Asus ac68u router, VPN OK, but can't reach NVR

Steveee

Pulling my weight
Joined
Aug 16, 2019
Messages
93
Reaction score
116
Location
Kent, England
Hi guys,
I'm hoping someone can help me with this.
I can access my NVR with no problems when on my local wifi network.

I have an Asus ac68u router. I have set up the DDNS OK, and I have set up the VPN (I think OK: I can access my router login page and a printer on my local network from mobile data OK). Followed Randy's OpenVPN guide.
Router and phone say connected.

But I can't access my Dahua NVR, I am thinking it is something to do with how NVR is blocked from internet?

Or have I set up VPN incorrectly?

I have tried just Block from network map area.
I have tried Block time(All) in parental controls.

This router is new to me, so I would really appreciate it if someone with the same router could be kind enough to explain their set-up / firewall rules?
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I know on my RT-N66U I had some issues when combining VPN access to a remote site and "block internet access" on the clients (these were cameras). I just figured it is my old setup, but there could be more to it. I just logged in remotely to flip the "block internet access" on a single camera and ended up with the "No signal" indicator in Blue Iris.
 

Steveee

OK, so instead of block internet, what about blocking the NVR IP address in firewall or network services filter for the ports that it uses?
Maybe I should not block the UDP port if that is what it uses for push notifications?
Or do I not need to block it at all?
No ports are forwarded.
UPnP off.
I thought blocking NVR from internet completely, then using VPN, would work and be the safest option.
Unless I've got something set up wrong?
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
@Steveee you are on the right track trying to limit internet access to the NVR (or cameras for other users using Blue Iris), but you may have to tinker. Since my RT-N66U is remote, I try not to mess with it until I am onsite because it significantly reduces my stress to be able to monitor the remote location without constantly having to travel and check on it. The last time I started tinkering I had to pay a tech to go onsite to fix it, because there is a fixed cost to travel (car or air) to visit the site myself.

If this AC68U is at your home location and you can safely tinker (with the worst case being you break VPN access for a few minutes at a time), I would definitely investigate Parental Controls next. I just can't afford to tinker with that myself due to the above. You are already in a better posture using VPN than some idiots using port forwarding, but you will definitely want to continue to work on preventing access by the NVR or cameras to the internet.
 

Steveee

Ok, Thanks for your help.
I will carry on blocking NVR from internet, and keep trying different settings.
 

Steveee

Spent many hours last night playing with firewall rules in the network service filter (Asus ac68u router).
I was practicing on a spare laptop trying to block it from internet, using the Blacklist and various ports.
It doesn't seem to work no matter what I try.
I'm obviously doing it wrong. This is a new router to me!

Could someone please show examples of firewall rules for blocking and allowing, for this or a similar router, with an explanation?

I also note it says https cannot be blocked, is this a problem?

Many thanks.
 

c hris527

Known around here
Joined
Oct 12, 2015
Messages
1,782
Reaction score
2,066
Location
NY
I can tell you this on my Asus VPN setup: block the client = NO VPN access, period. I have everything (camera-wise) blocked except my NVR. Your NVR should be locked down anyway by disabling all the garbage in its GUI. I have messed with it to some extent but do not worry too much about it. It still sits behind the router, it's NOT port forwarded to allow ingress traffic to probe and hit it, and I was at first checking my logs and a little paranoid about it, but it's not being seen from the outside. That being said, can it call home? Yup, but I have never seen it do that and you should not either if you have all the usual suspects turned off.
This issue has been thrown around here before, and as far as I know nobody has come up with a special firewall rule to get around this. I think it's by design anyway, because technically your client still needs to chat over the Internet through your VPN. That being said, after a year and a half of it being active through my ASUS router, it's been fine with NO issues. If somebody has a better solution I wish they would let us know, but as of right now I deem my network pretty secure with the setup.
 

Steveee

Thank you very much @c hris527 for your set-up explanation, I was starting to pull my hair out!!
I will go with you on this.

My setup, just to check please before I unblock NVR on router:

Cameras are all PoE direct to NVR, so are NOT exposed to LAN, so NO further action required?
In NVR GUI: NO UPnP, NO SNMP, NO P2P, ONVIF disabled.
On router: NO port forwarding, NO UPnP.

I did leave push notifications enabled, is that OK?
 

c hris527

Here is what I tell some of my paranoid clients: go to GRC (Gibson Research) and run ShieldsUP on your system. That can do a basic probing of open ports on your system, OR there is a more in-depth scanner that scans the higher ports. With a stock Asus router it should come back clean; if it shows open ports then you have work to do. As far as push notifications go, your NVR will need egress access to the Internet for that to work. Is it OK? Depends on how paranoid you are. Enable it and see what happens and check your logs. I do not have that feature but I know people here do, and some of them have a hell of a time getting them set and working correctly. If it motion alerts, you will most likely disable it after a week because of all the false alerts.
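
An added illustration, not part of any post in this thread: a small first-match model of the two replies above, showing why a blanket per-client block also drops the NVR's replies to a VPN phone, while a drop scoped to WAN-bound traffic keeps VPN access but also stops push notifications and call-home. All addresses, subnets and both rule sets are constructed assumptions; the thread does not show how the Asus firmware implements its block or whether its GUI can express the scoped rule.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not taken from the thread).
NVR = ip_address("192.168.1.108")
LAN = ip_network("192.168.1.0/24")
VPN = ip_network("10.8.0.0/24")      # hypothetical OpenVPN tunnel subnet


def zone(addr):
    """Classify a destination as LAN, VPN tunnel subnet, or WAN (anything else)."""
    a = ip_address(addr)
    if a in LAN:
        return "lan"
    if a in VPN:
        return "vpn"
    return "wan"


# A rule is (source or None, destination zone or None, verdict); first match wins.
BLANKET_BLOCK = [(NVR, None, "DROP")]   # modelled "block this client" switch
SCOPED_BLOCK = [(NVR, "wan", "DROP")]   # drop only what would leave via the WAN


def forward(rules, src, dst):
    """Verdict for a routed packet from src to dst; default policy is ACCEPT."""
    for r_src, r_zone, verdict in rules:
        if r_src is not None and ip_address(src) != r_src:
            continue
        if r_zone is not None and zone(dst) != r_zone:
            continue
        return verdict
    return "ACCEPT"


def report(rules):
    """Evaluate the two NVR-originated flows the thread cares about."""
    flows = {
        "reply to VPN phone": "10.8.0.2",      # constructed VPN client address
        "push / call-home": "203.0.113.10",    # constructed Internet host
    }
    return {name: forward(rules, str(NVR), dst) for name, dst in flows.items()}


if __name__ == "__main__":
    for label, rules in (("blanket", BLANKET_BLOCK), ("scoped", SCOPED_BLOCK)):
        print(label, report(rules))
```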
 

Steveee

Yes, I am a bit paranoid.
I will unblock NVR and check as suggested.

Only had NVR for a few weeks, not had chance to play with settings very much, but I have very few false alerts.
The IVS on NVR and cams seems to work really well. Very impressed with the Dahua NVR and IPCs so far.

Now that VPN firewall issue is sorted :), thanks very much to @c hris527 :), I can get back to playing with the various settings on the cams.
 