Blue Iris Over Internet

F

freqflyer

Young grasshopper
Dec 2, 2015
49
3
I want to apologize in advance. I know this has been talked about and I have searched for the threads and can't find them.

I need to connect two cheap ONVIF cameras in a friends house to the Blue Iris in my house over internet. I know this is a bad idea and its only temporary. It will probably be only for a few months. Can someone steer me in the right direct to do this? Either threads that explain it or some quick advice.

Thank you.
 
Do do it securely you will need to setup a VPN or something similar between the two routers, what routers are at each end and does each of them support a VPN client? It is not a good idea to open ports for the cameras as you will likely get hacked in a very short time!
 
  • Like
Reactions: The Automation Guy and TonyR
A site to site VPN setup can be pretty complicated. Some routers let you open a port with a restricted source IP address so it is only accessible to the IP address you specify. That is almost as good as using a VPN, if you can do it that way.
 
I haven't done this myself, but if you install Tailscale on the BI server, and on some machine at the remote location, I believe Tailscale has a feature that lets you use a node as an exit point to access other devices on its LAN. Apparently the correct term for this is "subnet router" but it does seem to be supported. Looks complicated.

 
Last edited:
  • Like
Reactions: Flintstone61
If time is money, just get a cheap Amcrest NVR and use the Amcrest View pro App to see the Cams? just spit ballin.
image_2025-04-12_230005837.png
 
freqflyer said:
I need to connect two cheap ONVIF cameras in a friends house to the Blue Iris in my house over internet.
Click to expand...
How close is the friends house?
Does the friend require access to review the video feed either live or as a time line?

1) If within 100 meters then run a CAT-5 for your camera data.

2) Or if within line of sight then an RF link like the airMAX LiteBeam 5AC.

3) Or if close and on the same side of the 220 VAC power transformer then one of the Ethernet over power line devices might work for the data link.

4) If none of the above are practical then consider installing BI, on another computer, at the friends house for all video capture needs. Or as previously mentioned above, an inexpensive NVR.

The idea, in this scenario, is to use your existing BI system for video storage and camera management. Thus not requiring large uploads to the internet which may be slow and monthly limited by the ISP.

If your friend need remote access to the video from your house then install TailScale on your BI computer and on any other remote device such as the friend's laptop, desktop or phone.

Note: Some BI systems use dual NICs with one connected to your LAN and the other connected to a POE switch and then to BI. With this scenario, both NICs can be prevented form internet connectivity thus keeping the entire system off the net.

The downside if internet isolated, then BI updates become more of a issue plus TailScale will not function without an internet connection.

Note that TailScale, in exit point mode, works well for BI systems that do not have internet access. This can be accomplished by either adding TailScale to your router or adding a GL-MT3000 Travel Router (TailScale built in) to access UI3 on your LAN.
 
  • Like
Reactions: TonyR
As others have said, you could port forward, but we don't recommend it.

In fact recently I tried it.

So I tried streaming one camera from my neighbor (they were aware of the risks of doing that but said they do nothing sensitive online - elderly couple that just use it for surfing net and no banking or anything) because they had a better angle for LPR and their ISP threw a fit within 2 days and called them and said if whatever device is IPC-LPR isn't removed from their internet they will be cut off. We found out Spectrum unlimited really is limited LOL.

Who knows if the camera was hacked that quick and being used as a DDoS or if the ISP truly didn't like that unbuffered data being sent, but it didn't last long.

Even more disturbing is the ISP knew the name of the device in question. In theory they shouldn't know about how many or names of devices on the home side of their modem...
 
wittaj said:
In fact recently I tried it.

So I tried streaming one camera from my neighbor (they were aware of the risks of doing that but said they do nothing sensitive online - elderly couple that just use it for surfing net and no banking or anything) because they had a better angle for LPR and their ISP threw a fit within 2 days and called them and said if whatever device is IPC-LPR isn't removed from their internet they will be cut off. We found out Spectrum unlimited really is limited LOL.

Who knows if the camera was hacked that quick and being used as a DDoS or if the ISP truly didn't like that unbuffered data being sent, but it didn't last long.

Even more disturbing is the ISP knew the name of the device in question. In theory they shouldn't know about how many or names of devices on the home side of their modem...
Click to expand...

What bit rate were you using, and was it the same ISP at both houses?

