BI Remote Viewing via WAN address. 2 servers, one works the other doesnt

achalmersman (Pulling my weight, Delaware USA)
Good evening and Merry Christmas to all!

I have 2 Blue Iris servers whose web servers I am trying to view remotely via my public IP. One (mine) is on my local network and works fine. I have a NAT rule in my pfSense firewall to translate my public address xxx.xxx.xxx.xxx:81 to private address 192.168.1.13:81. This is working correctly. I have another server (Dad's) that is hooked full time to another subnet on my network via VPN that I cannot get to work. I am trying to use port 82 for it. I created the same NAT rules (xxx.xxx.xxx.xxx:82 resolves to private 192.168.30.4:82); logs show the NAT rule is working, but the web server interface will not appear. I have tried disabling Windows Firewall, etc. If I browse the LAN address from another LAN PC I can view the 2nd server's web interface, so I know the web server is working. I feel like I am being dumb here. What am I doing wrong? Pictures attached, which include the NAT log showing traffic passing (green check-mark). Thanks, Andrew
 

Attachments

erensfd (Getting the hang of it, Chicagoland)
I would try something other than port 82 on the WAN side to see if your ISP is being picky about that.
 

achalmersman (Pulling my weight, Delaware USA)
I figured since my firewall saw, passed, and logged the traffic to port 82 the ISP couldn't be blocking it. But I'll give it a try.

Sent from my SM-G965U using Tapatalk
 

achalmersman (Pulling my weight, Delaware USA)
Port change did not affect anything. I reconfigured to port 8081 and the symptom remains unchanged. Can access via LAN, but cannot access via WAN / remote port via NAT / firewall rule. Checked logs and the firewall rule is passing this traffic to port 8081.
 

achalmersman (Pulling my weight, Delaware USA)
Fiddled a little more. Packet captures on the server show packets entering from the WAN address and using the correct port. But I assume there is no response from the application, as there is no [SYN, ACK] packet from port 81 back to the WAN address. I have fully disabled Windows Defender with no effect. I can provide screen snips later.

I have a BI support plan on this machine. Perhaps I'll submit a support ticket.

Sent from my SM-G965U using Tapatalk
 

Valiant (Pulling my weight, Australia)
If you are establishing a remote access VPN connection then you are effectively connected to your LAN. You don't need to connect to your WAN address:8082.

Once the VPN is connected, try connecting via the internal IP address 192.168.30.4:82
 

achalmersman (Pulling my weight, Delaware USA)
If you are establishing a remote access VPN connection then you are effectively connected to your LAN. You don't need to connect to your WAN address:8082.

Once the VPN is connected, try connecting via the internal IP address 192.168.30.4:82
You're not understanding my topology, which is understandable. It's kind of screwy and perhaps I didn't explain it well enough. Due to my father's limited choice in ISPs he has a double NAT situation in which he has no control over ports, etc. I establish a VPN connection between his BI server and my home network VLAN 30 and essentially act as his ISP for the Blue Iris web UI interface. This allows me to control ports, my WAN address doesn't change, etc. I am not a Wireshark expert, but you can see from the packet captures on his server that the WAN traffic is being properly NATed by my firewall, routed properly over the VPN connection, and making it to his device. However, I believe this shows no response from his device (Blue Iris?) acknowledging the TCP connection and responding to the WAN address. To make sure something weird wasn't happening with routing at his device (essentially 2 LANs) I did a capture on his other LAN interface, but the responses are not going there either. Attaching packet captures from the server that works, and the server that doesn't.
 

Attachments

[username not captured] (Colorado)
You probably need to configure a ROUTE on his router so it knows the VPN tunnel & your gateway subnets have to go back via the VPN tunnel between your two sites.

You said you are using pfSense on your end; what device is establishing the connection from his end (what type of router / firewall device)?
 

achalmersman (Pulling my weight, Delaware USA)
You probably need to configure a ROUTE on his router so it knows the VPN tunnel & your gateway subnets have to go back via the VPN tunnel between your two sites.

You said you are using pfSense on your end; what device is establishing the connection from his end (what type of router / firewall device)?
The OpenVPN client is installed on his PC; the routing for the VPN is done by his PC. The packet capture showed it was not being routed wrong. From what I can tell, Blue Iris is not replying.

I have a support plan so I've also sent an inquiry into BI

Sent from my SM-G965U using Tapatalk
 
[username not captured] (Colorado)
If it is a ROUTE issue, then the reason you aren’t seeing a reply from Blue Iris is because it is going back out through his WAN network interface (not across the VPN).

I had a similar setup where my remote router would open an OpenVPN connection to my main network, and the response packets would never come back across the VPN tunnel. That’s what made me think that might be the problem.

I don’t think this is a Blue Iris issue, and it will take some time to get a response from BI support, so thought it was worth investigating just in case? With the VPN tunnel established can his PC ping to any of the IP addresses on your end of the tunnel?
 

achalmersman (Pulling my weight, Delaware USA)
Yes it can ping stuff on my side of the tunnel. Did you read where I did packet captures? The response is not going out the other interface. I did captures on both his interfaces. The incoming WAN traffic is coming in on 192.168.30.4:8081 but there is no reply on either of his interfaces.
 

achalmersman (Pulling my weight, Delaware USA)
I did another packet capture just to make sure I didn't miss something last time. I have included both in the same snip. As you can see the WAN traffic is coming in via the OpenVPN interface, but there is no reply on either interface.
 

Attachments

[username not captured] (Colorado)
Ok, so just to check all the critical details:
  • your father's Blue Iris computer is running the BI web server at 192.168.30.4 on port 8081 (in Blue Iris -> Options -> "Web Server" -> "local internal (LAN) access" = 192.168.30.4:8081)
  • you still have Windows Firewall disabled
  • you are tracing all the interfaces with Wireshark on that remote computer (so it only has two)
 

achalmersman (Pulling my weight, Delaware USA)
Ok, so just to check all the critical details:
  • your father's Blue Iris computer is running the BI web server at 192.168.30.4 on port 8081 (in Blue Iris -> Options -> "Web Server" -> "local internal (LAN) access" = 192.168.30.4:8081)
  • you still have Windows Firewall disabled
  • you are tracing all the interfaces with Wireshark on that remote computer (so it only has two)
Yes. That is all correct.

Sent from my SM-G965U using Tapatalk
 
[username not captured] (Colorado)
On your father's computer, with OpenVPN established, can you drop to a CMD prompt and type ROUTE PRINT (mask the critical IP addresses like his home one) and post back? It could let us know at least that his computer knows where to send the packets.
 

achalmersman (Pulling my weight, Delaware USA)
That route to that specific public address does not show up, but neither did it show up on the server that is working (covered by the default route, I suppose). All this time, just like you guys, I suspected a routing issue, but I thought the packet captures showing no response on either interface proved that not to be the case. Well, I was wrong. I need to learn more about using Wireshark.

As a test I did a client-specific override for his connection profile to redirect all client-generated traffic through the tunnel. I had specifically NOT done this because I did not want all his WAN traffic coming through my ISP and using my bandwidth for Windows updates, etc. I guess I made a mistake in assuming that when a TCP connection comes in, the PC learns what interface it came in on, adds a temporary mapping, and then replies using the same interface it received the packets on. I guess I was wrong.

I would really prefer not to provide all his WAN traffic for this server and only be the ISP for the Blue Iris application. I think the only way I could potentially make it work would be to add static routes to his PC for all the IPs I plan to connect from. I've done this for my NAT rule in pfSense, but with Aliases it's much more manageable to update / keep track of.

Thanks for helping me and being persistent.
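As an added illustration (not part of the thread), the Python below models the route selection the last post ran into: the SYN/ACK is routed by its destination only, so unless a route more specific than the default sends the viewer's public address back into the tunnel, it never goes out the OpenVPN interface. The interface names and the viewer's public IP (203.0.113.10) are constructed, and the two fixes compared are the ones the final post weighs: a /32 host route per remote client versus redirecting all client traffic.

```python
"""Longest-prefix route lookup, modelling why the SYN/ACK never used the tunnel."""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, egress interface)

def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)

def route_lookup(table: List[Route], dst: str) -> str:
    """Pick the egress interface for dst by longest prefix match,
    the same rule Windows applies to the entries shown by ROUTE PRINT."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]

# Constructed approximation of the father's PC: the default route via his own
# ISP router on the LAN NIC, plus the VLAN 30 route that OpenVPN pushes.
BASE_TABLE: List[Route] = [
    (net("0.0.0.0/0"), "lan"),        # his ISP's gateway
    (net("192.168.30.0/24"), "tun"),  # home site VLAN 30 over the VPN
]

CLIENT_WAN_IP = "203.0.113.10"  # constructed stand-in for the remote viewer's public IP

def reply_interface(table: List[Route], client_ip: str = CLIENT_WAN_IP) -> str:
    """The SYN arrived on tun, but the SYN/ACK is routed by destination alone."""
    return route_lookup(table, client_ip)

def with_host_route(table: List[Route], client_ip: str = CLIENT_WAN_IP) -> List[Route]:
    """Targeted fix from the last post: a /32 route per remote client IP via the tunnel."""
    return table + [(net(f"{client_ip}/32"), "tun")]

def with_redirect_gateway(table: List[Route]) -> List[Route]:
    """Full-tunnel fix: OpenVPN's redirect-gateway def1 route pair, which beats
    the default route without deleting it, so all of his traffic uses the tunnel."""
    return table + [(net("0.0.0.0/1"), "tun"), (net("128.0.0.0/1"), "tun")]

if __name__ == "__main__":
    print("base table       ->", reply_interface(BASE_TABLE))                         # lan
    print("host route       ->", reply_interface(with_host_route(BASE_TABLE)))        # tun
    print("redirect-gateway ->", reply_interface(with_redirect_gateway(BASE_TABLE)))  # tun
```

The `/1` pair is what an OpenVPN client installs for `redirect-gateway def1`, which is the likely effect of the client-specific override tried in the final post; the host-route table is the narrower alternative it prefers, and it needs one entry per source address the viewer connects from.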
 