The Mystery of the Inaccessible IP Cameras👻

I’m struggling so any help that anyone can provide would be awesome!

I’m trying to incorporate a Home Assistant server, a 5-port POE switch, a Reolink NVR, 3x Reolink cameras, and a Reolink doorbell into my network. Here is the set up:

I want:

  • Main PC to have full access to the Internet (complete), the Home Assistant server (complete), the Reolink NVR and NVR connected cameras (complete), and the switch connected Reolink cameras (incomplete - these are currently accessible when connected to the NVR but not the 5-Port switch).
  • Home Assistant to have partial access to the Internet (incomplete), full access to the Reolink NVR and NVR connected cameras (complete) and the switch connected Reolink cameras (incomplete - same as above).
  • Reolink devices to be locked down with no ability to access the Internet or other local networks (complete)

Current Rules:

  • Main PC is on the main LAN called “SecureLAN”. Rule is set to Pass on Any Protocol and Any Destination.
  • Home Assistant server is on HomeAssistantNet VLAN. Rule is set to Pass on Any Protocol to the CamNet subnets
  • Reolink devices are on CamNet. Rules are set to inverse Pass on Any Protocol to SecureLAN and Pass on Any Protocol from HomeAssistantNet subnets to CamNet.

Everything is working except I cannot access the 5-port switch connected cameras. The 24-port switch seems to be passing the VLAN info correctly as the 5-port switch connected cameras are on the appropriate VLAN because pfsense is handing them IPs on the appropriate subnet. Yet, any attempt to connect to these cameras using the IP address times out. I have connected all of the cameras to the NVR and they work appropriately when doing so. Also, I have updated the firmware on the NVR and the cameras. I also tried using the Windows Reolink client to connect to the cameras but it times out as well.

I’m sure there is a firewall rule(s) that I’m not getting right. Any thoughts?

It would be nice to actually see screenshots of your rules per interface.

Thanks for your reply, @xMAXIMUSx! Here’s what I have:

SecureLAN

HomeAssistantNet

CamNet

Is your 5 port PoE switch managed or unmanaged ?

@neogrid It is unmanaged. TP-Link TL-SG1005P.

Perhaps that is the source of your problems, if you were to plug your cams into the 24 port switch and see if your cams are now accessible then it’s probably the poe switch.

@neogrid Possibly. I just bought it used and yesterday was my first time testing it. I had thought about putting the cameras directly on the 24-port switch but its not POE and I don’t have any injectors at the moment.

It seems strange that pfsense would still detect the cameras and assign IP addresses if the switch wasn’t working, though.

Ok I see, it might be your rules but I can’t really follow them.

If you connect a 2nd laptop to the PoE switch and then your 24 port on the same vlan it will be the same thing.

Generally I’d suggest you use managed switches if you’re running vlans, I’d guess you might have problems otherwise.

@neogrid Thanks for the testing idea. I plugged the 5-port switch into the back of the NVR and the NVR system located the attached camera immediately. I think we are looking at a rules issue.

Your rules seem a bit off. SecureLAN already has access to HomeAssistantNet so there is no need to have that top rule on the HomeAssistantNet interface.

Same thing with CamNet interface, no need to add the source from Homeassistant81subnet. You should are building your rules on a per interface your source will always be the subnet of that interface and if you want to block anything from the source interface from getting out to other VLAN’s then you simply apply a block from the interface subnet to destination.

I simplify this by adding a few rules that block all RFC1918 (Private addresses) with an alias and then I allow out what I want. See the example below.

You will need only the bottom most 2 rules. Notice that I created an alias for RFC1918 and then created a rule that says “Allow all traffic EXECPT private networks”. Then there is the DNS rule that allows my GUEST subnets to talk to the GUEST address for DNS queries. Optionally you can call that top rule to block all DNS traffic EXCEPT to the GUEST address for DNS, but its not needed.

Also note how every rule has the source as the GUEST subnet. This is what you need to be doing when creating your firewall rules and causing you confusion in your rules. You ALWAYS do your blocks and allows based on the interface subnet for the source ONLY.

Example of allowing the Interface subenet to have access to a different VLAN and allowing HTTP and HTTPS:

Alias settings:

@xMAXIMUSx Thanks so much for your reply. I am still new to all of this so your explanation on best practices for setting rules is great.

I appreciate you and @neogrid jumping in to help. It turns out that the issue was not with the switch or the rules. It was actually with how the port was set up in the 24-port switch. For all of the other devices, I had the ports on the VLAN untagged, but I had the port to the 5-port switch tagged. I changed it to untagged and was granted immediate access to the switch connected cameras.