Unable to access Reolink IP cams from different VLAN

tchubaba

In my home network, I have setup VLANs to segregate cameras from the main subnet (MAIN and CAM VLANs). My router runs OPNSense. I have successfully configured the two VLANS and created a firewall rule to allow access from MAIN to CAM. Both VLANs currently have internet access (temporarily, to make it easier to access the cams remotely. The plan is to disable internet access in the CAM VLAN soon.). So the issue is that, from a Windows PC on the MAIN subnet, I cannot connect to a camera on the CAM subnet via IP address using the Reolink client. I certainly am able to ping the camera's IP address, proving that the firewall rule does work, but it fails to connect via the Windows client. If I use the UID feature, I am able to connect, but this is not ideal since I mentioned I intend on disabling internet access in the CAM VLAN.

So my question is: why is it that I am unable to connect to the Reolink cameras via IP address when they are in a different subnet, even though I have a firewall rule allowing access from MAIN to CAM and I can ping them from MAIN? Are there any further steps I need to follow in order to connect to them via IP address across VLANs? I have two Reolink Argus 3 Pro and one Reolink TrackMix Wifi cameras and the issue is present in all of them. They are all running the latest firmware.

Any help is appreciated!

PS: This is the OPNSense firewall rule allowing access from MAIN to the Reolink cams (reolink_cams is an alias:

Rule:
Action: Pass
TCP/IP Version: IPv4
Protocol: any
Source: MAIN net
Dest/Invert: unchecked
Destination: reolink_cams
Dest Port: any
Description: Allow access to Reolink cams

Alias:
Name: reolink_cams
Type: Host(s)
Content: (the cameras IP addresses, which are static)
Description: Reolink IP cams

joseph_1979

@tchubaba Try to source nat your traffic so to the camera it looks like it came from the IP of opnsense in this network. Client and cams have to be on same subnet. Their design.

tchubaba

@joseph_1979 Thanks Joseph. I suppose blocking access from a different subnet is a security feature, but it would be nice if I could configure this to my liking as an end user. In any case, I've read about the proposed solution in other discussions elsewhere as well, however, I'm not entirely sure how to accomplish this in OPNSense. I have tried using Outbound NAT rules but either I'm doing something wrong or this is not how I should do this. I suppose this is out of scope for this forum, but if you could point me in the right direction I'd appreciate it!