RTSP stream being blocked BLUE to GREEN

I’m trying to make some RTSP streams available from GREEN zone to BLUE zone, but they are being blocked. Access to the cameras works fine. Picture is displayed in the camera’s internal software, however, when I pull up the stream in VLC… nothing!
Outgoing Firewall Rule #1 ALLOW, All protocols, Source firewall BLUE, Destination CIDR range
HTTP works. Camera images display.
RTSP blocked.

What am I missing?

This is not a good idea. Everything might as well be in the same network.
Assuming the CIDR is Green?

A service group rule would be better, and a network group for cameras.

But the point is that it didn’t work. Once something is working, it can be tightened down.

It would help to see a screenshot of the rule involved.

The description says that the source is firewall blue, not the blue subnet, which, if true, would not do what is expected.

We need to see the details of the actual rule defined.

1 Like

Hi @wolfie

Welcome to the IPFire community.

Yes, you have used the firewall as your source.

Your firewall rule for a Blue to green pinhole should end up in the section circled.


In the wiki it says that the use of the firewall entry is for:

The firewall dropdown menu allows an easy selection of the firewall's IP addresses. They can be selected to create rules which filter packets that are originating from or directly sent to the firewall system.

You don’t want the rules to be controlling things originating from the firewall system but from the blue subnet.

https://www.ipfire.org/docs/configuration/firewall/rules/bg-holes

Note in step 1 that the source is chosen to be an IP or a network and not the firewall entry on the right hand side.

This wiki section should help you get your firewall rule correctly defined.

Come back if you still have problems after reading through it and trying it out.

EDIT:

When you are trying out firewall rules for the first time, I would definitely suggest enabling the logging so that you can see what the firewall is actually doing with the packets that are sent.

3 Likes
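The logging suggestion above, worked through on firewall log lines, as an added example that is not part of the thread: it counts packets dropped while being forwarded from BLUE to GREEN and lists the clients whose RTSP connections never got through. The log prefixes (`DROP_FORWARD`, `DROP_INPUT`, `FORWARDFW`), the `blue0`/`green0` interface names, the addresses and the use of TCP port 554 for RTSP are assumptions about the setup.

```python
import re
from collections import Counter

# Constructed sample in the kernel's netfilter LOG format. The log prefixes
# (DROP_FORWARD, DROP_INPUT, FORWARDFW), the blue0/green0 interface names and
# all addresses are assumptions for illustration, not values from the thread.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: FORWARDFW IN=blue0 OUT=green0 SRC=192.168.2.50 DST=192.168.1.20 LEN=60 TTL=63 PROTO=TCP SPT=50990 DPT=80 SYN
Jan 10 12:00:05 fw kernel: DROP_FORWARD IN=blue0 OUT=green0 SRC=192.168.2.50 DST=192.168.1.20 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=554 SYN
Jan 10 12:00:06 fw kernel: DROP_FORWARD IN=blue0 OUT=green0 SRC=192.168.2.50 DST=192.168.1.20 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=554 SYN
Jan 10 12:00:09 fw kernel: DROP_INPUT IN=blue0 OUT= SRC=192.168.2.77 DST=192.168.2.1 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22 SYN
"""

PREFIX = re.compile(r"kernel:\s+(\S+)\s+IN=")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")
RTSP_PORT = 554  # default RTSP control port (TCP)


def parse_line(line):
    """Return the KEY=value fields of one LOG line plus its prefix, or None."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = dict(FIELD.findall(line))
    rec["ACTION"] = m.group(1)
    return rec


def dropped_forwards(log_text, in_if="blue0", out_if="green0"):
    """Count dropped packets routed in_if -> out_if per (src, dst, proto, dport)."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ACTION"].startswith("DROP"):
            continue
        if rec.get("IN") != in_if or rec.get("OUT") != out_if:
            continue
        key = (rec.get("SRC"), rec.get("DST"), rec.get("PROTO"), int(rec.get("DPT") or 0))
        flows[key] += 1
    return flows


def rtsp_blocked_clients(flows):
    """Source addresses whose TCP connections to the RTSP port were dropped."""
    return sorted({src for (src, _dst, proto, dport) in flows
                   if proto == "TCP" and dport == RTSP_PORT})


if __name__ == "__main__":
    for flow, hits in dropped_forwards(SAMPLE_LOG).items():
        print(hits, "dropped:", flow)
    print("RTSP blocked for:", rtsp_blocked_clients(dropped_forwards(SAMPLE_LOG)))
```

In this sample the HTTP connection is accepted while the RTSP SYNs are dropped in the forward path, which is the pattern a rule with the firewall as its source would leave behind for traffic from BLUE clients.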

So it sounds like you have a wifi camera on blue and want to view it on green with a computer.

It should be the same way when I had my nvr on green and my doorbell cam on blue.

I reserved an IP outside the DHCP pool for my wireless doorbell cam that is on blue.

Then I added to the firewall rules: ALL, (ip address of web cam on blue) to green, Accept

Because you can send from green to blue, but not receive by default.

Of course this would work the same way if you were trying to use a mobile phone on blue to connect to a green camera.

What @bonnietwin says: You need to select the BLUE zone and not just the BLUE interface of the firewall.

I’m with @hvacguy saying it’s a bad idea to merge the blue network to green.

It’s better to static the device on blue and grant it access to green.

Same problem. HTML works fine, RTSP blocked.

At this point, it’s turning into more trouble than it’s worth. RTSP is being blocked. I don’t know why. There’s nothing in the logs. I have no way to troubleshoot this problem. So that’s that! I do have access to the cameras via HTML, so that’s just going to have to suffice. Time to put this puppy to bed and call it a day.

Much appreciation to everyone who has contributed their valuable time trying to diagnose this problem. I’m very impressed with the level of support I’ve received.

THANK YOU EVERYONE! You’re the best!

1 Like

It could be using unicast/multicast.

I think it’s because of your firewall entries.
Because I selected the “standard network” → color instead of entering the IP net.

My wireless doorbell used to point to green, now it points to orange since I moved the NVR to Orange and blocked the whole orange network internet access as I am using orange for my devices that I don’t want them to have internet access. Also, you will see I blocked the doorbell to the internet as well since it communicates to the NVR and all the push notifications of the doorbell go through the NVR app. I did this because the doorbell app and the NVR were sending me the same push notifications and I was tired of seeing the alert twice on my phone, but I have to keep the doorbell phone app since its port 80/443 server is disabled by the manufacturer.