
NVR local and VPN access only

Hello

I am running the latest version, UTM 9.411-3, at home and I have tried all sorts of tricks to get my scenario to work. I have a CCTV NVR (network video recorder) and some wifi cameras that I want to block from getting to the internet totally. But I want to have access to them when I am on the local network at home or signed into the VPN and accessing them from outside the network.

So far I have set the cameras and NVR to static IP.

Then I added them to the exclusion list in the web proxy list so I can bypass the proxy and use the firewall to control them.

In the firewall I set these rules:

devices (nvr/cam) -> any -> Internal network / vpn pool -> allow
Devices -> any -> any -> reject
Internal network -> any -> any -> allow

The devices are not accessible from the internet anymore (good), but when I try to access them after VPN into the network, they are still not accessible.

I also tried to set up a SNAT rule from VPN pool ->any->any

Source translate -> internal _address_

But it still does not work. Any advice would be appreciated.



  • So, if I understand it correctly, your NVR and cameras are sitting on another network, different from the internal network, right?

    If so, how is your SSL VPN set up? Did you allow your VPN clients to access the NVR/Cameras network on the SSL VPN profile "Local Networks" and check "Automatic firewall rules"? If you are configuring all the rules manually, then you need another rule to allow traffic coming from the SSL VPN Pool to reach the NVR/Cameras network, as your rules, as you stated, only allow traffic originating from the NVR/Cameras to pass through the firewall. Since your SSL VPN client is the one originating the connection, your firewall rules as they are won't suffice.

    Some screenshots from your setup might help us to help you. =)

    Regards,

    Giovani

  • I finally figured it out. I was using a camera app to access my cameras on my phone and it was a misconfiguration on the app as to why I could not access the cameras on the phone while on VPN. Now it works great. I actually only have to use the block rule in the firewall and removed the allow rule. The SSL remote is set just to internal and it all works. Thanks for the response. I will keep trying to make sure that it still works in all situations before I can consider it all resolved.

  • The simplest answer is usually the correct one, right? Glad you got things sorted.

    Regards,

    Giovani

  • Well, now I have another problem lol.

    It seems like the firewall does not take the rules in order. If I allow the NVR to send an email and set it above the rule to block traffic to the net it does not work even though that is rule 3. Not sure what to make of that. Any advice would be nice. I have to turn off rule 3 for it to work. But rule two should allow it. 
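    The two questions in this thread so far (why a VPN client could not reach the cameras with the original three rules, and whether an allow rule placed above a block rule is honoured) both come down to how a stateful firewall evaluates rules: top to bottom, first match wins, and the match is made against the host that opens the connection, with reply packets admitted by connection tracking. The following Python simulator is an added example, not part of the thread or of Sophos UTM; the addresses (192.168.2.0/24 for the internal network, a 10.242.2.0/24 SSL VPN pool, three camera/NVR hosts) are assumptions chosen to match the poster's log lines, not values from their screenshots.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set

# Constructed addressing (assumptions, not taken from the thread's screenshots).
INTERNAL = ipaddress.ip_network("192.168.2.0/24")   # matches the poster's DHCP range
VPN_POOL = ipaddress.ip_network("10.242.2.0/24")    # assumed SSL VPN pool
DEVICES = [ipaddress.ip_network(h) for h in
           ("192.168.2.55/32", "192.168.2.30/32", "192.168.2.29/32")]  # NVR + cameras
ANY = [ipaddress.ip_network("0.0.0.0/0")]
SMTP_PORTS = {25, 465, 587}


@dataclass
class Rule:
    name: str
    sources: list
    destinations: list
    action: str                        # "allow" or "reject"
    dports: Optional[Set[int]] = None  # None means any service

    def matches(self, src, dst, dport):
        return (any(src in n for n in self.sources)
                and any(dst in n for n in self.destinations)
                and (self.dports is None or dport in self.dports))


def evaluate(rules, src_ip, dst_ip, dport=0):
    """First-match evaluation of the connection's FIRST packet.

    src_ip is the host that opens the connection; replies flow back through
    connection tracking and never consult the rule table. Falls through to the
    implicit 'drop' when nothing matches.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for number, rule in enumerate(rules, start=1):
        if rule.matches(src, dst, dport):
            return number, rule.action
    return None, "drop"


# The three rules from the opening post, in the order given there.
OP_RULES = [
    Rule("devices -> internal / vpn pool", DEVICES, [INTERNAL, VPN_POOL], "allow"),
    Rule("devices -> any reject", DEVICES, ANY, "reject"),
    Rule("internal -> any", [INTERNAL], ANY, "allow"),
]

# The missing piece Giovani describes: a rule whose SOURCE is the VPN pool,
# because the VPN client, not the NVR, originates the connection.
FIXED_RULES = OP_RULES + [Rule("vpn pool -> devices", [VPN_POOL], DEVICES, "allow")]

# The later question: an SMTP allow rule placed above the device block rule.
MAIL_RULES = [
    Rule("devices -> internal / vpn pool", DEVICES, [INTERNAL, VPN_POOL], "allow"),
    Rule("devices -> SMTP -> any", DEVICES, ANY, "allow", SMTP_PORTS),
    Rule("devices -> any reject", DEVICES, ANY, "reject"),
    Rule("internal -> any", [INTERNAL], ANY, "allow"),
]


if __name__ == "__main__":
    cases = [
        ("VPN client opens NVR web UI, original rules", OP_RULES, "10.242.2.6", "192.168.2.55", 80),
        ("VPN client opens NVR web UI, with pool rule", FIXED_RULES, "10.242.2.6", "192.168.2.55", 80),
        ("NVR phones home on UDP 8000", OP_RULES, "192.168.2.55", "203.0.113.9", 8000),
        ("NVR submits mail on 587", MAIL_RULES, "192.168.2.55", "203.0.113.25", 587),
        ("NVR tries UDP 51700 with mail rules", MAIL_RULES, "192.168.2.55", "203.0.113.25", 51700),
    ]
    for label, rules, s, d, p in cases:
        num, act = evaluate(rules, s, d, p)
        print(f"{label:45s} -> rule {num}: {act}")
```

    Run it and the first case falls through every rule to the implicit drop, because no rule names the VPN pool as a source; adding the pool rule makes that same connection hit rule 4. The last two cases show that ordering is honoured as expected: a narrower allow above a broader reject lets port 587 through while everything else from the devices still hits the reject. If the real firewall log shows no SMTP traffic at all, the explanation is not rule order but that the NVR never sent the packet (wrong gateway or DNS), which is the check Giovani suggests further down.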

     

  • We need to see some logs in order to help you, mate.
  • Firewall live log after I pressed test email in my NVR.

     

  • I don't see any blocks on port 25 or 587 in these logs, most likely because your rules are not set up for logging.

    Please enable logging on your rules (tick the logging option under advanced) and provide us with the logs. If possible, only obfuscate your WAN and internal addresses from it, not the destination.

    Regards,

    Giovani

  • Here are some logs

    2017:04:02-16:42:25 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="220.231.142.84" proto="17" length="56" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
    2017:04:02-16:42:25 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="e8:ab:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.30" dstip="60.205.107.59" proto="17" length="60" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
    2017:04:02-16:42:25 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="20:f4:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.29" dstip="60.205.107.59" proto="17" length="60" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="e8:ab:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.30" dstip="198.105.244.24" proto="1" length="84" tos="0x00" prec="0x00" ttl="63" type="8" code="0"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="20:f4:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.29" dstip="198.105.254.24" proto="1" length="84" tos="0x00" prec="0x00" ttl="63" type="8" code="0"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="60.205.107.59" proto="17" length="56" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="e8:ab:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.30" dstip="60.205.107.59" proto="17" length="60" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="20:f4:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.29" dstip="104.250.135.114" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="51880"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="20:f4:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.29" dstip="85.195.88.14" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="51880"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="20:f4:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.29" dstip="60.205.107.59" proto="17" length="60" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="60.205.107.59" proto="17" length="56" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="e8:ab:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.30" dstip="60.205.107.59" proto="17" length="60" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="20:f4:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.29" dstip="60.205.107.59" proto="17" length="60" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="104.250.135.114" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="51880"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="85.195.88.14" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="51880"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="118.144.68.156" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="8000"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="220.231.142.84" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="8000"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="114.67.48.145" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="51880"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="43.241.76.61" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="51880"
    2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="114.119.9.170" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="969"

     

    From what I can see, only rule 4 is being activated. I turned on logging for everything. So I don't understand why rules 1-3 are not being activated, especially rule 3 seeing as it is a blocking rule. It only shows rule 4.

     

  • Well, if it's not being logged it's because no communication is happening. Are you sure your NVR has the right gateway?

    If your gateway is right, try changing your SMTP/S rule destination to "Any" and trigger an email delivery from your NVR. Then search the firewall log for entries with your NVR IP. You might just be missing the entry because of all that noise.

    Regards,

    Giovani
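    The log excerpt above and Giovani's suggestion to search it for the NVR's address are easier to act on with a small parser than by eye: the ulogd lines are flat `key="value"` pairs, so a few lines of Python can count drops per firewall rule, group the dropped flows, and answer the specific question "did the NVR ever attempt SMTP?". The script below is an added example, not code from the thread or from Sophos; the sample input is four of the poster's own log lines (MAC addresses already masked by the poster), embedded so the parser runs offline.

```python
import re
from collections import Counter

# Four ulogd lines copied from this thread, used here as sample input.
SAMPLE_LOG = """\
2017:04:02-16:42:25 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="220.231.142.84" proto="17" length="56" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
2017:04:02-16:42:25 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="e8:ab:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.30" dstip="60.205.107.59" proto="17" length="60" tos="0x00" prec="0x00" ttl="63" srcport="51700" dstport="51700"
2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="e8:ab:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.30" dstip="198.105.244.24" proto="1" length="84" tos="0x00" prec="0x00" ttl="63" type="8" code="0"
2017:04:02-16:42:26 julian ulogd[4495]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="4" initf="eth0" outitf="eth1" srcmac="28:f3:xx:xx:xx:xx" dstmac="00:01:xx:xx:xx:xx" srcip="192.168.2.55" dstip="118.144.68.156" proto="17" length="72" tos="0x00" prec="0x00" ttl="63" srcport="51880" dstport="8000"
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):\s")   # timestamp, host, process
KV_RE = re.compile(r'(\w+)="([^"]*)"')                 # key="value" pairs
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}
MAIL_PORTS = {"25", "465", "587"}


def parse_line(line):
    """Turn one ulogd packetfilter line into a dict; None if it is not one."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group(1), "host": m.group(2), "process": m.group(3)}
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def drops_by_rule(records):
    """How often each firewall rule number produced a drop."""
    return Counter(r["fwrule"] for r in records if r.get("action") == "drop")


def flows(records):
    """Dropped flows keyed by (source IP, protocol, destination port)."""
    return Counter((r["srcip"],
                    PROTO_NAMES.get(r["proto"], r["proto"]),
                    r.get("dstport", "-")) for r in records)


def entries_for_host(records, ip):
    """Giovani's check: every entry where the given host is source or destination."""
    return [r for r in records if ip in (r.get("srcip"), r.get("dstip"))]


def mail_attempts(records, ip):
    """TCP connections from the host to a mail submission port, if any were logged."""
    return [r for r in entries_for_host(records, ip)
            if r.get("proto") == "6" and r.get("dstport") in MAIL_PORTS]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("drops per rule:", dict(drops_by_rule(recs)))
    for (src, proto, port), n in flows(recs).most_common():
        print(f"  {src:15s} {proto:5s} dport {port:6s} x{n}")
    nvr = "192.168.2.55"
    print(f"entries involving {nvr}:", len(entries_for_host(recs, nvr)))
    print(f"SMTP attempts from {nvr}:", mail_attempts(recs, nvr))
```

    On the sample the only rule number that appears is 4, and `mail_attempts` returns an empty list: nothing from the NVR on TCP 25, 465 or 587 was dropped, which is the same observation Giovani makes from reading the excerpt. Run against the full live log that distinguishes "the mail rule is being overridden" (you would see drops on those ports attributed to a later rule) from "the NVR never sent the mail" (no entries at all), which is what the gateway check is about.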

  • Let's back up and let me give you the complete settings I have on the UTM to make sure that I didn't mess something up there. And now the SSL VPN is not working: I went to Google and tried to find my IP and it was not my home network, it was the one I am using currently. So something is wrong someplace.

     

    Interfaces and routing

    Internal and external added by installation wizard

    Nothing else is configured in the rest of the options 

     

    Network Services

    DNS -> Internal,

    Forwarders -> checked "use assigned by ISP",

    DynDNS setup to my DDNS service ( works ok from what I can tell)

    DHCP server set up 192.168.2.1 - 192.168.2.254 DNS server one 192.168.1.100 and default gateway is the same. WINS Node type b-node (no WINS)

    Nothing else under network services

     

    Network protection

    Firewall

     

    NAT masquerading rule network internal -> interface: external

    Nothing in NAT rules

    Intrusion prevention

      

    nothing else configured.

    Web protection

      

    Https scanning is turned off. 

     

    web filtering profiles

      

    advanced threat protection

    web application firewall

      

     

    SSL remote connection

    user -> local networks internal

    settings interface any ->protocol tcp -> port 443

    virtual ip pool VPN POOL SSL

    advanced settings

    advanced

     

    That's it, those are all of my settings. Please let me know if something is messed up, as to why nothing is working.