  1. #1
    Untangler
    Join Date
    Aug 2018
    Posts
    48

    Cannot reach one specific host in IPcam VLAN

    Hi guys,

    I've been struggling with some weird network behavior that I can't seem to solve myself.

    Situation:
    • 1 main home subnet and 1 VLAN dedicated for my IP cams;
    • IPcam VLAN has no access to any other VLAN nor to WAN/Internet (filter rules). I connect to the IPcams from my NAS (acting as NVR, located in the main home subnet);
    • In this IPcam VLAN I also have one dedicated Wi-Fi AP for some Wi-Fi IP cams.

    All works just fine.

    Issue:
    • I can connect to and ping all my IPcams from my main computer in the main subnet, but I cannot connect to the web interface of the Wi-Fi AP (ping timeout and connection timeout);
    • But when I ping the same IP address from the Untangle network troubleshooting functionality, it replies just fine. A connection test on port 80 from Untangle also works fine.
    • Connecting a laptop to the IPcam VLAN also gives me access to the AP web interface just fine. So the interface is up and running.



    So something else seems to block access from my PC to this one specific host in my IPcam VLAN.

    Any suggestion where to look for a solution?


  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,400


    You're going to need a NAT rule for the WAP. It has an internal firewall that says no to anything that isn't local.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,605


    Describe the Wi-Fi AP.
    Make and model #.
    What port are you plugged into on it?

  4. #4
    Untangler
    Join Date
    Aug 2018
    Posts
    48


    Draytek Vigor AP900, plugged into port A1.
    No POE.

  5. #5
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,400


    I repeat, you need a NAT rule; that device will not allow you to manage it if you aren't on its local IP network. The NAT rule will work around that limitation.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  6. #6
    Untangler
    Join Date
    Aug 2018
    Posts
    48


    This AP900 keeps giving me headaches...

    https://forums.untangle.com/networki...rent-nics.html

    Funny thing is that in the old setup (see link above) it used to work and I was able to reach the web interface on both subnets.
    So something must have changed in the AP900.

    Anyway, for now I’ll need to do some research on the suggested NAT solution.
    Thanks for the leads!

  7. #7
    Untangler
    Join Date
    Aug 2018
    Posts
    48


    Originally posted by sky-knight:
    "You're going to need a NAT rule for the WAP."

    I’ve done some reading but still do not fully understand what you mean.
    Are you suggesting to turn on ‘NAT traffic coming from this Interface’ for the IPcam VLAN where the WAP is living?

  8. #8
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,400


    Originally posted by homenetwork:
    "I’ve done some reading but still do not fully understand what you mean.
    Are you suggesting to turn on ‘NAT traffic coming from this Interface’ for the IPcam VLAN where the WAP is living?"

    Nope, I'm suggesting you go to config -> network -> NAT Rules and make a rule that says:

    Destination Address: IP of AP900
    Source interface: Any-NON WAN

    NAT Type Auto

    That rule will match any traffic coming from any LAN interface and destined to the IP address of the AP900, and force it to be translated to the local Untangle IP address. So when you try to manage the AP900 instead of it seeing your real LAN IP address, it'll see the local Untangle IP, which will pass its internal firewall check.

    This is a thing you get to do for a great many non-commercial devices; they have firewalls in them that require management traffic to be sourced from the local IP range. That NAT Rule satisfies that condition.

    Just make sure you make a rule at least as complex as the one I suggested; an over-match here will kill Internet access or worse.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
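
The following is an added example, not part of the thread and not Untangle or DrayTek code: a small Python model of the rule described in post #8, showing why the AP's local-subnet check passes once the source is rewritten and how a rule without the destination condition also rewrites unrelated flows. All addresses and interface names are constructed, and only the added NAT rule is modelled (not the firewall's normal WAN NAT).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ip, net = ipaddress.ip_address, ipaddress.ip_network

# Constructed addressing (the thread gives none).
CAM_VLAN = net("192.168.20.0/24")
FW_ADDR = {"ipcam": ip("192.168.20.1"), "wan": ip("198.51.100.2")}  # firewall's own addresses
AP, CAM = ip("192.168.20.5"), ip("192.168.20.10")
PC, NAS, INTERNET = ip("192.168.1.50"), ip("192.168.1.20"), ip("203.0.113.10")

@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    in_iface: str  # interface the flow enters the firewall on

@dataclass(frozen=True)
class NatRule:
    dst: Optional[ipaddress.IPv4Address]  # None = no destination condition

    def matches(self, f: Flow) -> bool:
        # "Source interface: any non-WAN" plus the optional destination condition
        return f.in_iface != "wan" and (self.dst is None or f.dst == self.dst)

def seen_source(f: Flow, rule: Optional[NatRule]):
    """Source address the destination host sees once the firewall has forwarded the flow."""
    if rule is not None and rule.matches(f):
        egress = "ipcam" if f.dst in CAM_VLAN else "wan"
        return FW_ADDR[egress]  # Auto: rewrite to the firewall's address on the egress side
    return f.src

def ap_allows_management(src) -> bool:
    """The AP's built-in check as described in the thread: local subnet only."""
    return src in CAM_VLAN

FLOWS = {"pc->ap": Flow(PC, AP, "lan"), "nas->cam": Flow(NAS, CAM, "lan"),
         "pc->internet": Flow(PC, INTERNET, "lan")}
SCOPED, BROAD = NatRule(dst=AP), NatRule(dst=None)

def translated(rule: NatRule):
    """Names of the sample flows whose source the rule would rewrite."""
    return sorted(name for name, f in FLOWS.items() if rule.matches(f))

if __name__ == "__main__":
    print("no rule, AP allows PC:", ap_allows_management(seen_source(FLOWS["pc->ap"], None)))
    print("scoped,  AP allows PC:", ap_allows_management(seen_source(FLOWS["pc->ap"], SCOPED)))
    print("scoped rule rewrites :", translated(SCOPED))
    print("broad rule rewrites  :", translated(BROAD))
```
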
