New pfSense server - not receiving BI alert images

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
Put up a new pfSense server and I'm no longer getting images along with BI's notifications either on LAN or WAN. I do get the notifications, just not with images.

Anyone know what needs to be set up for the right traffic to be passed?

Network is flat at the moment. No VLANs or otherwise segregated networks set up yet. BI server can access the WAN (cams blocked from WAN and will be from rest of LAN but N/A re this). Other incoming traffic originated by BI on-alert actions to outside tunneled services (e.g., monocle, voice monkey, etc.) works fine. Remote access is via VPN only which works well otherwise but, as above, images not working on LAN side either.
 
Joined
Sep 5, 2015
Messages
662
Reaction score
484
I'm running pfSense CE 2.6.0 and I'm getting alerts with images without any issues. I'm using OpenVPN for remote access and I don't have any special configurations for the BI computer. UPnP and NAT-PMP are disabled. The only configuration for my BI computer is I assigned it a static LAN IP address within pfSense.

How are you getting BI notifications?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
Same as far as UPnP disabled. Static address for BI server. OpenVPN and WireGuard both working fine otherwise.

Notifications are via Apple push service to my iPhone. No problem getting the alerts on LAN or VPN, just no images attached in either case. This was all working fine under my prior setup. I changed some things as far as how various devices were segregated until I can get things set up again on the new router/firewall but much more simple as it sits now as a flat network. Nothing changed as far as the BI server goes other than dropping the firewall up front. No VLANs, double-NAT or anything, just WAN - pfSense router/firewall (192.168.2.1) - BI server (192.168.2.4).

Haven't done much as far as any additional rules go. Blocked the cams from the WAN but that's about it. I did have to set up a custom option under DNS Resolver > Custom Options to get the Monocle Gateway (similar tunneling back in) to be able to resolve a host address with a local IP that it creates. Wondering if I need to do something along those lines for BI, though I don't know what host name would be used.

Also running pfBlockerNG. Should have mentioned above. Tried disabling that but didn't make any difference.
 
Last edited:
Joined
Sep 5, 2015
Messages
662
Reaction score
484
What app are you using for the BI notifications? Is it Pushover, Telegram, or the BI mobile app? I believe the BI mobile app requires the ports to be forwarded to work with push notifications. I could be wrong on that but I think I read that here somewhere. I don't use the BI app for push notifications so I'm not going to be able to help you if that's what you use.

I've read before that pfBlockerNG can still block applications after it's been disabled. If you haven't invested too much time in configuring your pfSense install, I would reset it to factory defaults and try it without installing pfBlocker. You could also make a backup of your config and restore it if necessary.

Otherwise you might be better off posting this issue on the pfSense Netgate troubleshooting forums.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
Oh, sorry... Yes, using the BI app. I could go with Pushover if I have to I suppose but kind of want to understand why it's not working. Pretty much the only thing left that I've not been able to get working right again after the switch. No ports need to be forwarded for the images to work with the BI app (though I know some struggle getting that to work right and I did have some problems long ago using BI v4). It was fine local/remote without anything other than the VPN before the change. As long as the VPN was running when remote I'd get the images with the notifications. And that shouldn't come into play when on the LAN I don't think. I'm not getting the images when there now either. That was what was making me think more along the lines of something related to resolving/accessing local host names/IPs.

I can get images using SMS but that's a different thing too. I think they just come as attachments vs any link back to the host.

Yeah, I searched the pfSense forum before asking here but didn't seem to be much BI-specific experience there. Won't hurt to ask.

Along those lines is there a good overall outline anyone knows of re exactly what happens with the traffic flow for notifications and the images? I've found bits and pieces and I know how, for example, the Apple push service and various other parts of it go but nothing that details it all very well.
 
Last edited:
Joined
Sep 5, 2015
Messages
662
Reaction score
484
I just enabled BI push notifications on one of my cameras to test it out. I received the BI push notification via the BI app with the alert and image without any problems. I tested it only while on the same LAN.

My suggestion is to backup your pfSense config, reset to factory defaults and configure it without installing pfBlocker and see if it works.

What version of pfSense are you using?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE
The system is on the latest version.

Yeah, I may do that. Need to go through and make sure that I understand everything that I may have changed before I do. Not sure if all settings for everything (VPN, etc.) get captured in the backups.

I think the deal with pfBlocker still blocking things is that while you can toggle and disable it from running, the rules that it may have added still are there. May try that first. Disable it and disable any rules it added. I didn't think to do the latter when I tried before.

Thanks for testing that and your help.
 
Joined
Sep 5, 2015
Messages
662
Reaction score
484
No problem, I think you’re right about PFblocker.
I believe the backup config captures everything including VPN CA’s and Certs. There are options in the settings to include that if I remember correctly.
 

whoami ™

Pulling my weight
Joined
Aug 4, 2019
Messages
230
Reaction score
224
Location
South Florida
With pfBlockerNG you can exclude a host from DNSBL (DNS Black Listing).
Firewall / pfBlockerNG / DNSBL
Set
DNSBL Mode = Unbound python mode
Python Group Policy = enable
Then click the + on the right of Python Group Policy under the section you enabled it at.
Then add the local IPs of the computers you want to bypass pfBlocker.

