Home security - do I need a static IP?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Home security - do I need a static IP?

rayonline

1734 posts

Uber Geek

#208311 6-Feb-2017 19:40

They got a 4 camera unit system for one property. From Jaycar, all working good. When they are at home, it works on their smartphone fine but it loses connection after an hour or so .. When they go back to the property it works fine but using that WiFi. So they need a static IP from the ISP? Any other work arounds?

Someone else that were helping them said they can use a Night Hawk router. Is this the case and do they still need a static IP from the ISP? They are with 2Degrees.

Any views appreciated. Thanks.

1 | 2

BDFL - Memuneh
79316 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1716151 6-Feb-2017 19:52

Your post is a bit confusing. Are they port forwarding to this camera? If that's the case, before even going ahead I'd say STOP. Never open up these cameras to the Internet.

Also, they might not need a "Night Hawk router" it may be that the cameras are in an area with low WiFi coverage. Perhaps an area with interference (when neighbours start using their own WiFi the WiFi bandwidth gets cut and the cameras drop). It may be as simple as repositioning the existing router for better coverage.

rayonline

1734 posts

Uber Geek

#1716153 6-Feb-2017 19:57

freitasm:

Your post is a bit confusing. Are they port forwarding to this camera? If that's the case, before even going ahead I'd say STOP. Never open up these cameras to the Internet.

Also, they might not need a "Night Hawk router" it may be that the cameras are in an area with low WiFi coverage. Perhaps an area with interference (when neighbours start using their own WiFi the WiFi bandwidth gets cut and the cameras drop). It may be as simple as repositioning the existing router for better coverage.

Should had been clearer.

Property address 1 - with the security.

Property address 2 - back at their own home.

As the instruction booklet said so yes port forwarding has been enabled.

They were at their own home (different property address) the WiFi is good, the router is in the same living room 8m away from it. It was working on their phones before but just dropped off. Uninstalled the app, and reinstalled it and still not working.

They drove out back to the property with the security and it works fine - again WiFi but in the other property.

freitasm

BDFL - Memuneh
79316 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1716154 6-Feb-2017 19:59

The instruction booklet is a trap!

Do not EVER port forward to cheap cameras - do so and risk it becoming a zombie in a DDoS botnet.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1716157 6-Feb-2017 20:17

Because you should never under any circumstances have port forwards for CCTV gear the whole question is really a moot point. You need to remove these before your system is compromised.

To access the cameras remotely you will need a VPN of some sort, so if the current router doesn't support VPN termination you'll need to look at hardware that supports this if you want remote access.

Obviously to connect remotely you either need a static IP or use a service such as dyndns if your IP changes regularly.

rayonline

1734 posts

Uber Geek

#1716160 6-Feb-2017 20:36

Ok thanks - port forwarding disabled.

Yes the only issues are when we are off site - remotely.

Someone did mention VPN on the phone I think. I am not sure if the security unit itself supports it though. They said it was working at the different address for an hour before it cut off. Then later as they were driving there it worked suddenly. So a bit lost why it worked on that occasion. Will look into the a static IP :)

We have a Fritzbox router. Maybe soemone else's Night Hawk supported VPN termination? Hmmmm.... Maybe that was why he suggested it. Will check it out maybe the Fritzbox had VPN termination on.

freitasm

BDFL - Memuneh
79316 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1716161 6-Feb-2017 20:38

Fritz!box supports L2TP VPNs.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1716162 6-Feb-2017 20:39

The most obvious conclusion is that they're not using the correct IP anyway. Since most routers don't support hairpin NAT you would not be able to connect using the external IP when connected locally, and since you would need the external IP when connecting from outside the network you would need to keep changing this for it to work.

A VPN (which would terminated in your router not the unit itself) is the only way cameras should be viewed remotely.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

sultanoswing

814 posts

Ultimate Geek

#1721628 17-Feb-2017 00:45

sbiddle:

...most routers don't support hairpin NAT you would not be able to connect using the external IP when connected locally, and since you would need the external IP when connecting from outside the network you would need to keep changing this for it to work.

A VPN (which would terminated in your router not the unit itself) is the only way cameras should be viewed remotely.

Reason #237 to use pfSense, which makes the above (VPN servers + NAT reflection) a cinch ;)

Similar to the dodgy cameras above, there are an increasing number of so-called smart "internet of things" devices such as power socket timers (orvibo s20 et al) which punch holes in your LAN>WAN in the name of being able to do something remotely back into your home. As with the cameras, many are using proprietary code which is compromising your security in unknown ways and phoning home to who know who. I wouldn't trust 'em as far as I could throw them.

