Tengo un problema con una aplicación de visionado de cámaras (BVMS de Bosch). La aplicación se comunica perfectamente con el servidor, recibe alarmas, etc... puedo conectarme a las cámaras directamente a través de su servidor web sin ningún problema, puedo acceder a todos los servicios de la Red, puedo conectarme a las cámaras por RTSP, pero... la imagen en directo de las cámaras a través de dicha aplicación no me funciona, sin embargo la reproducción sí.
Tengo un recién adquirido Fortigate 101E.
El PC cliente donde utilizo la aplicación de cámaras está conectado a una interfaz (Ha2) con IP 10.16.0.170/255.255.255.252, que llamaremos Red Externa. Actualmente, para pruebas, tengo conectado un PC con IP 10.16.0.169/255.255.255.252 y puerta de enlace 10.16.0.170; cuando todo funcione correctamente, irá conectado un Firewall fuera de mi gestión.
El servidor y las cámaras están en una Red interna la cual está conectada a un interface (Ha1) del Firewall con IP 10.168.0.254/255.255.255.0 que llamaremos Red Interna.
Entiendo que las rutas estáticas están bien configuradas porque, de lo contrario, no funcionaría nada, y no solo fallaría el vídeo en directo.
Desconozco si los interfaces Ha son los apropiados para hacer esto, probé con otros interfaces y el resultado fue el mismo.
El vídeo está configurado en Unicast y supuestamente utiliza puertos UDP para los streamings en directo. La política actual creada en el Firewall admite todos los puertos (de momento no estoy cerrando nada), desde todas las direcciones de origen hacia todas las direcciones de destino, en sentido Red Externa --> Red Interna.
Como he comentado antes funciona todo menos el vídeo en directo.
Vengo de un Juniper SSG-140 (modelo del 2008 aprox.) y funciona perfectamente, no tiene ninguna política multicast configurada.
Ayuda por favor!
Esta es la política:
# Firewall policy 17 as pasted: traffic entering on ha2 and leaving on ha1 is
# accepted for every source address, destination address and service.
# The enclosing "config firewall policy" line and the closing "end" are not
# part of the paste, and no policy for the opposite direction (ha1 -> ha2)
# is shown.
edit 17
set name "RED EXTERNA > RED INTERNA"
set uuid bab7a27c-1daa-51eb-170e-4d0e0fd9786b
set srcintf "ha2"
set dstintf "ha1"
# Test-only scope: "all" -> "all" with service "ALL" (below) exposes the whole
# internal network to anything that can reach ha2. The post says a firewall
# outside the author's management will later sit on that side, so narrow
# source, destination and service to the client, the server/cameras and the
# ports actually needed before that link goes live.
set srcaddr "all"
set dstaddr "all"
set internet-service disable
set internet-service-src disable
set rtp-nat disable
set learning-mode disable
set action accept
set status enable
set schedule "always"
set schedule-timeout disable
set service "ALL"
set dscp-match disable
# Security profiles are switched on for this policy; the profiles actually
# referenced are application-list "default" and ssl-ssh-profile
# "certificate-inspection" further down, so accepted traffic is still inspected.
# NOTE(review): when one flow fails while everything else passes, check the
# application-control / UTM logs for this policy before relaxing anything else.
set utm-status enable
# Every session matching this policy is logged, which gives a record to look
# at for the failing live-video flow.
set logtraffic all
set logtraffic-start disable
set capture-packet disable
# NOTE(review): hardware-offloaded sessions are typically not visible to the
# built-in packet sniffer; presumably offload has to be disabled temporarily
# on this policy to capture the UDP stream - confirm for this model.
set auto-asic-offload enable
set np-acceleration enable
set permit-any-host disable
set permit-stun-host disable
set fixedport disable
set ippool disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set fsso disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments ''
set block-notification disable
set replacemsg-override-group ''
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set ssl-mirror disable
set scan-botnet-connections disable
set dsri disable
set radius-mac-auth-bypass disable
set delay-tcp-npu-session disable
unset vlan-filter
set profile-type single
set av-profile ''
set webfilter-profile ''
set dnsfilter-profile ''
set ips-sensor ''
set application-list "default"
set voip-profile ''
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
set traffic-shaper ''
set traffic-shaper-reverse ''
set per-ip-shaper ''
