PfSense put a computer in the DMZ ??


Fritz

Well-Known Member
Apr 6, 2015
3,389
1,392
113
70
Phone will not connect via https either locally or via the internet. It will connect via http both locally and WAN.

Screenshot from 2021-01-05 17-56-29.png
 

itronin

Well-Known Member
Nov 24, 2018
1,243
804
113
Denver, Colorado
I'm sure you checked this. but... is there an exception in whatever windows firewall you are using (defender, sophos etc. etc.) to allow inbound 443 through?

Most likely if you can't connect via https locally then that has to be solved first before the firewall...
 

Fritz

OK, just created a rule and associated it with https port 443 and still no joy. :(

Screenshot from 2021-01-05 18-02-36.png
 

itronin

might be helpful if you can run from an elevated command prompt on the BI server:

netstat -abn > c:\foo.out

and then post the contents of foo.out in a spoiler or code to make the thread a little more compact.

Basically we're looking for the processes listening on certain ports, particularly 443...
 

itronin

> OK, just created a rule and associated it with https port 443 and still no joy. :(

sorry I wasn't clear...

> Phone will not connect via https either locally or via the internet. It will connect via http both locally and WAN.

Check the firewall software on your Blue Iris Server (not pfsense) to see if there is an exception for https, the blue iris executable, and/or port 443.

If your phone is on the local lan (wifi) and it can't open an https connection to the local blue iris IP address (you posted previously that it cannot) then it simply does not matter what changes you make to pfsense right now. Gotta figure out what's up with the lack of local access via 443 on your BI server.
 

Fritz

Code:
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TermService
 [svchost.exe]
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING
 [BlueIris.exe]
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING
 [wininit.exe]
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING
  EventLog
 [svchost.exe]
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING
  Schedule
 [svchost.exe]
  TCP    0.0.0.0:49155          0.0.0.0:0              LISTENING
 [spoolsv.exe]
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:49170          0.0.0.0:0              LISTENING
 [lsass.exe]
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING
 [stunnel.exe]
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING
 [stunnel.exe]
  TCP    127.0.0.1:143          0.0.0.0:0              LISTENING
 [stunnel.exe]
  TCP    127.0.0.1:50123        127.0.0.1:50124        ESTABLISHED
 [stunnel.exe]
  TCP    127.0.0.1:50124        127.0.0.1:50123        ESTABLISHED
 [stunnel.exe]
  TCP    127.0.0.1:50125        127.0.0.1:50126        ESTABLISHED
 [stunnel.exe]
  TCP    127.0.0.1:50126        127.0.0.1:50125        ESTABLISHED
 [stunnel.exe]
  TCP    192.168.5.2:139        0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.5.2:58046      192.168.5.183:554      ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58047      192.168.5.129:554      ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58048      192.168.5.123:554      ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58049      192.168.5.124:554      ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58050      192.168.5.126:554      ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58051      192.168.5.188:7008     ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58052      192.168.5.128:554      ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58054      192.168.5.101:34567    ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58055      192.168.5.127:554      ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58056      192.168.5.125:554      ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:58060      192.168.5.101:34567    ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:63598      192.168.5.121:8999     ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.5.2:63599      192.168.5.121:8999     ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.10.100:139     0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.10.100:3389    192.168.10.2:41422     ESTABLISHED
  TermService
 [svchost.exe]
  TCP    192.168.10.100:9999    192.168.10.2:55064     ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.10.100:9999    192.168.10.2:57112     ESTABLISHED
 [BlueIris.exe]
  TCP    [::]:135               [::]:0                 LISTENING
  RpcSs
 [svchost.exe]
  TCP    [::]:445               [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:3389              [::]:0                 LISTENING
  TermService
 [svchost.exe]
  TCP    [::]:5985              [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:9999              [::]:0                 LISTENING
 [BlueIris.exe]
  TCP    [::]:47001             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:49152             [::]:0                 LISTENING
 [wininit.exe]
  TCP    [::]:49153             [::]:0                 LISTENING
  EventLog
 [svchost.exe]
  TCP    [::]:49154             [::]:0                 LISTENING
  Schedule
 [svchost.exe]
  TCP    [::]:49155             [::]:0                 LISTENING
 [spoolsv.exe]
  TCP    [::]:49156             [::]:0                 LISTENING
 Can not obtain ownership information
  TCP    [::]:49170             [::]:0                 LISTENING
 [lsass.exe]
  UDP    0.0.0.0:3389           *:*                   
  TermService
 [svchost.exe]
  UDP    0.0.0.0:5355           *:*                   
  Dnscache
 [svchost.exe]
  UDP    192.168.5.2:137        *:*                   
 Can not obtain ownership information
  UDP    192.168.5.2:138        *:*                   
 Can not obtain ownership information
  UDP    192.168.10.100:137     *:*                   
 Can not obtain ownership information
  UDP    192.168.10.100:138     *:*                   
 Can not obtain ownership information
  UDP    [::]:3389              *:*                   
  TermService
 [svchost.exe]
 

itronin

> Yes, Windows firewall is set to allow Blue Iris in and out.

if you can post the netstat output that will tell us whether BI is listening via 443 ...

thank you.

okay so I don't see 443 with a listener at all. Without a listener, nothing is going to connect via https to your blue iris server - pfsense configuration or no.

Let me ask another stupid question, and I admit I'm not a BI expert.

Are you trying to access Blue Iris without having it configured for HTTPS but using HTTPS as transport? If so that would imply configuring a front end proxy for Blue Iris that handles the HTTPS encrypt/decrypt (whether pub certificate or private certificate).

basically (forgive ascii drawing)

[client] <--> {public Internet} <-->[Fritz's pfSense 443 port forward]<-->[HTTPS Front End Proxy on 443] <--> [Blue Iris Server on 80]
 

Fritz

I should have mentioned that Blue Iris uses Stunnel for https. It installed along with BI and configured itself.

Code:
2020.12.28 10:17:24 LOG5[main]: stunnel 5.57 on x64-pc-mingw32-gnu platform
2020.12.28 10:17:24 LOG5[main]: Compiled/running with OpenSSL 1.1.1h  22 Sep 2020
2020.12.28 10:17:24 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,OCSP,PSK,SNI
2020.12.28 10:17:24 LOG5[main]: Reading configuration from file stunnel.conf
2020.12.28 10:17:24 LOG5[main]: UTF-8 byte order mark detected
2020.12.28 10:17:24 LOG5[main]: Configuration successful
2020.12.29 10:17:24 LOG5[main]: Log file reopened
2020.12.30 10:17:24 LOG5[main]: Log file reopened
2020.12.31 10:17:24 LOG5[main]: Log file reopened
2021.01.01 10:17:24 LOG5[main]: Log file reopened
2021.01.02 10:17:24 LOG5[main]: Log file reopened
2021.01.03 08:18:15 LOG5[main]: Active connections:
2021.01.03 10:17:24 LOG5[main]: Log file reopened
2021.01.04 10:17:24 LOG5[main]: Log file reopened
2021.01.05 10:17:24 LOG5[main]: Log file reopened
 

Fritz

> if you can post the netstat output that will tell us whether BI is listening via 443 ...
>
> thank you.
>
> okay so I don't see 443 with a listener at all. Without a listener, nothing is going to connect via https on your blue iris server - pfsense configuration or no.
>
> Let me ask another stupid question, and I admit I'm not a BI expert.
>
> Are you trying to access Blue Iris without having it configured for HTTPS but using HTTPS as transport? If so that would imply configuring a front end proxy for Blue Iris that handles the HTTPS encrypt/decrypt (whether pub certificate or private certificate).

The netstat output I posted above or something else?
 

Fritz

Gonna reboot the BI server and see if something magical happens.
 

itronin

Code:
Active Connections
  TCP    192.168.10.100:9999    192.168.10.2:55064     ESTABLISHED
 [BlueIris.exe]
  TCP    192.168.10.100:9999    192.168.10.2:57112     ESTABLISHED
 [BlueIris.exe]
  TCP    [::]:9999              [::]:0                 LISTENING
 [BlueIris.exe]
so there's this...

You might try changing your pfsense port forward rule from 443 to 80 - make sure that works including viewing cameras then either turn that rule off or flip it back to 443 (since it doesn't work right now). don't want to leave 80 up all the time - just for testing - or did you already do that and it works?
sorry multi-tasking you. I believe you will need to leave the 9999 port forward rule in there.
 

Fritz

Hang on, I'll try it. Rebooting the server did nothing. :(
 

itronin

> The netstat output I posted above or something else?

I could be wrong, don't think the reboot will fix this.

In your netstat output I do NOT see a process listening on port 443. If there is no process listening on 443 then there will be no joy in mudville unless something is handling 443...
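As an added illustration of the check itronin asked for earlier (run `netstat -abn` and look for whatever is listening on 443) and of the conclusion drawn here (no listener means a pfSense port forward cannot work), the following Python script is example code, not something from the thread, Blue Iris or stunnel. It parses the multi-line layout that Windows `netstat -abn` prints, reports which process would answer on each port a firewall forwards, and also flags listeners that exist but are bound only to loopback, which LAN clients and port forwards cannot reach either. The embedded sample is constructed; its ports and process names are assumptions modelled on the listing posted above.

```python
"""Report which process would answer on forwarded ports, from Windows `netstat -abn` output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One socket line, e.g. "  TCP    0.0.0.0:9999   0.0.0.0:0   LISTENING" (UDP lines carry no state).
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# An owner line that `netstat -b` prints under the socket, e.g. " [BlueIris.exe]".
OWNER_EXE = re.compile(r"^\s*\[(.+)\]\s*$")

# Constructed sample in the layout Windows `netstat -abn` uses; ports and process
# names are assumptions modelled on the listing posted in the thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING
 [BlueIris.exe]
  TCP    127.0.0.1:25           0.0.0.0:0              LISTENING
 [stunnel.exe]
  TCP    192.168.10.100:9999    192.168.10.2:55064     ESTABLISHED
 [BlueIris.exe]
  TCP    [::]:9999              [::]:0                 LISTENING
 [BlueIris.exe]
  UDP    0.0.0.0:5355           *:*
  Dnscache
 [svchost.exe]
"""


@dataclass
class Socket:
    proto: str
    local_host: str
    local_port: int
    remote: str
    state: str                      # "" for UDP, which netstat prints without a state
    service: Optional[str] = None   # e.g. "RpcSs"; None when netstat printed none
    exe: Optional[str] = None       # e.g. "svchost.exe"; None when ownership was unavailable

    def loopback_only(self) -> bool:
        """True when only processes on the same host can reach this socket."""
        return self.local_host in ("127.0.0.1", "[::1]")


def _split_addr(addr: str):
    # rpartition keeps IPv6 forms such as "[::]:9999" intact: host "[::]", port 9999
    host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_netstat(text: str) -> List[Socket]:
    """Turn `netstat -abn` text into Socket records, attaching the owner lines that follow each socket."""
    sockets: List[Socket] = []
    current: Optional[Socket] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Active Connections") or line.startswith("Proto"):
            continue
        m = SOCKET_LINE.match(raw)
        if m:
            proto, local, remote, state = m.groups()
            host, port = _split_addr(local)
            current = Socket(proto, host, port, remote, state or "")
            sockets.append(current)
            continue
        if current is None:
            continue
        e = OWNER_EXE.match(raw)
        if e:
            current.exe = e.group(1)
        elif not line.startswith("Can not obtain ownership information"):
            current.service = line   # a service name such as "RpcSs" or "TermService"
    return sockets


def listeners_on(sockets: List[Socket], port: int, proto: str = "TCP") -> List[Socket]:
    """Every socket bound to `port` that is waiting for traffic (UDP sockets have no LISTENING state)."""
    return [s for s in sockets
            if s.proto == proto and s.local_port == port
            and (s.state == "LISTENING" or proto == "UDP")]


def reachable_listener(sockets: List[Socket], port: int, proto: str = "TCP") -> Optional[Socket]:
    """First listener on `port` that is not loopback-bound, i.e. one a LAN client or a port forward could reach."""
    for s in listeners_on(sockets, port, proto):
        if not s.loopback_only():
            return s
    return None


def port_forward_report(sockets: List[Socket], forwarded_ports: List[int]) -> Dict[int, Optional[str]]:
    """Map each forwarded TCP port to the process that would answer, 'loopback-only (...)' if the only
    listener is bound to 127.0.0.1/[::1], or None when nothing listens at all."""
    report: Dict[int, Optional[str]] = {}
    for port in forwarded_ports:
        listeners = listeners_on(sockets, port)
        if not listeners:
            report[port] = None
            continue
        reachable = [s for s in listeners if not s.loopback_only()]
        chosen = reachable[0] if reachable else listeners[0]
        name = chosen.exe or chosen.service or "unknown process"
        report[port] = name if reachable else f"loopback-only ({name})"
    return report


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for port, who in port_forward_report(socks, [443, 9999, 25]).items():
        print(f"port {port}: {who or 'NO LISTENER - a port forward to this port cannot work'}")
```

On real output, pipe the saved file in (`parse_netstat(open(r"c:\foo.out").read())`) and pass the ports your firewall forwards; a `None` for 443 is exactly the situation in this thread, and a `loopback-only` entry is the other common trap, a service (such as the stunnel listeners in the posted output) that is up but bound to 127.0.0.1 and therefore invisible from the LAN.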
 

itronin

> Yea, port 80 works but it's not https. :(

yes and I do not believe that BI is configured to use HTTPS right now based on the netstat output. sooo let me research this really quick. If BI does not support HTTPS natively then you'd have to configure a front end for it or decide to figure out vpn for your phone to come into your LAN and then access BI.
 

itronin

soooo quick search says you either need to front end it / create a reverse proxy or try and get it to work with stunnel. I have a suspicion you already worked on this since I see stunnel listening on ports (netstat output)...

follow on search says... you may be able to configure a reverse proxy in pfsense to handle the https traffic for you and then port forward to your BI server on port 80... If so it appears folks have worked on using SQUID plugin as a reverse proxy on pfSense...

I'm thinking your original question is more of ...

How do I make Blue Iris work using https through a pfsense firewall?

Is that a fair restatement of the problem?
 

itronin

> Found something.

yeah you betchya... gotta make your blue iris https issue go away first.... Like I said nothing listening on port 443 - which is what BI is telling you.

see my last post for ideas using stunnel alternatively you may be able to reverse proxy via squid ... basically you need to pick your poison here.

edit:

btw, if it were me I'd just spin up a nginx vm and use that to front end HTTPS/SSL traffic. but that's just me.

edit:
using pfsense and squid example
using nginx to front end BI example

edit:

and apologies you have BI http running on port 9999 - earlier I talked about 80 - but should have been 9999
 

Fritz

> yeah you betchya... gotta make your blue iris https issue go away first.... Like I said nothing listening on port 443 - which is what BI is telling you.
>
> see my last post for ideas using stunnel alternatively you may be able to reverse proxy via squid ... basically you need to pick your poison here.
>
> edit:
>
> btw, if it were me I'd just spin up a nginx vm and use that to front end HTTPS/SSL traffic. but that's just me.
>
> edit:
> using pfsense and squid example
> using nginx to front end BI example
>
> edit:
>
> and apologies you have BI http running on port 9999 - earlier I talked about 80 - but should have been 9999

Thanks a million. Got some possible solutions to explore. I'll report back as soon as I do.