Geekzone: technology news, blogs, forums


chevrolux

4962 posts

Uber Geek
Inactive user


#202066 15-Sep-2016 17:35

Just a quick one to see if anyone has had any experience with Paradox IP enabled alarms. Have a customer who we manage the broadband for (and router obviously, which is a Mikrotik). They have a Paradox alarm system which they can monitor themselves through an app (or something like that).

 

Anyway, alarm guy asks us to forward TCP 10000 to the alarm IP address. All good done. Seems to be OK for a little while. Then customer rings and says the port is "closed". To which I said, rules don't disappear haha.

 

So I enabled logging on the NAT rule, and don't see any traffic coming in on the port. The only traffic I have seen come in has been my own tests with nmap. You see quite clearly the traffic getting processed by the NAT rule. So I don't think the alarm module is communicating properly. Nmap reports the port is open and even detects the service as something called 'snet-sensor-mgmt'.

 

Anyone had any dealings with these things and know any other tricks?


Adamww
48 posts

Geek


  #1631723 16-Sep-2016 12:59

It is most likely an IP150 module.  You can download the manuals here: http://www.southlandsecurity.com.au/paradox-ip150-user-and-installer-guide.html

 

I might be wrong but I thought the default port that the "app" and web interface uses is 80.  I think the 10000 port was only used by the "babyware" software and/or the alarm monitoring company.




davidcole
6041 posts

Uber Geek

Trusted

  #1631725 16-Sep-2016 13:02

Adamww:

 

It is most likely an IP150 module.  You can download the manuals here: http://www.southlandsecurity.com.au/paradox-ip150-user-and-installer-guide.html

 

I might be wrong but I thought the default port that the "app" and web interface uses is 80.  I think the 10000 port was only used by the "babyware" software and/or the alarm monitoring company.

 

 

This is correct.

 

So does that mean the chap had asked for port 10000 to be accessible from outside their network?  I thought this is why paradox has their www.paradoxmyhome.com to secure the communications via them rather than force people to port forward.

 

 

 

 







chevrolux

4962 posts

Uber Geek
Inactive user


  #1631887 16-Sep-2016 18:08

So does that mean the chap had asked for port 10000 to be accessible from outside their network?  I thought this is why paradox has their www.paradoxmyhome.com to secure the communications via them rather than force people to port forward.

 

Yep they just asked for a port forward. I did question the installer but he just said "that's what we always do" - I don't argue when people think they know best.

 

Good to know about port 80 services - I won't forward that unless they ask, just seems a bit brave to do that to something that secures your premises. Also good to know about the dynamic DNS/monitoring service.




  #1631925 16-Sep-2016 19:52

There was an IP-enabled Paradox at my previous home and I think it was IP-100 module but not sure now. I didn't like to enable the incoming portmapping for port 10000 very often, it just does seem insecure. You don't need that unless you are using the monitor/control app from far away somewhere.

 

 

On your home network, you can just point the app at the home private network address and port mapping is not needed. So that can work from outside your front door if your home wifi reaches that far :)

 

 

What I preferred to have enabled was the email notifications from the Paradox that told me about alarm events and power failures wherever I was, but it took me a while to get that working reliably. Since you asked for any tips, I'll tell the trick to that....

 

 

It turns out that my Paradox IP module had a stone-age version of DNS resolver (that talks to a DNS server to find out where the email server is). It was sending DNS queries with a query sequence number 0000 (always). That is against official DNS protocol and most name servers just silently ignore such queries (after maybe the first), making it hard to send that email.

 

The name servers at my ISP (Orcon) and on my router (Orcon Genius) both despised that Paradox IP module :(

 

 

My fix was to install the Linux dnsmasq package on my Raspberry Pi and configure the Paradox to use that as a name server. dnsmasq just accepted queries (including the stone-age ones), did the actual lookups on a real name server, then replied to the Paradox module. Of course, I had to have the Pi powered by my UPS to make the powerfail emails work.

 

 

My local Paradox supplier (whose name I forget) didn't seem to understand the problem or the solution. Perhaps not surprising.
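
Added example (not part of the original post): a small Python check for the symptom described above, a client whose DNS queries always carry the same transaction ID. The client addresses, hostnames and packets are constructed samples; in practice the payloads would come from a capture of UDP port 53 traffic from the module.

```python
import struct
from collections import defaultdict

def build_query(txid, name, qtype=1):
    """Build a minimal DNS query packet (used to construct the sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_query(packet):
    """Return (transaction_id, qname, qtype) from a raw DNS query payload."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype

def clients_with_fixed_id(captured, min_queries=3):
    """Map client IP -> transaction ID for clients that never vary the ID."""
    seen = defaultdict(list)
    for client, packet in captured:
        seen[client].append(parse_query(packet)[0])
    return {c: ids[0] for c, ids in seen.items()
            if len(ids) >= min_queries and len(set(ids)) == 1}

# Constructed capture: (client IP, UDP payload sent to port 53). Not real traffic.
SAMPLE = [
    ("192.168.1.50", build_query(0x0000, "smtp.example.net")),
    ("192.168.1.50", build_query(0x0000, "smtp.example.net", qtype=15)),
    ("192.168.1.50", build_query(0x0000, "mail.example.net")),
    ("192.168.1.20", build_query(0x3A7C, "example.org")),
    ("192.168.1.20", build_query(0x91F2, "example.org")),
    ("192.168.1.20", build_query(0x0B44, "example.com")),
]
```

`clients_with_fixed_id(SAMPLE)` reports only the constructed 192.168.1.50 client, the one that reuses ID 0 for every lookup.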

 

 

 


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1631932 16-Sep-2016 20:33

chevrolux:

 

So does that mean the chap had asked for port 10000 to be accessible from outside their network?  I thought this is why paradox has their www.paradoxmyhome.com to secure the communications via them rather than force people to port forward.

 

Yep they just asked for a port forward. I did question the installer but he just said "that's what we always do" - I don't argue when people think they know best.

 

Good to know about port 80 services - I won't forward that unless they ask, just seems a bit brave to do that to something that secures your premises. Also good to know about the dynamic DNS/monitoring service.

 

 

I've encountered probably half a dozen security installers in the past year that know absolutely nothing at all about networking or IP yet think their word is gospel. It's dangerous to think they're in the "security" business yet don't even understand the basics of what they're doing. Port forwards and default passwords (on the devices that have port forwards on port 80) spring to mind from one who simply couldn't understand what the issue was.

 

 

 

 


chevrolux

4962 posts

Uber Geek
Inactive user


  #1631937 16-Sep-2016 20:57

sbiddle:

chevrolux:


So does that mean the chap had asked for port 10000 to be accessible from outside their network?  I thought this is why paradox has their www.paradoxmyhome.com to secure the communications via them rather than force people to port forward.


Yep they just asked for a port forward. I did question the installer but he just said "that's what we always do" - I don't argue when people think they know best.


Good to know about port 80 services - I won't forward that unless they ask, just seems a bit brave to do that to something that secures your premises. Also good to know about the dynamic DNS/monitoring service.



I've encountered probably half a dozen security installers in the past year that know absolutely nothing at all about networking or IP yet think their word is gospel. It's dangerous to think they're in the "security" business yet don't even understand the basics of what they're doing. Port forwards and default passwords (on the devices that have port forwards on port 80) spring to mind from one who simply couldn't understand what the issue was.


 


 



Agreed. This same company installed a nice 16-channel hybrid NVR for my customer too. Original router had port forwards directly to the NVR which had a 4 digit PIN as the admin password - I just wasn't having that and customer now connects via VPN. However, this Muppet is still insisting my router is stopping the alarm monitoring. Maybe time to do packet captures to prove it properly.

sparkz25
750 posts

Ultimate Geek
Inactive user


  #1685473 9-Dec-2016 19:45

You can change the HTTP port of the IP module in the settings of the IP module. I use the IP150 and haven't had any problems so far. The login details are usually a PIN and then the password for the module: the PIN is your PIN for the alarm, and the password is the password that has been used to set up the IP module. If you made the HTTP port something like 10001 then you would need to forward that to the IP module, and when remotely accessing the module you would go to your static IP like 100.101.123.123:10001 and that should let you in.


 
 
 

vpsnine
17 posts

Geek


  #1686779 13-Dec-2016 03:05

Is the issue perhaps that the IP address is changing? The IP150 usually uses the paradoxmyhome dynamic DNS service, but if the client has set up his Paradox software on his phone incorrectly it may not be using that. I am assuming he is using the Paradox software on a phone to remote control the alarm.

