How to access 8 IP cams on LAN from WAN



  • hi

    I have an interesting request from a pre-school principal: she wants parents to access the school's internal cams to see their pupils, at a certain limited time of day, with a username and password for each parent. Is that possible? Do I need a public IP for each IP cam? Has anybody done something similar? If so, please can you help me?

    help really appreciated

    thanks in advance

    hadi57



  • you need to forward the ports.
    either you have a public IP for each cam
    or you have a single IP and forward different ports to the different cams.

    you can make time-scheduled rules to allow access at different times.

    but the authentication has to happen at the cam itself.
    don't think you can do that with pfsense.



  • thanks for the reply

    can you please give me a lead on how to create a rule to forward ports to an IP?

    thanks again

    hadi57





  • hi and thanks for the link

    i followed the text in the link but it didn't work. what port range should i use?

    could you please give me an example on 192.168.0.x? i am trying to access 36 D-link access points and upgrade them; it would be a great time saving to do it from home.

    hadi57



  • hi

    i tried the following:

    interface: wan
    external address: any
    protocol: tcp
    external port range:
    from: other 1400
    to: other
    nat ip: 192.168.113.112 (that is one of my wireless access points)
    local port: other 1400

    my dhcp range is: 192.163.10 to 192.163.1.245
    my gateway address is: 192.163.1.254

    so i tried accessing one access point with the public ip of my server 87.230.x.x:1400 with no luck.

    what did i do wrong?

    help is highly appreciated

    hadi57



  • Did you NAT port 1400?
    Your post makes me believe you only put in a firewall rule.

    And the rule's source port should be any as well, BTW!



  • hi

    thank you for your help

    this was the firewall/Nat

    and i can see on the nat page:

    if: wan
    proto: TCP
    ext.port range: 1400
    NAT IP: 192.163.1.112 ext:any
    Int. port range: 1400

    i don't know if this is correct

    note: i am using 1.2-RC3

    that's all

    is that right? if so, how do i access my ip cams from wan?



  • hi again

    still can't access. how do i access the 8 cams? so i put the wan ip of pf box with the port to the wanted to be access cam, like this: 212.45.xx.xx:1400? if so i still can't access

    help really appreciated

    hadi57



  • you have added a NAT rule. now check if you have a firewall allow rule on the WAN interface to allow traffic to 192.163.1.112 : 1400



  • @hadi57:

    …access cam, like this: 212.45.xx.xx:1400? if so i still can't access

    If you are using Internet Explorer it's maybe just an issue with a missing "http://" in front of that IP and port. For non-standard ports (80 and 443) it won't know that this is http. Somehow stupid. Other browsers like Firefox do it better ;)

    Also, how do you test this? If you test this from inside your network it won't work without NAT reflection turned on (system>advanced, very bottom).



  • hi

    i am using linux and firefox for browsing, this is my current configuration:






  • Your first NAT rule (the one for port 810) is wrong. It has to have the interface IP like all the others in it and not "any". Also disable or delete the first firewall rule at the WAN tab. Your pfSense is wide open to the world that way.

    Just another thought: a colleague of mine bought a rather cheap IP cam. The cam has one port for the webgui to configure, however once you hit the webgui it loads an ActiveX plugin that needs some other ports to be forwarded as well, that you can't change or that are not even documented in the manual. Once we found that out and added the corresponding port forwards the cam worked. However, if that was the case with your cam you would not be able to make more than one cam available at WAN.



  • hi and thanks

    i am looking now at the ip cam site http://www.networkipcamera.com/faq_009-java.php
    trying to understand it.



  • Their cameras really seem to use multiple ports: http://www.networkipcamera.com/faq_004_soho.php

    So you have to modify all of those ports on each cam so that each cam has unique ports and add a bunch of port forwards/firewall rules for each. Btw, you can make this much easier by adding port aliases for the cams and reduce the number of port forwards/firewall rules this way ;)



  • thanks again and again, i'll go to the site tomorrow and work on that

    hadi57



  • hi
    i went today and changed the video and web ports for all cams as well, so my nat and fw look like this, but i still can't access the cams. i don't know what i did wrong:






  • Just a quick observation:
    If you NAT 15973 UDP you should firewall this as 15973 UDP as well. Not TCP…
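
Added example (not part of any post in this thread): a small Python check for the port-forward mistakes the replies above point out, namely a forward with no matching WAN pass rule, a pass rule whose protocol differs from the forward, a forward bound to "any" instead of the interface address, one external port reused for two cams, and a wide-open pass rule. The `Nat` and `Pass` records are a hypothetical simplification of what the pfSense GUI shows, and the 192.168.1.x addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Nat:                 # one port forward on WAN (hypothetical model)
    ext_addr: str          # "wan" = interface address, or "any"
    proto: str             # "tcp" or "udp"
    ext_port: int
    target_ip: str
    target_port: int

@dataclass(frozen=True)
class Pass:                # one pass rule on the WAN tab (hypothetical model)
    proto: str
    dst_ip: str            # internal address, or "any"
    dst_port: object       # int, or "any"

def audit(nats, passes):
    """Return (finding, detail) tuples for the mistakes raised in the thread."""
    findings, owner = [], {}
    for n in nats:
        if n.ext_addr == "any":
            findings.append(("nat-any-address", n.ext_port))
        # A single public IP can hand each proto/port pair to only one cam.
        if owner.setdefault((n.proto, n.ext_port), n.target_ip) != n.target_ip:
            findings.append(("ext-port-reused", n.ext_port))
        # The pass rule must name the internal target, as the replies say.
        same_dst = [p for p in passes
                    if p.dst_ip in (n.target_ip, "any")
                    and p.dst_port in (n.target_port, "any")]
        if not any(p.proto == n.proto for p in same_dst):
            kind = "proto-mismatch" if same_dst else "no-pass-rule"
            findings.append((kind, n.ext_port))
    findings += [("wide-open-pass", p.proto) for p in passes
                 if p.dst_ip == "any" and p.dst_port == "any"]
    return findings

# Constructed sample: ports 810, 1400 and 15973 appear in the thread,
# port 1401 and all addresses are made up.
NATS = [Nat("any", "tcp", 810, "192.168.1.111", 810),
        Nat("wan", "tcp", 1400, "192.168.1.112", 1400),
        Nat("wan", "udp", 15973, "192.168.1.112", 15973),
        Nat("wan", "tcp", 1401, "192.168.1.113", 1401)]
PASSES = [Pass("tcp", "any", "any"),
          Pass("tcp", "192.168.1.111", 810),
          Pass("tcp", "192.168.1.112", 1400),
          Pass("tcp", "192.168.1.112", 15973)]

if __name__ == "__main__":
    for finding in audit(NATS, PASSES):
        print(finding)
```

With the wide-open rule present, the forward for port 1401 is silently covered by it; once that rule is removed the same forward is reported as having no pass rule.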



  • How do you check that you cannot reach the cams from WAN?
    If you're sitting behind a consumer router, usually doing just NAT, this is doable.
    Since you are using pfSense in this install, chances are, you are behind a pfSense at home/in your office as well.
    If you only opened http(s) ports for surfing there, you'll never get to school-ip:810. Then the problem is on the other side of the connection.



  • hi

    the port 15973 tcp is now udp

    i am checking from home:
    1- with pfbox connected.
    2- without pfbox connected directly to dsl router

    i tried changing the 1st line https:443 to allow any so everything is wide open like before, but still couldn't connect to the school ip cams. i still don't know where the problem is. is it ok if i give you access to the server for a check? it would be really appreciated.

    thank you again.



  • I'm on holidays starting tomorrow.



  • How about an entirely different approach?  ZoneMinder!

    Set up a Linux host on your private network running ZoneMinder to create a single centralized point to access all cams.

    Then you only have a single host to worry about when it comes to providing public access via your pfSense firewall. :)

    Oh, and you want per-parent user access control; I would go a step further and set up OpenVPN connectivity - I always prefer VPN to poking holes in a firewall when it comes to providing access to hosts on my private network. If you are going to control user access instead of just having open public access, you should always implement VPN rather than poke holes, in my opinion.

    You could then create your time-of-day requirements on pfSense (rule only allows the OpenVPN connections during a certain time frame) and manage your user access accounts on the ZM box.



  • thanks a lot for the advice. i downloaded zm long ago, but never tried it, so i'll follow your advice and try it and post here what happens.

    thanks again



  • i was trying today to log in to one ip cam. it started to log in but it took very long, almost 10 minutes. i see the image frame but not the image itself, i mean a white image.



  • hi

    it is working. i changed the IP cam model # and it is working perfectly.

    thanks a lot for all the help



  • hi again

    now i have been requested to make a schedule rule for each cam to be available at a certain time of the day to be accessible publicly, so i went to firewall > schedules to create a time rule for one of the cameras. i saw schedule name and description; how do i make this related to camera a or b or c etc…?

    thanks in advance for the help



  • You need to create a rule for each cam and assign the schedule to it.

    Beware that schedules work a bit differently from the rest of the rules. It's mentioned when creating them, IIRC.



  • hi

    i saw the schedule, but the time is quarterly based. is there any other option, like a 5-minute base? one more thing: can we add a yearly based rule too?

    thank you
    haddi57



  • No and No. Actually these rules are on a per year basis iirc. So if you block let's say on January the 1st it will block on that day every year (2008, 2009, 2010,…). Why is a 15-minute slice not enough? A cron job will run every 15 minutes to see if the ruleset has to be changed and recreate and reload the filter if needed. Making smaller slices will put additional load on the firewall as it would have to check for changes more often. We thought 15-minute intervals should be enough usually.

