Anyone using an Asus router, blocking nvr/BI internet access and receiving apple push notifications? If so, how are you doing this?

foghat

Young grasshopper
Joined
Sep 20, 2019
Messages
85
Reaction score
19
Location
Alberta
Hi all,

Got my Dahua PoE NVR and 3 cameras set up over the weekend. I am using an Asus RT-AC68U router and have it preventing my nvr from accessing the internet. When the nvr is not blocked, I get push notifications (trip wire) to iDMSS Plus on my iphone. When nvr is blocked, as expected, I get no notifications.

I've read in many old threads on this site that setting up the router firewall to allow the nvr to have outbound access on ports 2195/2196 will allow push notifications to work. I'll be damned if I can figure out how to do this - assuming it is even possible on my router.

Is anyone doing this with an Asus router? If so, can you please provide a relatively detailed description of how you have things configured?

If you are doing this on a non-Asus router, I still appreciate any specific guidance you can provide.

At first I was thinking to use a black list rule to block all outbound nvr access and then a white list rule to allow the nvr access to ports 2195/2196 and specify an outbound ip of 17.0.0.0/8 (Apple's subnet). But the router will only let you set up black list rules OR white list rules. Not both.

This said, the router lets me block the internet access to the nvr without using a black list rule - so I did this and then tried using a white list rule to allow the notifications. Did not work. Not sure if the approach (using a white list) is wrong or if I just set up the white list incorrectly or if the fact that the nvr has internet access blocked outside of the firewall settings means that the firewall white list will not work.

At any rate, I am at a loss and am starting to wonder if there would really be much risk if I just allowed the nvr to have internet access. Probably not ideal, but given the cameras are on their own subnet, maybe not the end of the world either?

Thanks for any guidance.
 

Noki

n3wb
Joined
Sep 24, 2019
Messages
19
Reaction score
3
Location
Work
Hi foghat,

Just wondering whether you managed to work this out. Saw your other thread detailing what you tried "If you properly lock down you nvr/computer - how do you get notifications?"
 

Noki

Thanks looney2ns. I understand the OpenVPN is to prevent "outsiders" from accessing your home network. So once it is set up, I need to "VPN" into my home network and then use the iDMSS Plus app. However, I am not sure how that will help the NVR send messages/notifications out if it detects movement across the tripwire. If I block the NVR from sending messages out as recommended, I still won't get them even with the VPN. Like foghat, I was looking for a way to set up the router to block all outgoing communication from the router except for sending the messages.
 

foghat

I still have not figured it out. Granted, I sort of took a break from trying after my post above.

"Install OpenVPN on the router and phone. Run the VPN on your phone all the time, and alerts will work."
Are you sure? If I am on my home network (no vpn installed) I do not get notifications. If the nvr cannot access the internet, how can it send the push notifications? As I understand it, push notifications need to go through Apple's 17.x.x.x subnet?

Since the cameras are on their own subnet, I am tempted to just let the nvr access the internet; with a good password on the nvr, I am still not clear how allowing it access would be any more risky than allowing any other computer on my home network access the internet? Is it only a concern that the nvr will 'phone' home or are there other concerns?
 

Noki

I think I have worked it out but not sure if it is correct.

As you found out, the Asus router only lets you do a Blacklist or Whitelist but not both. What I did was set up a blacklist with the IP of the NVR under source IP, left the port range blank, left the destination IP blank, but then for the port range (in the 4th column, presumably related to the destination IP) I put in 1:2194. I then did a second entry with the same values except for the destination port range, I put 2196:65535.

Therefore the NVR IP is blacklisted except for the 1 port (2195).

Finally, you also need to turn off P2P under NVR settings. If you are using the iDMSS app or using SmartPSS, you need to set them up with the IP address of your NVR. Don't use the scan code as this makes it P2P.

Setting up OpenVPN then helps to protect your network from the outside.


When I looked at the system logs, I found that the NVR IP address was constantly sending out a signal to an IP address in China. After blocking it (with the exception of port 2195), it still showed the outgoing attempt but it was blocked/no response.


Hope that helps. Also if I have inadvertently opened up some security holes, please let me know.
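
As an added illustration (not part of Noki's post and not the router's own logic), the Python sketch below models the two blacklist entries described above and compares them with the tighter policy from the opening post: NVR to 17.0.0.0/8 on ports 2195/2196 only. The NVR address, the sample flows and all function names are constructed for the example.

```python
import ipaddress

NVR_IP = "192.168.1.108"  # constructed LAN address, not from the thread
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")  # Apple's range, per the thread

# The two blacklist entries from the post: source = NVR, destination IP
# blank (any), destination port ranges 1:2194 and 2196:65535.
BLACKLIST = [
    {"src": NVR_IP, "dst_net": None, "ports": (1, 2194)},
    {"src": NVR_IP, "dst_net": None, "ports": (2196, 65535)},
]

def blacklist_allows(src, dst, port, rules=BLACKLIST):
    """True if no blacklist entry matches, i.e. the router forwards the flow."""
    for rule in rules:
        if rule["src"] != src:
            continue
        net = rule["dst_net"]
        if net is not None and ipaddress.ip_address(dst) not in net:
            continue
        low, high = rule["ports"]
        if low <= port <= high:
            return False
    return True

def intended_allows(src, dst, port):
    """Policy from the opening post: NVR may reach only 17.0.0.0/8 on 2195/2196."""
    if src != NVR_IP:
        return True  # other LAN hosts are not restricted
    return ipaddress.ip_address(dst) in APPLE_NET and port in (2195, 2196)

def compare(flows):
    """Split flows where the blacklist and the intended policy disagree."""
    result = {"too_open": [], "too_strict": []}
    for flow in flows:
        actual, wanted = blacklist_allows(*flow), intended_allows(*flow)
        if actual and not wanted:
            result["too_open"].append(flow)
        elif wanted and not actual:
            result["too_strict"].append(flow)
    return result

# Constructed flows: 17.188.1.10 is an arbitrary address inside 17.0.0.0/8,
# 203.0.113.50 is from a documentation range standing in for any other host.
FLOWS = [
    (NVR_IP, "17.188.1.10", 2195), (NVR_IP, "17.188.1.10", 2196),
    (NVR_IP, "203.0.113.50", 2195), (NVR_IP, "203.0.113.50", 443),
    (NVR_IP, "203.0.113.50", 8000), ("192.168.1.20", "203.0.113.50", 443),
]
```

On these constructed flows, `compare(FLOWS)` reports port 2195 to a non-Apple address as too open and port 2196 to Apple's range as too strict. The blacklist filters by port only, so anything the NVR sends to port 2195 leaves the network regardless of destination.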
 

foghat

Awesome, thanks. I will give this a try when I get home. Curious, did you block the nvr internet access just via the blacklist or did you also 'Block Internet Access' when viewing the NVR in the client list on the router, as per below?

1590171661815.png
 

foghat

Also, can you tell where you were viewing the logs (and specifically which log) that showed the nvr calling home? Was it the Connections tab in the System Logs section?
 

Noki

I just used the blacklist. If you use the "Block Internet Access", it blocks everything so you don't get the push notifications.

Correct. The connections tab in the system logs.
 

foghat

Thanks. That is what I thought. I have looked through that list a few times since I've set the nvr up (about a month now) and never have I seen my nvr's ip address in the list. I do have 'block internet access' set, but would have thought if it was making an attempt it would still show in the list. Maybe not.

Before setting up the blacklist, perhaps I will try unblocking it for a day or so to see if it starts appearing.
 