

robertosc

14 posts

Geek


#278458 17-Oct-2020 18:58

I'm trying to set up port forwarding on my router (DLink DIR-810L) so I can later connect to a camera via DDNS, but it's not working.

 

If I access it using the LAN IP everything works, but if I try my public IP it doesn't. So I'm wondering if NOW blocks the ports.

 

canyouseeme.org also tells me the ports are closed (connection refused).

 

Does NOW block ports or am I doing something wrong?

 


Spyware
2596 posts

Uber Geek

Lifetime subscriber

  #2586714 17-Oct-2020 19:01

I think you'll find that NOW use CG-NAT so port forwarding can't possibly work.

 

https://www.nownz.co.nz/support/technical-support/broadband-help/public-ip-address/





Spark FibreMAX using Mikrotik CCR1009-8G-1S-1S+. UAP, UAP AC Pro, UAP AC Pro Mesh, Apple TV 4, Apple TV 4K, iPad Air 1, iPhone XR, VodaTV Gen 2. If it doesn't move then it's data cabled.


robertosc

14 posts

Geek


  #2586720 17-Oct-2020 19:11

Thanks for your prompt reply.

 

I saw here https://www.nownz.co.nz/support/technical-support/router-help/port-forwards/ that they mention it's possible if I use a "publicly accessible IP address". I assumed they meant I should use my public address instead of the LAN IP... do they mean static IP?

 

If so, does it mean it's impossible to use DDNS services too?


 
 
 
 


Spyware
2596 posts

Uber Geek

Lifetime subscriber

  #2586731 17-Oct-2020 19:30

Yes, DDNS is impossible to use under CG-NAT as public address is not on router WAN interface.





Spark FibreMAX using Mikrotik CCR1009-8G-1S-1S+. UAP, UAP AC Pro, UAP AC Pro Mesh, Apple TV 4, Apple TV 4K, iPad Air 1, iPhone XR, VodaTV Gen 2. If it doesn't move then it's data cabled.
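
The point in the reply above (under CG-NAT the public address is not on the router's WAN interface) can be checked by comparing the WAN address on the router's status page with the address an external checker sees. The following Python sketch is an added example, not part of the thread or any poster's code; the function names are hypothetical and the sample addresses are constructed.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT (CG-NAT).
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: on the WAN side they mean another NAT sits upstream.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip):
    """Return 'cgnat', 'private' or 'public' for the router's WAN address."""
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT_NET:
        return "cgnat"
    if any(addr in net for net in RFC1918_NETS):
        return "private"
    return "public"


def port_forward_can_work(wan_ip, observed_public_ip):
    """Decide whether an inbound port forward on this router is reachable.

    wan_ip: address shown on the router's WAN/Internet status page.
    observed_public_ip: address an external "what is my IP" service reports.
    Returns (bool, reason).
    """
    kind = classify_wan(wan_ip)
    if kind == "cgnat":
        return False, "WAN address is in 100.64.0.0/10: the ISP is doing CG-NAT"
    if kind == "private":
        return False, "WAN address is RFC 1918: another NAT device is upstream"
    if ipaddress.ip_address(wan_ip) != ipaddress.ip_address(observed_public_ip):
        return False, "WAN and externally observed addresses differ: NAT upstream"
    return True, "public address is on the WAN interface"


if __name__ == "__main__":
    # Constructed sample values (203.0.113.0/24 is a documentation range).
    samples = [("100.72.10.5", "203.0.113.20"),
               ("192.168.1.2", "203.0.113.20"),
               ("203.0.113.20", "203.0.113.20")]
    for wan, seen in samples:
        ok, why = port_forward_can_work(wan, seen)
        print(f"WAN {wan:<14} seen as {seen:<14} -> {'OK' if ok else 'NO'}: {why}")
```
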


snnet
947 posts

Ultimate Geek

Subscriber

  #2586741 17-Oct-2020 19:52

Does your camera system have a P2P configuration? I've used this on CCTV and alarm monitoring systems on CGNAT connections with success (and it's more secure than opening ports directly from the internet) 

 

If you get in touch with NOW they may shift you off CGNAT (they'll tell you if there's a charge or not).


Jase2985
10014 posts

Uber Geek

Lifetime subscriber

  #2586785 17-Oct-2020 21:29

You shouldn't be port forwarding a camera anyways. You are just leaving yourself open to be hacked.


michaelmurfy
/dev/null
9634 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #2586787 17-Oct-2020 21:35

This is where I think CG-NAT is good. Port forwarding to security cameras is always a giant no-no for security.

 

Also I note you've got port forwards to your Xbox etc. This is again a giant "don't do this". Port forwarding should never have to be done unless you've explicitly got a service you want to expose to everyone on the internet. And I note you've got a port forward to your Raspberry Pi etc. Unless you understand security then again, don't do this. Instead this is where a VPN comes in.

 

But behind CG-NAT, port forwarding won't work at all anyway.





cyril7
7846 posts

Uber Geek

Trusted
Subscriber

  #2586792 17-Oct-2020 22:00

Scary, kids out playing in back streets with drug dealers and pimps about... Not good.

Cyril

 
 
 
 


robertosc

14 posts

Geek


  #2588031 19-Oct-2020 22:23

The system is a TruVision NVR 10, I don’t think it has a P2P feature. It was working previously with a DDNS.
Does it mean the whole DDNS concept that the system relies on by default and that ADT (security company that installed the camera) uses is not safe? I mean, my understanding is that DDNS needs port forwarding unless my NVR is connected straight to the internet.
Thanks!

nztim
982 posts

Ultimate Geek

Subscriber

  #2588037 19-Oct-2020 22:48

robertosc: The system is a TruVision NVR 10, I don’t think it has a P2P feature. It was working previously with a DDNS.
Does it mean the whole DDNS concept that the system relies on by default and that ADT (security company that installed the camera) uses is not safe? I mean, my understanding is that DDNS needs port forwarding unless my NVR is connected straight to the internet.
Thanks!


No, it means you were not on CG-NAT when it worked. When an RSP introduces CG-NAT and they use port-based authentication, as NOWNZ do, each ASID needs to be moved one by one into a CG-NAT pool.

This takes time to complete.

Moving on, look at a camera system that connects to the cloud, or ask NOW for a static, but make sure you fully understand the security risks.

sbiddle
29280 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #2588080 20-Oct-2020 07:21

robertosc: The system is a TruVision NVR 10, I don’t think it has a P2P feature. It was working previously with a DDNS.
Does it mean the whole DDNS concept that the system relies on by default and that ADT (security company that installed the camera) uses is not safe?

 

100% correct. You should NEVER be using port forward to an NVR regardless of brand. If ADT still recommend that it really shows they lack any basic knowledge of network security - the fact they're a "security" company doesn't mean a lot at the end of the day.

 

NVRs and IP cameras would be one of the most hacked devices online in the world. You only need to look at the tens of thousands of cameras online on the insecam website to see that. Creating port forwards to an NVR is a bit like leaving your door unlocked when you go out and determining that you're safe because nobody will try your door handle. It's very much a false sense of security. Bots scan the Internet 24/7, and even if they don't know your password, that doesn't mean much, as services such as ONVIF are often left open with no authentication on many older cameras and NVRs.

 

The problems don't just extend to people being able to view your cameras; multiple NVR brands have been exploited for all sorts of things ranging from DNS amplification attacks to mining crypto.

 

The only way you should ever access an NVR is via a VPN connection.

 

You can't have remote access via a port forward (and all your other port forwards don't actually do anything either) since you have a CG-NAT IP address.

 

 


jjnz1
1198 posts

Uber Geek

Subscriber

  #2588087 20-Oct-2020 07:59

While I very much agree with port forwarding being a big risk that often gets exploited, the OP needs a solution for an existing system.

I would expect most CCTV installers to provide the system and assist in opening ports. I unfortunately wouldn't expect them to assist with a VPN, reverse proxy with 2FA etc. as it is not within their scope of work.

OP, ask for a static IP and it should work OR switch providers to one that doesn't utilise CGNAT.

NOTE: should you become a target for an opportunistic hacker, it would be very easy for them to access your CCTV system, and any other computers/TVs in your house through your CCTV system IF you rely on opening ports.

If you know an IT friend, ask them to set up VPN access to your CCTV system, and close all other ports.

An alternative would be to sell your current set up, and purchase a CCTV system that provides its own remote access without the need to open ports (i.e. Google Nest or Arlo).

Hope this helps.

mdf
2683 posts

Uber Geek

Trusted
Subscriber

  #2588205 20-Oct-2020 11:18

I wrote a noobs guide to VPN a while back when I was learning about these things: https://www.geekzone.co.nz/forums.asp?forumid=46&topicid=245015

 

You will still need either a static IP or public dynamic IP, not CG-NAT.


nztim
982 posts

Ultimate Geek

Subscriber

  #2588229 20-Oct-2020 11:29

mdf:

 

I wrote a noobs guide to VPN a while back when I was learning about these things: https://www.geekzone.co.nz/forums.asp?forumid=46&topicid=245015

 

You will still need either a static IP or public dynamic IP, not CG-NAT.

 

 

Just read your guide, that looks really good!

 

My only gripe with OpenVPN is that outwards connections on 1194 are often blocked at places like hotels etc.


robertosc

14 posts

Geek


  #2588322 20-Oct-2020 13:13

Owo, really thank you guys, you were all very supportive!

 

That insecam website was scary. I can live without being able to access it for now - I also have some Arlo cameras. I don't have a lot of network knowledge but I'm a programmer so I should be able to set up the VPN some day... in the future... maybe.

 

I live in a "nice neighbourhood" in Auckland, but three years ago some guys knocked on my door, I opened, they beat me and stole my stuff. So I hired ADT and installed these cameras, which I paid a pretty penny for, so I don't want to get rid of it. Since it was pretty traumatic, I also bought the Arlos too. You know, redundancy...

 

Anyway, thank you all very much!

