TL;DR
I can ping my camera across VLANs but can't connect via apps. Suspect NAT/state tracking issue with port randomization breaking the connection. Any solutions?
I'm experiencing an issue with cross-VLAN access to a security camera on my OPNsense firewall. Here are the details:
## Network Configuration
- OPNsense on Protectli vault with two primary networks:
- Main LAN: 192.168.1.0/24 (VLAN 1)
- Security VLAN: 192.168.20.0/24 (VLAN 20)
- Reolink Argus B740X camera located on Security VLAN (IP: 192.168.20.102)
## Current Issue
- Devices can successfully connect to the camera when they're on the same VLAN (SecurityVLAN)
- Devices on the main LAN cannot establish application-level connections to the camera
- ICMP (ping) works across VLANs, but TCP/UDP application traffic fails with "state violation" errors
## What I've Confirmed
- Firewall rules are correctly configured to allow traffic in both directions
- All necessary ports (80, 443, 554, 8000, 9000) are explicitly allowed
- Ping tests from main LAN to the camera are successful
- Connection attempts from main LAN to camera result in "Default deny / state violation rule" entries in the firewall logs
## Current NAT Configuration
- Using Hybrid outbound NAT rule generation
- Have a manual NAT rule for another device on the Security VLAN with Static Port: YES
- Automatic rules for all networks have Static Port: NO
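Added example (not part of the poster's thread or OPNsense's own tooling): the raw filterlog CSV behind the "state violation" entries says more than the GUI summary, because the TCP flags tell you whether pf refused a new connection (bare SYN hitting a block rule) or dropped a mid-stream packet it holds no state for (SYN-ACK/ACK with no matching state), and the ingress interface tells you whether a packet arrived on a VLAN its source subnet does not belong to, which is the asymmetric-path signature of switch-side routing. The script below parses constructed sample lines in the pf filterlog column layout; the column order, the interface names `vlan0.1`/`vlan0.20`, the rule labels and the log lines themselves are all assumptions for the demonstration, so check them against an export from your own firewall log before trusting the column names.

```python
import csv
import ipaddress

# Column layout of the pf "filterlog" CSV payload (syslog header already stripped).
# Assumed from the FreeBSD/OPNsense filterlog format; verify against a real export.
COMMON = ["rulenr", "subrulenr", "anchor", "label", "iface", "reason", "action", "dir", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto", "length", "src", "dst"]
PORTS = ["srcport", "dstport", "datalen"]
TCP = ["tcpflags", "seq", "ack", "window", "urg", "options"]

# Interface-to-subnet map for the two networks in the post (interface names assumed).
NETS = {
    "vlan0.1": ipaddress.ip_network("192.168.1.0/24"),
    "vlan0.20": ipaddress.ip_network("192.168.20.0/24"),
}

# Constructed sample log (not output from the poster's firewall): a LAN client's
# RTSP SYN passed inbound on the LAN VLAN, then three blocks logged on the camera VLAN.
SAMPLE = """\
10,,,a1b2c3,vlan0.1,match,pass,in,4,0x0,,64,1001,0,DF,6,tcp,60,192.168.1.50,192.168.20.102,51234,554,0,S,123,,65535,,mss
1,,,dead00,vlan0.20,match,block,in,4,0x0,,64,2002,0,DF,6,tcp,60,192.168.20.102,192.168.1.50,554,51234,0,SA,456,124,65535,,mss
5,,,feed01,vlan0.20,match,block,in,4,0x0,,64,2003,0,DF,6,tcp,60,192.168.20.102,192.168.1.50,38000,51234,0,S,789,,65535,,mss
5,,,feed01,vlan0.20,match,block,in,4,0x0,,64,2004,0,DF,6,tcp,60,192.168.1.50,192.168.20.102,51235,80,0,S,790,,65535,,mss
"""


def parse_line(line):
    """Map one filterlog CSV line to a dict, extending the column list by protocol."""
    fields = next(csv.reader([line]))
    names = list(COMMON)
    if len(fields) > 8 and fields[8] == "4":
        names += IPV4
        proto = fields[16] if len(fields) > 16 else ""
        if proto in ("tcp", "udp"):
            names += PORTS
        if proto == "tcp":
            names += TCP
    return dict(zip(names, fields))


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def classify_blocks(records):
    """Return (verdict, record) for every blocked IPv4 TCP packet.

    asymmetric-arrival: source subnet does not belong to the ingress interface,
        so the packet took a path around the firewall (e.g. switch-side routing).
    policy-block: a bare SYN was refused, i.e. a rule said no to a new connection.
    state-violation-*: a non-SYN packet was dropped because pf holds no state
        for it; the suffix says whether the forward SYN was seen passing.
    """
    passed_syn = {
        (r["src"], r["srcport"], r["dst"], r["dstport"])
        for r in records
        if r["action"] == "pass" and r.get("proto") == "tcp" and r.get("tcpflags") == "S"
    }
    verdicts = []
    for r in records:
        if r["action"] != "block" or r.get("proto") != "tcp":
            continue
        net = NETS.get(r["iface"])
        if net is not None and ipaddress.ip_address(r["src"]) not in net:
            verdicts.append(("asymmetric-arrival", r))
        elif r["tcpflags"] == "S":
            verdicts.append(("policy-block", r))
        elif (r["dst"], r["dstport"], r["src"], r["srcport"]) in passed_syn:
            verdicts.append(("state-violation-reply-to-passed-syn", r))
        else:
            verdicts.append(("state-violation-unknown-flow", r))
    return verdicts


if __name__ == "__main__":
    for verdict, r in classify_blocks(parse_log(SAMPLE)):
        print(f"{verdict:40} {r['iface']} {r['src']}:{r['srcport']} -> "
              f"{r['dst']}:{r['dstport']} flags={r['tcpflags']} rule={r['label']}")
```

Feed it the CSV payloads exported from the firewall log and look at which verdict dominates: a run of `state-violation-reply-to-passed-syn` means the SYN went through but the reply did not match the state, while `asymmetric-arrival` entries point at traffic reaching the firewall on the wrong VLAN rather than at a rule or NAT setting.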
Best to show your rules for each source and destination interface (VLANs in this case).
You don't have any Layer 3 routing on the managed switch, right? Just to be sure of the basics.
Thanks for the response! Here are my firewall rules:
LAN Interface rules:
- Default allow LAN to any rule
- Specific rule allowing LAN to SecurityVLAN
SecurityVLAN Interface rules:
- Allow Reolink Camera (192.168.20.102) TCP/UDP return traffic to LAN
- Allow Reolink Camera ports specifically (80, 443, 554, 8000, 9000) via both TCP and UDP
- Allow internal SecurityVLAN communication
- Allow DNS to OPNsense
- Block SecurityVLAN from initiating LAN connections (after specific allow rules)
- Allow SecurityVLAN Internet Access
Regarding your question about Layer 3 routing on the switch:
No, all routing is handled by OPNsense. The switch (TP-Link TL-SG3428) is only doing VLAN tagging at Layer 2. It's managed via an Omada OC200 controller.
One detail that might be relevant: I'm using Hybrid outbound NAT rule generation. I have a manual rule for another device on the Security VLAN with Static Port: YES, but the automatic rules for all networks have Static Port: NO. Could this be causing the state tracking issues?
Thanks, but these are the intentions of your rules, not necessarily how they've been set up. For folks to cast their eyes on them here, it is best to show them with screen captures. Are you able to do that? No links to hosting sites, please.