Netgate Discussion Forum
    Nat works on one port, and not on another port, completely baffled :-/

      fribert

      I have a surveillance system set up based on QNAP.
      It has the central unit set up on 1 IP running on port 80; this is mapped to port 10000.
      Each camera has separate IPs with a stream host working on port 80; they are mapped to 10000+camnumber, i.e. cam1: 10001, cam2: 10002 etc.

      I can reach the central unit without any problems on port 10000.
      I cannot reach any of the cameras.

      I've set it up with aliases, but in desperation I've also tried just using straight IPs, no change.

      Each camera has a NAT rule, that translates from the standard WAN IP port 1000x to the internal IP port 80.

      pfSense is 1.2.3 release built sun dec 6 23:21:36

        jimp Rebel Alliance Developer Netgate

        Do the cameras have a proper subnet mask and default gateway set?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          fribert

          Just made absolutely sure, yes they have the default gateway and dns and mask correctly.
          I would like to send it out via a virtual ip, but for now I'm setting it up to use the default one.

            jimp Rebel Alliance Developer Netgate

            You'll probably have to do some packet captures on WAN and LAN to see what is happening to the traffic.

              fribert

              Just set up a new NAT to access a VMware virtual host via SSH, it also fails, so something is definitely screwy with the NAT implementation, my guess is a combination of aliases and NAT.
              I'll see if I can find the time to do a packet capture session before the end of the week.

                fribert

                He, just got an SSH tunnel set up (a NAT that actually works!), so I could do it from work :o


                The trace didn't give me much:
                Packet capture WAN, filtered on outside sender's IP (I manually removed the traffic stemming from the SSH tunnel).

                683 00:02:cf:d6:84:9c > 00:50:04:3d:68:84, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 119, id 63055, offset 0, flags [DF], proto TCP (6), length 48) 193.219.30.10.13232 > 217.157.8.114.10001: S, cksum 0x52eb (correct), 27596448:27596448(0) win 64512 <mss 1260,nop,nop,sackOK>
                11:05:11.791211 00:02:cf:d6:84:9c > 00:50:04:3d:68:84, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 119, id 63075, offset 0, flags [DF], proto TCP (6), length 48) 193.219.30.10.13232 > 217.157.8.114.10001: S, cksum 0x52eb (correct), 27596448:27596448(0) win 64512 <mss 1260,nop,nop,sackOK>
                11:05:13.321855 00:02:cf:d6:84:9c > 00:50:04:3d:68:84, ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 119, id 63109, offset 0, flags [DF], proto TCP (6), length 48) 193.219.30.10.13232 > 217.157.8.114.10001: S, cksum 0x52eb (correct), 27596448:27596448(0) win 64512 <mss 1260,nop,nop,sackOK>

                Packet capture LAN

                EMPTY!!!

                1 Reply Last reply Reply Quote 0
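The WAN capture above shows one SYN (same sequence number) arriving three times while the LAN capture stays empty. As an added example (not code from the thread or from pfSense), this Python sketch classifies that pattern from old-style tcpdump text; the documentation addresses, the `FORWARDS` map and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Old-style tcpdump TCP line: "SRC.sport > DST.dport: FLAGS, cksum ..., seq:seq(len)"
PKT = re.compile(r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
                 r"(\S+?), .*? (\d+):\d+\(\d+\)")

def parse(lines):
    """Return (src, sport, dst, dport, flags, seq, has_ack) per parsable line."""
    hits = ((PKT.search(line), line) for line in lines)
    return [(m[1], int(m[2]), m[3], int(m[4]), m[5], int(m[6]), " ack " in line)
            for m, line in hits if m]

def diagnose(wan_lines, lan_lines, forwards):
    """forwards maps WAN port -> (internal_ip, internal_port), mirroring the NAT rules."""
    wan, lan = parse(wan_lines), parse(lan_lines)
    # A retransmitted SYN reuses its sequence number, so retries share one key.
    syns = Counter(p[:4] + (p[5],) for p in wan if p[4] == "S" and not p[6])
    findings = {}
    for (src, sport, dst, dport, _seq), count in syns.items():
        answered = any(p[:4] == (dst, dport, src, sport) for p in wan)
        target = forwards.get(dport)
        # An inbound port forward rewrites only the destination, so match on source.
        on_lan = any(p[:2] == (src, sport) and p[2:4] == target for p in lan)
        if answered:
            verdict = "answered"
        elif target is None:
            verdict = "no port forward defined"
        elif not on_lan:
            verdict = "seen on WAN only: blocked or not translated by the firewall"
        else:
            verdict = "forwarded to LAN: internal host did not reply via the firewall"
        findings[dport] = (count, verdict)
    return findings

# Constructed, trimmed capture lines (documentation addresses, not the poster's).
WAN = [
    "11:05:09.1 198.51.100.7.13300 > 203.0.113.5.10000: S, cksum 0x1 (correct), 500:500(0) win 64512",
    "11:05:09.2 203.0.113.5.10000 > 198.51.100.7.13300: S, cksum 0x2 (correct), 900:900(0) ack 501 win 5840",
    "11:05:10.0 198.51.100.7.13232 > 203.0.113.5.10001: S, cksum 0x3 (correct), 700:700(0) win 64512",
    "11:05:11.7 198.51.100.7.13232 > 203.0.113.5.10001: S, cksum 0x3 (correct), 700:700(0) win 64512",
    "11:05:13.3 198.51.100.7.13232 > 203.0.113.5.10001: S, cksum 0x3 (correct), 700:700(0) win 64512",
]
LAN = ["11:05:09.1 198.51.100.7.13300 > 192.168.1.10.80: S, cksum 0x1 (correct), 500:500(0) win 64512"]
FORWARDS = {10000: ("192.168.1.10", 80), 10001: ("192.168.1.11", 80)}

print(diagnose(WAN, LAN, FORWARDS))
```

A "seen on WAN only" verdict points at the firewall rule or NAT match; a "forwarded to LAN" verdict points at the internal host's gateway or service instead.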
                  jimp Rebel Alliance Developer Netgate

                  Have you tried setting up the port forwards without using aliases to see if that works?

                    ee99ee

                    Do the cameras use RTP, by any chance, for video transfer?

                    -Chris

                      fribert

                      I've tried without aliases as well, the cameras CAN use RTP, but in this case, it's RTPoverHTTP as they call it.
                      I've tried using an SSH tunnel (I have a NAT that actually works, SSH to my NAS), and forwarded just port 80 through that, and that works for all the cameras.
