PORT FORWARD TO CCTV DVR



  • I have been able to set up pfSense on an old system as follows:
    1. pfSense on a system with 2 NICs: rl0 is WAN (DHCP, 192.168.2.2), rl1 is LAN (DHCP server, 192.168.1.1).
    2. The WAN is connected to a Belkin wireless modem/router. The Belkin has PPPoE settings.
    3. A CCTV DVR is connected to the pfSense system through a switch (fixed IP 192.168.1.150 with gateway 192.168.1.1 of pfSense). The DVR listens on port 8000.
    4. A dynamic DNS account has been set as mydvr.dyndns.org.
    5. pfSense has been configured with DynDNS update.
    6. I had enabled captive portal earlier; I also tried with it disabled.

    I am able to ping the dvr. I can connect from another system to the dvr and see the camera views on Local connection.
    But when I use mydvr.dyndns.org, I don't get any response.
    I tried the NAT port forwarding settings. (Earlier, before using pfSense, I used the Belkin router for remote view with the DynDNS address. At that point I had set up port forward and DMZ for the DVR, which was successful.)
    My ultimate aim of using pfSense is as follows:
    1. Set the DVR behind pfSense so I can secure the remote access to the DVR using captive portal. I want remote users to log in to see the DVR. I am not sure how to do this. But I am bogged down at the first stage as above.
    I used NAT port forward with target IP and port as 192.168.1.150 and 8000. For destination I used WAN, then the IP address of the pfSense system. But no way could I connect. Can somebody please help?
    Thanks
    pfSense Novice



  • Did you determine the source port also?
    What errors does it give?



  • I am still not able to connect to the DVR. I have set up mydvr.dyndns.org. pfSense is updating it properly. But when I enter mydvr.dyndns.org I get the pfSense web GUI instead of the DVR login page. I have done the port forwarding under NAT, yet I get the same problem. The dynamic DNS and port forwarding work on a Belkin router. I set up the Belkin router to update the dyndns.org site. Then I set up port forward and DMZ for the DVR (IP address and port). That's all. It works. But I am not able to do the same with the pfSense router. Can someone help?



  • Yes, you should have a port forward set up.
    If it isn't working after the port forward, send us your port forward and WAN rules to view.



  • Hi Metu69salemi
    Thanks for the prompt response. I shall set up the port forward also and send the images. But there is another main issue I am facing: port forward or not, when I try to use the dynamic DNS address to access the pfSense server from within the network, it works and I get the web GUI. But it does not happen from an external network. (When I say within the network, my laptop is connected to pfSense and pfSense has an internet connection. When I say external network, my laptop is disconnected from pfSense and I use a USB modem based internet connection on the laptop.)



  • Does your machine resolve the correct IP address when using the USB modem?
    What error does it give when you try to connect to the web GUI over the USB modem?



  • I am getting a page not found error. When I check the pfSense Dynamic DNS page, the link is in green, showing that the client update is successful. When I enter mydvr.dyndns.org from that connection, I am able to get the pfSense web GUI. But after disconnecting from pfSense, I use a modem to connect to the net, and when I try with Chrome I get an oops message with page not found. This also happens when I use my mobile with a 3G connection to connect to mydvr.dyndns.org. But if I connect the mobile over Wi-Fi to pfSense, I get the web GUI login page when I type mydvr.dyndns.org in the address bar. This is with no port forwards set as of now.



  • OK, now I am able to access my pfSense web GUI from my mobile (using a different internet connection and mydvr.dyndns.org in the address bar). I set a firewall (NAT) rule as follows:
    Interface  WAN
    Protocol TCP
    Destination Any
    Destination Port https
    redirect target ip ipAddress of the pfSense
    redirect target port   https

    I did not make any changes to the source using the advanced button. It is at any.

    Can you please help me to forward this to my DVR (device) from this point onward?
    Thanks a lot



  • Redirect access to your CCTV device if you want to redirect traffic there. You almost got it.



  • Hi Metu69Salemi,
    Thanks! But your reply is quite broad. I did try redirecting to the DVR. Yet I am not able to access the DVR.



  • I checked the logs. I saw an entry showing the IP address of the external internet connection against the incoming internet with port (8900 of the CCTV) under the normal view firewall entry. I added this under easy rule add. With this I am getting the pfSense web GUI as against the CCTV.



  • Reply with your WAN and port forward rules, and include which ports this DVR listens on for its web UI and which ports you want to use externally.



  • Hi
    I think we are in different time zones. Anyway, I have uploaded the PDF file with NAT rules and port forwarding here: http://min.us/mtNrSJ9DL

    Hope you can access it.
    The DVR has IP address 192.168.1.150 and listens on port 8000. The HTTP port of the DVR is 80.
    pfSense is configured for secure access. It listens on port 443. As of now even that is blocked. But when I do the easy firewall rule add, I can get the web GUI of pfSense. (All this from a different net connection.)
    I have checked the disable webConfigurator redirect rule.
    So what is going wrong?
    Thanks for your responses.



  • This works like a buick™. I haven't had a single problem with port forwarding.

    
    Start all over. I think that you're over complicating things.
    1) Remove the port forwards
    2) Remove the belonging WAN rule.
    3) Start creating a new port forward (Firewall: NAT: Port Forward)
    	Disabled:	unchecked
    	No RDR:		unchecked
    	Interface:	WAN
    	Protocol:	TCP
    	Source:		1.38.175.63 ( I would leave any, but this was IP you provided)
    	Source port:	any
    	Destination:	Wan address
    	Dest. Port:	80
    	Redirect ..:	192.168.1.150
    	Redirect port:	80 or 8000, whichever is the wanted web UI
    	Description:	DVR
    	No XMLRPC S..:	unchecked
    	NAT reflec:	use system default
    	Filter rule as:	Add associated filter rule
    4) Apply changes
    5) Check your firewall rule
    	Action:		Pass
    	Disabled:	unchecked
    	Interface:	leave as is
    	Protocol:	leave as is
    	Source:		leave as is
    	Destination:	leave as is
    	Dest.port:	leave as is
    	Log:		up to you
    	Description:	leave as is
    
    6) Test it. Should work like a buick
    
    

    My home address resides in western Europe
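
A check for step 6 above, as an added example that is not part of the original post: it probes the forwarded ports from an outside connection and reports any port whose state differs from the intended exposure. The `EXPECTED` table and the function names are assumptions built from the ports named in the thread (80 and 8000 for the DVR, 443 for the pfSense web GUI).

```python
import socket

# Assumed intent, from the ports named in the thread: the DVR answers on
# 80 and 8000; 443 is the pfSense web GUI and should not answer on the WAN.
EXPECTED = {80: "open", 8000: "open", 443: "closed"}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'unresolved' or 'filtered' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"   # the dynamic DNS name did not resolve
    except ConnectionRefusedError:
        return "refused"      # a host answered with RST: nothing listens there
    except OSError:
        return "filtered"     # timeout or unreachable: dropped along the path


def audit(host, expected=EXPECTED, timeout=3.0):
    """Compare observed port states with the intended exposure.

    Returns a list of (port, wanted, observed), one entry per mismatch.
    """
    mismatches = []
    for port, wanted in sorted(expected.items()):
        observed = probe(host, port, timeout)
        if wanted == "open":
            ok = observed == "open"
        else:
            ok = observed != "open"
        if not ok:
            mismatches.append((port, wanted, observed))
    return mismatches


if __name__ == "__main__":
    # Run from a connection outside the LAN (mobile data or a USB modem),
    # because a test from inside the LAN only exercises NAT reflection.
    for port, wanted, observed in audit("mydvr.dyndns.org"):
        print(f"port {port}: wanted {wanted}, observed {observed}")
```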



  • Hi
    Thanks for your response.
    I did this same setting at the very first instance. When that failed, I tried the other options. Anyway, I will start from scratch again and update you.



  • Hi
    I am going crazy. I feel like throwing out the box and going for other fw or hardware.
    The same problem persists.



  • Hi
    At last got it. This is what I did: http://blog.linuxniche.net/2009/09/need-a-firewall-part-2/ The aliasing for ports did the trick.

    I need to use both port 80 and port 8000 of the DVR, so with this I could get it going. But now the final catch: when I enable captive portal I am not able to connect over DynDNS.
    Is there a solution for this?



  • Don't know, I'm not using CP anywhere at this point. Maybe a more experienced pfSense user will be able to help you.



  • Hi
    Thanks for your replies. I could get it up and running. Of course, I did a factory reset also. I just added an alias for the ports needed by the DVR, went to the NAT port settings and did the rest as per Metu69's advice. Only I used the alias for the ports. The source was any.
    It started working like a charm.
    Now I wanted to have captive portal so that anyone accessing the DVR remotely using the dynamic DNS address would be presented with a login screen for access to the DVR. But I think this is not possible. Somewhere else I read that this is called reverse captive portal. I am not sure, so I request others not to take this as the last word on CP.
    Please suggest how security can be achieved if not using CP.
    Thanks

