Win10 Firewall and pfSense?

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
279
Reaction score
69
I have somehow created some sort of bug in my system. I have pfSense set up with a dedicated subnet 192.168.7.1 set up for my camera server. The Windows 10 camera server pc is assigned 192.168.7.50. It has a dual network card in it so that 192.168.0.1 and 192.168.2.1 are two networks connected to a number of cameras. I would like to allow this camera server pc only very limited access to the internet. Mostly I would just like to allow it to see NTP time and manually allow it to occasionally perform Microsoft updates. I also would like to view the Web Interface from another pc internal to my home network. I thought I sort-of had this working for a while, but not any longer. At this point the camera server pc can't find the internet even when I think I have modified the pfSense rules to allow it. I can't successfully ping anything from the camera server pc except the cameras. From my network I can successfully connect to the Blue Iris Web UI at 192.168.7.50:81 but I can't even ping the 192.168.7.50 pc itself. This seems really strange and I do not see any special firewall rules in pfSense to explain this. Could my Windows 10 firewall or network setup perhaps be causing this weirdness? Thanks.
 

concord

Getting comfortable
Joined
Oct 24, 2017
Messages
664
Reaction score
741
As for not being able to ping your BI server, yes the default Windows Defender Firewall will not allow ICMP traffic. You can enable ping, either from the command line or via the Windows Defender Firewall, for instructions see below.

As far as pfSense, if you can access your BI server from another computer on your 192.168.7.0/24 network and that computer can access the internet, then your BI server should be able to as well, unless you added a rule to prevent that.

You can set up an NTP server on your BI server to allow your cams to update their time using the NetTimeSetup program (NetTime - Network Time Synchronization Tool).


 

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
279
Reaction score
69
Okay, so the lack of ping responses is normal then? I will need to continue testing. Thanks.
 

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
279
Reaction score
69
The BI server pc is the only thing on the x.x.7.1 subnet. I think I've found the problem: For this interface in pfSense I enabled the checkboxes for "Block private networks and loopback addresses" and "Block bogon networks," however this seems to create two rules which block everything.

With these rules removed the internet access is restored. I have NetTime 3.14 installed. I would like to isolate this subnet from the internet by filtering out all traffic except the time updates, but I can't seem to see any port 123 traffic.
 
Last edited:

concord

Getting comfortable
Joined
Oct 24, 2017
Messages
664
Reaction score
741
Normally for the WAN interface, you should have them checked, but for LAN normally they are not.

When setting up a LAN, it will normally default not to allow any traffic. So you need to poke a hole in the firewall for the LAN to allow NTP/port 123 through. Check YouTube, like Lawrence Systems videos and others. Also, check out this, not sure if it's up to date, but may help: pfSense Firewall - escBackslash
 
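An added example (not from anyone in this thread) covering both points raised above: the default Windows Defender Firewall silently dropping ping, and checking whether UDP/123 really gets through the pfSense LAN rule. It assumes the BI server is 192.168.7.50 with pfSense at 192.168.7.1 running the NTP service (both from the thread); the home LAN subnet you ping from is a placeholder, and the script is run from an elevated PowerShell on the BI server.

```powershell
# Added example, not code from the thread or from pfSense/NetTime.
# Assumptions: BI server = 192.168.7.50, pfSense gateway/NTP source = 192.168.7.1.
# $HomeLan is a PLACEHOLDER: replace it with the subnet of the PC you ping from.
$HomeLan    = '192.168.1.0/24'   # PLACEHOLDER home LAN subnet
$PfSenseGw  = '192.168.7.1'      # pfSense interface on the camera-server subnet

# 1. Allow inbound ICMPv4 Echo Request (type 8), but only from the trusted sources.
#    Windows drops it by default, which is why the BI web UI on TCP 81 answers
#    while ping to 192.168.7.50 does not. Scoping -RemoteAddress keeps the camera
#    NICs (192.168.0.x / 192.168.2.x) from being able to ping the server.
$ruleName = 'BI server - ICMPv4 echo from trusted LAN'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $HomeLan, $PfSenseGw `
        -Action Allow -Profile Any | Out-Null
}

# Print the rule's effective remote-address scope so a typo in the subnet is obvious.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 2. Check that NTP (UDP/123) actually reaches pfSense through the LAN rule.
#    w32tm /stripchart sends real NTP requests without changing the Windows Time
#    configuration, so a timeout here points at the pfSense rule or its NTP
#    service rather than at NetTime.
w32tm /stripchart /computer:$PfSenseGw /samples:3 /dataonly
```

If the stripchart lines show an offset instead of a timeout, port 123 is open and the remaining question is only which client (NetTime or Windows Time) is doing the syncing.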

pete_c

Getting comfortable
Joined
Jul 30, 2019
Messages
617
Reaction score
689
Location
Time
All you need to do for NTP time is configure the PFSense NTP server and point your client(s) to the PFSense gateway IP for NTP.

Personally, here I have the PFSense firewall connected to a GPS with PPS (serial port) for more accurate time, such that the PFSense NTP server primarily uses the GPS for time and just compares it to external NTP servers.


Code:
[2.5.2-RELEASE][xxxx.com]/root: ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
oGPS_NMEA(0)     .GPS.            0 l    2   16  377    0.000   -0.006   0.001
 time-d-g.nist.g .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 0.pool.ntp.org  .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 2610:20:6f15:15 .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 0.ubuntu.pool.n .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 0.pfsense.pool. .POOL.          16 p    -   64    0    0.000   +0.000   0.000
*time-d-g.nist.g .NIST.           1 u   34   64  377   34.378   +3.356   1.219
+time-d-g.nist.g .NIST.           1 u    9   64  377   34.032   +3.691   0.858
+44.190.6.254    .PPS.            1 u   24   64  377   60.021   +2.755   0.493
 

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
279
Reaction score
69
All you need to do for NTP time is configure the PFSense NTP server and point your client(s) to the PFSense gateway IP for NTP.
I can go to pfSense Services>NTP>Settings and set this up for my 7.1 subnet -- but will NetTime on the BI server use this? I don't want the cameras to be able to reach this.

I am also curious about typical NTP synched performance. Even for my identical cameras I do not see absolute synchronization as the seconds click by on the overlay.
 
Last edited:

pete_c

Getting comfortable
Joined
Jul 30, 2019
Messages
617
Reaction score
689
Location
Time
Here I have BI running on a Windows 2016 server.

Just installed NetTime on the W2016 server.

BTW, here I used to use Tardis in the 1990's. I used it to connect to an old Trimble (surplus from a tank) and made a Windows NTP server way back in the 90's.


I am into time. Just a hobby though.

Nettime-PFSense.jpg
 
Last edited:

spammenotinoz

Getting comfortable
Joined
Apr 4, 2019
Messages
345
Reaction score
276
Location
Sydney
I have somehow created some sort of bug in my system. I have pfSense set up with a dedicated subnet 192.168.7.1 set up for my camera server. The Windows 10 camera server pc is assigned 192.168.7.50. It has a dual network card in it so that 192.168.0.1 and 192.168.2.1 are two networks connected to a number of cameras. I would like to allow this camera server pc only very limited access to the internet. Mostly I would just like to allow it to see NTP time and manually allow it to occasionally perform Microsoft updates. I also would like to view the Web Interface from another pc internal to my home network. I thought I sort-of had this working for a while, but not any longer. At this point the camera server pc can't find the internet even when I think I have modified the pfSense rules to allow it. I can't successfully ping anything from the camera server pc except the cameras. From my network I can successfully connect to the Blue Iris Web UI at 192.168.7.50:81 but I can't even ping the 192.168.7.50 pc itself. This seems really strange and I do not see any special firewall rules in pfSense to explain this. Could my Windows 10 firewall or network setup perhaps be causing this weirdness? Thanks.
Why let them have internet access at all? Run NTP from your Blue Iris server.
If you can't use a separate network, use a fake unused gateway IP and don't specify a DNS server (or fake one).
PS: Always disable IPv6 or they will find a way out.
 

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
279
Reaction score
69
I am into time. Just a hobby though.
I considered building a time standard years ago. I read the Amateur Radio articles on that topic. Had several GPS boards. Never could quite justify the effort. I will try setting the NetTime address to 192.168.7.1

Update: yes that seems to be working!
 
Last edited:

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
279
Reaction score
69
Why let them have internet access at all? Run NTP from your Blue Iris server.
If you can't use a separate network, use a fake unused gateway IP and don't specify a DNS server (or fake one).
PS: Always disable IPv6 or they will find a way out.
I have a dual NIC in the BI server for two camera subnets and do not allow the BI server to see the internet. It is the only pc on a pfSense subnet and is blocked by pfSense firewall rules. However I am still working on getting the NTP service working on pfSense.
 

davej

Getting the hang of it
Joined
Apr 25, 2014
Messages
279
Reaction score
69
I guess I still wonder if there is perhaps a pfSense firewall ruleset that would allow only Microsoft Win10 updates?
 

pete_c

Getting comfortable
Joined
Jul 30, 2019
Messages
617
Reaction score
689
Location
Time
I guess I still wonder if there is perhaps a pfSense firewall ruleset that would allow only Microsoft Win10 updates?

In the early days of Windows 10 I tried to mod the build by running a script to remove Microsoft update servers. They were all over the place. The next Windows 10 update would remove the modification.

I have no issues running Windows 2016 server as it has no fluff. Windows 10 Enterprise also doesn't have any fluff.

This is what I used for the original GPS with PPS device a few years ago. It sat in the second floor attic with a cat5e RS-232 balun down to the basement server room.

Sure GPS Board

On the second PFSense I am using a U-Blox GPS ... very reasonably priced to build. Purchased the U-Blox with an aux antenna on eBay.
 