Can't access camera on newly created Cam VLAN

I’ve followed a number of different videos to segment my home network and have learned quite a lot from this channel/forum, but I’ve hit a snag when creating a Cam VLAN. I’ve created the VLAN, I can connect to it from various devices and it doesn’t have internet access (huzzah!) but I don’t seem to be able to actually access a camera after switching it over to the Cam VLAN, either from the Cam VLAN or LAN. I can ping 10.10.30.1 from both and if I connect both my PC and Android to the Cam VLAN I can ping each device. But I changed the profile of the port of one of my POE Cams to the Cam VLAN and am unable to ping it (or access the POE Cam’s GUI like I can for other cams still on my LAN). Pinging the cam’s old LAN address (10.10.10.125) gives me a “Destination Host Unreachable” and pinging the new one (10.10.30.10) gives me a “Request Timed Out”. I’ve tried to paste screenshots of relevant info, but please let me know if anything further would be helpful…(edit: the first set of Firewall rules is for the LAN, sorry for cutting off the top)

P.S. And yes, I know the tutorial suggests putting the NVR/Controller on the same subnet, but that would wreck a few backup scripts currently running. I assume everyone would think this isn’t the most secure way to set this up, but I’d love to get over this hurdle and get everything with BlueIris back up and running before I start moving the BlueIris box behind the cam VLAN/subnet…

Have you power cycled the camera? It may just be that it hasn’t refreshed its IP address via DHCP yet.

Edit: I guess this is not the problem since you know the new IP address. Sorry, it’s late here :sweat_smile:

For testing, try to loosen up your rules on the cam VLAN and allow all traffic without restrictions. If successful, then try to tighten up the rules again.

Regarding the security aspect of having the NVR on a different network from the cameras: This is actually an example of a more general problem. Unless you put extra measures in place like IP-MAC Binding and Port Security, a threat actor could theoretically spoof a camera’s IP address and gain access to parts of the overall network that they shouldn’t. But perhaps the more pressing concern is that all the traffic between the cameras and NVR is now forwarded through the router instead of being switched, which negatively impacts your router’s performance.

I think this is a good suggestion and something I will try anyway, but in the Unifi Controller Software it states that the IP is one I assigned in the DHCP server for the new VLAN.

So you’d recommend, for example, just the last “* to *” rule as a beginning test?

Yikes! I don’t want to negatively impact anything! So it sounds like it would be best to put the BlueIris PC behind the Cam VLAN (eventually) and then give the BlueIris PC access to the WAN?

Yeah. Set a wide open rule for testing.

Well, I disabled all the rules except the bottom “* to *” rule and thankfully I was able to access the Cam residing on the cam VLAN (as well as various other Cam VLAN clients). One by one, I re-enabled the rules top to bottom and each time everything still worked as expected…all the way to the last rule! Nothing worked, then I simply disabled all the rules, then re-enabled them and everything worked. I guess I’ll take it, but I hate when a problem gets solved with the ole “have you tried turning it off and on?”

There is one issue though: I am able to ping around 10.10.30.x and I’m blocked from other networks and the internet, but I’m unable to ping my Blue Iris PC when connected to the Cam VLAN. Is there a conflict in the rules passing traffic from Cam Net to 10.10.10.7 and the following one blocking Cam Net to LAN Net (10.10.10.x)?


Are you sure that the blue iris server itself allows ICMP traffic?

Your rules only allow TCP traffic; for ping you need to add a rule for ICMP traffic - select ICMP as the traffic type, any as ICMP subtypes.
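As an added example (not from the thread) of why both the protocol field and rule order matter for the question above: a small first-match evaluator run over a rule set constructed to mirror the rules described in the posts (an allow from Cam Net to 10.10.10.7, followed by a block from Cam Net to LAN Net). The subnet masks, rule names and the default action for unmatched traffic are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed networks matching the addresses quoted in the thread;
# the /24 masks are assumed.
CAM_NET = ip_network("10.10.30.0/24")
LAN_NET = ip_network("10.10.10.0/24")
BLUE_IRIS = ip_network("10.10.10.7/32")


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "block"
    src: object      # ip_network, or None for "any"
    dst: object      # ip_network, or None for "any"
    proto: str       # "tcp", "udp", "icmp" or "any"


def matches(rule, src, dst, proto):
    """True if a packet (src, dst, proto) is covered by this rule."""
    return ((rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and rule.proto in ("any", proto))


def evaluate(rules, src, dst, proto):
    """First-match evaluation, top to bottom. Returns (action, rule name).
    The default for unmatched traffic is assumed to be allow."""
    src, dst = ip_address(src), ip_address(dst)
    for rule in rules:
        if matches(rule, src, dst, proto):
            return rule.action, rule.name
    return "allow", "default"


def tcp_only_rules():
    # The allow to the Blue Iris box is TCP-only, so an ICMP echo falls
    # through to the block rule below it: ping fails, the web GUI works.
    return [Rule("cam->blueiris", "allow", CAM_NET, BLUE_IRIS, "tcp"),
            Rule("cam->lan block", "block", CAM_NET, LAN_NET, "any")]


def any_proto_rules():
    # Same layout with the allow widened to all protocols: ping now passes.
    return [Rule("cam->blueiris", "allow", CAM_NET, BLUE_IRIS, "any"),
            Rule("cam->lan block", "block", CAM_NET, LAN_NET, "any")]


def reordered_rules():
    # Same two rules with the block listed first: the allow is unreachable
    # because the broader block matches before it is ever consulted.
    return list(reversed(any_proto_rules()))
```

The evaluator models the two-rule ordering question only; it does not model the host's own firewall, which is why the reply above also asks whether the Blue Iris server itself accepts ICMP.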

I can ping the Blue Iris PC from my LAN network (e.g. 10.10.10.10 to 10.10.10.7), so I assume so.

They def used to (see screenshot in first post), but I thought I changed it (see screenshot in last post) to allow all protocols. Does it look wrong?

I tested just your suggestion (changed any to ICMP/any) and still was unable to ping 10.10.10.7 from the Cam VLAN.

Sorry to bump, just curious if there were any further troubleshooting suggestions for allowing my Cam VLAN to access the Blue Iris box on the LAN?

It might not matter, but you have ANY as the source on the first rule on your cam interface. You should switch the source to CAMS net.

Also, your allow-all rule at the bottom needs to have the source set to CAMS net.

Like this?

If so, unfortunately I was still unable to ping 10.10.10.7 when connected to the Cam VLAN.

Can you show me what ipconfig shows in a command prompt?

Let me know if the “media disconnected” output above this is of any use…

Hey, sorry to bump, and apologies for my previous delayed response. Anybody have any ideas for troubleshooting the (in)ability to access the Blue Iris box (resides on the LAN network) from the Cam VLAN network?