Geekzone: technology news, blogs, forums


Adamww

48 posts

Geek


#203135 19-Sep-2016 13:00

I have just joined Flip and have possibly found out the hard way that I can no longer access my security cameras and IP alarm. Searching their support didn't alert me that there would be any problems accessing any devices on my internal LAN. Support has been absolutely hopeless and don't even seem to understand my problem. It wasn't until I read this forum that I learned there is such a thing as CG-NAT and Flip uses this so is probably my issue.

So, before I change ISPs again, is there any way around this to allow my phone apps to access my alarm and cameras via IP again? There is mention in a couple of threads here about VPN etc but that's more aimed at web hosting etc and I don't know enough about it.

Is it normal with CG-NAT even with a fast polling Dyn DNS service that I wouldn't be able to reach a forwarded port at my LAN?


richms
28191 posts

Uber Geek

Trusted
Lifetime subscriber

  #1635820 19-Sep-2016 13:07

No. You could mess around with an outgoing VPN to a provider that provides a real IP address but those are rare and not cheap.

 

If you can't get a real IP out of them then change ISP and tell them not fit for purpose and that you are not going to be paying the termination fee as a result. Hiding this as they do is IMO false advertising as it isn't really an internet connection if it only goes one way.





Richard rich.ms



Spyware
3764 posts

Uber Geek

Lifetime subscriber

  #1635824 19-Sep-2016 13:14

Spin up OpenVPN server on an AWS (Sydney) virtual machine maybe.

 

Note: Flip don't provide public IPs under any circumstances.





Spark Max Fibre using Mikrotik CCR1009-8G-1S-1S+, CRS125-24G-1S, Unifi UAP, U6-Pro, UAP-AC-M-Pro, Apple TV 4K (2022), Apple TV 4K (2017), iPad Air 1st gen, iPad Air 4th gen, iPhone 13, SkyNZ3151 (the white box). If it doesn't move then it's data cabled.


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1635874 19-Sep-2016 13:53

Slightly OT I hope you didn't have port forwards to your cameras and were using a VPN. Having port forwards to devices such as alarms, cameras etc is extremely insecure and should be avoided unless these are locked down to whitelisted IPs.

A CG-NAT connection does not provide a public IP so it's not possible to connect directly to your router from the Internet.




kiwigeek1
637 posts

Ultimate Geek
Inactive user


  #1635876 19-Sep-2016 14:00

don't you just use DynDNS service.. that updates the given ip provided by your ISP? that's how I always do it.

a windows tray program like dynsite for windows or even ip cameras firmware have a section that can call a given dyndns service provider and update new IP every 30min or alike

there's free dynamic DNS out there with a monthly nag to click and confirm

I use this firm

https://www.noip.com/

but for like small fee can rid nag per year


richms
28191 posts

Uber Geek

Trusted
Lifetime subscriber

  #1635881 19-Sep-2016 14:08

kiwigeek1:

 

don't you just use DynDNS service.. that updates the given ip provided by your ISP? that's how I always do it.

a windows tray program like dynsite for windows or even ip cameras firmware have a section that can call a given dyndns service provider and update new IP every 30min or alike

there's free dynamic DNS out there with a monthly nag to click and confirm

Only works if the IP is directly accessible. The tray app will end up with the external IP of the ISP, which will have a good chance that the port will not come back to you.

Some UDP stuff that has sent first to establish the NAT entry on their gear will end up open, I have not bothered to see if the CGNAT on my bigpipe connection works that way or not, but this is how voip etc still works, but incoming TCP connections will not be possible.





Richard rich.ms
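
An added example, not part of any post in this thread: the check below classifies a connection from two addresses, the WAN address shown on the router's status page and the address a remote service sees (the one a dynamic DNS client would publish). The 100.64.0.0/10 range is the shared address space reserved for carrier-grade NAT in RFC 6598; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: a WAN address here means another NAT sits upstream.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip, externally_seen_ip):
    """Classify a connection from the router's WAN address and the address
    a remote service observes for the same connection."""
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(externally_seen_ip)
    if wan in CGNAT_SHARED:
        return "cgnat"                 # ISP translates many customers to one IP
    if any(wan in net for net in RFC1918):
        return "private-upstream-nat"  # double NAT (ISP or an upstream modem)
    if wan != seen:
        return "translated-upstream"   # public-looking WAN, still rewritten
    return "public"                    # router really owns the published address


def ddns_port_forward_can_work(router_wan_ip, externally_seen_ip):
    """A dynamic DNS name only helps when the published address is the
    router's own, so inbound connections reach its port-forward table."""
    return classify_wan(router_wan_ip, externally_seen_ip) == "public"


if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 and 198.51.100.0/24 are
    # documentation ranges standing in for real public addresses.
    samples = [
        ("100.72.14.9", "203.0.113.50"),
        ("192.168.1.2", "203.0.113.50"),
        ("198.51.100.23", "203.0.113.50"),
        ("203.0.113.50", "203.0.113.50"),
    ]
    for wan, seen in samples:
        print(wan, seen, classify_wan(wan, seen),
              ddns_port_forward_can_work(wan, seen))
```

In the first three cases the dynamic DNS record points at an address the router does not hold, so an inbound connection never reaches its port-forward table.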

kiwigeek1
637 posts

Ultimate Geek
Inactive user


  #1635885 19-Sep-2016 14:18

Well, first I heard of CG-NAT on ISPs.. so now I see a new problem he's experiencing..

geeh I hope we aren't forced to IPv6 as there's a few issues with it

they say this

Carrier Grade NAT (CGN) which uses IPv6 instead of the old standard IPv4 we use today.

This basically means you can no longer port forward. IP cameras and many other applications require port forwarding so they can be accessible from the internet outside the home. Many gamers also require this ability.

Eventually everyone will be on IPv6

.. allows many subscribers to be on same IP address and ISP routes traffic to each subscriber from web side

so I guess that's the problem their routing and killing direct device access to video stream

they do say run a vpn over it and can then use DYNDNS to that ip to access the cameras

perhaps there's a how to guide


kiwigeek1
637 posts

Ultimate Geek
Inactive user


  #1635891 19-Sep-2016 14:29

Also how is accessing ip cameras via port forwarding from router insecure.. you generally have user ACL

and passwords and also most ip cameras log and can email whenever it's accessed

but any hacker could use bruteforce

I wouldn't use an admin level for remote access though myself

however alarms access via web that's kinda scary...

I see some shows covering this type of security and hacking.. what's its name now. hmm

I think it's cyberwar? and also another interesting show is dark net

prob can find on a stream somewhere or YouTube some


 
 
 

sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1635893 19-Sep-2016 14:32

IPv6 is an individual IPv6 address that is publicly routable to every device on your network. IPv6 does NOT use CG-NAT and doesn't even use NAT.

99% of applications do not require port forwards hence CG-NAT not being an issue for 99% of Internet users. It is only users who have specific use cases that need a public IP address. As I mentioned though you should never have port forwards set to cameras anyway, these should always be locally accessible on your network. If you want access you should have white listed IPs (sometimes very difficult) or be using a VPN for access.


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1635896 19-Sep-2016 14:33

kiwigeek1:

 

Also how is accessing ip cameras via port forwarding from router insecure.. you generally have user ACL

and passwords and also most ip cameras log and can email whenever it's accessed

but any hacker could use bruteforce

I wouldn't use an admin level for remote access though myself

You're clearly not aware of the huge number of CCTV systems that have been exploited over the years. Do you have ONVIF cameras? Most don't even need a username or password to access an ONVIF stream.


richms
28191 posts

Uber Geek

Trusted
Lifetime subscriber

  #1635899 19-Sep-2016 14:42

kiwigeek1:

 

Also how is accessing ip cameras via port forwarding from router insecure.. you generally have user ACL

and passwords and also most ip cameras log and can email whenever it's accessed

Because they are insecure things running on a full Linux operating system, so a very desirable target to take over, and running services written by someone with no clue about security so things like passing command lines thru the URL and similar are often possible.

If you have one from a real supplier like Dahua or Hikvision and are up to date then you might be ok, but generic Chinese rebrands will be swiss cheese to someone that wants to try. Best case they just constantly crash the NVR when scanning it, worst case, they get in and use it as a point to start going after somewhere else, or pull your email credentials off it and start spamming out via it.





Richard rich.ms

kiwigeek1
637 posts

Ultimate Geek
Inactive user


  #1635900 19-Sep-2016 14:42

no I just use 50-100buck china ones on the house not talking commercial sites or old cameras

that lack id/passwords.. (you think they would be replaced or firmware updated though)

even if they access not much they could do apart from moving them about and see who's outside lol

don't think my china cameras allow admin access to see email details and other things

this is a good article..

http://chrisgrundemann.com/index.php/2011/nat444-cgn-lsn-breaks/

seems the whole world needs to switch instantly to IPV6 to rid this kind of nat

to allow end to end connections like it should be


richms
28191 posts

Uber Geek

Trusted
Lifetime subscriber

  #1635905 19-Sep-2016 14:51

kiwigeek1:

 

no I just use 50-100buck china ones on the house not talking commercial sites or old cameras

that lack id/passwords.. (you think they would be replaced or firmware updated though)

even if they access not much they could do apart from moving them about and see who's outside lol

No, they generally do not care about what the camera is looking at, they care about using it to scan your LAN for other things that can be exploited, or just using them as part of a botnet to DDoS people.

http://securityaffairs.co/wordpress/30451/cyber-crime/how-hackers-exploit-dvrs.html

This video shows one of the many automated hacking tools to get into one particular system. https://www.youtube.com/watch?v=5r-_jw67UGc

And here is one of the exploits against a large OEM vendor's gear http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

If none of what those pages say means anything to you, then you should not be putting appliances on the internet where they are globally accessible with blind faith in the programmers' ability to implement any form of authentication, let alone the cleartext on http crap that most seem to implement.





Richard rich.ms

meesham
973 posts

Ultimate Geek


  #1635912 19-Sep-2016 15:02

sbiddle:

 

 

 

You're clearly not aware of the huge number of CCTV systems that have been exploited over the years. Do you have ONVIF cameras? Most don't even need a username or password to access an ONVIF stream.

Exactly this, even the good ones like Hikvision have a lot of cameras that suffer from this vulnerability - go to http://ipaddress/onvif/snapshot in an incognito browser session if you'd like to test it out yourself.


Adamww

48 posts

Geek


  #1635914 19-Sep-2016 15:11

Ok, thanks everyone, that has confirmed my fears. I will now have to seek a new ISP.

sbiddle:

Slightly OT I hope you didn't have port forwards to your cameras and were using a VPN. Having port forwards to devices such as alarms, cameras etc is extremely insecure and should be avoided unless these are locked down to whitelisted IPs.

A CG-NAT connection does not provide a public IP so it's not possible to connect directly to your router from the Internet.

My cameras are not directly accessible on my LAN, they connect to a NVR. So only the NVR needs a port forwarded to allow viewing on a mobile app. I don't use whitelisted IPs as I suspect a mobile phone's IP would change regularly? So I'm sure there are vulnerabilities but it is a mainstream brand (Dahua) and Google doesn't find any reports from any experts complaining about them being particularly vulnerable so I can live with that. Similar with my alarm, it is a well known IP module and I think I have it networked as per the manufacturer's recommendation so I assume they did have some consideration about security.

You will never stop everyone I guess. I think the bigger risk today is still the dumb burglar that will throw a brick through a window and grab what they can even with the alarm screaming and cameras recording. It's probably unlikely there are many burglars in NZ that are interested and smart enough to hack my network & IP devices to disable my alarm. If someone was smart and hacked my cameras they could put a pic of my dick on the interweb but there is probably not too much reward in that...

 

 


Adamww

48 posts

Geek


  #1635925 19-Sep-2016 15:14

Adamww:

 

My cameras are not directly accessible on my LAN, they connect to a NVR.

Correcting myself here. My cameras are not IP at all. They are analog HDCVI. DVR still has a port forwarded though.






