Geekzone: technology news, blogs, forums


48 posts

Geek
+1 received by user: 6


Topic # 203135 19-Sep-2016 13:00

I have just joined Flip and have possibly found out the hard way that I can no longer access my security cameras and IP alarm. Searching their support didn't alert me that there would be any problems accessing any devices on my internal LAN. Support has been absolutely hopeless and don't even seem to understand my problem. It wasn't until I read this forum that I learned there is such a thing as CG-NAT and Flip uses this so is probably my issue.

So, before I change ISPs again, is there any way around this to allow my phone apps to access my alarm and cameras via IP again? There is mention in a couple of threads here about VPN etc but that's more aimed at web hosting etc and I don't know enough about it.

Is it normal with CG-NAT even with a fast polling Dyn DNS service that I wouldn't be able to reach a forwarded port at my LAN?


21532 posts

Uber Geek
+1 received by user: 4385

Trusted
Subscriber

  Reply # 1635820 19-Sep-2016 13:07
One person supports this post

No. You could mess around with an outgoing VPN to a provider that provides a real IP address but those are rare and not cheap.

If you can't get a real IP out of them then change ISP and tell them not fit for purpose and that you are not going to be paying the termination fee as a result. Hiding this as they do is IMO false advertising as it isn't really an internet connection if it only goes one way.





Richard rich.ms

2065 posts

Uber Geek
+1 received by user: 342

Lifetime subscriber

  Reply # 1635824 19-Sep-2016 13:14

Spin up OpenVPN server on an AWS (Sydney) virtual machine maybe.

 

Note: Flip don't provide public IPs under any circumstances.





Ross

 

Spark FibreMAX using Mikrotik CCR1009-8G-1S-1S+

 




27128 posts

Uber Geek
+1 received by user: 6572

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1635874 19-Sep-2016 13:53
One person supports this post

Slightly OT, I hope you didn't have port forwards to your cameras and were using a VPN. Having port forwards to devices such as alarms, cameras etc is extremely insecure and should be avoided unless these are locked down to whitelisted IPs.

A CG-NAT connection does not provide a public IP so it's not possible to connect directly to your router from the Internet.


622 posts

Ultimate Geek
+1 received by user: 12


  Reply # 1635876 19-Sep-2016 14:00

Don't you just use a DynDNS service.. that updates the given IP provided by your ISP? That's how I always do it.

A Windows tray program like dynsite for Windows, or even IP camera firmware, has a section that can call a given DynDNS service provider and update the new IP every 30 min or alike.

There's free dynamic DNS out there with a monthly nag to click and confirm.

I use this firm:

https://www.noip.com/

but for like a small fee per year you can get rid of the nag.


21532 posts

Uber Geek
+1 received by user: 4385

Trusted
Subscriber

  Reply # 1635881 19-Sep-2016 14:08

kiwigeek1:

Don't you just use a DynDNS service.. that updates the given IP provided by your ISP? That's how I always do it.

A Windows tray program like dynsite for Windows, or even IP camera firmware, has a section that can call a given DynDNS service provider and update the new IP every 30 min or alike.

There's free dynamic DNS out there with a monthly nag to click and confirm.

Only works if the IP is directly accessible. The tray app will end up with the external IP of the ISP, which will have a good chance that the port will not come back to you.

Some UDP stuff that has sent first to establish the NAT entry on their gear will end up open. I have not bothered to see if the CGNAT on my Bigpipe connection works that way or not, but this is how VoIP etc still works, but incoming TCP connections will not be possible.





Richard rich.ms
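The point made above (a dynamic DNS updater publishes whatever address the ISP's NAT presents, not one that routes back to your router) can be checked by comparing two addresses. This is an added example, not part of the original thread; the function names and the sample addresses are constructed for illustration, and the only external fact relied on is that 100.64.0.0/10 is the RFC 6598 shared range reserved for carrier-grade NAT.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip, ddns_observed_ip):
    """Classify a connection from two addresses (hypothetical helper).

    router_wan_ip    -- address shown on the router's WAN interface
    ddns_observed_ip -- address the dynamic DNS service saw the update from
    """
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(ddns_observed_ip)
    if wan in CGNAT_SHARED:
        return "cgnat"          # ISP is translating in the shared range
    if any(wan in net for net in RFC1918):
        return "upstream-nat"   # private WAN address, NAT further upstream
    if wan != seen:
        return "translated"     # WAN looks public but is rewritten in transit
    return "public"             # DDNS name points straight at the router


def port_forward_reachable(router_wan_ip, ddns_observed_ip):
    """An inbound TCP port forward can only work on a 'public' connection."""
    return classify_wan(router_wan_ip, ddns_observed_ip) == "public"


# Constructed sample pairs (documentation address ranges), not real hosts.
SAMPLES = [
    ("100.72.14.9", "203.0.113.50"),
    ("192.168.1.2", "203.0.113.50"),
    ("198.51.100.7", "203.0.113.50"),
    ("203.0.113.50", "203.0.113.50"),
]

if __name__ == "__main__":
    for wan, seen in SAMPLES:
        verdict = classify_wan(wan, seen)
        ok = port_forward_reachable(wan, seen)
        print(f"WAN {wan:<15} DDNS sees {seen:<15} -> {verdict:<12} "
              f"inbound forward possible: {ok}")
```
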

622 posts

Ultimate Geek
+1 received by user: 12


  Reply # 1635885 19-Sep-2016 14:18

Well, first I heard of CG-NAT on ISPs .. so now I see a new problem he's experiencing..

Geez, I hope we aren't forced to IPv6 as there's a few issues with it.

They say this:

Carrier Grade NAT (CGN) which uses IPv6 instead of the old standard IPv4 we use today.

This basically means you can no longer port forward. IP cameras and many other applications require port forwarding so they can be accessible from the internet outside the home. Many gamers also require this ability.

Eventually everyone will be on IPv6

.. allows many subscribers to be on same IP address and ISP routes traffic to each subscriber from web side

So I guess that's the problem, their routing and killing direct device access to video stream.

They do say run a VPN over it and can then use DynDNS to that IP to access the cameras.

Perhaps there's a how-to guide.


622 posts

Ultimate Geek
+1 received by user: 12


  Reply # 1635891 19-Sep-2016 14:29

Also how is accessing IP cameras via port forwarding from router insecure.. you generally have user ACL

and passwords and also most IP cameras log and can email whenever it's accessed

but any hacker could use bruteforce

I wouldn't use an admin level for remote access though myself

however alarm access via web, that's kinda scary...

I see some shows covering this type of security and hacking.. what's its name now. hmm

I think it's cyberwar? and also another interesting show is dark net

prob can find on a stream somewhere or YouTube some


27128 posts

Uber Geek
+1 received by user: 6572

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1635893 19-Sep-2016 14:32

IPv6 is an individual IPv6 address that is publicly routable to every device on your network. IPv6 does NOT use CG-NAT and doesn't even use NAT.

99% of applications do not require port forwards hence CG-NAT not being an issue for 99% of Internet users. It is only users who have specific use cases that need a public IP address. As I mentioned though you should never have port forwards set to cameras anyway, these should always be locally accessible on your network. If you want access you should have whitelisted IPs (sometimes very difficult) or be using a VPN for access.


27128 posts

Uber Geek
+1 received by user: 6572

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 1635896 19-Sep-2016 14:33
One person supports this post

kiwigeek1:

Also how is accessing IP cameras via port forwarding from router insecure.. you generally have user ACL

and passwords and also most IP cameras log and can email whenever it's accessed

but any hacker could use bruteforce

I wouldn't use an admin level for remote access though myself

You're clearly not aware of the huge number of CCTV systems that have been exploited over the years. Do you have ONVIF cameras? Most don't even need a username or password to access an ONVIF stream.


21532 posts

Uber Geek
+1 received by user: 4385

Trusted
Subscriber

  Reply # 1635899 19-Sep-2016 14:42

kiwigeek1:

Also how is accessing IP cameras via port forwarding from router insecure.. you generally have user ACL

and passwords and also most IP cameras log and can email whenever it's accessed

Because they are insecure things running on a full Linux operating system, so a very desirable target to take over, and running services written by someone with no clue about security so things like passing command lines thru the URL and similar are often possible.

If you have one from a real supplier like Dahua or Hikvision and are up to date then you might be OK, but generic Chinese rebrands will be swiss cheese to someone that wants to try. Best case they just constantly crash the NVR when scanning it, worst case, they get in and use it as a point to start going after somewhere else, or pull your email credentials off it and start spamming out via it.





Richard rich.ms

622 posts

Ultimate Geek
+1 received by user: 12


  Reply # 1635900 19-Sep-2016 14:42

No, I just use 50-100 buck China ones on the house, not talking commercial sites or old cameras

that lack ID/passwords.. (you think they would be replaced or firmware updated though)

even if they access, not much they could do apart from move them about and see who's outside lol

don't think my China cameras allow admin access to see email details and other things

this is a good article..

http://chrisgrundemann.com/index.php/2011/nat444-cgn-lsn-breaks/

seems the whole world needs to switch instantly to IPv6 to rid this kind of NAT

to allow end to end connections like it should be


21532 posts

Uber Geek
+1 received by user: 4385

Trusted
Subscriber

  Reply # 1635905 19-Sep-2016 14:51

kiwigeek1:

No, I just use 50-100 buck China ones on the house, not talking commercial sites or old cameras

that lack ID/passwords.. (you think they would be replaced or firmware updated though)

even if they access, not much they could do apart from move them about and see who's outside lol

No, they generally do not care about what the camera is looking at, they care about using it to scan your LAN for other things that can be exploited, or just using them as part of a botnet to DDoS people.

http://securityaffairs.co/wordpress/30451/cyber-crime/how-hackers-exploit-dvrs.html

This video shows one of the many automated hacking tools to get into one particular system. https://www.youtube.com/watch?v=5r-_jw67UGc

And here is one of the exploits against a large OEM vendor's gear http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

If none of what those pages say means anything to you, then you should not be putting appliances on the internet where they are globally accessible with blind faith in the programmers' ability to implement any form of authentication, let alone the cleartext on http crap that most seem to implement.





Richard rich.ms

919 posts

Ultimate Geek
+1 received by user: 224

Subscriber

  Reply # 1635912 19-Sep-2016 15:02

sbiddle:

You're clearly not aware of the huge number of CCTV systems that have been exploited over the years. Do you have ONVIF cameras? Most don't even need a username or password to access an ONVIF stream.

Exactly this, even the good ones like Hikvision have a lot of cameras that suffer from this vulnerability - go to http://ipaddress/onvif/snapshot in an incognito browser session if you'd like to test it out yourself.




48 posts

Geek
+1 received by user: 6


  Reply # 1635914 19-Sep-2016 15:11

OK, thanks everyone, that has confirmed my fears. I will now have to seek a new ISP.

sbiddle:

Slightly OT, I hope you didn't have port forwards to your cameras and were using a VPN. Having port forwards to devices such as alarms, cameras etc is extremely insecure and should be avoided unless these are locked down to whitelisted IPs.

A CG-NAT connection does not provide a public IP so it's not possible to connect directly to your router from the Internet.

My cameras are not directly accessible on my LAN, they connect to an NVR. So only the NVR needs a port forwarded to allow viewing on a mobile app. I don't use whitelisted IPs as I suspect a mobile phone's IP would change regularly? So I'm sure there are vulnerabilities but it is a mainstream brand (Dahua) and Google doesn't find any reports from any experts complaining about them being particularly vulnerable so I can live with that. Similar with my alarm, it is a well known IP module and I think I have it networked as per the manufacturer's recommendation so I assume they did have some consideration about security.

You will never stop everyone I guess. I think the bigger risk today is still the dumb burglar that will throw a brick through a window and grab what they can even with the alarm screaming and cameras recording. It's probably unlikely there are many burglars in NZ that are interested and smart enough to hack my network & IP devices to disable my alarm. If someone was smart and hacked my cameras they could put a pic of my dick on the interweb but there is probably not too much reward in that...




48 posts

Geek
+1 received by user: 6


  Reply # 1635925 19-Sep-2016 15:14

Adamww:

My cameras are not directly accessible on my LAN, they connect to an NVR.

Correcting myself here. My cameras are not IP at all. They are analog HDCVI. DVR still has a port forwarded though.

