Geekzone: technology news, blogs, forums


inspectaclueso

29 posts

Geek


#265432 21-Jan-2020 15:14

Few points regarding the above...

 

     

  1. This forum is a great resource for information when ISPs let you down.  Wish I'd looked here first instead of going through 'proper' channels.
  2. If you are trying to set up port forwarding/remote access on Spark Wireless Broadband... STOP!  It won't work unless you order a fixed IP for $15 p/m as the connection uses CG-NAT.
  3. Should a Spark representative see this post, it would be great if your help desk staff could be a little more knowledgeable about the subject.  I'm not talking about help with actual configuration, I'm talking about knowing that their network uses CG-NAT so they can advise that remote access won't work without ordering a fixed IP.

 

 

 

Context...

 

Installed a security system for my in-laws.  Configured router port forwarding/DDNS however remote access failed.  Factory reset router, checked firmware up to date, hardwired NVR to router instead of using wireless AP in client mode.  No go.  Port checker shows configured ports as closed.  Can't contact DDNS name or external IP directly.

 

Contacted Spark chat support and explained what I was trying to do, all actions taken along with screenshots of port forwarding configuration.  Even mentioned it was as if they were using CG-NAT like I'd experienced on BigPipe.  I was told that is beyond the level of support provided.  It was suggested I seek the services of a local tech company.  I explained that I was familiar with the process/configuration however I suspected either the router or connection was blocking incoming traffic.  I was asked "You can browse the internet right?".  Sure, I browsed to the chat page.  "Then there is nothing wrong with your connection".  "You should contact Huawei for support."

 

So I phoned the Huawei 0800 number while still connected to Spark chat.  "As the routers have customised firmware for each provider, please contact your ISP for support."

 

Back to Spark... "You can pay for premium support for a monthly fee or a $150 one-off payment."

 

 

 

Spent the next hour on other ISP websites figuring out how hard/costly it would be to switch them to another ISP and port phone number and keep Xtra email address and if wired connections were still available at their address.

 

Drove home, jumped onto Geekzone and found out the issue within 5 minutes of searching.

 

 

 

Summary...

 

  • Geekzone community is awesome!
  • Spark don't support Spark supplied routers.
  • Port forwarding won't work on Spark Wireless Broadband (without ordering a fixed IP) despite the Spark firmware having port forwarding/virtual server settings.
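
Added example (not part of the original post): a quick way to confirm the CG-NAT symptom described above is to compare the address on the router's WAN/status page with the address an external "what is my IP" service reports. The function names and sample addresses are constructed for illustration; 100.64.0.0/10 is the RFC 6598 shared address space reserved for carrier-grade NAT.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges; on a WAN interface they mean another NAT sits upstream.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def diagnose_wan(router_wan_ip, observed_public_ip):
    """Classify why an inbound port forward can or cannot work.

    router_wan_ip: address shown on the router's WAN/status page.
    observed_public_ip: address an external "what is my IP" service reports.
    """
    wan = ipaddress.ip_address(router_wan_ip)
    public = ipaddress.ip_address(observed_public_ip)

    if wan in CGNAT_NET:
        return "cgnat"               # ISP NAT sits in front of the router
    if any(wan in net for net in PRIVATE_NETS):
        return "upstream-nat"        # double NAT (ISP or another router)
    if wan != public:
        return "address-mismatch"    # translated somewhere upstream anyway
    return "directly-reachable"      # forward can work; filtering is now on you


def port_forward_possible(router_wan_ip, observed_public_ip):
    """True only when the router itself holds the public address."""
    return diagnose_wan(router_wan_ip, observed_public_ip) == "directly-reachable"


# Constructed sample values (documentation ranges, not real addresses).
SAMPLES = [
    ("100.72.14.9", "203.0.113.50"),   # shared address space on the WAN side
    ("10.20.30.40", "203.0.113.50"),   # private address on the WAN side
    ("198.51.100.7", "203.0.113.50"),  # public-looking WAN, but translated
    ("203.0.113.50", "203.0.113.50"),  # WAN address is the public address
]

if __name__ == "__main__":
    for wan_ip, public_ip in SAMPLES:
        print(f"{wan_ip:>15} seen as {public_ip:<15} -> {diagnose_wan(wan_ip, public_ip)}")
```

Any result other than `directly-reachable` means the router's port forwarding/virtual server settings cannot receive inbound connections, whatever the firmware offers.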

 


hio77
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks

  #2402993 21-Jan-2020 15:19

Hi,

 

 

 

The agent should have been able to advise you of this, apologies for the experience.
It is made very clear to our reps that for port forwarding to work, you require a static IP (which yes does cost).

Port forwarding does work, it just requires a static IP.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 




inspectaclueso

29 posts

Geek


  #2402999 21-Jan-2020 15:39

Wish I'd spoken to you, would have saved my last remaining non-grey hairs.  😁

 

While I have your attention... they were kind of pushed onto 4G as "copper lines were on the way out." 

 

If they get a few of their visiting grandkids on the internet at the same time it grinds to a halt.  I read that Twizel, Wanaka and some other areas are getting 5G soon.  Any plans for Fairlie?

 

Alternatively, although 4G was promoted to them as the way forward, can a connection be changed back to VDSL or is copper not being supported anymore?  They had paid for VDSL installation previously so wiring is pre-existing.

 

Thanks in advance.

 

 


hio77
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks

  #2403000 21-Jan-2020 15:46

Copper lines aren't on the way out, but in many cases wireless is a better option.

 

 

 

Might be worth having a chat with the Resolve helpdesk folk, a rollback to VDSL might be the best option for you or possibly just an antenna installation :)

 

I can't comment on 5G future plans, communicable sensitivity etc. 





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 




sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2403013 21-Jan-2020 16:15

I hope you're aware of the security implications of port forwards, particularly if this is to a CCTV system. You should never have a port forward in place to any CCTV system unless it's securely whitelisted to allowed public IP range(s).

 

While Spark FWA has always been CG-NAT by default, the move by 2degrees in particular to move to CG-NAT has done wonders with a few insecure cameras dropping off insecam and Shodan.

 

 


inspectaclueso

29 posts

Geek


  #2403020 21-Jan-2020 16:41

Thanks for the info.

 

I know opening ports up comes with some risk but I thought forwarding traffic to a device with non-default username/password should be relatively normal practice?  The alternative is using the manufacturer's P2P service but that comes with its own risks from what I've read.


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2403021 21-Jan-2020 16:57

inspectaclueso:

 

Thanks for the info.

 

I know opening ports up comes with some risk but I thought forwarding traffic to a device with non-default username/password should be relatively normal practice?  The alternative is using the manufacturer's P2P service but that comes with its own risks from what I've read.

 

 

Password offers zero security if there is an exploit that bypasses the password. It also doesn't stop bots from trying to brute force logins.

The only truly secure remote access is via VPN.

 

 

 

 


snnet
1410 posts

Uber Geek


  #2403140 21-Jan-2020 20:37

This is why I opt for Paradox systems using the SWAN server. Cloud p2p based, doesn't matter if you're on CG-NAT or not.


 
 
 

inspectaclueso

29 posts

Geek


  #2403169 21-Jan-2020 21:45

Yes, this Dahua system has a P2P option that can be activated but my preference was not to use it so as not to rely on a third party server.  However, that is the way I'm having to go.


chevrolux
4962 posts

Uber Geek
Inactive user


  #2403214 21-Jan-2020 21:55

With the amount of issues lately with 'cloud based' systems and security issues with their platforms (yet people still buy Ring!!), I think anyone is completely mad to have anything but local CCTV systems with VPN for remote access.


BarTender
3606 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2404897 22-Jan-2020 18:39

If you want / need this and are technically capable then get a cheap VPS and do an outbound VPN from the home connection so you don't need a static IP.

 

As the person who built the Static IP on Mobile solution after a LOT of pushing to product managers to fund it I was quite concerned about people being DDoSed and either their data stopping (as that was the case with Fixed Wireless Broadband) or getting a large bill like in the old days of overage on wired broadband.

 

I can definitely see the use case but if it's just for CCTV cameras then use an outbound VPN to a known endpoint and then come in over that tunnel IMHO.


inspectaclueso

29 posts

Geek


  #2404909 22-Jan-2020 19:00

I will have to educate myself further about VPNs.  I am familiar with using an outgoing VPN at router or application level but I've not had experience setting up incoming traffic over VPN.

 

Also, as the main two people wanting to view the cameras are the retirement age home owners I don't think expecting them to use a VPN connection on their mobile phones etc. is realistic.

 

 

 

 


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2405114 23-Jan-2020 07:46

Using the Dahua P2P option with secure passwords is probably your best option. Providing this is a legit current generation genuine English Dahua NVR (and not a Chinese model running hacked English firmware) and it is running newer firmware, P2P is the most secure option short of a VPN.

Many of the P2P exploits people talk about are from very old hardware and exploits, many of which are not even Dahua.

 

 


inspectaclueso

29 posts

Geek


  #2405124 23-Jan-2020 08:26

sbiddle:

 

Using the Dahua P2P option with secure passwords is probably your best option. Providing this is a legit current generation genuine English Dahua NVR (and not a Chinese model running hacked English firmware) and it is running newer firmware, P2P is the most secure option short of a VPN.

Many of the P2P exploits people talk about are from very old hardware and exploits, many of which are not even Dahua.

 

 

 

 

 

 

Yes, it is a NZ sourced (CDLNZ) unit.

 

Did look at some of the Dahua gear on AliExpress but didn't want to take a punt with someone else's money.  It seems the NVRs might be genuine as you can update the firmware but the cameras seem to be the problem as they can't be upgraded.

 

 


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #2405155 23-Jan-2020 09:33

inspectaclueso:

 

sbiddle:

 

Using the Dahua P2P option with secure passwords is probably your best option. Providing this is a legit current generation genuine English Dahua NVR (and not a Chinese model running hacked English firmware) and it is running newer firmware, P2P is the most secure option short of a VPN.

Many of the P2P exploits people talk about are from very old hardware and exploits, many of which are not even Dahua.

 

 

 

 

 

 

Yes, it is a NZ sourced (CDLNZ) unit.

 

Did look at some of the Dahua gear on AliExpress but didn't want to take a punt with someone else's money.  It seems the NVRs might be genuine as you can update the firmware but the cameras seem to be the problem as they can't be upgraded.

 

 

 

 

Most Dahua gear on AliExpress, both NVRs and cameras, is hacked Chinese firmware despite the efforts of Dahua to clamp down on this.

 

If you want to buy from there you need to use a reputable seller like Andy from Empire Technology. I deal with him but direct.

 

 


inspectaclueso

29 posts

Geek


  #2405169 23-Jan-2020 10:30

sbiddle:

 

 

 

Most Dahua gear on AliExpress, both NVRs and cameras, is hacked Chinese firmware despite the efforts of Dahua to clamp down on this.

 

If you want to buy from there you need to use a reputable seller like Andy from Empire Technology. I deal with him but direct.

 

 

 

 

Thanks for the tip.

