-
In my home network, I have set up VLANs to segregate cameras from the main subnet (MAIN and CAM VLANs). My router runs OPNsense. I have successfully configured the two VLANs and created a firewall rule to allow access from MAIN to CAM. Both VLANs currently have internet access (temporarily, to make it easier to access the cams remotely; the plan is to disable internet access in the CAM VLAN soon). So the issue is that, from a Windows PC on the MAIN subnet, I cannot connect to a camera on the CAM subnet via IP address using the Reolink client. I certainly am able to ping the camera's IP address, proving that the firewall rule does work, but it fails to connect via the Windows client. If I use the UID feature, I am able to connect, but this is not ideal since, as I mentioned, I intend to disable internet access in the CAM VLAN.
So my question is: why is it that I am unable to connect to the Reolink cameras via IP address when they are in a different subnet, even though I have a firewall rule allowing access from MAIN to CAM and I can ping them from MAIN? Are there any further steps I need to follow in order to connect to them via IP address across VLANs? I have two Reolink Argus 3 Pro and one Reolink TrackMix Wifi cameras and the issue is present in all of them. They are all running the latest firmware.
Any help is appreciated!
PS: This is the OPNsense firewall rule allowing access from MAIN to the Reolink cams (reolink_cams is an alias):
Rule:
Action: Pass
TCP/IP Version: IPv4
Protocol: any
Source: MAIN net
Dest/Invert: unchecked
Destination: reolink_cams
Dest Port: any
Description: Allow access to Reolink cams
Alias:
Name: reolink_cams
Type: Host(s)
Content: (the cameras IP addresses, which are static)
Description: Reolink IP cams
-
@tchubaba Try to source-NAT your traffic so that, to the camera, it looks like it came from the IP of OPNsense in that network. Client and cams have to be on the same subnet. Their design.
-
@joseph_1979 Thanks, Joseph. I suppose blocking access from a different subnet is a security feature, but it would be nice if I could configure this to my liking as an end user. In any case, I've read about the proposed solution in other discussions elsewhere as well; however, I'm not entirely sure how to accomplish this in OPNsense. I have tried using Outbound NAT rules, but either I'm doing something wrong or this is not how I should do this. I suppose this is out of scope for this forum, but if you could point me in the right direction I'd appreciate it!
-
@tchubaba VLANs are pretty technical. Could it be that another rule is required to allow traffic FROM the cam VLAN TO the main VLAN?
In addition to testing with ICMP (ping), if these are RLC cameras, they also have a web server on both port 80 (http) and 443 (https). Might be worth checking if those respond to a connection from the main VLAN.
-
@crimp-on_62210811129 As per what Joseph posted above, the issue appears to be that Reolink cameras, by design, do not accept connections from devices in a different subnet. I would not want to create any rules that allow traffic from the IoT VLAN to the MAIN VLAN, as that would negate the benefit of segregating these devices by VLANs in the first place. I am able to connect to other non-Reolink devices I have in the IoT VLAN with just one firewall rule allowing traffic from MAIN to IoT.
The TrackMix camera I have does have a web server indeed, but I also cannot connect to it across VLANs; pinging it, it seems, is the only thing I can do.
-
@tchubaba I was thinking of a very specific firewall rule,
i.e. "allow this one IP address (camera) to connect to this one IP address (Reolink Client machine, or the computer running the web browser if it is different) on these specific TCP ports".
My thinking is that it is actually not clear whether a "connection" has been made or not, i.e.:
- A TCP request comes into the camera.
- The camera replies, accepting the connection request.
- The firewall blocks the ACK from going back to the computer making the request.
An ICMP packet is not the same as a TCP or UDP packet, so the firewall rule affecting TCPv4 will not affect it.
Search for "ICMP packet wiki"
(Because Reolink does not allow us to include URLs in messages.)
-
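The distinction made in the reply above (a ping succeeding says nothing about whether a TCP handshake completes) is easy to check directly from the MAIN-side PC. The script below is an added example written for this thread, not code from Reolink or from any poster. It probes the camera's service ports and classifies each as open, refused (a RST came back, so routing and the pass rule work but nothing is listening), or timed out (no reply at all, which is what a dropped SYN-ACK or a silently ignored off-subnet source looks like). Ports 80 and 443 come from the thread; 554 (RTSP), 8000 (ONVIF) and 9000 (Reolink client media port) are the vendor's usual defaults and are assumptions here, as is the sample camera address 192.168.20.10. The `selftest()` function probes a listener on localhost so the classifier can be exercised without a camera.

```python
"""Probe a camera's TCP ports from another VLAN and classify what comes back.

Added example for this thread; not Reolink's or OPNsense's code.
"""
import errno
import socket
import sys

# 80/443 are mentioned in the thread; the rest are assumed Reolink defaults.
DEFAULT_PORTS = {80: "http", 443: "https", 554: "rtsp",
                 8000: "onvif", 9000: "reolink-media"}


def probe_tcp(host, port, timeout=2.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for host:port.

    open        -> three-way handshake completed: the pass rule and return
                   path both work for this port.
    refused     -> a RST came back: the SYN reached a host that answered,
                   but nothing listens on that port.
    timeout     -> no SYN-ACK and no RST: a firewall dropping the SYN or the
                   SYN-ACK, or a host that ignores off-subnet sources.
    unreachable -> the local stack has no route to the host.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        return "error:%s" % e.strerror
    finally:
        s.close()


def probe_camera(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Probe every port in `ports` and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def diagnose(results):
    """Collapse a {port: state} map into one conclusion."""
    states = set(results.values())
    if "open" in states:
        return "tcp-reachable"
    if states == {"refused"}:
        return "host-answers-but-no-service"
    if "timeout" in states and "refused" not in states:
        return "silently-dropped"
    return "mixed"


def selftest():
    """Offline check: probe a local listener, then the same port once closed.

    Returns {'listening': state, 'closed': state}; expected open / refused.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port on loopback
    srv.listen(1)
    port = srv.getsockname()[1]
    listening = probe_tcp("127.0.0.1", port, 1.0)
    srv.close()
    closed = probe_tcp("127.0.0.1", port, 1.0)
    return {"listening": listening, "closed": closed}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.20.10"  # assumed cam IP
    res = probe_camera(host)
    for port, state in sorted(res.items()):
        print("%s:%-5d %-14s %s" % (host, port, DEFAULT_PORTS.get(port, "?"), state))
    print("conclusion:", diagnose(res))
```

Run it as `python probe_cam.py 192.168.20.10` from the MAIN PC. If every port times out while ping succeeds, the firewall's ICMP handling is not the problem; either the TCP reply path is being blocked or the camera is ignoring the off-subnet source, which is exactly the case that source NAT from the CAM interface address would mask.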
You need to use the Outbound NAT rule (manual) and assign the IPs. Otherwise, try to use 1:1 NAT as a start.
-
@tchubaba I also use OPNsense and also use a separate VLAN for video. I think this NAT stuff is a bad idea. If you want to do it, however, it's done under Firewall, NAT, Outbound. Set up manual rules for interface Video (or whatever you called that VLAN) to mirror VLAN LAN (except, of course, don't include Video in the list of sources). This would mean a connection from LAN to VIDEO would use the Video interface address as the source as seen by the camera.
The problem with this is that it does not pass broadcast, and I suspect the issue is the clients are using mDNS or similar garbage configuration tools that rely on broadcasts.
I cannot speak for all cameras, but I just tested my only Reolink, an RLC-823A 16x, and it works fine. I initially configured it in the Android client (as it didn't seem to want to pull a DHCP address) while the camera was plugged into a LAN (not VIDEO VLAN) port. Then I used the web browser to change the IP to a VIDEO subnet address, and switched that switch port to the Video VLAN. Everything then worked, except the client lost sight of it; delete camera, add back in by explicit IP address (NOT letting it search), and then the client worked. To test the Windows client I downloaded it, did the same, and that worked also. And it works with Blue Iris just fine, and the web browser. I have OPNsense configured to allow connection from LAN to VIDEO, but not from VIDEO to LAN (except for NTP), so the cameras cannot get access outbound, but will respond to connections from inside.
Again, this is one (newer) camera; others may work differently, but I would suggest testing a similar approach and avoiding NAT, as I doubt NAT will fix the issue. It might, and OPNsense can do it, but NAT doesn't carry broadcast (at least not in any normal setup). And normally vendors doing this is not because of security but because they rely on broadcast messages, and both separate VLANs (by default) and NAT (almost always) will block broadcast.
It is possible to carry broadcasts between VLANs (not sure about when NAT is involved), but you can look up "broadcasts across VLANs" if you want to head down that rathole. However, I would first see if static IP addresses in client and camera won't solve your problem.
It's pretty clear Reolink is aimed more at "I do not understand computers and do not plan to learn" crowd, and anyone knowing the term "OPNsense" is already out of that class.
Linwood
Unable to access Reolink IP cams from different VLAN