
Can't access NVR or CCTV cameras on internal Vlan from Internet

My setup is:

FritzBox ------> IoT / Home automation server and sensors
    |
Sophos UTM on exposed host ----> Internal Trusted Network
    |
    Vlan 3 CCTV
    Vlan 5 Media
    etc.

I can use a PC on the Internal Trusted Network to access the Cameras & NVR on Vlan 3, but only after turning on Web Filtering in Transparent mode. I cannot access the Cameras & NVR on Vlan 3 from the Internet, and I have tried multiple ways of setting the DNAT but am not having any success.

  • Can you draw a topology? Nobody answered, which means nobody understood.

  • My internal secure network is on ETH0 and the Vlans are all on ETH2. I can access the NVR and Cameras from ETH0, but only after turning on transparent mode web filtering and setting the NVR ports back to their defaults and not custom ports. However, I cannot access the NVR or Cameras from the internet using TCP ports 30080, 38000 and 30554, which I then translate to ports 80, 8000 and 554 in the NAT rule. I have tried using DNAT and Full NAT rules, but all I get is ERR_ADDRESS_UNREACHABLE.

  • Accessing from internal: have you made a firewall rule to allow traffic from one network to the other? Can you ping by IP?

    From internet:

    If you hit your external IP (for example from a 3G mobile) to access the NVR, you should see a grey line in the Firewall Live Log. Otherwise the problem is the FritzBox.
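    The check this post describes (hit the WAN address from outside, then look at the firewall log for the forwarded ports) as an added Python example; it is not code from the thread or from Sophos. It assumes the UTM's key="value" packetfilter log format, uses constructed log lines with made-up addresses, and takes the external ports 30080/38000/30554 from the original poster's description.

```python
import re

# Constructed sample lines in the key="value" style of the Sophos UTM packetfilter
# log (assumed format; addresses, rule ids and timestamps are made up).
SAMPLE_LOG = """\
2019:02:10-18:02:11 utm ulogd[5014]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="198.51.100.20" proto="6" srcport="51000" dstport="30080" tcpflags="SYN"
2019:02:10-18:02:12 utm ulogd[5014]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="3" initf="eth1" srcip="203.0.113.7" dstip="198.51.100.20" proto="6" srcport="51001" dstport="38000" tcpflags="SYN"
2019:02:10-18:02:13 utm ulogd[5014]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1" srcip="203.0.113.7" dstip="198.51.100.20" proto="6" srcport="51002" dstport="22" tcpflags="SYN"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Published port -> internal port, as given by the original poster.
FORWARDED_PORTS = {30080: 80, 38000: 8000, 30554: 554}

def parse_line(line):
    """Split one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))

def triage(log_text, wan_if="eth1", ports=FORWARDED_PORTS):
    """Count, per published port, the TCP SYNs that arrived on the WAN interface
    and whether the packet filter dropped or accepted them."""
    result = {p: {"seen": 0, "drop": 0, "accept": 0} for p in ports}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only TCP SYNs arriving on the WAN interface matter for this check.
        if rec.get("sub") != "packetfilter" or rec.get("initf") != wan_if:
            continue
        if rec.get("proto") != "6" or "SYN" not in rec.get("tcpflags", ""):
            continue
        port = int(rec.get("dstport", "0"))
        if port not in result:
            continue
        result[port]["seen"] += 1
        if rec.get("action") in ("drop", "accept"):
            result[port][rec["action"]] += 1
    return result

def diagnose(result, ports=FORWARDED_PORTS):
    """Map the counts onto the three outcomes the post distinguishes."""
    notes = {}
    for port, c in result.items():
        if c["seen"] == 0:
            notes[port] = "no SYN on WAN: traffic never reached the UTM, check the upstream router"
        elif c["drop"] and not c["accept"]:
            notes[port] = "reached the UTM but was dropped: no DNAT/firewall rule matched"
        else:
            notes[port] = f"accepted on WAN: check the path to internal port {ports[port]}"
    return notes

if __name__ == "__main__":
    for port, note in diagnose(triage(SAMPLE_LOG)).items():
        print(port, note)
```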

  • Only DNAT should work. Do these simple checks step by step, beginning with the WAN address.

  • Hi Trevor and welcome to the UTM Community!

    We can dig into this as an exercise if you want, but the easiest solution is to forego all the NAT rules and just access via VPN.  The easiest is the SSL VPN - just configure a Profile with what you want to be able to reach and select 'Automatic firewall rules'.  You can download the client and config from the 'Users' tab of 'Users & Groups'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello BAlfson, thanks for your suggestion. I'm not sure from looking at the online help if this will work for me, as I need to access the NVR from 2 Android devices, not from a PC. Sorry I did not include this piece of information in my original post. If it makes any difference, I already have a DDNS service set up that uses Let's Encrypt certificates to access my home automation front end. One change I have made is that the connection from the FritzBox is now a normal ethernet connection and not an exposed host. Even though this means I have a double NAT to the UTM, I can now see the requests going to the WAN interface and I can see the DNAT rule passing the call, but the connection still times out.

    Thanks Trevor

  • The OpenVPN client is free for Android and works well.  It's easier to load a configuration for iPhone or Android via the User Portal.

    Cheers - Bob

     
  • Hi BAlfson

    I will look into that. I'm rather new to this; for 25+ years I only had a flat network, and the most difficult thing I had to do was some port forwarding and static IPs. Now in my mid 50s, due to stability issues & security concerns with CCTV & home automation all on one network, I find myself having to learn about things that I never had to worry about until a few months ago.

    Thanks Trevor

  • Hi BAlfson

    This suggestion worked great. Thanks for your insight. I had been trying the other way for over a week and not getting far, but managed it after a couple of attempts doing it with a VPN.

    With Thanks Trevor