blocks.
How exactly do you have this wired?
So 5.245 tried to talk to 7.235, sends a syn to port 3761, then 7.235 answers back with syn,ack - but pfsense never saw the syn to open the state.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/log-filter-blocked.html
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11 -
Are both subnets directly connected to your pfSense router, just wanting to double check?
I notice from a prevoius post you have multiple routers:-
https://forum.netgate.com/topic/163325/can-not-forward-rdp-port-behind-a-router/3?_=1620123172825
"Public IP ==> CISCO ==> VLAN 2 ==>172.30.2.100 ==> Pfsense ==> VLAN7 ==> 172.30.7.245 ==> local PC ==> 172.30.7.60"
-
@nogbadthebad
I modify everything since that post
Public IP ==> CISCO ==> VLAN 7 ==>192.168.60.100 ==> Pfsense ==> VLAN7 ==> 172.30.7.245 ==> local PC ==> another VLAN5 == >172.30.5.245 -
@johnpoz
Very sorry as I am Beginner at pfsense so I can not understand asymmetrical problem,
How To solve this, known that I can ping 172.30.7.235 from the pc 172.30.5.245
Another info. I cannot connect to NVR with web interface.
What is the suitable firewall rule to fix this asymmetrical problem ?? -
@am-steen said in My Security Cams do not working:
What is the suitable firewall rule to fix this asymmetrical problem ??
That is not how you fix an asymmetrical problem.
How do you have this wired together.. If these were 2 vlans attached to pfsense - then it would be impossible to have an asymmetrical problem. Unless your vlans are not actually isolated..
You see a SA block, when pfsense never saw the SYN (S) to create the state.
-
@johnpoz
Yes there are 2 VLANS connected to my pfsense and as you say are not actually isolated..
They have interconnecting through my cisco router. -
@am-steen said in My Security Cams do not working:
They have interconnecting through my cisco router.
What? You need to draw how you have things actually connected if you want anyone to be able to help you.
-
Public IP ==> CISCO ==> VLAN 7 ==>192.168.60.100-LAN ==> Pfsense Vmachine ==> LAN-VLAN7 ==> 172.30.7.245 ==> VLAN5-local PC ==> == >172.30.5.245
