Messages - mrpetersson

#1
I was thinking that setting "any" would make it hard to get anything from this device (which is an IP camera so I want to get the video out).
#2

I'm trying to set a rule for what I believed would be the simplest thing but I'm still a little uncertain if I got it right.
I'm on 24.7.3_1.

I want to block a device on my LAN (I don't have VLANs yet) from accessing the internet. LAN network is 10.10.0.0/16.

I'm setting:
Action: Block
Quick: Checked "Apply the action immediately on match."

Interface: LAN
Direction: in
TCP/IP Version: IPv4
Protocol: any

Source / Invert: Unchecked ("Use this option to invert the sense of the match.")
Source: Single host or Network. 10.10.x.y / 32          <- Is this the right net mask?
Source port range: from:any to:any

Destination / Invert: Checked  "Log packets that are handled by this rule"  <- Due to setting Destination as LAN net, correct or not?
Destination: LAN net
Destination port range: from: any to: any

Log: Checked "Log packets that are handled by this rule"


I still see this device when looking at LAN traffic, it is a device that seems to be trying to call home. Maybe what I see in the Reporting -> Traffic -> Top Talkers is before the firewall drops the packets?
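As an added illustration of how the rule described in this post is evaluated (this is example code, not from the post and not OPNsense's own code): a small model of pf's first-match "quick" semantics with the "Destination / Invert" checkbox. The camera address 10.10.20.5 is a constructed stand-in for 10.10.x.y, and the "pass LAN net to any" rule stands in for the usual default LAN allow rule.

```python
"""Model of pf rule matching for the 'block camera from internet' rule.
Added example; assumptions: camera at 10.10.20.5 (constructed), LAN 10.10.0.0/16."""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("10.10.0.0/16")
# /32 means exactly one host, which is what "Single host" needs.
CAMERA = ipaddress.ip_network("10.10.20.5/32")      # constructed stand-in for 10.10.x.y


@dataclass
class Rule:
    action: str                         # "block" or "pass"
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    invert_destination: bool = False    # the "Destination / Invert" checkbox
    quick: bool = True                  # "Apply the action immediately on match"


def matches(rule: Rule, src: str, dst: str) -> bool:
    """True if the packet src->dst is selected by this rule."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in rule.source:
        return False
    in_dest = dst_ip in rule.destination
    # Invert flips the destination test: "not LAN net" == everything else.
    return (not in_dest) if rule.invert_destination else in_dest


def evaluate(rules: list, src: str, dst: str, default: str = "pass") -> str:
    """pf semantics: the last matching rule wins, unless a matching rule is quick."""
    verdict = default
    for rule in rules:
        if matches(rule, src, dst):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# The rule from the post: block camera -> anything that is NOT LAN net, quick.
BLOCK_INTERNET = Rule("block", CAMERA, LAN_NET, invert_destination=True)
# Typical default LAN rule: pass LAN net -> any (not quick here for illustration).
ALLOW_LAN = Rule("pass", LAN_NET, ipaddress.ip_network("0.0.0.0/0"), quick=False)
RULESET = [BLOCK_INTERNET, ALLOW_LAN]

if __name__ == "__main__":
    for dst in ("203.0.113.10", "10.10.10.1"):
        print(f"{CAMERA.network_address} -> {dst}: {evaluate(RULESET, '10.10.20.5', dst)}")
```

With Invert unchecked the same rule would block the camera only from other LAN hosts and leave its internet access untouched, which the model shows when you flip the flag.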
#3
Quote from: Saarbremer on May 05, 2024, 03:43:06 PM
Instead of posting wrong information presented by ChatGPT I would just throw away that camera. You cannot change the IP address? Well, what else does this thing do in your network you're not aware of?

Well, I guess that is also a topic to discuss - how to make sure this device doesn't call home and share some data or accesses other devices that it shouldn't. I guess firewall rules will at least help there. I don't know that ChatGPT is wrong - perhaps it is just me that is doing it wrong, but if it can be confirmed that solution will not work then that is good information.

Quote from: Saarbremer on May 05, 2024, 03:43:06 PM
Regarding your OPNsense question: set up another LAN (VLAN or separate cable) for the camera. At least you'd have some control over the traffic

Sounds easy enough but I guess there is more to it - I will need to configure the switch for the VLAN also, right? Some rules in the firewall as well?
#4
I recently did some changes to my network setup in my home, like switching from using 192.168.1.0/24 to instead have 10.10.0.0/16 for my LAN (I'm not using VLANs yet). One problem I've run into is that I have this cheap IP camera that has a fixed IP address 192.168.1.X and I have not found any way to change that or set it to use DHCP.

I've tried a bunch of things with routes and firewall rules but I don't have sufficient understanding of these things to make it work.

This is the setup:

  • Computer running OPNsense 24.1.6-amd64 (at this moment). One NIC is used for WAN and one for LAN.

  • Switch (Unifi 8-port PoE switch) - this one gets a 10.10.10.Y address (I've set up some static assignments in DHCP where I've used different ranges like 10.10.10, 10.10.20 and 10.10.100 for different types of devices. Yes, this should probably be done with VLANs instead but I'm not there yet.)

  • A few IP cameras are connected to the above switch, most of them get IP addresses through DHCP but this particular camera doesn't support that it seems - or at least there is no configuration option for it.

I'm trying to reach the IP camera via rtsp and ping.

I asked ChatGPT and it said the following (see further down) but I don't get that to work either...

Any tips I could use to figure out a way to do this? I'm sure this is pretty easy but I don't get it...

(X and Y are of course some numbers.)

Quote
1. Configure a Static Route:

  • Go to the OPNsense web interface.
  • Navigate to the "System" menu and select "Routes."
  • Click on the "+" icon to add a new static route.
  • In the "Destination network" field, enter the network address of the camera's subnet, which is 192.168.1.0/24.
  • In the "Gateway" field, enter the IP address of the switch that connects to the camera. This will likely be an IP address within the 10.10.0.0/16 subnet.
  • Save the changes.

2. Configure NAT (if necessary):

  • If the computers on the 10.10.0.0/16 subnet need to access the camera using its original IP address (192.168.1.X), you'll need to set up NAT.
  • Navigate to the "Firewall" menu and select "NAT."
  • Add a new NAT Port Forward rule.
  • In the "Interface" field, select the interface that connects to the 10.10.0.0/16 subnet.
  • In the "Protocol" field, select the appropriate protocol (e.g., TCP or UDP).
  • In the "Destination" section, enter the original IP address and port of the camera (e.g., 192.168.1.X:port).
  • In the "Redirect target IP" field, enter the IP address of the camera.
  • Save the changes.

3. Ensure Firewall Rules Allow Traffic:

  • Make sure that there are no firewall rules blocking traffic between the 10.10.0.0/16 subnet and the 192.168.1.0/24 subnet.
  • Navigate to the "Firewall" menu and select "Rules."
  • Check both the WAN and LAN interfaces for any rules that might block traffic between these subnets. Adjust or add rules as necessary.
After completing these steps, computers on the 10.10.0.0/16 subnet should be able to reach the camera at 192.168.1.X. If you're still encountering issues, double-check the configuration and ensure that the devices are properly connected to the network.