Problem accessing UDP Webcam Port on Opt1



  • Hi @ll

    We've added an OPT1 interface to our pfSense box running 1.3.2 Release with a private subnet
    192.168.0.x with a few webcams attached we'd like to access from the LAN subnet (10.0.0.x)

    At first we've created a rule to allow all traffic from the LAN Interface to the OPT1 Interface and
    it is possible to ping the Webcams and to configure them via http(s).

    The problem is that we cannot see the video stream running on UDP 5003 from the LAN subnet.
    This however works fine if we're accessing the cams from the OPT1 network.

    Any attempt to access the Webcams on Port 5003 fails with a timeout and I cannot see anything
    in the logfiles…

    Does someone have a clue or hint how to resolve this ?

    Regards thafener



  • Please post your config setup.



  • Hi

    Here are two config screenshots…I have done some further
    troubleshooting on this and tried a packet capture too but I
    cannot capture any packets on Port 5003 on both the LAN
    interface and the OPT1 interface  ???

    cheers thafener





  • Rebel Alliance Developer Netgate

    You may need to do a packet capture on both LAN and OPT1 to see what is happening to the traffic.

    I helped someone out yesterday with a similar issue on phones and checking the "disable pf scrub" option on System > Advanced cleared it up.



  • Hi jimp

    I have tried to set the option you mention but unfortunately without success.
    Next to this I have made a packet capture on the LAN Interface, it is showing
    http (80) traffic between my machine (10.0.0.70) and the cam (192.168.0.21):

    14:58:39.799163 IP (tos 0x0, ttl 128, id 14838, offset 0, flags [DF], proto TCP (6), length 48) 10.0.0.70.2458 > 192.168.0.21.80: S, cksum 0xd609 (correct), 751217506:751217506(0) win 65535 <mss 1460,nop,nop,sackOK>
    14:58:39.799218 IP (tos 0x0, ttl 64, id 65350, offset 0, flags [DF], proto TCP (6), length 48) 192.168.0.21.80 > 10.0.0.70.2458: S, cksum 0xcc57 (correct), 997183589:997183589(0) ack 751217507 win 65228 <mss 1460,sackOK,eol>
    14:58:39.799305 IP (tos 0x0, ttl 128, id 14840, offset 0, flags [DF], proto TCP (6), length 40) 10.0.0.70.2458 > 192.168.0.21.80: ., cksum 0xf6e7 (correct), ack 1 win 65535
    14:58:39.799373 IP (tos 0x0, ttl 128, id 14841, offset 0, flags [DF], proto TCP (6), length 263) 10.0.0.70.2458 > 192.168.0.21.80: P, cksum 0x14ee (correct), 1:224(223) ack 1 win 65535
    14:58:39.799399 IP (tos 0x0, ttl 64, id 56070, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.21.80 > 10.0.0.70.2458: ., cksum 0xf642 (correct), ack 224 win 65477
    14:58:39.861608 IP (tos 0x0, ttl 64, id 11368, offset 0, flags [DF], proto TCP (6), length 262) 192.168.0.21.80 > 10.0.0.70.2457: P, cksum 0x0b52 (correct), 223:445(222) ack 1108 win 65535
    14:58:39.862695 IP (tos 0x0, ttl 64, id 55831, offset 0, flags [DF], proto TCP (6), length 262) 192.168.0.21.80 > 10.0.0.70.2456: P, cksum 0x30b4 (correct), 2235:2457(222) ack 1056 win 65535
    14:58:39.862810 IP (tos 0x0, ttl 64, id 44035, offset 0, flags [DF], proto TCP (6), length 262) 192.168.0.21.80 > 10.0.0.70.2455: P, cksum 0x6388 (correct), 3982:4204(222) ack 1370 win 65535
    14:58:40.020292 IP (tos 0x0, ttl 128, id 14843, offset 0, flags [DF], proto TCP (6), length 40) 10.0.0.70.2457 > 192.168.0.21.80: ., cksum 0xb7e5 (correct), ack 445 win 65091
    

    Unfortunately I cannot see any traffic on the required UDP port (5003). I could easily change this port
    to a different one but I guess this is a problem with UDP itself.

    cheers Hafnix


  • Rebel Alliance Developer Netgate

    Try doing that same capture on the OPT interface but only filter it by the camera's IP.



  • Here's the packet capture output from the OPT1 interface, looks nearly the same :

    15:25:23.853752 IP (tos 0x0, ttl 64, id 63982, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.22841 > 192.168.0.21.80: ., cksum 0xcb95 (correct), ack 193 win 65508
    15:25:23.862513 IP (tos 0x0, ttl 64, id 54850, offset 0, flags [none], proto TCP (6), length 1500) 192.168.0.21.80 > 192.168.0.1.22019: P 234:1694(1460) ack 649 win 5840
    15:25:23.862535 IP (tos 0x0, ttl 64, id 6896, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.22019 > 192.168.0.21.80: ., cksum 0x04d5 (correct), ack 1694 win 64240
    15:25:23.862636 IP (tos 0x0, ttl 64, id 54851, offset 0, flags [none], proto TCP (6), length 1422) 192.168.0.21.80 > 192.168.0.1.22019: P, cksum 0x7fef (correct), 1694:3076(1382) ack 649 win 5840
    15:25:23.862655 IP (tos 0x0, ttl 64, id 60061, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.22019 > 192.168.0.21.80: ., cksum 0xff20 (correct), ack 3076 win 64318
    15:25:23.862688 IP (tos 0x0, ttl 64, id 5032, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.22019 > 192.168.0.21.80: F, cksum 0xfa5e (correct), 649:649(0) ack 3076 win 65535
    15:25:23.862821 IP (tos 0x0, ttl 64, id 54852, offset 0, flags [none], proto TCP (6), length 1500) 192.168.0.21.80 > 192.168.0.1.37513: P 234:1694(1460) ack 645 win 5840
    15:25:23.862857 IP (tos 0x0, ttl 64, id 38597, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.37513 > 192.168.0.21.80: ., cksum 0xb3e3 (correct), ack 1694 win 64240
    15:25:23.862887 IP (tos 0x0, ttl 64, id 54853, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.21.80 > 192.168.0.1.22019: ., cksum 0xe38e (correct), ack 650 win 5840
    15:25:23.863306 IP (tos 0x0, ttl 64, id 54854, offset 0, flags [none], proto TCP (6), length 450) 192.168.0.21.80 > 192.168.0.1.37513: P, cksum 0x1a99 (correct), 1694:2104(410) ack 645 win 5840
    15:25:23.863340 IP (tos 0x0, ttl 64, id 24528, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.37513 > 192.168.0.21.80: ., cksum 0xae2f (correct), ack 2104 win 65290
    15:25:23.863375 IP (tos 0x0, ttl 64, id 61382, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.37513 > 192.168.0.21.80: F, cksum 0xad39 (correct), 645:645(0) ack 2104 win 65535
    15:25:23.863644 IP (tos 0x0, ttl 64, id 54855, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.21.80 > 192.168.0.1.37513: ., cksum 0x9669 (correct), ack 646 win 5840
    15:25:23.872245 IP (tos 0x0, ttl 64, id 54856, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.21.80 > 192.168.0.1.22019: F, cksum 0xe38d (correct), 3076:3076(0) ack 650 win 5840
    15:25:23.872315 IP (tos 0x0, ttl 64, id 26080, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.22019 > 192.168.0.21.80: ., cksum 0xfa5e (correct), ack 3077 win 65534
    15:25:23.872375 IP (tos 0x0, ttl 64, id 54857, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.21.80 > 192.168.0.1.37513: F, cksum 0x9668 (correct), 2104:2104(0) ack 646 win 5840
    15:25:23.872432 IP (tos 0x0, ttl 64, id 5850, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.37513 > 192.168.0.21.80: ., cksum 0xad39 (correct), ack 2105 win 65534
    15:25:23.876934 IP (tos 0x0, ttl 64, id 13707, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.1.6038 > 192.168.0.21.80: S, cksum 0x6ae3 (correct), 2384880381:2384880381(0) win 65228 <mss 1460,nop,wscale 4,sackOK,timestamp 703670769 0>
    15:25:23.877103 IP (tos 0x0, ttl 64, id 63223, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.1.57066 > 192.168.0.21.80: S, cksum 0x8148 (correct), 1542567800:1542567800(0) win 65228 <mss 1460,nop,wscale 4,sackOK,timestamp 703670769 0>
    15:25:23.877256 IP (tos 0x0, ttl 64, id 54858, offset 0, flags [none], proto TCP (6), length 44) 192.168.0.21.80 > 192.168.0.1.6038: S, cksum 0x56d4 (correct), 520257790:520257790(0) ack 2384880382 win 5840 <mss 1460>
    15:25:23.877293 IP (tos 0x0, ttl 64, id 15497, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.6038 > 192.168.0.21.80: ., cksum 0x8561 (correct), ack 1 win 65535
    15:25:23.877362 IP (tos 0x0, ttl 64, id 56033, offset 0, flags [DF], proto TCP (6), length 436) 192.168.0.1.6038 > 192.168.0.21.80: P, cksum 0x49c3 (correct), 1:397(396) ack 1 win 65535
    15:25:23.877426 IP (tos 0x0, ttl 64, id 54859, offset 0, flags [none], proto TCP (6), length 44) 192.168.0.21.80 > 192.168.0.1.57066: S, cksum 0x6d39 (correct), 520257790:520257790(0) ack 1542567801 win 5840 <mss 1460>
    15:25:23.877452 IP (tos 0x0, ttl 64, id 36040, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.57066 > 192.168.0.21.80: ., cksum 0x9bc6 (correct), ack 1 win 65535
    15:25:23.877510 IP (tos 0x0, ttl 64, id 62364, offset 0, flags [DF], proto TCP (6), length 439) 192.168.0.1.57066 > 192.168.0.21.80: P, cksum 0xee50 (correct), 1:400(399) ack 1 win 65535
    15:25:23.877601 IP (tos 0x0, ttl 64, id 14305, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.1.20027 > 192.168.0.21.80: S, cksum 0x960d (correct), 2579953037:2579953037(0) win 65228 <mss 1460,nop,wscale 4,sackOK,timestamp 703670769 0>
    15:25:23.877910 IP (tos 0x0, ttl 64, id 54860, offset 0, flags [none], proto TCP (6), length 44) 192.168.0.21.80 > 192.168.0.1.20027: S, cksum 0x81fe (correct), 520257790:520257790(0) ack 2579953038 win 5840 <mss 1460>
    15:25:23.877946 IP (tos 0x0, ttl 64, id 59605, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.20027 > 192.168.0.21.80: ., cksum 0xb08b (correct), ack 1 win 65535
    15:25:23.877983 IP (tos 0x0, ttl 64, id 53700, offset 0, flags [DF], proto TCP (6), length 440) 192.168.0.1.20027 > 192.168.0.21.80: P, cksum 0x93fd (correct), 1:401(400) ack 1 win 65535
    15:25:23.880589 IP (tos 0x0, ttl 64, id 54861, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.21.80 > 192.168.0.1.22841: F, cksum 0xb4a9 (correct), 193:193(0) ack 641 win 5840
    15:25:23.880614 IP (tos 0x0, ttl 64, id 31161, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.22841 > 192.168.0.21.80: ., cksum 0xcb79 (correct), ack 194 win 65535
    15:25:23.880663 IP (tos 0x0, ttl 64, id 9434, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.22841 > 192.168.0.21.80: F, cksum 0xcb78 (correct), 641:641(0) ack 194 win 65535
    15:25:23.880902 IP (tos 0x0, ttl 64, id 54862, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.21.80 > 192.168.0.1.22841: ., cksum 0xb4a8 (correct), ack 642 win 5840
    15:25:23.931938 IP (tos 0x0, ttl 64, id 54863, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.21.80 > 192.168.0.1.6038: ., cksum 0x6d05 (correct), ack 397 win 5840
    15:25:23.931990 IP (tos 0x0, ttl 64, id 54864, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.21.80 > 192.168.0.1.57066: ., cksum 0x8367 (correct), ack 400 win 5840
    15:25:23.932010 IP (tos 0x0, ttl 64, id 54865, offset 0, flags [none], proto TCP (6), length 40) 192.168.0.21.80 > 192.168.0.1.20027: ., cksum 0x982b (correct), ack 401 win 5840
    15:25:23.935277 IP (tos 0x0, ttl 64, id 33766, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.1.56602 > 192.168.0.21.80: S, cksum 0x74f4 (correct), 2544208303:2544208303(0) win 65228 <mss 1460,nop,wscale 4,sackOK,timestamp 703670826 0>
    15:25:23.935571 IP (tos 0x0, ttl 64, id 54866, offset 0, flags [none], proto TCP (6), length 44) 192.168.0.21.80 > 192.168.0.1.56602: S, cksum 0x60e2 (correct), 520257850:520257850(0) ack 2544208304 win 5840 <mss 1460>
    15:25:23.935607 IP (tos 0x0, ttl 64, id 50865, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.56602 > 192.168.0.21.80: ., cksum 0x8f6f (correct), ack 1 win 65535
    15:25:23.935641 IP (tos 0x0, ttl 64, id 45713, offset 0, flags [DF], proto TCP (6), length 298) 192.168.0.1.56602 > 192.168.0.21.80: P, cksum 0xf064 (correct), 1:259(258) ack 1 win 65535
    15:25:23.982598 IP (tos 0x0, ttl 64, id 54867, offset 0, flags [none], proto TCP (6), length 254) 192.168.0.21.80 > 192.168.0.1.6038: P, cksum 0xfd5d (correct), 1:215(214) ack 397 win 5840
    15:25:23.982623 IP (tos 0x0, ttl 64, id 53493, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.6038 > 192.168.0.21.80: ., cksum 0x8330 (correct), ack 215 win 65486
    15:25:23.983265 IP (tos 0x0, ttl 64, id 54868, offset 0, flags [none], proto TCP (6), length 255) 192.168.0.21.80 > 192.168.0.1.57066: P, cksum 0xe475 (correct), 1:216(215) ack 400 win 5840
    15:25:23.983287 IP (tos 0x0, ttl 64, id 30451, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.57066 > 192.168.0.21.80: ., cksum 0x9992 (correct), ack 216 win 65485
    15:25:23.983933 IP (tos 0x0, ttl 64, id 54869, offset 0, flags [none], proto TCP (6), length 255) 192.168.0.21.80 > 192.168.0.1.20027: P, cksum 0xfa37 (correct), 1:216(215) ack 401 win 5840
    15:25:23.983959 IP (tos 0x0, ttl 64, id 60098, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.20027 > 192.168.0.21.80: ., cksum 0xae56 (correct), ack 216 win 65485
    15:25:23.998837 IP (tos 0x0, ttl 64, id 54870, offset 0, flags [none], proto TCP (6), length 1500) 192.168.0.21.80 > 192.168.0.1.6038: P 215:1675(1460) ack 397 win 5840
    15:25:23.998860 IP (tos 0x0, ttl 64, id 40078, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.6038 > 192.168.0.21.80: ., cksum 0x825a (correct), ack 1675 win 64240
    15:25:23.998976 IP (tos 0x0, ttl 64, id 54871, offset 0, flags [none], proto TCP (6), length 1500) 192.168.0.21.80 > 192.168.0.1.6038: P 1675:3135(1460) ack 397 win 5840
    15:25:23.998999 IP (tos 0x0, ttl 64, id 54744, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.6038 > 192.168.0.21.80: ., cksum 0x7ca6 (correct), ack 3135 win 64240
    15:25:23.999060 IP (tos 0x0, ttl 64, id 54872, offset 0, flags [none], proto TCP (6), length 930) 192.168.0.21.80 > 192.168.0.1.6038: P, cksum 0x7d2a (correct), 3135:4025(890) ack 397 win 5840
    15:25:23.999076 IP (tos 0x0, ttl 64, id 21244, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.6038 > 192.168.0.21.80: ., cksum 0x76f2 (correct), ack 4025 win 64810
    15:25:23.999152 IP (tos 0x0, ttl 64, id 59370, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.6038 > 192.168.0.21.80: F, cksum 0x741c (correct), 397:397(0) ack 4025 win 65535
    

    As we see there is http traffic again but nothing on UDP


  • Rebel Alliance Developer Netgate

    If that's the case, then the router isn't preventing the UDP traffic, since the camera is not even sending it in the first place.

    You may need to download those captures and analyze them further in Wireshark.



  • Thanks for your hints jimp,

    that is possible but how come I can access the cam and view the stream from
    inside the 192.168.0.x network ?

    thx thafener


  • Rebel Alliance Developer Netgate

    It may do something different when on the same subnet, perhaps using broadcast/multicast, but that's just a guess.



  • Hi @ll

    Found the problem myself. It was a problem with Squid (sorry I forgot to tell you this is
    installed).  I have entered my own IP to bypass the Proxy and it works since then.

    @ jimp : Thank you very much for your help

    Thx thafener
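
The two captures in this thread can be compared mechanically. The sketch below is an added example, not part of any post: it parses `tcpdump -v` text lines, confirms that no UDP 5003 packets appear, and flags that on OPT1 the camera's peer is 192.168.0.1 rather than the LAN client 10.0.0.70, which is what a proxy (or NAT) on the firewall produces and fits the Squid resolution. Treating 192.168.0.1 as the firewall's OPT1 address is an assumption, and the function names are hypothetical.

```python
import re
from collections import Counter

# Address pair in `tcpdump -v` text output: "... proto X (n), length n) src.port > dst.port:"
FLOW = re.compile(
    r"proto (?P<proto>\w+) \(\d+\), length \d+\)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Two lines copied from each capture posted in the thread.
LAN_SAMPLE = """\
14:58:39.799305 IP (tos 0x0, ttl 128, id 14840, offset 0, flags [DF], proto TCP (6), length 40) 10.0.0.70.2458 > 192.168.0.21.80: ., cksum 0xf6e7 (correct), ack 1 win 65535
14:58:39.799399 IP (tos 0x0, ttl 64, id 56070, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.21.80 > 10.0.0.70.2458: ., cksum 0xf642 (correct), ack 224 win 65477
"""
OPT1_SAMPLE = """\
15:25:23.853752 IP (tos 0x0, ttl 64, id 63982, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.22841 > 192.168.0.21.80: ., cksum 0xcb95 (correct), ack 193 win 65508
15:25:23.862513 IP (tos 0x0, ttl 64, id 54850, offset 0, flags [none], proto TCP (6), length 1500) 192.168.0.21.80 > 192.168.0.1.22019: P 234:1694(1460) ack 649 win 5840
"""

def summarize(capture_text, camera_ip):
    """Count packets per (protocol, peer address, camera-side port)."""
    seen = Counter()
    for line in capture_text.splitlines():
        m = FLOW.search(line)
        if not m:
            continue
        if m["src"] == camera_ip:
            peer, cam_port = m["dst"], m["sport"]
        elif m["dst"] == camera_ip:
            peer, cam_port = m["src"], m["dport"]
        else:
            continue  # packet does not involve the camera
        seen[(m["proto"], peer, int(cam_port))] += 1
    return seen

def diagnose(seen, client_ip, firewall_ip, stream_port=5003):
    """Return findings for one interface's capture summary."""
    findings = []
    if not any(p == "UDP" and port == stream_port for p, _, port in seen):
        findings.append("no-udp-stream")
    talkers = {peer for _, peer, _ in seen}
    # Routed traffic keeps the client's address; a proxy or NAT replaces it.
    if firewall_ip in talkers and client_ip not in talkers:
        findings.append("firewall-originated")
    return findings

if __name__ == "__main__":
    for name, text in (("LAN", LAN_SAMPLE), ("OPT1", OPT1_SAMPLE)):
        print(name, diagnose(summarize(text, "192.168.0.21"), "10.0.0.70", "192.168.0.1"))
```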