As others have said, if you want remote access to do this sort of stuff, use a VPN to get back home remotely (e.g. android has a good openVPN client). You don't need a static IP to set up your own VPN (and/or webserver), dynamic IP services are OK. That said, if you want to hang with the cool kids, get a static IP and register it to a domain name. I went half way, got a static IP, then cheaped out and set it up with a (free) dynamic IP provider (dynu.com) so I can just type in a domain name, rather than the IP address itself.

Zeon

3918 posts

Uber Geek

Trusted

#1721630 17-Feb-2017 01:07

If Property 1 has a Static IP address he could enable the NAT but firewalled to only that address? Still not ideal as it probably isn't encrypted but would beat the security issues. VPN is preferred.

Speedtest 2019-10-14

1eStar

1604 posts

Uber Geek

#1729999 4-Mar-2017 16:40

Ok so I'm staying with some people who have a Jaycar Security Cam to install.

The router here is a TP Link w8960n. I can't see that it supports a vpn in firmware, ddwrt will brick it etc.
So the only solution is to Port Forward, unless I suggest they buy more hardware?

Does there need to be a computer connected to the network for someone to use a port forwarded network as a zombie in a botnet?

I think I'm out of my depth a bit. They want to be able to remote in to see their camera from 1 device, (their iphone). Is this not an achievable thing securely with no VPN?

They did get a local computer shop to set it all up, I think with port forwarding. But it stopped working soon after. The shop has since changed hands, and it's all too hard for the new owners.

richms

28218 posts

Uber Geek

Trusted

Lifetime subscriber

#1730004 4-Mar-2017 16:51

1eStar: Ok so I'm staying with some people who have a Jaycar Security Cam to install.

The router here is a TP Link w8960n. I can't see that it supports a vpn in firmware, ddwrt will brick it etc.
So the only solution is to Port Forward, unless I suggest they buy more hardware?

Does there need to be a computer connected to the network for someone to use a port forwarded network as a zombie in a botnet?

I think I'm out of my depth a bit. They want to be able to remote in to see their camera from 1 device, (their iphone). Is this not an achievable thing securely with no VPN?

They did get a local computer shop to set it all up, I think with port forwarding. But it stopped working soon after. The shop has since changed hands, and it's all too hard for the new owners.

You may be able to foward to another device on the network to terminate the VPN, many nas boxes will do that quite easily. No PC is needed, the cameras and DVRs are quite powerful embedded devices running linux so most of the hacking tools work great on them, once into them however then getting full ownership of the device is usually quite easy from the demos I have seen people do, since everything runs as root you just need to find something in the websever or similar that is exploitable and then you can get all your other tools onto it and hack away. But the botnets automate all that nasty hard work so they just get infected and then go looking for other things.

You cant really do it without a VPN from a phone. If the phone is always used at another location on wifi with a static IP you could limit your foward to that IP, which is what I did when I was working at a place that had a router that didnt really work for outgoing VPN's because the rules put on it to allow incoming ones seemed to be done by a person with minimal clue and I wasnt allowed to ask them to fix it since they charged "a fortune" to do anything.

But if its used on 4g where the IP is anything in a huge range, then no, dont bother trying. Those are CG NAT so the source IP will change and be shared with other people anyway.

Ahhh, the 'local computer shop' - words I dread hearing most of the time.

Richard rich.ms

BarTender

3607 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1730010 4-Mar-2017 17:14

As I suggested last time. Low end spirit make cheap as VPS for $6 per year. Then OpenVPN from your home to the VPS then your phone to the same end point. Job done.

hio77

12999 posts

Uber Geek

ID Verified

Trusted

Lizard Networks

#1730045 4-Mar-2017 19:02

richms:

Ahhh, the 'local computer shop' - words I dread hearing most of the time.

Totally agree.

Comes very close with "My IT Guy".

There are some out there that are amazing, but others that know how to plug something in and press go and call themselves an expert...

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

freitasm

BDFL - Memuneh
79316 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1730052 4-Mar-2017 19:24

Or "I have a friend who is doing|coding|developing it for me."

And this "friend" registers a domain on his name. And hosts a site on his shared account. And don't tell the owner anything about it.

tdgeek

29755 posts

Uber Geek

Trusted

Lifetime subscriber

#1730062 4-Mar-2017 19:38

BarTender: As I suggested last time. Low end spirit make cheap as VPS for $6 per year. Then OpenVPN from your home to the VPS then your phone to the same end point. Job done.

Low end spirit? Typo, or you had too many low end spirits today??

Tony D!

1 | 2