# Source NAT is enabled with no IP pool, so sessions are presumably translated
# to the egress interface address (10.168.0.254 on ha1, per the post): the
# server and cameras then see the firewall, not the client 10.16.0.169.
# NOTE(review): if the live unicast stream is sent as a separate UDP flow to
# the client address negotiated in the control channel, that flow would not
# belong to the NATed session and nothing shown here would admit it from
# ha1 to ha2 - verify. Both networks are routed according to the post, so
# NAT may be unnecessary; disabling it also keeps real client addresses in
# the server and camera logs.
set nat enable
set match-vip disable
next
# Interface ha1 (alias "HA RED INTERNA"): static address 10.168.0.254/24 in
# vdom root. Per the post this is the side where the server and the cameras
# are connected.
config system interface
edit "ha1"
set vdom "root"
set vrf 0
set fortilink disable
set mode static
set dhcp-relay-service disable
set ip 10.168.0.254 255.255.255.0
# Administrative access on this interface includes plaintext HTTP next to
# HTTPS and SSH.
# NOTE(review): drop "http" unless it is kept only to redirect to HTTPS, and
# restrict administrator logins to known management hosts.
set allowaccess ping https ssh http
set fail-detect disable
set pptp-client disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-send-redirect enable
set icmp-accept-redirect enable
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set subst disable
set substitute-dst-mac 00:00:00:00:00:00
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type physical
set netflow-sampler disable
set sflow-sampler disable
set scan-botnet-connections disable
# Source-address check on ingress is on. Presumably this is the reverse-path
# (anti-spoofing) check, so packets whose source does not route back through
# this interface are dropped - keep it enabled and fix routing instead if it
# ever interferes.
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set disconnect-threshold 0
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set description ''
set alias "HA RED INTERNA"
set l2tp-client disable
set security-mode none
set device-identification disable
set lldp-transmission vdom
set fortiheartbeat disable
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set vrrp-virtual-mac disable
set role lan
set snmp-index 5
set secondary-IP disable
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
# IPv6 sub-table: no address assigned (::/0) and no IPv6 management access.
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set vrrp-virtual-mac6 disable
set vrip6_link_local ::
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set speed auto
set mtu-override disable
set wccp disable
set drop-overlapped-fragment disable
set drop-fragment disable
next
end
# Interface ha2 (alias "HA RED EXTERNA"): static address 10.16.0.170 in vdom
# root. Per the post this is the side of the client PC and, later, of a
# firewall the author does not manage.
config system interface
edit "ha2"
set vdom "root"
set vrf 0
set fortilink disable
set mode static
set dhcp-relay-service disable
# /30 link network: the only other usable host address is 10.16.0.169, the
# test PC named in the post.
set ip 10.16.0.170 255.255.255.252
# No administrative access (ping/https/ssh/http) is allowed on this
# interface. That suits a link towards equipment under someone else's
# control; keep it this way.
unset allowaccess
set fail-detect disable
set pptp-client disable
set arpforward enable
set broadcast-forward disable
set bfd global
set l2forward disable
set icmp-send-redirect enable
set icmp-accept-redirect enable
set vlanforward disable
set stpforward disable
set ips-sniffer-mode disable
set ident-accept disable
set ipmac disable
set subst disable
set substitute-dst-mac 00:00:00:00:00:00
set status up
set netbios-forward disable
set wins-ip 0.0.0.0
set type physical
set netflow-sampler disable
set sflow-sampler disable
set scan-botnet-connections disable
# Source-address check on ingress is on. Presumably this is the reverse-path
# (anti-spoofing) check; once the third-party firewall is attached, sources
# behind it need a route via ha2 or their packets will be dropped here -
# confirm.
set src-check enable
set sample-rate 2000
set polling-interval 20
set sample-direction both
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set egress-shaping-profile ''
set disconnect-threshold 0
set spillover-threshold 0
set ingress-spillover-threshold 0
set weight 0
set external disable
set description ''
set alias "HA RED EXTERNA"
set l2tp-client disable
set security-mode none
# Device and user identification are enabled on this interface; the ha1
# listing in the same post has device-identification disabled.
set device-identification enable
set device-user-identification enable
set device-access-list ''
set lldp-transmission vdom
set fortiheartbeat disable
set estimated-upstream-bandwidth 0
set estimated-downstream-bandwidth 0
set vrrp-virtual-mac disable
set role lan
set snmp-index 6
set secondary-IP disable
set preserve-session-route disable
set auto-auth-extension-device disable
set ap-discover enable
# IPv6 sub-table: no address assigned (::/0) and no IPv6 management access.
config ipv6
set ip6-mode static
set nd-mode basic
set ip6-address ::/0
unset ip6-allowaccess
set ip6-reachable-time 0
set ip6-retrans-time 0
set ip6-hop-limit 0
set dhcp6-prefix-delegation disable
set dhcp6-information-request disable
set vrrp-virtual-mac6 disable
set vrip6_link_local ::
set ip6-send-adv disable
set autoconf disable
set dhcp6-relay-service disable
end
set speed auto
set mtu-override disable
set wccp disable
set drop-overlapped-fragment disable
set drop-fragment disable
next
end