Reefcam
-
Hi there,
I'm new here and this is my first post. I tried searching the term reef but only got one result which I don't think has any relevance to my question, let me know if this is incorrect.
I have PFSENSE setup and am having some issues with a reef cam. It's basically a webcam for aquariums. Basically I have it on my network, connected to WIFI and can connect to it on LAN BUT I cannot connect to it via its UID (IE outside of the LAN, on 4G etc). I guess my question is, how do I go about troubleshooting this?
Some basic info below about cam:
Manufacturer WAVEREEF
Camera model SBT-IPC-01
Camera version IPC-01
Some info about PFSENSE:
2.5.2-RELEASE (amd64)
built on Fri Jul 02 15:33:00 EDT 2021
FreeBSD 12.2-STABLE
What I've tried so far:
I gave the unit a static IP and put in a firewall rule that allows it to ANY destination (appreciate this may be insecure but I was just trying to get it to work).
Cam Unit has the latest firmware
Packet capture for source IP of cam:
21:57:34.498299 IP 10.10.11.5.44902 > 10.10.11.1.53: UDP, length 39
21:57:34.498370 IP 10.10.11.1.53 > 10.10.11.5.44902: UDP, length 125
21:57:34.529338 IP 10.10.11.5 > 3.226.20.50: ICMP echo request, id 9227, seq 0, length 64
21:57:35.604923 IP 10.10.11.5.35088 > 10.10.11.1.53: UDP, length 37
21:57:35.605013 IP 10.10.11.1.53 > 10.10.11.5.35088: UDP, length 53
21:57:35.608860 IP 10.10.11.5 > 50.19.254.134: ICMP echo request, id 9739, seq 0, length 64
21:57:36.208270 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:36.266199 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 0
21:57:36.269005 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:36.269382 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 523
21:57:36.272236 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 0
21:57:36.414396 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 303
21:57:36.416437 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 1460
21:57:36.416560 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 1460
21:57:36.417797 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:36.420499 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 386
21:57:36.422709 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:36.441665 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 5
21:57:36.489266 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:36.642398 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 5
21:57:36.643493 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:36.967537 IP 10.10.11.5.13854 > 115.28.190.70.10001: UDP, length 60
21:57:37.364897 IP 115.28.190.70 > 10.10.11.5: ICMP 115.28.190.70 udp port 10001 unreachable, length 96
21:57:38.447389 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 525
21:57:38.449173 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 0
21:57:38.582582 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 303
21:57:38.584211 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 1460
21:57:38.588839 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:38.592866 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 1460
21:57:38.593966 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 727
21:57:38.607520 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:38.609992 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 5
21:57:38.656083 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:39.437726 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 503
21:57:39.439491 IP 10.10.11.5.80 > 10.10.10.72.53756: tcp 0
21:57:49.447454 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:50.459569 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:51.470326 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:52.473808 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:53.482355 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:54.484442 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:55.492931 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:56.498831 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:57.504744 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:58.517090 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 1
21:57:59.532528 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:59.532578 IP 10.10.10.72.53785 > 10.10.11.5.80: tcp 0
21:57:59.790850 IP 10.10.10.72.53786 > 10.10.11.5.80: tcp 0
21:58:00.535703 IP 10.10.10.72.53785 > 10.10.11.5.80: tcp 0
21:58:00.804114 IP 10.10.10.72.53786 > 10.10.11.5.80: tcp 0
21:58:02.537615 IP 10.10.10.72.53785 > 10.10.11.5.80: tcp 0
21:58:02.806043 IP 10.10.10.72.53786 > 10.10.11.5.80: tcp 0
21:58:04.804619 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:05.810764 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:06.548587 IP 10.10.10.72.53785 > 10.10.11.5.80: tcp 0
21:58:07.821332 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:10.348933 IP 10.10.11.1.67 > 10.10.11.5.68: UDP, length 300
21:58:10.355054 IP 10.10.11.1.67 > 10.10.11.5.68: UDP, length 300
21:58:10.979557 IP 10.10.11.5.35120 > 239.255.255.250.1900: UDP, length 372
21:58:11.005125 IP 10.10.11.5.35120 > 239.255.255.250.1900: UDP, length 444
21:58:11.832148 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:11.852362 IP 10.10.11.5.80 > 10.10.10.72.53792: tcp 0
21:58:11.854427 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:11.861763 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 503
21:58:11.905986 IP 10.10.11.5.80 > 10.10.10.72.53792: tcp 0
21:58:13.924175 IP 10.10.11.5.39235 > 10.10.11.1.53: UDP, length 37
21:58:13.924227 IP 10.10.11.1.53 > 10.10.11.5.39235: UDP, length 53
21:58:13.939026 IP 10.10.11.5 > 50.19.254.134: ICMP echo request, id 14594, seq 0, length 64
21:58:14.450160 IP 10.10.11.5.34485 > 10.10.11.1.53: UDP, length 39
21:58:14.510248 IP 10.10.11.1.53 > 10.10.11.5.34485: UDP, length 125
21:58:14.552887 IP 10.10.10.72.53785 > 10.10.11.5.80: tcp 0
21:58:17.196002 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:17.209216 IP 10.10.10.72.53808 > 10.10.11.5.80: tcp 0
21:58:17.473680 IP 10.10.10.72.53809 > 10.10.11.5.80: tcp 0
21:58:17.502748 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:18.105259 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:18.214390 IP 10.10.10.72.53808 > 10.10.11.5.80: tcp 0
21:58:18.478928 IP 10.10.10.72.53809 > 10.10.11.5.80: tcp 0
21:58:19.312192 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:20.222830 IP 10.10.10.72.53808 > 10.10.11.5.80: tcp 0
21:58:20.489753 IP 10.10.10.72.53809 > 10.10.11.5.80: tcp 0
21:58:20.566872 IP 10.10.10.72.53813 > 10.10.11.5.80: tcp 0
21:58:21.573152 IP 10.10.10.72.53813 > 10.10.11.5.80: tcp 0
21:58:21.712978 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 0
21:58:21.917190 IP 10.10.10.72.53792 > 10.10.11.5.80: tcp 1
I guess I'm just not sure where to go from here really, so any help would be appreciated.
Redhammer999
-
How are you trying to connect to it? Via some app?
What do the camera instructions tell you to do?
If you don't add a port forward you would need to connect via a cloud server of some sort.
Steve
-
@stephenw10 said in Reefcam:
How are you trying to connect to it? Via some app?
What do the camera instructions tell you to do?
If you don't add a port forward you would need to connect via a cloud server of some sort.
Steve
Hi Steve,
Thanks very much for the reply.
It's via the reef-cam app (iphone).
I've followed camera instructions etc. Gotten to the end of that.
Basically it has a UID which connects to a cloud service (I think). As in the videos, you connect to your internet connection (wired/wireless) and the red light should go green (on the reef-cam box, which is connected to camera via USB). Mine stays red when connected.
The basic idea is, you can setup your reef-cam on internet access, it connects to cloud service and then your friends can use the reefcam by just scanning the barcode using their phone (or typing in the UID code) and set it up remotely with just UID, Camera name and password.
I can connect to the camera over local wifi (IE, my phone/camera on same wireless subnet) but over 4G etc it's not reachable. I can login via web browser from my laptop directly to the IP to see more options etc also.
Hope that helps?
Thanks
-
@redhammer999 said in Reefcam:
21:58:10.979557 IP 10.10.11.5.35120 > 239.255.255.250.1900: UDP, length 372
21:58:11.005125 IP 10.10.11.5.35120 > 239.255.255.250.1900: UDP, length 444
The cam is at 10.10.11.5?
That looks like UPnP traffic. UPnP is disabled by default in pfSense because of the security implications. The reefcam might require UPnP to open a port forward in the firewall for external access. You might also be able to add a forward manually.
https://docs.netgate.com/pfsense/en/latest/services/upnp.html
If you need to enable UPnP you should add restrictions so that only the reefcam can open ports.
You have a link to the cam instructions?
Steve
-
@stephenw10 said in Reefcam:
@redhammer999 said in Reefcam:
21:58:10.979557 IP 10.10.11.5.35120 > 239.255.255.250.1900: UDP, length 372
21:58:11.005125 IP 10.10.11.5.35120 > 239.255.255.250.1900: UDP, length 444
The cam is at 10.10.11.5?
That looks like UPnP traffic. UPnP is disabled by default in pfSense because of the security implications. The reefcam might require UPnP to open a port forward in the firewall for external access. You might also be able to add a forward manually.
https://docs.netgate.com/pfsense/en/latest/services/upnp.html
If you need to enable UPnP you should add restrictions so that only the reefcam can open ports.
You have a link to the cam instructions?
Thanks again for the reply.
10.10.11.5 is the camera - correct.
Looking over your link there, I understand fair enough the UPNP. So I can essentially open it up but solely to that IP address is basically an option? What is the port forward etc I may need to setup though, any idea?
Manual can be found here:
https://www.manualslib.com/products/Tmc-Aquarium-Reef-Cam-10923373.html
Thanks
Red
-
Mmm, nothing useful in that manual at all!
Manufacturers of IoT devices like this seem to prefer giving the user little to no info or options for some reason.....
But given they seem to be expecting it to 'just work' it's either streaming all video via some external cloud server or using UPnP. Streaming via cloud server is waaaay more expensive for them so assume UPnP!
First just try enabling UPnP without restrictions as a test. Check the Status > UPnP page to make sure the camera (and only the camera) is opening a port as expected. Once you've tested it's working you can add restrictions.
A device like that I would definitely want to have on a separate firewalled subnet if you can.
Steve
-
@stephenw10 said in Reefcam:
Mmm, nothing useful in that manual at all!
Manufacturers of IoT devices like this seem to prefer giving the user little to no info or options for some reason.....
But given they seem to be expecting it to 'just work' it's either streaming all video via some external cloud server or using UPnP. Streaming via cloud server is waaaay more expensive for them so assume UPnP!
First just try enabling UPnP without restrictions as a test. Check the Status > UPnP page to make sure the camera (and only the camera) is opening a port as expected. Once you've tested it's working you can add restrictions.
A device like that I would definitely want to have on a separate firewalled subnet if you can.
Steve
Hi Steve,
Yeah, IOT devices give as little as possible info...
Ok so I enabled UPNP (including LAN of camera). Everything is open on it, go to status and see nothing still :( I've given it maybe 10 minutes now and rebooted the camera.
I've put it on the guest VLAN which has no access to my cctv subnet, server or my others. Though it does allow access to other devices on that subnet (generic phones, laptops etc).
Any further thoughts perhaps?
-
Hmm, you enabled both UPnP and NAT-PMP?
-
@redhammer999 said in Reefcam:
Some basic info below about cam:
Manufacturer WAVEREEF
Camera model SBT-IPC-01
Camera version IPC-01
Are you sure that's correct? I can find nothing about that device. The manual you linked is for the TMC Reef-cam, is that the same thing?
There do seem to be quite a few reports of people hitting similar problems with that device.
Steve
-
@stephenw10 said in Reefcam:
Hmm, you enabled both UPnP and NAT-PMP?
Yes, both enabled.
IE:
Enable UPnP & NAT-PMP - ticked
Allow UPnP Port Mapping - ticked
Allow NAT-PMP Port Mapping - ticked
Only other settings were to change the internal interface (left external at WAN)
Log packets handled by UPnP & NAT-PMP rules - Ticked
-
Are you behind double NAT? Does pfSense have a public IP on its WAN? That will prevent UPnP working.
Steve
-
@stephenw10 said in Reefcam:
Are you behind double NAT? Does pfSense have a public IP on its WAN? That will prevent UPnP working.
Steve
Hi Steve,
There's a modem (draytek Vigor 130 ADSL) in front of the PFSENSE box. It has a static WAN IP address.
WAN on PFSENSE is a PPPoE interface.
Has:
Block private networks and loopback addresses - Ticked
Block bogon networks - Ticked
Edit:
UPNP is on the device for sure (found it in a submenu). In PFSENSE in UPNP access control lists - do I have to explicitly allow using an ACL (even though at the moment "Default Deny" is not ticked?).
-
@stephenw10 said in Reefcam:
@redhammer999 said in Reefcam:
Some basic info below about cam:
Manufacturer WAVEREEF
Camera model SBT-IPC-01
Camera version IPC-01
Are you sure that's correct? I can find nothing about that device. The manual you linked is for the TMC Reef-cam, is that the same thing?
There do seem to be quite a few reports of people hitting similar problems with that device.
Steve
Hi Steve, This is correct for sure... so that manual is the correct one and the above info is a copy/paste from the device's webpage (10.10.11.5 in my case).
Question also: should I be port forwarding at all?
UDP port 1900 is used for UPNP I believe?
-
@redhammer999 said in Reefcam:
draytek Vigor 130 ADSL
That is a
"VDSL2/ADSL2+ Modem/ Firewall Router"
If you're behind a double nat UPnP isn't going to work..
-
@redhammer999 said in Reefcam:
draytek Vigor 130 ADSL
That is a
"VDSL2/ADSL2+ Modem/ Firewall Router"
If you're behind a double nat UPnP isn't going to work..
Hi @johnpoz
Thanks for clarifying, think I'm just a bit of a lost soul at this point...
So other options I have since I've found this menu:
UPNP - not an option
PPPoE setting, Needs, account, password and IP address
DDNS - Allows you to use a no-ip DDNS account (needs to use either eth0 OR PPPoE, but currently I'm using wireless?) + Account, password and hostname
Would I be able to use any of these or should I be using a direct port forward to achieve it connecting in? I guess the problem for me is, I don't know what port to use?
-
@redhammer999 problem with UPnP behind a double nat..
Your device says hey router I'm behind, forward port xyz to me on your wan.. Problem is that router pfsense wan is rfc1918 (it's behind another nat).
Now port xyz is never seen by pfsense wan.. If you want any hope for that to work you would need to put pfsense wan IP in the upstream router's what is commonly called dmz host.. So that all traffic is forwarded to pfsense wan IP. This way if it sees traffic to port xyz, it says oh send that to device IP 123 via the request it did via UPnP
-
The Draytek V130 is, technically, a router but it's usually supplied and used in modem only mode.
If pfSense has its WAN set as PPPoE it is in modem mode and you will have a public IP directly.
Are you in the UK? Using VDSL?
Steve
-
@stephenw10 said in Reefcam:
The Draytek V130 is, technically, a router but it's usually supplied and used in modem only mode.
If pfSense has its WAN set as PPPoE it is in modem mode and you will have a public IP directly.
Are you in the UK? Using VDSL?
Steve
Hi Steve,
That's all correct. Scotland, UK but it's actually ADSL I think (standard broadband, not fibre 40mb/s down and around 12 up).
-
That's FTTC which is still VDSL. ADSL2+ is only good for 24Mbps. In the UK at least.
But that's good, you will have a public IP on WAN so UPnP should work if it's supposed to.
When googling this I saw a load of misinformation about this on a few fish keeping forums. I'm sure those guys know a lot more than me about marine aquariums but some of the stuff reported about pings not working over BT's network made me cringe!
However looking at your pcap there some of the things reported are also present. You can see the reefcam is pinging a few IPs but it sees no responses.
It does raise the possibility that whatever server it's trying to connect to so others can 'see' it as available is simply not there for some reason. Have you ever been able to connect externally to it at any other location? Behind a different router perhaps?
Steve
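The check described in the post above (which remote hosts the camera probes and gets nothing useful back from) can be pulled out of a tcpdump text capture mechanically. This is an added example, not code from any poster or from pfSense; the function names are made up for illustration, and the sample lines are copied from the capture posted at the top of the thread.

```python
import re
from ipaddress import ip_address

# Lines taken from the capture posted in this thread (camera = 10.10.11.5).
SAMPLE = """\
21:57:34.529338 IP 10.10.11.5 > 3.226.20.50: ICMP echo request, id 9227, seq 0, length 64
21:57:35.608860 IP 10.10.11.5 > 50.19.254.134: ICMP echo request, id 9739, seq 0, length 64
21:57:36.208270 IP 10.10.10.72.53756 > 10.10.11.5.80: tcp 0
21:57:36.967537 IP 10.10.11.5.13854 > 115.28.190.70.10001: UDP, length 60
21:57:37.364897 IP 115.28.190.70 > 10.10.11.5: ICMP 115.28.190.70 udp port 10001 unreachable, length 96
21:58:10.979557 IP 10.10.11.5.35120 > 239.255.255.250.1900: UDP, length 372
21:58:11.005125 IP 10.10.11.5.35120 > 239.255.255.250.1900: UDP, length 444
"""

LINE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")

def split_host(token):
    """tcpdump prints 'a.b.c.d.port' for TCP/UDP and 'a.b.c.d' for ICMP."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None

def summarize(capture, cam):
    """Report what the device at `cam` asked for and did not get."""
    pings = {}       # (destination, icmp id) -> True once an echo reply is seen
    refused = set()  # (remote ip, udp port) that answered "port unreachable"
    ssdp = 0         # UPnP discovery packets sent to the SSDP multicast group
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        (src, _), (dst, dport), info = split_host(m[2]), split_host(m[3]), m[4]
        if src == cam and (echo := re.match(r"ICMP echo request, id (\d+)", info)):
            pings.setdefault((dst, echo[1]), False)
        elif dst == cam and (echo := re.match(r"ICMP echo reply, id (\d+)", info)):
            pings[(src, echo[1])] = True
        elif dst == cam and (un := re.search(r"udp port (\d+) unreachable", info)):
            refused.add((src, int(un[1])))
        elif src == cam and (dst, dport) == ("239.255.255.250", 1900):
            ssdp += 1
    # A destination is listed if at least one echo request to it went unanswered.
    unanswered = sorted({d for (d, _), ok in pings.items() if not ok}, key=ip_address)
    return {"unanswered_pings": unanswered, "refused_udp": sorted(refused),
            "ssdp_packets": ssdp}

if __name__ == "__main__":
    print(summarize(SAMPLE, "10.10.11.5"))
```

An echo request near the end of a capture can show as unanswered only because the capture stopped first, so judge on a capture that runs for a few minutes.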
-
@stephenw10 said in Reefcam:
whatever server it's trying to connect to so others can 'see' it as available is simply not there for some reason.
A few sites when looking for this device showed it discontinued - so yeah it's quite possible the infrastructure that was in place for this to work, might just be gone.
Couldn't you just put a current webcam on the outside of the tank?