Firewall Rules for BI/RTSP on Segmented Network?

TheWaterbug

I'm working towards transitioning my network from a flat network to a segmented network with at least 3-4 zones, using pfsense as my firewall. At some point down the road I will move all of my cameras to a completely isolated network with a dedicated connection to a 2nd NIC on my BI computer, but for now I'm using this as an opportunity to learn firewalling. So I want to figure out how to make this work today, even though this will not be my configuration tomorrow.

Last week I had my BI PC and all my cameras on the same subnet, and everything worked fine, as you'd expect.

Yesterday I experimented by putting one camera (.50.26) on a new LAN like this. I'm the "me" computer in the LAN0 subnet:

[screenshot]

Right now LAN0 has the default "pass any/any" firewall rule:

[screenshot]

so I can access from "me" to the Amcrest camera at .50.26, in a browser with live video (which I believe travels over HTTP).

I set up a rule on the LAN50 side to allow RTSP traffic to come back:

[screenshot]
where RTSP_Clients is an alias that includes the IP addresses for both the "me" PC and the BI PC. With this set of rules, BI can see (and serve) the stream from the 50.26 camera. I can also see the RTSP stream in VLC. All good so far.

Today I tried moving the BI PC camera to the LAN50 side:

[screenshot]

Because the LAN50 side lacks the default "pass any/any" rule, I tried enabling a bunch of rules to allow the BI PC to see the camera that's still on the .0 side, e.g. 192.168.0.24, per the camera's settings:

[screenshots]

I can access the .0.24 camera from a browser in the BI PC, including live video, but I cannot view an RTSP stream in VLC from the BI PC.

BI can interrogate the 0.24 camera's settings via ONVIF and the Find/Inspect button, but it cannot get the RTSP stream.

If I add a "pass any/any" firewall rule on the LAN50 side then VLC and BI both work from the BI PC, but of course that defeats the whole purpose of segmenting my network. But it at least tells me the problem is the firewall rules on the LAN50 side and not anything on the LAN0 side.

Am I missing some ports in my firewall rules? Thanks!
 


bp2008

I can access the .0.24 camera from a browser in the BI PC, including live video, but I cannot view an RTSP stream in VLC from the BI PC.

BI can interrogate the 0.24 camera's settings via ONVIF and the Find/Inspect button, but it cannot get the RTSP stream.
You allowed LAN50 net -> LAN net traffic for 37777-37778, 80, 443, and 580. But you did not allow it for TCP port 554.
 

bp2008

When you have the Blue Iris PC connected to the LAN50 network, I would make a rule that allows any IPv4 TCP/UDP traffic from the Blue Iris PC to 192.168.0.24. That way you only use one rule to allow any access you could possibly need to that one cam, from the one device that needs that access. The way you set it up with these rules

[screenshot]

it is allowing anything on the LAN50 network to access anything on the LAN network as long as it is using one of the listed ports and protocols, which is certainly more permissive than you intended and could be a security risk.
 

bp2008

Also I am pretty sure this rule
[screenshot]
is backwards with the source and destination. RTSP streams are "pulled", not "pushed", so the traffic would originate from the RTSP_Clients group.

Likely you already set up this rule in reverse, but it does not appear in your screenshots.

It is really easy to get things mixed up, so I'm not sure I'm correct ;)

Yeah, it is probably covered by the default allow LAN to any rule. I don't think you need the "RTSP LAN50 to RTSP_Clients" rule at all.
 

SpacemanSpiff

RTSP_Clients is an alias that includes the IP addresses for both the "me" PC and the BI PC. With this set of rules, BI can see (and serve) the stream from the 50.26 camera.
I believe you'll need to make an "RTSP_clients" alias for each respective VLAN (i.e. RTSP_Clients_LAN50) that lists out the corresponding IPs.
 

TheWaterbug

Also I am pretty sure this rule
[screenshot]
is backwards with the source and destination. RTSP streams are "pulled", not "pushed", so the traffic would originate from the RTSP_Clients group.

Likely you already set up this rule in reverse, but it does not appear in your screenshots.

It is really easy to get things mixed up, so I'm not sure I'm correct ;)

Yeah, it is probably covered by the default allow LAN to any rule. I don't think you need the "RTSP LAN50 to RTSP_Clients" rule at all.
That rule was originally put into place to allow RTSP traffic back from the .50.26 camera to the BI PC when the BI PC was at 192.168.0.13, and now I'm realizing it was both backwards (because you've told me RTSP is "pulled") and unnecessary because of the default allow LAN to any rule.

I've now reversed that rule, and made all of the allowed traffic for camera management specific to that one PC, and it's working!

[screenshot]

I made BlueIrisServer an alias, so that if I ever need to change it or add another machine, I can do it in one place and not have to change a whole bunch of rules.

I wish a firewall rule could contain a set of ports instead of just a single port or a contiguous range, so that I could collapse all of this into just one rule. But I don't think I can do that within pfsense. But if I can, someone please tell me how!

Thanks, all, for the help!

When you have the Blue Iris PC connected to the LAN50 network, I would make a rule that allows any IPv4 TCP/UDP traffic from the Blue Iris PC to 192.168.0.24. That way you only use one rule to allow any access you could possibly need to that one cam, from the one device that needs that access. The way you set it up with these rules
After thinking about this some more, I could make one alias to all my camera IPs, and then allow any/any from BlueIris to all my cameras. That would be easier than 5 different rules. But the security auditors tend to frown upon any rules that contain "any" unless you can demonstrate why "any" is truly necessary.

But I learned a ton today, about the mechanics of firewalling, the direction of RTSP, and the mindset of "most restrictive, least permissive." Thanks!
 

SpacemanSpiff

I wish a firewall rule could contain a set of ports instead just a single port or a contiguous range, so that I could collapse all of this into just one rule. But I don't think I can do that within pfsense. But if I can, someone please tell me how!
You can create a port alias that contains multiple non-contiguous ports:

Glad to hear you achieved your objective!
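As an added example that is not from the thread, here is the rule set the posts converge on (one source alias, one camera alias, one port alias, no "return" rule for RTSP) written in pf.conf syntax, the language pfSense compiles its GUI rules into. Interface names, the /24 masks and the BI PC's LAN50 address are assumptions; the camera address and the ports are the ones in the thread.

```pf
# Added example (not from the thread). pfSense runs pf underneath and adds
# "quick" to every GUI rule, so the first matching rule on the ingress
# interface wins. Interface names and the BI PC's LAN50 address are assumed.
lan_if    = "igb1"                 # LAN0 (assumed name)
lan50_if  = "igb2"                 # LAN50 (assumed name)
lan_net   = "192.168.0.0/24"       # /24 assumed from the .0.x addresses
lan50_net = "192.168.50.0/24"      # /24 assumed from the .50.x addresses

# Aliases (pfSense "Firewall > Aliases"): host aliases and a port alias.
table <BlueIrisServer> { 192.168.50.13 }          # assumed LAN50 address of the BI PC
table <Cameras_LAN>    { 192.168.0.24 }           # the camera still on LAN0
cam_ports = "{ 80, 443, 554, 580, 37777:37778 }"  # HTTP, HTTPS, RTSP, 580, Dahua/Amcrest

# LAN0 keeps the default "LAN net to any" rule from the thread, so "me" can
# reach the .50.26 camera, and anything originating on LAN0 toward LAN50
# (e.g. RTP over UDP sent by a camera) is matched here, not on LAN50.
pass in quick on $lan_if from $lan_net to any keep state

# LAN50 has no default pass: deny, log, then allow only what is needed.
block in log quick on $lan50_if all

# 1) What the original rules amounted to: every LAN50 host may reach every
#    LAN0 host on the listed ports, and with 554 missing the RTSP pull still
#    fails while the HTTP/ONVIF checks succeed (the symptom in the thread).
# pass in quick on $lan50_if proto tcp from $lan50_net to $lan_net \
#     port { 80, 443, 580, 37777:37778 } keep state

# 2) Least privilege: only the BI server, only to the listed cameras, only the
#    listed ports. RTSP is pulled by the client, so the camera's replies on the
#    TCP 554 connection ride this state entry; no LAN0 -> LAN50 rule is needed.
pass in quick on $lan50_if proto { tcp udp } from <BlueIrisServer> \
    to <Cameras_LAN> port $cam_ports keep state

# Software updates: the thread found no destination tighter than "any" worked,
# and a pfSense URL alias fetches a list of addresses from a URL rather than
# allowing traffic to that URL.
pass in quick on $lan50_if proto tcp from <BlueIrisServer> to any port 443 keep state
```

Adding a second camera or a second Blue Iris machine is then a change to one table, not to every rule, which is the point of the aliases.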
 

TheWaterbug

You can create a port alias that contains multiple non-contiguous ports:
I can't believe I missed that whole section on Port Aliases. :facepalm: Fixed:

[screenshot]

I added HTTPS so that the BI PC can go out and get software updates, but I can't figure out what to put into Destination. If I put anything other than "any," then BI times out when checking for updates. I've tried WAN Net, This Firewall, LAN net, etc., but nothing else works.

I even tried creating a URL alias to blueirissoftware.com, but that generates an error:

[screenshot]
 

bp2008

The Alias URLs are where pfSense will download a list of addresses from the given URL. It is not used to allow or deny access to the given URL. I'm not sure how you'd do that actually if you don't know the IP addresses of the website you want to allow access to, or if those IPs change often.
 