Assuming it is the same ISP, then both of your houses are probably connected to the same network cabinet and the traffic likely never even left town and cost them basically nothing. But local traffic in this manner is such a rare scenario that I doubt their monitoring/metering was even built to distinguish local traffic from everything else. Hard to say if hacking was involved. That could certainly amplify the amount of network traffic being used and make it be flagged quicker. As for them knowing the name of the device, I assume either the neighbor's ISP-provided router was spying on them, or the ISP's monitoring tools were able to discern the device name by probing the device through the port you opened.

My brother's house gets internet service from a relatively small regional ISP, and there I run a wireguard VPN server which is used to stream in video from three remote locations:

  • Starlink remote -- 3 cameras -- 3 Mbps total.
  • Spectrum cable remote -- 4 cameras -- 3 Mbps total.
  • Spectrum cable remote -- 1 camera -- 1.5 Mbps total.

Each 1 Mbps is about 11 gigabytes per day, or 329 gigabytes per month. We've never gotten a complaint from any of the ISPs involved. That could be because of the VPN usage making the data opaque to all the ISPs, or it could just be a sign that the networks in my area are not as heavily oversubscribed and congested as in your area.
 
Yeah same provider. The 2MP Z12E at 4096 bitrate and 12FPS.

It shocked me. I think it must have got hacked and was used for DDoS.

Strong password was my older one purchased in 2019 (but was isolated when on my house), so it wasn't like it was brand new and someone had scanned the serial recently.
 
  • Like
Reactions: bp2008
freqflyer said:
There's no way to put the correct IP address in my BI and get the video over internet?
Click to expand...
You can't use the network address of the actual camera because it is a private address that has no meaning in the world wide web. For example, if the camera has a local address of 192.168.1.200, you can't simply plug that address into your BI machine and expect it to connect over the internet. As mentioned, you could create a VPN connection between the two networks (which is the best solution) or your friend could forward a random port on their firewall (lets say port 35867) . You would need their networks public IP address (or the web address of a forwarding service - like DNYDNS- if your friend's public IP address might change in the future). You would put their public address with the forwarded port in your BI machine and it should connect. So it would look like this [public address]:[port] or something like 8.8.8.8:35867 where 8.8.8.8 was the public address for your friends network.

That being said, you really don't want to port forward anything on a router/firewall. See this thread for an example of why this is a bad idea. A VPN type connection is the only secure way to accomplish what you want to do.
 
  • Like
Reactions: Bruce_H
As I've said before, port forwarding doesn't have to be risky. If your router allows you to restrict access to a particular source IP or IP range when creating the port forwarding rule, then you can use that to ensure there is no unauthorized access. Unfortunately many home routers (especially those provided by an ISP) are garbage that can't do this.

Additionally, if IPv6 is available at both locations and is properly supported by the firewall in the router at the camera location, then you can assign the camera its own public IPv6 address and open the necessary port or ports in the router's firewall (with a source IP restriction in place ideally). There is a learning curve to figuring out IPv6, much like there is for IPv4. But once you wrap your head around it, some aspects are really nice, such as not needing to worry about Network Address Translation (NAT). Your router is given a certain IPv6 address prefix, for example 2001:1234:5678:1234::/64. That specifies the digits which all your IPv6 addresses must start with, and generally that should never change unless you move or change internet providers. Then you have an effectively unlimited number of public IPv6 addresses to assign to your devices however you see fit. So you could assign a camera the address 2001:1234:5678:1234::100 for example, which is shorthand for 2001:1234:5678:1234:0000:0000:0000:0100. That address could then be accessed from any IPv6-enabled host in the world as long as your firewall rules permit the access. To create a web link to that address, you wrap the IPv6 address in square brackets and then add the port number if it isn't the default number for the protocol (just like with IPv4). So for example to link to that address, port 8080, using the HTTP protocol, the URL is The length is a bit unwieldy, which is why it is recommended to use a proper DNS service so you don't have to be working with raw IPv6 addresses all the time.
 
Last edited:
  • Like
Reactions: jaydeel and TonyR
bp2008 said:
As I've said before, port forwarding doesn't have to be risky. If your router allows you to restrict access to a particular source IP or IP range when creating the port forwarding rule, then you can use that to ensure there is no unauthorized access. Unfortunately many home routers (especially those provided by an ISP) are garbage that can't do this.
Click to expand...
My Exos router, furnished by our fiber ISP, has the feature when a specific port is forwarded to a LAN IP you can specify the remote IP address that is allowed in.
 
  • Like
Reactions: bp2008
You must log in or register to reply here.
Top Bottom