

robertosc
#278458 17-Oct-2020 18:58

I'm trying to set up port forwarding on my router (D-Link DIR-810L) so I can later connect to a camera via DDNS, but it's not working.

If I access it using the LAN IP everything works, but if I try my public IP it doesn't. So I'm wondering if NOW blocks the ports.

canyouseeme.org also tells me the ports are closed (connection refused).

Does NOW block ports or am I doing something wrong?

 


Spyware
#2586714 17-Oct-2020 19:01

I think you'll find that NOW use CG-NAT so port forwarding can't possibly work.

https://www.nownz.co.nz/support/technical-support/broadband-help/public-ip-address/





Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.
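A quick way to check for yourself whether the router actually holds the public address, as an added example that is not from this thread or from NOW: compare the address the router reports on its WAN interface with the address an outside service (like canyouseeme.org) sees you coming from, and check the WAN address against the carrier-grade NAT range from RFC 6598. All addresses in the block are constructed sample values; the function names are the example's own.

```python
"""Classify a router's WAN address to tell a real public IP from a CG-NAT or
double-NAT address, which is why inbound port forwards and DDNS fail here.
Added example; addresses below are constructed sample values."""
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream
# (an ISP gateway or a modem in router mode).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, observed_ip: str) -> str:
    """Compare the router's WAN address with the address an outside service
    reports for the same connection.

    Returns:
      "cgnat"      WAN address is in 100.64.0.0/10 (ISP carrier-grade NAT).
      "double-nat" WAN address is RFC 1918 private space.
      "public"     WAN address equals what the outside sees; the router owns
                   the public address, so forwards and DDNS can work.
      "mismatch"   WAN address is globally routable but not what the outside
                   sees; treat as NAT until explained.
    """
    wan = ipaddress.ip_address(wan_ip)
    observed = ipaddress.ip_address(observed_ip)
    if wan in SHARED_ADDRESS_SPACE:
        return "cgnat"
    if any(wan in net for net in PRIVATE_RANGES):
        return "double-nat"
    if wan == observed:
        return "public"
    return "mismatch"


def port_forward_can_work(wan_ip: str, observed_ip: str) -> bool:
    """A DDNS name pointing at observed_ip only reaches this router, and an
    inbound forward only has effect, when the router owns that address."""
    return classify_wan(wan_ip, observed_ip) == "public"


if __name__ == "__main__":
    # Constructed readings: (router WAN address, address seen from outside).
    samples = [("100.72.13.9", "203.0.113.45"),
               ("203.0.113.45", "203.0.113.45"),
               ("192.168.1.2", "203.0.113.45")]
    for wan, seen in samples:
        print(f"WAN {wan:>15} seen as {seen:>15}: {classify_wan(wan, seen)}")
```

The WAN address is read from the router's status page; the outside view is whatever address a "what is my IP" style service reports for the same connection.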




robertosc
#2586720 17-Oct-2020 19:11

Thanks for your prompt reply.

I saw here https://www.nownz.co.nz/support/technical-support/router-help/port-forwards/ that they mention it's possible if I use a "publicly accessible IP address". I assumed they meant I should use my public address instead of the LAN IP... do they mean static IP?

If so, does it mean it's impossible to use DDNS services too?


Spyware
#2586731 17-Oct-2020 19:30

Yes, DDNS is impossible to use under CG-NAT, as the public address is not on the router's WAN interface.









snnet
#2586741 17-Oct-2020 19:52

Does your camera system have a P2P configuration? I've used this on CCTV and alarm monitoring systems on CGNAT connections with success (and it's more secure than opening ports directly from the internet).

If you get in touch with NOW they may shift you off CGNAT (they'll tell you if there's a charge or not).


Jase2985
#2586785 17-Oct-2020 21:29

You shouldn't be port forwarding a camera anyway. You are just leaving yourself open to being hacked.


michaelmurfy
#2586787 17-Oct-2020 21:35

This is where I think CG-NAT is good. Port forwarding to security cameras is always a giant no-no for security.

Also I note you've got port forwards to your Xbox etc. This is again a giant "don't do this". Port forwarding should never have to be done unless you've explicitly got a service you want to expose to everyone on the internet. And I note you've got a port forward to your Raspberry Pi etc. Unless you understand security then again, don't do this. Instead, this is where a VPN comes in.

But behind CG-NAT, port forwarding won't work at all anyway.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


cyril7
#2586792 17-Oct-2020 22:00

Scary: kids out playing in back streets with drug dealers and pimps about... Not good.

Cyril

robertosc
#2588031 19-Oct-2020 22:23

The system is a TruVision NVR 10, I don’t think it has a P2P feature. It was working previously with a DDNS.
Does it mean the whole DDNS concept that the system relies on by default and that ADT (security company that installed the camera) uses is not safe? I mean, my understanding is that DDNS needs port forwarding unless my NVR is connected straight to the internet.
Thanks!

nztim
#2588037 19-Oct-2020 22:48

robertosc: The system is a TruVision NVR 10, I don’t think it has a P2P feature. It was working previously with a DDNS.
Does it mean the whole DDNS concept that the system relies on by default and that ADT (security company that installed the camera) uses is not safe? I mean, my understanding is that DDNS needs port forwarding unless my NVR is connected straight to the internet.
Thanks!


No, it means you were not on CG-NAT when it worked. When an RSP introduces CG-NAT and they use port-based authentication, as NOWNZ do, each ASID needs to be moved one by one into a CG-NAT pool.

This takes time to complete.

Moving on, look at a camera system that connects to the cloud, or ask NOW for a static, but make sure you fully understand the security risks.




Any views expressed on these forums are my own and don't necessarily reflect those of my employer. 


sbiddle
#2588080 20-Oct-2020 07:21

robertosc: The system is a TruVision NVR 10, I don’t think it has a P2P feature. It was working previously with a DDNS.
Does it mean the whole DDNS concept that the system relies on by default and that ADT (security company that installed the camera) uses is not safe?

100% correct. You should NEVER be using a port forward to an NVR regardless of brand. If ADT still recommend that, it really shows they lack any basic knowledge of network security; the fact they're a "security" company doesn't mean a lot at the end of the day.

NVRs and IP cameras would be one of the most hacked devices online in the world. You only need to look at the tens of thousands of cameras online on the insecam website to see that. Creating port forwards to an NVR is a bit like leaving your door unlocked when you go out and deciding that you're safe because nobody will try your door handle. It's very much a false sense of security. Bots scan the Internet 24/7, and even if they don't know your password that doesn't mean much, as services such as ONVIF are often left open with no authentication on many older cameras and NVRs.

The problems don't just extend to people being able to view your cameras; multiple NVR brands have been exploited for all sorts of things ranging from DNS amplification attacks to mining crypto.

The only way you should ever access an NVR is via a VPN connection.

You can't have remote access via a port forward (and all your other port forwards don't actually do anything either) since you have a CG-NAT IP address.

 

 


jjnz1
#2588087 20-Oct-2020 07:59

While I very much agree with port forwarding being a big risk that often gets exploited, the OP needs a solution for an existing system.

I would expect most CCTV installers to provide the system and assist in opening ports. I unfortunately wouldn't expect them to assist with a VPN, reverse proxy with 2FA, etc., as it is not within their scope of work.

OP, ask for a static IP and it should work, OR switch providers to one that doesn't utilise CGNAT.

NOTE: should you become a target for an opportunistic hacker, it would be very easy for them to access your CCTV system, and any other computers/TVs in your house through your CCTV system, IF you rely on opening ports.

If you know an IT friend, ask them to set up VPN access to your CCTV system, and close all other ports.

An alternative would be to sell your current set-up and purchase a CCTV system that provides its own remote access without the need to open ports (i.e. Google Nest or Arlo).

Hope this helps.

mdf
#2588205 20-Oct-2020 11:18

I wrote a noobs guide to VPN a while back when I was learning about these things: https://www.geekzone.co.nz/forums.asp?forumid=46&topicid=245015

You will still need either a static IP or public dynamic IP, not CG-NAT.


nztim
#2588229 20-Oct-2020 11:29

mdf: I wrote a noobs guide to VPN a while back when I was learning about these things: https://www.geekzone.co.nz/forums.asp?forumid=46&topicid=245015
You will still need either a static IP or public dynamic IP, not CG-NAT.

Just read your guide, that looks really good!

My only gripe with OpenVPN is that outward connections on 1194 are often blocked at places like hotels etc.







robertosc
#2588322 20-Oct-2020 13:13

Owo, really thank you guys, you were all very supportive!

That insecam website was scary. I can live without being able to access it for now; I also have some Arlo cameras. I don't have a lot of network knowledge but I'm a programmer, so I should be able to set up the VPN some day... in the future... maybe.

I live in a "nice neighbourhood" in Auckland, but three years ago some guys knocked on my door, I opened, they beat me and stole my stuff. So I hired ADT and installed these cameras, which I paid a pretty penny for, so I don't want to get rid of them. Since it was pretty traumatic, I also bought the Arlos too. You know, redundancy...

Anyway, thank you all very much!

