Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - charliechuck01

Pages1
#1
General Discussion / Re: Cross-VLAN Camera Access Issue: State Tracking Problem
May 22, 2025, 12:44:37 AM
Thanks for the response! Here are my firewall rules:

LAN Interface rules:
- Default allow LAN to any rule
- Specific rule allowing LAN to SecurityVLAN

SecurityVLAN Interface rules:
- Allow Reolink Camera (192.168.20.102) TCP/UDP return traffic to LAN
- Allow Reolink Camera ports specifically (80, 443, 554, 8000, 9000) via both TCP and UDP
- Allow internal SecurityVLAN communication
- Allow DNS to OPNsense
- Block SecurityVLAN from initiating LAN connections (after specific allow rules)
- Allow SecurityVLAN Internet Access

Regarding your question about Layer 3 routing on the switch:
No, all routing is handled by OPNsense. The switch (TP-Link TL-SG3428) is only doing VLAN tagging at Layer 2. It's managed via an Omada OC200 controller.

One detail that might be relevant: I'm using Hybrid outbound NAT rule generation. I have a manual rule for another device on the Security VLAN with Static Port: YES, but the automatic rules for all networks have Static Port: NO. Could this be causing the state tracking issues?
#2
General Discussion / Cross-VLAN Camera Access Issue: State Tracking Problem
May 21, 2025, 11:00:03 PM
TL;DR
I can ping my camera across VLANs but can't connect via apps. Suspect NAT/state tracking issue with port randomization breaking the connection. Any solutions?

I'm experiencing an issue with cross-VLAN access to a security camera on my OPNsense firewall. Here are the details:

## Network Configuration
- OPNsense on Protectli vault with two primary networks:
  - Main LAN: 192.168.1.0/24 (VLAN 1)
  - Security VLAN: 192.168.20.0/24 (VLAN 20)
- Reolink Argus B740X camera located on Security VLAN (IP: 192.168.20.102)

## Current Issue
- Devices can successfully connect to the camera when they're on the same VLAN (SecurityVLAN)
- Devices on the main LAN cannot establish application-level connections to the camera
- ICMP (ping) works across VLANs, but TCP/UDP application traffic fails with "state violation" errors

## What I've Confirmed
- Firewall rules are correctly configured to allow traffic in both directions
- All necessary ports (80, 443, 554, 8000, 9000) are explicitly allowed
- Ping tests from main LAN to the camera are successful
- Connection attempts from main LAN to camera result in "Default deny / state violation rule" entries in the firewall logs

## Current NAT Configuration
- Using Hybrid outbound NAT rule generation
- Have a manual NAT rule for another device on the Security VLAN with Static Port: YES
- Automatic rules for all networks have Static Port: NO
Pages1