Geekzone: technology news, blogs, forums
Topic # 202066 15-Sep-2016 17:35

Just a quick one to see if anyone has had any experience with Paradox IP enabled alarms. Have a customer who we manage the broadband for (and router obviously which is a Mikrotik). They have a paradox alarm system which they can monitor themselves through an app (or something like that).

 

Anyway, alarm guy asks us to forward TCP 10000 to the alarm IP address. All good done. Seems to be OK for a little while. Then customer rings and says the port is "closed". To which I said, rules don't disappear haha.

 

So I enabled logging on the NAT rule, and don't see any traffic coming in on the port. The only traffic I have seen come in has been my own tests with nmap. You see quite clearly the traffic getting processed by the NAT rule. So I don't think the alarm module is communicating properly. Nmap reports the port is open and even detects the service as something called 'snet-sensor-mgmt'.

 

Anyone had any dealings with these things and know any other tricks?


  Reply # 1631723 16-Sep-2016 12:59

It is most likely an IP150 module.  You can download the manuals here: http://www.southlandsecurity.com.au/paradox-ip150-user-and-installer-guide.html

 

I might be wrong but I thought the default port that the "app" and web interface uses is 80.  I think the 10000 port was only used by the "babyware" software and/or the alarm monitoring company.


  Reply # 1631725 16-Sep-2016 13:02

Adamww:

 

It is most likely an IP150 module.  You can download the manuals here: http://www.southlandsecurity.com.au/paradox-ip150-user-and-installer-guide.html

 

I might be wrong but I thought the default port that the "app" and web interface uses is 80.  I think the 10000 port was only used by the "babyware" software and/or the alarm monitoring company.

 

 

This is correct.

 

So does that mean the chap had asked for port 10000 to be accessible from outside their network?  I thought this is why paradox has their www.paradoxmyhome.com to secure the communications via them rather than force people to port forward.

 

 

 

 





  Reply # 1631887 16-Sep-2016 18:08

So does that mean the chap had asked for port 10000 to be accessible from outside their network?  I thought this is why paradox has their www.paradoxmyhome.com to secure the communications via them rather than force people to port forward.

 

Yep they just asked for a port forward. I did question the installer but he just said "that's what we always do" - I don't argue when people think they know best.

Good to know about port 80 services - I won't forward that unless they ask, just seems a bit brave to do that to something that secures your premises. Also good to know about the dynamic DNS/monitoring service.


  Reply # 1631925 16-Sep-2016 19:52

There was an IP-enabled Paradox at my previous home and I think it was IP-100 module but not sure now. I didn't like to enable the incoming portmapping for port 10000 very often, it just does seem insecure. You don't need that unless you are using the monitor/control app from far away somewhere.

 

 

On your home network, you can just point the app at the home private network address and port mapping is not needed. So that can work from outside your front door if your home wifi reaches that far :)

 

 

What I preferred to have enabled was the email notifications from the Paradox that told me about alarm events and power failures wherever I was, but it took me a while to get that working reliably. Since you asked for any tips, I'll tell the trick to that....

 

 

It turns out that my Paradox IP module had a stone-age version of DNS resolver (that talks to a DNS server to find out where the email server is). It was sending DNS queries with a query sequence number 0000 (always). That is against official DNS protocol and most name servers just silently ignore such queries (after maybe the first), making it hard to send that email.

 

The name servers at my ISP (Orcon) and on my router (Orcon Genius) both despised that Paradox IP module :(

 

 

My fix was to install the Linux dnsmasq package on my Raspberry Pi and configure the Paradox to use that as a name server. dnsmasq just accepted queries (including the stone-age ones), did the actual lookups on a real name server, then replied to the Paradox module. Of course, I had to have the Pi powered by my UPS to make the powerfail emails work.

 

 

My local Paradox supplier (whose name I forget) didn't seem to understand the problem or the solution. Perhaps not surprising.
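
A device that behaves as the post above describes can be identified from a packet capture on the LAN. The following is an added example, not part of the original post: it parses raw DNS query payloads using the RFC 1035 header layout and reports clients whose queries all carry the same transaction ID. The addresses, hostnames and the `min_queries` threshold are constructed for illustration.

```python
import struct
from collections import defaultdict

def build_query(txid, name):
    """Build a minimal DNS A query: 12-byte RFC 1035 header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_query(payload):
    """Return (txid, qname) for a well-formed DNS query, else None."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount < 1:  # QR bit set: a response, not a query
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        n = payload[pos]
        if n > 63 or pos + 1 + n > len(payload):  # pointer or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    if pos >= len(payload):  # ran off the end without a root label
        return None
    return txid, ".".join(labels)

def fixed_id_clients(packets, min_queries=3):
    """Map each source IP that sent >= min_queries queries, all with one ID, to that ID."""
    ids_by_src = defaultdict(list)
    for src, payload in packets:
        parsed = parse_query(payload)
        if parsed is not None:
            ids_by_src[src].append(parsed[0])
    return {src: ids[0] for src, ids in ids_by_src.items()
            if len(ids) >= min_queries and len(set(ids)) == 1}

# Constructed capture: (source IP, UDP payload) pairs as seen on port 53.
SAMPLE = [
    ("192.168.1.50", build_query(0x0000, "smtp.example.com")),   # alarm module
    ("192.168.1.20", build_query(0x3A91, "www.example.org")),    # ordinary client
    ("192.168.1.50", build_query(0x0000, "smtp.example.com")),
    ("192.168.1.20", build_query(0xC4E2, "mail.example.org")),
    ("192.168.1.50", build_query(0x0000, "pool.example.net")),
    ("192.168.1.20", build_query(0x07B5, "www.example.org")),
]

if __name__ == "__main__":
    for src, txid in fixed_id_clients(SAMPLE).items():
        print(f"{src}: every query used transaction ID 0x{txid:04x}")
```

A constant ID also removes one of the values a resolver uses to match replies to its own queries, so a device flagged here is worth keeping behind a local forwarder such as the dnsmasq setup described above.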

 

 

 


  Reply # 1631932 16-Sep-2016 20:33

chevrolux:

 

So does that mean the chap had asked for port 10000 to be accessible from outside their network?  I thought this is why paradox has their www.paradoxmyhome.com to secure the communications via them rather than force people to port forward.

 

Yep they just asked for a port forward. I did question the installer but he just said "that's what we always do" - I don't argue when people think they know best.

Good to know about port 80 services - I won't forward that unless they ask, just seems a bit brave to do that to something that secures your premises. Also good to know about the dynamic DNS/monitoring service.

 

 

I've encountered probably half a dozen security installers in the past year that know absolutely nothing at all about networking or IP yet think their word is gospel. It's dangerous to think they're in the "security" business yet don't even understand the basics of what they're doing. Port forwards and default passwords (on the devices that have port forwards on port 80) spring to mind from one who simply couldn't understand what the issue was.

 

 

 

 




  Reply # 1631937 16-Sep-2016 20:57

sbiddle:

chevrolux:


So does that mean the chap had asked for port 10000 to be accessible from outside their network?  I thought this is why paradox has their www.paradoxmyhome.com to secure the communications via them rather than force people to port forward.


Yep they just asked for a port forward. I did question the installer but he just said "that's what we always do" - I don't argue when people think they know best.

Good to know about port 80 services - I won't forward that unless they ask, just seems a bit brave to do that to something that secures your premises. Also good to know about the dynamic DNS/monitoring service.



I've encountered probably half a dozen security installers in the past year that know absolutely nothing at all about networking or IP yet think their word is gospel. It's dangerous to think they're in the "security" business yet don't even understand the basics of what they're doing. Port forwards and default passwords (on the devices that have port forwards on port 80) spring to mind from one who simply couldn't understand what the issue was.


 


 



Agreed. This same company installed a nice 16-channel hybrid NVR for my customer too. Original router had port forwards directly to the NVR which had a 4 digit PIN as the admin password - I just wasn't having that and customer now connects via VPN. However, this Muppet is still insisting my router is stopping the alarm monitoring. Maybe time to do packet captures to prove it properly.

  Reply # 1685473 9-Dec-2016 19:45

You can change the HTTP port of the IP module in the settings of the IP module. I use the IP150 and haven't had any problems so far. The login details are usually a PIN and then the password for the module: the PIN is your PIN for the alarm and the password is the password that has been used to set up the IP module. If you made the HTTP port something like 10001 then you would need to forward that to the IP module, and when remotely accessing the module you would go to your static IP, like 100.101.123.123:10001, and that should let you in.


  Reply # 1686779 13-Dec-2016 03:05

Is the issue perhaps that the IP address is changing? The IP150 usually uses the paradoxmyhome dynamic DNS service, but if the client has set up his Paradox software on his phone incorrectly it may not be using that. I am assuming he is using the Paradox software on a phone to remote control the alarm.

