Netgate Discussion Forum

unable to access ips on vlan after changing Gateway/dns

General pfSense Questions
90 Posts 5 Posters 21.6k Views
  • C
    comet424
    last edited by comet424 Jan 19, 2023, 1:56 PM Jan 19, 2023, 1:55 PM

    hi, I recently got 5 cameras.. and I've been playing around with VLANs and such, not 100% and learning about VLANs as I go, and trying to lock things down
    and solve the blank host name issue it has for them

    but I'm locked out of the camera on the LAN, but pfSense can ping it

    so my LAN is 192.168.0.x

    the cameras are on 192.168.10.x

    now the cameras were
    192.168.10.1 gateway and DNS

    but I changed the gateway and DNS to 192.168.0.1 and now I can't access the cameras, but I can ping them from pfSense

    without having to climb up and reset all cameras... is there a way I can access the IPs from the LAN and change it back to 192.168.10.1 for gateway and DNS
    or do I need to climb up and reset them

    always learning

    • J
      Jarhead @comet424
      last edited by Jan 19, 2023, 2:23 PM

      @comet424
      Where did you change gateway and dns, in the cameras themselves?

      If pfSense can ping them, you should be able to access them.
      Can you ping them from a pc?

      Did you add the vlan interface in pfSense?
      Post pics of what you did, trying to figure it out from what you say is not the easy way to go.

      • C
        comet424 @Jarhead
        last edited by Jan 19, 2023, 2:38 PM

        @jarhead

        so I changed them to static in the camera and after I saved it, it wasn't accessible
        it was OK when it was DHCP and pointed to 10.1

        ya, pfSense is set up for the VLAN, it gave the IPs by DHCP originally and I use the MikroTik switch that has VLANs on it.. so I was able to figure that out and set it up so the 1 port on the MikroTik switch goes to my PoE switch that got
        192.168.10.x DNS, gateway and IP

        and the rest of the ports so far are for my home network 192.168.0.x

        I'll try and post pics then

        • C
          comet424 @comet424
          last edited by comet424 Jan 19, 2023, 2:47 PM Jan 19, 2023, 2:43 PM

          @Jarhead
          so the rules are from the LAN section

          and I had the settings set to DHCP and went to static.. the reason was I found VLANs stopped working when pfSense goes down, I found my cameras on DHCP go down if pfSense crashes, so I was working on trying static IPs so that if pfSense goes down the cameras would still work, that's what I'm working on... but maybe VLANs don't continue to work if a static IP is set too? I dunno, new to VLANs. Before, I did separate my IPs, same network 192.168.0.x, but I segregated ranges in x for different things on my network.. but wanted to go to VLANs, seemed easier

          reolink3.PNG
          reolink1.PNG
          reolink2.PNG

          • J
            Jarhead @comet424
            last edited by Jan 19, 2023, 2:54 PM

            @comet424
            The gateway for cameras should be 10.1, you changed them to 0.1, correct?
            You won't be able to access them if so.
            All you have to do is connect a pc to the camera network and you will be able to access them.
            Then change the gateway to the correct 10.1.

            What are the rules on the camera interface?
            You shouldn't need the rule on the LAN if you have the default any/any rule in place.
            Post all rules, not just the one. Order matters too.

            C 1 Reply Last reply Jan 19, 2023, 3:19 PM Reply Quote 0
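
Why pfSense could still ping the cameras while the LAN could not reach them, worked through as an added example that is not part of the original thread. The /24 masks, the host addresses .20, .50 and .99, and the premise that firewall rules permit the traffic are assumptions made for illustration.

```python
import ipaddress

# Addresses pfSense owns, taken from the thread: LAN and camera VLAN gateways.
ROUTERS = {"192.168.0.1", "192.168.10.1"}

def next_hop(iface: str, gateway: str, dst: str) -> str:
    """Decide how a host configured as iface (ip/prefix) + gateway sends to dst."""
    net = ipaddress.ip_interface(iface).network
    if ipaddress.ip_address(dst) in net:
        return "direct"                      # same subnet: resolved with ARP, no gateway
    gw = ipaddress.ip_address(gateway)
    if gw.is_unspecified or gw not in net:
        return "no-route"                    # gateway is not on-link, so it is unusable
    return str(gw)

def one_way(src, dst) -> bool:
    """True if src has a usable path towards dst."""
    dst_ip = str(ipaddress.ip_interface(dst[0]).ip)
    hop = next_hop(src[0], src[1], dst_ip)
    return hop == "direct" or hop in ROUTERS

def can_talk(a, b) -> bool:
    """A connection needs a path in both directions (request and reply)."""
    return one_way(a, b) and one_way(b, a)

# Hosts as (address/prefix, default gateway). Host numbers are constructed.
PFSENSE_VLAN = ("192.168.10.1/24", "0.0.0.0")      # pfSense's own camera-VLAN interface
LAN_PC       = ("192.168.0.20/24", "192.168.0.1")
BENCH_PC     = ("192.168.10.99/24", "192.168.10.1")  # PC plugged into the PoE switch
CAM_BROKEN   = ("192.168.10.50/24", "192.168.0.1")   # gateway changed to the LAN router
CAM_FIXED    = ("192.168.10.50/24", "192.168.10.1")

if __name__ == "__main__":
    for name, a, b in [
        ("pfSense -> camera (wrong gateway)", PFSENSE_VLAN, CAM_BROKEN),
        ("LAN PC  -> camera (wrong gateway)", LAN_PC, CAM_BROKEN),
        ("PoE-side PC -> camera (wrong gateway)", BENCH_PC, CAM_BROKEN),
        ("LAN PC  -> camera (gateway 10.1)", LAN_PC, CAM_FIXED),
    ]:
        print(f"{name}: {'ok' if can_talk(a, b) else 'unreachable'}")
```
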
            • C
              comet424 @Jarhead
              last edited by Jan 19, 2023, 3:19 PM

              @jarhead
              ok so see, I was trying to solve the blank issue so I figured that would fix it

              vlan.PNG

              here are my rules.. sorry they're messy.. I recently got a smart switch and some PoE cameras.. for Xmas, so I've been learning how to do these VLANs

              before I only had the 192.168.0.1-254 range
              and I did
              VPN computers 192.168.0.20-30 range
              non-VPN 192.168.0.31-50
              IoT devices 192.168.0.51-200
              gaming consoles 201-205
              something like that, so I wanted to try to move over to VLANs

              but it seems they go down if pfSense goes down, I do not know if that's true or it just happened to me.. for testing on cameras.. as I want the VLANs to work even if pfSense is turned off.. figured maybe that's what the smart network switch is for and then static IPs

              here is the rest
              don't mind the mess, I don't work with it every day.. so I'm sure stuff I don't need is there, so not advanced

              rules1.PNG
              rules2.PNG
              rules3.PNG

              • V
                viragomann @comet424
                last edited by Jan 19, 2023, 3:42 PM

                @comet424 said in unable to access ips on vlan after changing Gateway/dns:

                but it seems they go down if pfSense goes down, I do not know if that's true or it just happened to me

                If pfSense is the gateway in the VLANs it's expected that inter-VLAN traffic and upstream doesn't work, when it's off.

                as I want the VLANs to work even if pfSense is turned off.. figured maybe that's what the smart network switch is for and then static IPs

                If it's an L3 switch that's possible, but you have to move over all your VLANs to the switch and you're not able to manage them on pfSense or filter any traffic any more.

                • C
                  comet424 @viragomann
                  last edited by Jan 19, 2023, 3:59 PM

                  @viragomann
                  ah ok, so I plugged the computer into the PoE switch and was able to access the cameras.. the gateway was saved as 192.168.0.1 but when I got into the cameras they were saved as 0.0.0.0

                  I'm not sure if the switch is an L3? whatever that means
                  all I know is it's a
                  CSS326-24G-2S+ MikroTik SwOS switch

                  so what's the best way to set up VLANs? I removed the network switch I had in the pfSense box, a 4 port, as I figured it was causing pfSense to go down where there was no network traffic... it was a Realtek card and I read or was told in the past that Realtek cards are not really supported by pfSense, even the computer's onboard is a Realtek... and Intels on Amazon are expensive... I'm trying now a
                  10Gtek dual card..

                  but what do you or people do to keep cameras stable then, as if pfSense goes down I still want my cameras working... is there like a failover or is that something the network switch does? or do you need the 4 port network card so each one is a LAN and not a VLAN?

                  as I thought VLANs were a good thing, but not if pfSense goes down? but I'm new to VLANs so I have no idea, just started learning in the past week or 2

                  • C
                    comet424 @comet424
                    last edited by Jan 19, 2023, 4:02 PM

                    I've watched some YouTube videos like the Lawrence Systems and the craft guy that drinks beers, but maybe they've got better smart switches, or I guess managed switches you call them, that are more reliable than what I have?

                    • C
                      comet424 @comet424
                      last edited by Jan 19, 2023, 4:13 PM

                      and or is it better to scrap VLANs
                      and what would be better is

                      192.168.0.1 - 192.168.100.254 range

                      and then you say 192.168.10.x is cameras and 192.168.20.x is IoT devices and 192.168.0.x is non-VPN and 192.168.5.x is VPN computers

                      but then there is no separate DHCP server except for VLANs or I guess different NICs on the pfSense box...

                      learning as I go... and trying to understand things better

                      • V
                        viragomann @comet424
                        last edited by viragomann Jan 19, 2023, 4:49 PM Jan 19, 2023, 4:20 PM

                        @comet424
                        On an L3 you can create different subnets and it can act as a router like pfSense.
                        Maybe some are also capable of doing basic traffic filtering.

                        pfSense is designed to act as a router and gateway for all connected network segments, either hardware or VLANs.
                        A default gateway should never be shut down. If it's down, the devices cannot communicate with other network segments, meaning other VLANs here or with the internet.
                        It doesn't matter if you use VLANs or have the subnets on the NICs directly.

                        To avoid outages while you restart it, there are techniques like CARP. That means you need a second router, which takes over the connections till the primary is up again.

                        • J
                          Jarhead @comet424
                          last edited by Jan 19, 2023, 4:47 PM

                          @comet424
                          Viragomann meant to say a L3 switch, just a typo.

                          You don't want to scrap vlans, just set them up properly.
                          Honestly, with your setup, I would delete all those rules and start over, you have a mess there.

                          The cameras aren't going down when pfSense goes down, you just can't access them.
                          As long as your recorder is on the same subnet as the cameras they will still be recording.
                          If your switch goes down, then they are all down.

                          So set the gateways in the cams to the 10.1 and with the proper rules you will be able to access them from the LAN again. Take it from there and clean up that mess.

                          • V
                            viragomann @Jarhead
                            last edited by Jan 19, 2023, 4:48 PM

                            @jarhead said in unable to access ips on vlan after changing Gateway/dns:

                            Viragomann meant to say a L3 switch, just a typo.

                            Yes, thx. I corrected it above for clarity.

                            • C
                              comet424 @viragomann
                              last edited by comet424 Jan 19, 2023, 5:39 PM Jan 19, 2023, 5:38 PM

                              @viragomann
                              @Jarhead
                              ah ok, I'll look up this CARP.. I'll look that up.. and is that what they call high availability, I heard of it before.. is that the same?

                              so that's why I was able to access my Home Assistant and IoT devices.. everything is on the LAN so it can communicate.. I just broke my network into segments to isolate things as I didn't have VLAN capabilities.. I did it on the same network... but that's why I can't access other networks, you need pfSense to go from 192.168.0.1 to 192.168.10.1 and vice versa, but the subnets can communicate with each other on the same network.. but not to another..

                              and do you guys know if the 10Gtek network cards are any good? and is there a way to monitor if pfSense crashes, as when I restart pfSense it doesn't say it crashed.. but I don't have a monitor hooked up to the computer so that doesn't help things

                              and I cleaned up my LAN rules a bit, took away some of the grayed out ones as they were tests... and did I do the camera VLAN rules right or are there mistakes there... and is it possible to make it so if someone unhooked the network cable at a camera and plugged into it.. they can't have access to the cameras.. I know odds are it's never going to happen.. I'm just curious if that's possible.. like only the cameras' IDs would be allowed and nothing else.. like a list of their ID numbers... I know it's never going to happen but always learning and figure asking can't hurt too..

                              • J
                                johnpoz LAYER 8 Global Moderator @comet424
                                last edited by johnpoz Jan 20, 2023, 12:35 PM Jan 20, 2023, 12:22 PM

                                @comet424 said in unable to access ips on vlan after changing Gateway/dns:

                                and is it possible to make it so if someone unhooked the network cable at a camera and plugged into it.. they can't have access to the cameras.

                                There are ways to mitigate such action.. You're asking if someone just unplugged a device on a switch, and then say plugged their laptop into the switch would they have access to everything on that switch/vlan via the network right?

                                With the appropriate smart switch or fully managed switch there are a few things that could be done. Port security is a feature that prevents changing the device on a port, the mac of the device is set on the port, or the mac is learned from the first device plugged in - so that if the mac of the device changes, it wouldn't work.. Ie you unplugged a camera and plugged in a laptop.

                                You could also set up private vlans if your devices on this network don't really need to talk to each other, say cameras. Then even if some other device was plugged in - it wouldn't be able to talk to any other devices on this network anyway.

                                You could set up 802.1x where any device on the network has to auth before it's allowed to talk on the network. This would be NAC, and https://www.packetfence.org/ would be a good place to start if that is something you wanted to set up on your network. But the proper switch(es) would be required.

                                Pfsense wouldn't play a big part in such features. You could leverage say freeradius on pfsense for authing for 802.1x. With a dumb switching environment really the only thing you could do to try and mitigate someone just plugging in a device would be with dhcp limits. Ie don't hand out dhcp to unknown mac addresses.. This might prevent someone on accident plugging in a device you haven't ok'd to be on the network. Static arp could be used to prevent someone from just plugging in a device and setting an IP and talking to pfsense, but this wouldn't stop the device from talking to other devices on the network/vlan unless you had set up say private vlans on your switch(es)..

                                None of this stuff prob makes much sense in a home setup, unless you're wanting to learn - as with any security measures they all come with costs. Be it with complexity, appropriate equipment, time in setup, user frustration or extra steps to get on the network, etc. Then there is the learning curve to implement such things.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                1 Reply Last reply Reply Quote 0
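
A monitoring counterpart to the static ARP and known-MAC ideas in the post above, as an added example that is not part of the original thread: it compares ARP entries seen on the camera VLAN with an expected IP-to-MAC list. The interface name `igb1.10`, all MAC addresses, the host numbers and the sample lines (written in the style of FreeBSD `arp -an` output) are constructed.

```python
import re

# Expected bindings for the camera VLAN (constructed values).
EXPECTED = {
    "192.168.10.1":  "02:00:00:00:10:01",   # pfSense VLAN interface
    "192.168.10.50": "02:00:00:00:10:50",   # camera 1
    "192.168.10.51": "02:00:00:00:10:51",   # camera 2
}

# Constructed sample in the style of `arp -an` on FreeBSD/pfSense.
SAMPLE_ARP = """\
? (192.168.10.1) at 02:00:00:00:10:01 on igb1.10 permanent [vlan]
? (192.168.10.50) at 02:00:00:00:10:50 on igb1.10 expires in 1187 seconds [vlan]
? (192.168.10.51) at 02:00:00:AA:BB:CC on igb1.10 expires in 903 seconds [vlan]
? (192.168.10.77) at 02:00:00:de:ad:01 on igb1.10 expires in 1199 seconds [vlan]
? (192.168.10.60) at (incomplete) on igb1.10 expired [vlan]
? (192.168.0.20) at 02:00:00:00:00:20 on igb1 expires in 1100 seconds [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<ifname>\S+)"
)

def audit(arp_output: str, expected: dict, ifname: str) -> list:
    """Return (finding, ip, mac) tuples for entries on ifname that deviate
    from the expected bindings. Unresolved entries are skipped."""
    known_macs = set(expected.values())
    findings = []
    for line in arp_output.splitlines():
        m = ARP_LINE.search(line.lower())       # normalise MAC case
        if not m or m["ifname"] != ifname:
            continue                            # other interface or "(incomplete)"
        ip, mac = m["ip"], m["mac"]
        if ip in expected and expected[ip] != mac:
            findings.append(("mac-changed", ip, mac))     # a different device holds a camera IP
        elif mac not in known_macs:
            findings.append(("unknown-device", ip, mac))  # device that is not on the list
        elif ip not in expected:
            findings.append(("ip-changed", ip, mac))      # known device on an unexpected IP
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP, EXPECTED, "igb1.10"):
        print(finding)
```

This only observes addresses, so it is a detection aid rather than authentication; 802.1x, as the post says, is the control that makes a device authenticate before it may talk.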
                                • C
                                  comet424
                                  last edited by Jan 20, 2023, 12:36 PM

                                  @johnpoz
                                  oh ok ya, I have my cameras outside using those PoEs so I was just pondering if you could protect yourself from anyone just unhooking and plugging into it.. I'm gonna hide the cable .. but was curious if it can be done... I'll read up on it... even if I don't do stuff like that, at least I'm always learning
                                  and I bet even when you're a network administrator it frustrates you guys too.. probably have a team of people so when you get frustrated someone else can give a hand etc

                                  I have a question, I have these Reolink cameras.. I set up the rules but it's not working for the time sync... NTP in the Reolink camera is port 123, it says it's using pool.ntp.org
                                  my 2 rules don't sync.. says failed.. but my grayed out.. allow rule allows time sync, is there something I did wrong, it just won't sync

                                  rules1a.PNG

                                  • J
                                    johnpoz LAYER 8 Global Moderator @comet424
                                    last edited by johnpoz Jan 20, 2023, 12:42 PM Jan 20, 2023, 12:40 PM

                                    @comet424 your ntp rule there on the top. For starters ntp is only ever udp. But those rules show no evaluations, see the 0/0 means nothing has hit that rule. So either your alias does not have the correct IPs of your cameras in them? or they are not using pfsense as their gateway, or they just haven't tried to sync time. If they are trying to use pool.ntp.org - maybe that is not resolving for them. I don't see any rules that allow them to say talk to pfsense for dns. What are the cameras using for dns? I don't see any rules that would allow them to use some external dns either.

                                    your 2nd rule there is pretty pointless setting the source port, since your first rule would allow any source port anyway.

                                    • J
                                      Jarhead @comet424
                                      last edited by Jan 20, 2023, 12:42 PM

                                      @comet424 To add, why not use the NTP server in pfSense and have them sync to it?

                                      • C
                                        comet424 @Jarhead
                                        last edited by Jan 20, 2023, 12:51 PM

                                        @jarhead
                                        I have no idea how to set the pfSense one, I did try

                                        0.pfsense.pool.ntp.org, I found it in the pfSense Services NTP and added it to the Reolink camera
                                        it didn't work
                                        here are some screenshots
                                        cam1b.PNG cam1a.PNG cam1.PNG

                                        so if I ungray the 2nd allow I have.. it will sync when I press the sync button, when I re-gray it ... and try to sync.. she says failed on syncing, does it mean it's using a different port than the 123 it says it's using? as the reject line is increasing

                                        • J
                                          johnpoz LAYER 8 Global Moderator @comet424
                                          last edited by johnpoz Jan 20, 2023, 12:59 PM Jan 20, 2023, 12:56 PM

                                          @comet424 said in unable to access ips on vlan after changing Gateway/dns:

                                          so if I ungray the 2nd allow I have

                                          well that would allow it to resolve pool.ntp.org, you're pointing it to pfsense for dns - that 192.168.10.1 address.. But you have no rules to allow dns other than that allow all rule.

                                          If all you want is for them to be able to sync time.. And not to actually use the internet. Might be better to just point them to pfsense IP for ntp. Then they need no dns nor any internet access at all.

                                          But from your screenshot - they don't allow just putting in an IP for ntp server?


                                          C 1 Reply Last reply Jan 20, 2023, 1:07 PM Reply Quote 0
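
The NTP discussion above, replayed as an added example that is not part of the original thread: a first-match rule evaluator with per-rule hit counters, run against the packets a camera sends when syncing time. The three rule sets are constructed (the thread's screenshots are not on the page), `tcp_only` models an NTP rule that does not cover UDP, and 203.0.113.10 is a stand-in for a pool.ntp.org server.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PFSENSE = "192.168.10.1"   # camera VLAN interface address, from the thread
POOL_IP = "203.0.113.10"   # constructed stand-in for a pool.ntp.org server

@dataclass
class Rule:
    action: str            # "pass" or "reject"
    proto: str             # "udp", "tcp" or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None matches any port
    hits: int = 0          # incremented on match; 0 means the rule was never hit

def evaluate(rules, proto, dst, dport):
    """Top-down, first match wins; a packet matching no rule is blocked."""
    for rule in rules:
        if rule.proto not in ("any", proto):
            continue
        if rule.dst != "any" and \
                ipaddress.ip_address(dst) not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        rule.hits += 1
        return rule.action
    return "block"

def time_sync(rules, ntp_server):
    """Replay what a camera sends to sync against ntp_server (name or IP)."""
    try:
        target = str(ipaddress.ip_address(ntp_server))
    except ValueError:
        # A hostname must be resolved first; the camera asks pfSense over UDP/53.
        if evaluate(rules, "udp", PFSENSE, 53) != "pass":
            return "dns blocked"
        target = POOL_IP
    if evaluate(rules, "udp", target, 123) != "pass":   # NTP is UDP only
        return "ntp blocked"
    return "synced"

def rulesets():
    """Fresh copies of the constructed camera-interface rule sets."""
    reject_all = lambda: Rule("reject", "any", "any", None)
    return {
        # NTP rule that misses UDP, nothing for DNS, then reject everything
        "tcp_only": [Rule("pass", "tcp", "any", 123), reject_all()],
        # pool.ntp.org: DNS to pfSense plus UDP/123 outbound
        "pool": [Rule("pass", "udp", PFSENSE + "/32", 53),
                 Rule("pass", "udp", "any", 123), reject_all()],
        # cameras pointed at pfSense for NTP: no DNS, no internet access
        "local": [Rule("pass", "udp", PFSENSE + "/32", 123), reject_all()],
    }

if __name__ == "__main__":
    for name, server in [("tcp_only", "pool.ntp.org"), ("pool", "pool.ntp.org"),
                         ("local", PFSENSE)]:
        rules = rulesets()[name]
        print(name, server, time_sync(rules, server), [r.hits for r in rules])
```
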
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.