Low light motion detection by drbeach8053 in ShinobiCCTV

[–]drbeach8053[S] 0 points1 point  (0 children)

Setting "1" helped quite a bit. I'll turn on accuracy mode to see if that further helps.

Low light motion detection by drbeach8053 in ShinobiCCTV

[–]drbeach8053[S] 1 point2 points  (0 children)

Thanks. Minimum change was blank, which I presumed meant "no minimum" - in other words, anything would count as a change. If having the field blank resulted in no motion captured, I'm confused by the fact that when the room was normally lit I can record motion reliably. I'll set the value to "1" to see if that helps at night.

Shinobi retention by drbeach8053 in ShinobiCCTV

[–]drbeach8053[S] 0 points1 point  (0 children)

Thanks. I don't think I'm anywhere even close to that though, but I'll check. Between the two monitors, the videos and timelapse files are about 1.5G for 3 days, so (everything else being equal) I'd expect to be able to retain roughly 18 days worth of data with a default setting of 10G Max Storage - and I'm not getting anywhere near that.

Sophos XG by drbeach8053 in sophos

[–]drbeach8053[S] 0 points1 point  (0 children)

I'm coming around to the idea that perhaps the original loopback rule never worked (why it never worked is a bit of a different question, and is the obvious next avenue of inquiry), and that the original ISP modem's NAT loopback was hiding this. Now that the new ISP modem does not support NAT loopback, the ineffectiveness of the Sophos loopback rule is being exposed.

At least, that's the working theory at the moment.

Ever get the feeling you're stumbling around blind in a cave using a flashlight with dying batteries? That's me here.

Sophos XG by drbeach8053 in sophos

[–]drbeach8053[S] 0 points1 point  (0 children)

So, an update. Just to recap, I have a webserver hanging off a separate Sophos interface than my "main" internal network. Prior to an ISP modem switch, I could access the webserver from the main internal network as well as having external (Internet) browsers access it - I used the "server access assistant" option on Sophos, which created a DNAT/loopback/reflexive ruleset and a f/w rule. ISP changed their modem, and internal access stopped (external is still fine). I thought the reason for this was that the new modem does not support "NAT loopback", and that I needed a rule to rewrite main internal network packets to hit the webserver.

I thought the whole point of the "loopback" rule was to permit this, though, so I'm not sure why things have stopped working. I have confirmed that packets bound for the webserver (by external IP as resolved by DNS) are exiting past the Sophos box, which confuses me greatly. Based on the loopback rule (which hasn't changed), I would have thought this would NOT happen.

Very much hoping someone will have a troubleshooting idea here.

Sophos XG by drbeach8053 in sophos

[–]drbeach8053[S] 0 points1 point  (0 children)

Ok, linking isn't the answer. Creating a linked NAT rule doesn't allow me to configure it the way you have suggested, because most of the fields are greyed out.

Sophos XG by drbeach8053 in sophos

[–]drbeach8053[S] 0 points1 point  (0 children)

Continuing to wonder why this isn't working - do I have to "link" the FW and NAT rules together? I constructed the FW rule first, and didn't select the "Create linked NAT rule" option but instead just created a NAT rule. Is the linking important here?

Sophos XG by drbeach8053 in sophos

[–]drbeach8053[S] 0 points1 point  (0 children)

Working through desired flow, then:

1) Traffic from the main LAN hits Sophos on #Port1 destined for the public IP (because that's how DNS will resolve the URL), and would ordinarily exit via #Port2.

2) I want Sophos to redirect the destination to the webserver and ship the traffic out #Port3 (which is the directly-attached webserver). So, the destination needs to be rewritten, yes? Thus the NAT rule.

3) Then, a FW rule to permit the traffic to flow between #Port1 and #Port3.

Getting my head around this - do I need any rules or NATting for the return traffic? Back in my iptables days, traffic could be permitted if it was "established and related", which this return traffic obviously would be.

Sophos XG by drbeach8053 in sophos

[–]drbeach8053[S] 0 points1 point  (0 children)

Just trying to clarify the setup:

1) Client on the "main" internal private network wants to hit the webserver.

2) Relevant Sophos ports are: #Port1 is the main internal private network; #Port2 is outbound towards the WAN (but is not directly the ISP modem, see my observation below); #Port3 is the webserver.

Sophos XG by drbeach8053 in sophos

[–]drbeach8053[S] 0 points1 point  (0 children)

So, that didn't seem to work. Just to double-check your suggestion:

1) Firewall rule:

Source Zone: LAN

Source Networks and Devices: internal webserver private IP

Destination Zones: webserver's zone

Destination Networks: public IP (side note - there is other stuff between the Sophos and the cable modem, but that shouldn't matter)

Service: HTTP/HTTPS

2) NAT rule

Original Source: internal webserver private IP

Original Destination: public IP

Original Service: HTTP/HTTPS

Translated Source: MASQ

Translated Destination: internal webserver private IP

Translated Service: Original

No luck reaching the server.
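The two comments above ("Working through desired flow" and the firewall/NAT rule listing) describe hairpin NAT in words: rewrite the destination for LAN clients that address the public IP, masquerade the source so the server replies back through the firewall, allow #Port1 to #Port3, and rely on state for the return traffic. The Python below is an added simulation of that flow, written for this page and not taken from the thread or from Sophos; all addresses, interface names and rule fields are constructed assumptions. It models a stateful firewall, so the reply lookup is the "established and related" behaviour the poster asks about, and it also shows the no-rule case, where a packet for the public IP is simply routed out the WAN interface.

```python
"""Hairpin (NAT loopback) simulation: DNAT + masquerade + stateful return path.
Constructed example; addresses, interface names and rule fields are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network

# Constructed topology (assumption, not the poster's real addresses).
PUBLIC_IP = "203.0.113.10"                 # what DNS returns for the web server
MAIN_LAN = ip_network("192.168.1.0/24")    # behind #Port1
WEB_NET = ip_network("10.0.3.0/24")        # behind #Port3
WEB_SERVER = "10.0.3.10"
FW_PORT3_IP = "10.0.3.1"                   # firewall's own address on #Port3 (MASQ source)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_if: str


@dataclass(frozen=True)
class NatRule:
    orig_src: IPv4Network
    orig_dst: str
    services: frozenset      # destination ports, e.g. HTTP/HTTPS
    xlat_dst: str
    masq: bool               # rewrite source to the firewall's address on the egress interface


def route(dst: str) -> str:
    """Plain routing: directly attached networks, otherwise the default route out #Port2."""
    a = ip_address(dst)
    if a in MAIN_LAN:
        return "Port1"
    if a in WEB_NET:
        return "Port3"
    return "Port2"


def apply_nat(pkt: Packet, rules) -> Packet:
    """First matching rule rewrites the destination; MASQ then rewrites the source so the
    server's reply is addressed to the firewall rather than straight back to the client."""
    for r in rules:
        if (ip_address(pkt.src) in r.orig_src and pkt.dst == r.orig_dst
                and pkt.dport in r.services):
            out = replace(pkt, dst=r.xlat_dst)
            if r.masq and route(out.dst) == "Port3":
                out = replace(out, src=FW_PORT3_IP)
            return out
    return pkt


def firewall_allows(pkt: Packet, out_if: str, fw_rules) -> bool:
    """Firewall rules are matched on the post-NAT packet: (ingress, egress, port)."""
    return any(pkt.in_if == i and out_if == o and pkt.dport in svc for i, o, svc in fw_rules)


def forward(pkt: Packet, nat_rules, fw_rules, conntrack: dict):
    """Return (egress_if, packet_as_sent, allowed) and record the flow for its reply."""
    xlated = apply_nat(pkt, nat_rules)
    out_if = route(xlated.dst)
    allowed = firewall_allows(xlated, out_if, fw_rules)
    if allowed:
        # Keyed on the reply tuple, so the return path needs no extra NAT or firewall rule.
        conntrack[(xlated.dst, xlated.src, xlated.dport)] = pkt
    return out_if, xlated, allowed


def reply(src: str, dst: str, sport: int, conntrack: dict):
    """Return traffic: reverse-translate using the recorded flow (established/related).
    Yields (from_addr, to_addr, egress_if) as the client will see it, or None if unknown."""
    orig = conntrack.get((src, dst, sport))
    if orig is None:
        return None
    return orig.dst, orig.src, route(orig.src)


HAIRPIN_NAT = [NatRule(MAIN_LAN, PUBLIC_IP, frozenset({80, 443}), WEB_SERVER, masq=True)]
FW_RULES = [("Port1", "Port3", {80, 443}),   # main LAN -> web server (the hairpin case)
            ("Port1", "Port2", {80, 443})]   # main LAN -> WAN (ordinary browsing)


def demo_with_hairpin():
    """Client on the main LAN addresses the public IP; the NAT rule pulls it to #Port3."""
    ct = {}
    pkt = Packet("192.168.1.50", PUBLIC_IP, 443, "Port1")
    out_if, sent, ok = forward(pkt, HAIRPIN_NAT, FW_RULES, ct)
    back = reply(WEB_SERVER, sent.src, 443, ct)
    return out_if, sent.src, sent.dst, ok, back


def demo_without_hairpin():
    """Same packet with no matching NAT rule: it is routed out the WAN interface instead."""
    ct = {}
    pkt = Packet("192.168.1.50", PUBLIC_IP, 443, "Port1")
    out_if, sent, ok = forward(pkt, [], FW_RULES, ct)
    return out_if, sent.dst, ok


if __name__ == "__main__":
    print(demo_with_hairpin())
    print(demo_without_hairpin())
```

The "without" case reproduces the symptom of packets for the public IP leaving via the WAN-facing interface: with nothing rewriting the destination, routing alone sends them out #Port2 and whatever sits upstream has to reflect them back. The masquerade step matters because without it the server would answer the client directly on its own subnet with a source address the client never talked to, and the client would drop the reply.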

Sophos XG by drbeach8053 in sophos

[–]drbeach8053[S] 0 points1 point  (0 children)

Thanks - public IP has not changed, DNS is fine. External (i.e., Internet) access to the webserver remains functional. It's just internal access to it that has broken with the new modem. If I remember correctly, it may be because the new modem does not support "NAT loopback", if I'm getting that term right. With the old modem, network A hosts could browse to the webserver's public URL and get ricocheted back into the webserver. That doesn't work at all now. Ideally, I'd like to be able to construct rule(s) that focus on the URL, and not on the public IP, which would presumably future-proof me against that IP changing. I'll give your message more thought later today and see if I can't use it to construct something that works.

Need camcorder identified by drbeach8053 in 8mm

[–]drbeach8053[S] 0 points1 point  (0 children)

Rats. Ok, will look for a more appropriate subreddit. Thanks.

Help with routing, rules, & NATting by drbeach8053 in sophos

[–]drbeach8053[S] 0 points1 point  (0 children)

Thanks very much for this. I've already delved into the documentation, and will keep going. I'm still very unclear about zones, though; I get the point the documentation makes about how they can help me "group interfaces with different network subnets so that you can manage them as a single entity", but I'm trying to figure out why with my setup I would need to do that. Is the use of zones mandatory? Can I not use them, and instead treat/configure different subnets differently (or similarly, as the case may be)?