While you're at it give your wife's devices a static IP and add them to that white list. You'll thank me later... Trust me.
 
Last edited:

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
Tried that. Still doesn't do it. Also tried disabling the floating rule that pfBlockerNG creates and disabling it with no effect.

Probably should be rebooting after changing things too but I haven't been. Think I'll probably just start from scratch again when I get a chance. At least can test it in a default state and work back up from there to figure out why it's not working.

Do the backups maintain the settings for WireGuard and OpenVPN? That's the only part that was much of a pain to get working.

Another hint might be that notifications are much slower than they used to be. Not absolutely terrible but some delay. A few minutes. Used to be very quick most of the time. Seems like something's not quite right. Most everything else like the triggered alert tunneling in for Monocle, VPN, etc. is much faster.

Yeah, understand the reason for the wife thing. Unfortunately she's the one that I worry most about. She's a sucker for blindly clicking on links in email and texts and that kind of thing. Try to keep her stuff separated as much as I can from the rest of things. : / She doesn't do much so not too bad as far as locking her down. Facebook was a little bit of a struggle to get her off of. Just doesn't seem to work here anymore... for some reason. ; )
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
No problem, I think you’re right about PFblocker.
I believe the backup config captures everything including VPN CA’s and Certs. There are options in the settings to include that if I remember correctly.
Yeah, I see the settings can be maintained. Wasn't sure about the keys. I'd think so. Guess I'll find out. I know what was tripping me up in how pfSense does it now so still not that bad if I have to do it again.
 
Joined
Sep 5, 2015
Messages
662
Reaction score
484
I get my alerts very quickly, usually within 5 seconds but that's with using Pushover.

Thankfully there are a ton of videos on YouTube on how to configure the VPN in pfSense. Netgate also has instructions online. It was a huge learning curve for me coming from an Asus/UDM Pro router to pfSense, but once you understand the concept of how it works it's easy to set up. I would probably never go back to a consumer grade router.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
Yes, much better. I know the VPN side pretty well from other systems. Just needed to go through how things worked in pfSense. OpenVPN I've done a bunch of times so that was easy. WireGuard I hadn't and I missed something that took me a while to figure out. Not that bad to do again if I end up wiping it all. Just kind of a pain to have to set up the keys and clients and all again if I end up wiping it all. Can get it all back up pretty quickly though. Probably good to go through it all again anyway so I know it better.

Thanks again for your help. I'll post back once I figure out why it wasn't working.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
Well, that didn't work... Set back to defaults. Did nothing other than change the IP address to be back on my network.

No images with the alerts on LAN.
 
Joined
Sep 5, 2015
Messages
662
Reaction score
484
So you're saying when you reset back to factory defaults it only reset your LAN IP addresses back to 192.168.1.1 and your previous configurations are still there?
 

eeeeesh

BIT Beta Team
Joined
Jan 5, 2017
Messages
412
Reaction score
681
Are you using the ZFS file system? If so, there is a new option - Boot Configuration that may be worth looking into for your situation:

 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
Are you using the ZFS file system? If so, there is a new option - Boot Configuration that may be worth looking into for your situation:
I am. Thanks. Have to take a look.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
So you're saying when you reset back to factory defaults it only reset your LAN IP addresses back to 192.168.1.1 and your previous configurations are still there?
No, the reset worked and took everything back to defaults. I was saying that I didn't make any other changes to the defaults except to change the IP. No packages or rules added, etc., that might be affecting things. Still no images.
 
Last edited:

whoami ™

Pulling my weight
Joined
Aug 4, 2019
Messages
230
Reaction score
224
Location
South Florida
I can only think of stupid things you would least expect to be causing the issue like time and date mismatch on the machine due to no NTP server or hostname vs. IP that is set up in the app. Maybe a .local vs .localdomain or something stupid like that.

I don't enable BI app notifications personally. If I did I would get one every few seconds. Personally I use AITool to send Pushover image notifications; that way I never get any false alarms. But I'm also still running a 2 yr old version of BI.
 
Last edited:

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,835
Reaction score
6,405
I'm not sure either. Based on other posts I've found it seems that BI uses ports 2195 and 443 for the push notifications. Those should be passed OK by the default firewall rules for traffic originating inside the LAN out anyway and shouldn't be involved inside the LAN when LAN-to-LAN, but I've made explicit exception rules for both ports on both interfaces just to be sure with no effect. I've temporarily opened up everything to that IP in/out on the WAN interface i.e., just sitting there completely naked to the Internet and no effect. Tried turning on NAT reflection in various ways with no effect. Other services that rely on an outside site to pass similar things back into the same server/IP work fine. And the notifications themselves do work both inside and outside of my net so I know that part is OK. Just the images don't come. NTP works fine, everything is in sync.

I can plug my old router back in and they work fine again so not anything changed within BI or the app. I've tried using both the outside and inside IPs in the WAN setting for the app with no effect.

:idk:
 
Last edited: