1:1 NAT not going to correct server



  • I have learned to correctly set up a VIP and get 1:1 somewhat working. I have a Camera NVR and several cameras installed that I want to access remotely. I placed the NVR and cameras on my DMZ interface, then created a VIP and 1:1 pointing to my NVR (192.168.1.50). When I connect to my external address, I end up at 192.168.1.53 (one of the cameras). I have double checked all my entries on pfsense, and the entries pointing to NVR are correct. Does anyone have a thought as to why I can't get to the correct host?



  • Post screens of your WAN/LAN firewall & NAT rules.  It's impossible to say otherwise.  Is this NVR some type of media hub and is acting as a passthrough for the camera?



  • The NVR acts as a controller for all of the cameras. Although each camera (192.168.1.[51-58]) is running embedded Linux and a webserver which can be individually addressed, in order to see all cameras, one has to log into the NVR (192.168.1.50). The 192.168.1.0 subnet is my DMZ, and I have created a 1:1 NAT between one of my external IP addresses (66.231.217.131/24) and 192.168.1.1 with an end target of 192.168.1.50.

    Initially, when I connected to the external IP address, I would end up connecting to one of the IP cameras (192.168.1.53) as opposed to the NVR (192.168.1.50). I have been playing with various configuration changes on the pfsense box, and now when I attempt to gain access from the remote IP address, although a tab on the browser states IP Camera, nothing shows on the screen. No camera pictures, no control tabs, and the screen is completely blank.

    Although someone previously made a suggestion that I should do a port forward, I have dismissed that since there are numerous ports that the NVR wants to access and it was easier to just open the server up and place it on the DMZ.

    ![WAN Rules.png](/public/imported_attachments/1/WAN Rules.png)
    ![DMZ Rules.png](/public/imported_attachments/1/DMZ Rules.png)
    ![1:1 NAT.png](/public/imported_attachments/1/1:1 NAT.png)



  • In your 1:1 rule, try changing the Internal IP to 192.168.1.50 and the Destination IP to Any.



  • Made the change and still no go. The browser tag shows HD Cam Client, but the page is completely blank. The only excitement today is that suddenly after posting the above detailed message, I was getting port 22 hits. I need to figure this one out soon because I was called to the principal's office today.


  • LAYER 8 Netgate

    I think your DMZ rule allowing WAN net to access 192.168.1.50 needs to be on WAN instead.

    permit any dest 192.168.1.50 any


  • LAYER 8 Netgate

    Also I think you want 192.168.1.50 as the Internal IP and any in the destination.



  • This NVR is just a web server right?  You view it in your browser?  I would get rid of the 1:1 NAT and just do a port forward from WAN address to port 80 on the NVR.  The ports the NVR needs are between it and the cameras on the same net segment?
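
The suggestions in the replies above (Internal IP 192.168.1.50 with destination any, the pass rule on WAN instead of DMZ, or a port forward to port 80 in place of 1:1), written out as the pf rules they correspond to. This is an added example, not taken from the thread or from the poster's firewall; the interface names and macros (`wan_if`, `dmz_if`, `em0`, `em2`) are assumptions, and the rules in the posted screenshots are not known.

```pf
# Added illustration in pf.conf syntax; interface names are assumed.
wan_if = "em0"             # assumption: WAN NIC
dmz_if = "em2"             # assumption: DMZ NIC
nvr    = "192.168.1.50"    # NVR address from the thread
vip    = "66.231.217.131"  # external VIP from the thread

# --- Translation --------------------------------------------------
# Option A, 1:1 NAT: Internal IP = the NVR itself, Destination = any.
# Every port on the VIP is mapped to the NVR, in both directions.
binat on $wan_if from $nvr to any -> $vip

# Option B, port forward (use instead of A, not together with it):
# only TCP/80 on the VIP reaches the NVR.
# rdr on $wan_if proto tcp from any to $vip port 80 -> $nvr port 80

# --- Filtering ----------------------------------------------------
# Misplaced: a rule on the DMZ interface only sees packets arriving
# from DMZ hosts, so it never matches a connection that comes in
# from the Internet.
# pass in quick on $dmz_if inet from any to $nvr

# Correct: rule on WAN. Translation has already happened when the
# filter runs, so the destination is the internal address, not the VIP.
# Limiting it to port 80 (the port named in the reply) keeps SSH
# (port 22) and the NVR's other services unreachable from outside
# even with 1:1 NAT in place.
pass in quick on $wan_if inet proto tcp from any to $nvr port 80 flags S/SA keep state
```

On the firewall itself, `pfctl -sn` and `pfctl -sr` print the loaded translation and filter rules for comparison with the above.
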



  • I just did a port forward and am still getting the same thing. I am able to see a tab on the browser that says hd client, but still no image or control images. I know that when I began with the setup, I was able to at least get to the NVR control. When I started making changes with 1:1 (and yes I initially started with port forwarding). Now with the exception of seeing the name on the tab, I can see nothing. I have tried this on both the 1:1 as well as the forwarded port.


  • LAYER 8 Netgate

    Post images of your current firewall and NAT rules.  Don't change anything.

