securing NVR5216-16P-4KS2 from the internet

skipdup

Young grasshopper
Joined
Jun 23, 2017
Messages
41
Reaction score
19
I have to believe this is basic and covered extensively, and I've searched, but I can't seem to find an answer... and, I'm not exactly well versed in things networking (but trying to learn).

How do I know if my NVR is secure from the internet - nothing in or out?

I have all the cameras plugged into the POE ports and they're in their own network (10.10.X.X). The NVR is plugged into my router and is a different IP range.

I didn't (knowingly) enable any of the network options on the NVR (PPPoE, DDNS, etc).

When away from home, I access the cameras via OpenVPN (running on a pfSense box).

I set up a firewall rule to block the static IP for the NVR so it can't reach outside my LAN. At least, I think/hope I did it correctly. I'm still trying to learn pfSense too...

Any pointers would be greatly appreciated.

Many thanks,
Skip
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I have to believe this is basic and covered extensively, and I've searched, but I can't seem to find an answer... and, I'm not exactly well versed in things networking (but trying to learn).

How do I know if my NVR is secure from the internet - nothing in or out?

I have all the cameras plugged into the POE ports and they're in their own network (10.10.X.X). The NVR is plugged into my router and is a different IP range.

I didn't (knowingly) enable any of the network options on the NVR (PPPoE, DDNS, etc).

When away from home, I access the cameras via OpenVPN (running on a pfSense box).

I set up a firewall rule to block the static IP for the NVR so it can't reach outside my LAN. At least, I think/hope I did it correctly. I'm still trying to learn pfSense too...

Any pointers would be greatly appreciated.
Without knowing all the ins and the outs of your network setup, I understand from your first post that you have put another IP range (hence subnet) in the NVR, however, when connecting from the WAN to openVPN, you do have a routing from your VPN server (your pfSense box too?) to that subnet. Hence your NVR is not completely isolated. It is a good start to have a firewall rule to block the static IP, but did you block inbound or outbound traffic?

Working with different subnets is a smart way to separate networks, but do not forget this is not foolproof. If someone comes in, and puts an IP address from the NVR range in his device, he can easily get access. That's why I prefer to work with vlans, but that depends on the underlying networking gear whether (or not) they support it. For example, if your pfSense box is able to put its networking card in .Q trunking, and your upstream switch supports vlans, it makes your life much easier. You configure switch ports in a static vlan (for your NVR, printer, domotica, NAS) and by doing so, you eliminate any risk from having your NAS being ransomwared by any rogue IOT device, or hacked pc, or whatever.

You can drive security to the outer limits, but it's better to take good decisions before having to regret that your NVR gets hacked, all depending on your experience, willingness to learn, and invest in gear. Because good gear costs money. A managed vlan capable switch is not for free.

There are tons of pfSense tutorials on how to work with the firewall, different routing & subnets, VPN etc. Enjoy reading them :)
 

skipdup

Young grasshopper
Joined
Jun 23, 2017
Messages
41
Reaction score
19
I'm fairly confident I blocked all inbound and all outbound traffic to the NVR static IP address. Been reading all afternoon and I "think" I got it right. I don't know how to ping from the NVR, or ping to the NVR from outside. So, I can't exactly confirm.

I'm pretty sure I can do vlans with my hardware. Also appears I can do something very similar physically by configuring individual ethernet ports on the pfSense box. But, I'd need to read a lot more before I dive into that. It's currently all greek.

Frankly, I'm surprised I got pfSense loaded & running, and the VPN working correctly. I was lucky enough to coax a neighbor (IT pro) to come check it out and confirm everything was "safe".

There is a universe of info out there. Most of which is over my head. I'll try and drill down on vlans...

Thanks,
Skip
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Tip of the day: if you hook a screen to your NVR (vga/hdmi), there is under network a pingtest feature. Try to ping 8.8.8.8 for example, then you'll know for sure whether (or not) you have blocked all :)
 

drewgost

Getting the hang of it
Joined
Oct 6, 2016
Messages
217
Reaction score
25
Sorry to jump in, but I ran the ping test to 8.8.8.8 and it shows packet loss rate 0%, average delay 13.87 ms. What does this tell me? Is my NVR open to being hacked?
 

cyberwolf_uk

Getting comfortable
Joined
Sep 27, 2014
Messages
609
Reaction score
717
Sorry to jump in, but I ran the ping test to 8.8.8.8 and it shows packet loss rate 0%, average delay 13.87 ms. What does this tell me? Is my NVR open to being hacked?
It means you pinged Google's DNS servers from your NVR and got a reply. So basically your NVR is able to reach external-facing IPs. Make sure your NVR IP address is blocked on your router from incoming and outgoing external traffic.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Sorry to jump in, but I ran the ping test to 8.8.8.8 and it shows packet loss rate 0%, average delay 13.87 ms. What does this tell me? Is my NVR open to being hacked?
No no, that does not mean that your NVR is exposed. It simply means that your NVR can send outbound packets. If you don't mind that your NVR is calling home (see other threads on this forum where people wiresharked/sniffed the NVR traffic) to Amazon & other Chinese services, then you leave it this way. Otherwise, you block internet access on your NVR.
 

skipdup

Young grasshopper
Joined
Jun 23, 2017
Messages
41
Reaction score
19
I've literally searched everywhere for a pinger on the NVR. And yet, there it was. :)
I get a "Can not connect to the network", so that's good!
I also noticed last night the pfSense firewall log shows it's blocking the NVR IP connecting to WAN IPs.

Thanks for the tip!!
 

58chev

Pulling my weight
Joined
Aug 30, 2017
Messages
300
Reaction score
143
Location
Etobi, Ontario
If you have an Android phone, install "RouterCheck" App.

This will scan your network and it will let you know if you are secure or not from external hacking.
 

toolazyforalogin

Getting the hang of it
Joined
Mar 21, 2018
Messages
176
Reaction score
45
I have the same NVR. I haven’t specifically blocked it as a firewall rule since I want to receive both iDMSS notifications as well as IVS tripwire emails.

Makes me wonder if I should try to block inbound requests to my NVR as a firewall rule on my router.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I have the same NVR. I haven’t specifically blocked it as a firewall rule since I want to receive both iDMSS notifications as well as IVS tripwire emails.

Makes me wonder if I should try to block inbound requests to my NVR as a firewall rule on my router.
If you want to receive push notifications, you only need to "open" outbound port 2195. All the rest can be closed. For my NVR, I block all incoming packets, except coming from my openVPN subnet. So even LAN access through wifi (for when scriptkids come and scan our network) is blocked.
 

drewgost

Getting the hang of it
Joined
Oct 6, 2016
Messages
217
Reaction score
25
Not sure what I am doing wrong; I will look into it further when I get back. I disabled port 37777 on the NVR and added TCP and UDP port 2195, but was not able to access from iDMSS, not even on WiFi.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Not sure what I am doing wrong; I will look into it further when I get back. I disabled port 37777 on the NVR and added TCP and UDP port 2195, but was not able to access from iDMSS, not even on WiFi.
If you block all ports, also on your wifi/lan, you won't see any streams. For that you need (at least) these default ports open on your lan side:
1. TCP: 37777
2. UDP: 37778
3. HTTP: 80
4. RTSP: 554
5. HTTPS: 443
 

drewgost

Getting the hang of it
Joined
Oct 6, 2016
Messages
217
Reaction score
25
Thanks cat, that is what is open and all works fine. But from what I am reading my NVR is open to hacking. Well, I guess they will be quite bored watching these cams.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Thanks cat, that is what is open and all works fine. But from what I am reading my NVR is open to hacking. Well, I guess they will be quite bored watching these cams.
You don't have to be over-paranoid, if you don't do external port forwarding on your internet router to your cams/nvr, no suspicious network activity can "hack" your cams/nvr. And it's not the cam feeds they are after (except for kinky bedroom pictures to blackmail you), but most of the hacking (eg IoT devices) is simply to parasite on the linux inside and create coordinated botnet attacks. That's one of the reasons why I did put my NVR & cams in a separated vlan so even with a security layer with VPN, I do not want to let my NVR/ipcs "talk" to my "private" lan (eg to my NAS). Is that being over-paranoid? ;-)
 

drewgost

Getting the hang of it
Joined
Oct 6, 2016
Messages
217
Reaction score
25
Thanks and I will look into creating a separate vlan
 

ambonious

n3wb
Joined
Sep 6, 2018
Messages
7
Reaction score
1
Location
Canada
If you want to receive push notifications, you only need to "open" outbound port 2195. All the rest can be closed. For my NVR, I block all incoming packets, except coming from my openVPN subnet. So even LAN access through wifi (for when scriptkids come and scan our network) is blocked.
I found I needed to open the following in order for push notifications to work for iDMSS (iOS):
1. NVR IP to Apple (17.0.0.0/8) port 2195 TCP
2. NVR IP to DNS (I have my router's DNS set to Google, so 8.8.8.8) port 53 UDP

That seemed to do it for me. Originally I only had the apple IPs open and push notifications worked for a few days but then stopped.

As an aside: I routed all router logs to papertrailapp.com, a very useful cloud logging utility to search through router logs (using an Asus N66u with Merlin firmware).

Hope this helps someone.
Amby
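The egress and ingress policy described above (catcamstar's "block all incoming except from the OpenVPN subnet, only open outbound 2195", plus ambonious's finding that DNS also has to be allowed) as an added example, not code from the thread or from pfSense itself. It models pfSense's first-match evaluation with constructed addresses (NVR 192.168.1.50, VPN clients 10.8.0.0/24, a Wi-Fi client 192.168.2.20) so you can check what a ruleset actually permits before trusting it; as catcamstar notes, this only holds when the NVR sits on its own interface/VLAN, since same-segment traffic never reaches the firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example addresses (not from the thread): NVR on its own VLAN,
# OpenVPN clients on 10.8.0.0/24, a Wi-Fi client on 192.168.2.0/24.
NVR_IP = "192.168.1.50"

@dataclass(frozen=True)
class Rule:
    action: str      # "pass" or "block"
    proto: str       # "tcp", "udp", "icmp" or "any"
    src: str         # CIDR or "any"
    dst: str         # CIDR or "any"
    dport: int = 0   # 0 matches any destination port

def _matches(net, addr):
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def evaluate(rules, proto, src, dst, dport=0):
    """First match wins, as pfSense evaluates rules on the interface where the
    packet enters; no match falls through to the implicit default block."""
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if not (_matches(r.src, src) and _matches(r.dst, dst)):
            continue
        if r.dport and r.dport != dport:
            continue
        return r.action
    return "block"

# Rules on the NVR's own interface (egress): only the push-notification path
# ambonious listed, then deny everything else the NVR originates.
NVR_EGRESS = [
    Rule("pass", "tcp", f"{NVR_IP}/32", "17.0.0.0/8", 2195),  # APNs
    Rule("pass", "udp", f"{NVR_IP}/32", "8.8.8.8/32", 53),    # DNS, or APNs stops resolving
    Rule("block", "any", f"{NVR_IP}/32", "any"),
]

# Rules on the OpenVPN and Wi-Fi interfaces (ingress towards the NVR): the
# default ports catcamstar listed, but only from VPN clients.
VPN_NET = "10.8.0.0/24"
NVR_INGRESS = [Rule("pass", p, VPN_NET, f"{NVR_IP}/32", port)
               for p, port in [("tcp", 37777), ("udp", 37778), ("tcp", 80),
                               ("tcp", 554), ("tcp", 443)]]
NVR_INGRESS.append(Rule("block", "any", "any", f"{NVR_IP}/32"))

if __name__ == "__main__":
    print(evaluate(NVR_EGRESS, "icmp", NVR_IP, "8.8.8.8"))          # block: on-screen ping test fails
    print(evaluate(NVR_INGRESS, "tcp", "192.168.2.20", NVR_IP, 80))  # block: Wi-Fi client shut out
```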
 