Blue Iris UI3

[adam_adam]

@adam_adam You don't need a VPN or port forward for local access. Probably you need to create a rule in Windows firewall that allows incoming TCP traffic on port 81.

Thanks, bp2008. I didn't realize there was a different between opening and forwarding ports -- I'm fairly new to much of this networking stuff.

I don't want to hijack this thread if this is too off-topic, but I've searched for "blue iris open port" and only seem to find hits for people speaking of forwarding ports.

• Is it normal to have to open a port in order to access BI within a LAN? (I'm surprised I haven't run across this -- I've probably read 100 hours worth of networking and/or BI information over the last 6 months, lol).
• Would somehow be able to direct me to a guide or let me know which type of inbound port opening instructions to utilize? I see options for creating inbound rules that are program-based (select BI in program files?), port-based (port 81 ... secure only? completely open?), and other options as well (e.g., custom). I'm completely unfamiliar, and don't want to just guess.

You guys are great for all the help you provide. BI is awesome, but has involved a steep learning curve for me.

 

[bp2008]

Port forwarding and opening a port in a firewall are similar things. When you forward a port (in a router), the router is internally opening that port in its firewall and also creating a NAT policy to route the traffic to your intended destination. I've worked with Sonicwall routers that don't have a simplified "port forwarding" feature. They force you to do these two things separately.

Windows Firewall is just another firewall like the one in your router. Of course you have to open a port in it to accept incoming connections. Many programs try to do this automatically, but it doesn't always work or stay working for one reason or another. I'm honestly not sure if Blue Iris tries to open a port for itself.

To open a port in windows firewall, what I prefer to do is go to the advanced settings > inbound rules > New Rule > Port. TCP or UDP depends on what type of packets the service is going to be receiving (TCP for a web server like Blue Iris). Then you enter the port number you want open. On the next screen, Allow the connection (ignore the "if it is secure" choice - that is worthless to us). Enable it for all network types (Domain / Private / Public). There's no reason not to unless you are setting up the firewall rule on a server that connects to multiple network types. Sometimes Windows will switch your network type for no good reason, like if you swap your router for a different one, so setting the rule for all network types makes sure your rule keeps working even if this happens.

 

[adam_adam]

Thanks, bp2008. Appreciate your help.

I set a new rule (inbound) to open port 81 TCP for all network types. I restarted the PC. However, I am still getting a timeout error when attempting to navigate to 192.bla.bla.bla:81 or 192.bla.bla.bla:81/ui3.htm (unless I do so from a browser on the BI machine itself).

Any other thoughts, by chance?

PS. On what I assume is a related note, I also still get the "unable to reach server" error when attempting to setup the BI Android app.

 

[m_listed]

When I use a reverse proxy, UI3 still asks for authentication even though I have the authentication requirement to be "Non-LAN only". I enabled the "Use X-Forwarded-For headers" option and I can see from the Connections status tab that the IP and Hostname are in the LAN (they are my router's local address), but it still asks for authentication.

 

[Walrus]

@adam_adam
In the network properties on the BI machine, is the network set to public or private?

Also, I think I remember having a hell of a time getting access to work from another computer on my home lan. I'll check my settings tonight when home.

 

[bp2008]

Thanks, bp2008. Appreciate your help.

I set a new rule (inbound) to open port 81 TCP for all network types. I restarted the PC. However, I am still getting a timeout error when attempting to navigate to 192.bla.bla.bla:81 or 192.bla.bla.bla:81/ui3.htm (unless I do so from a browser on the BI machine itself).

Any other thoughts, by chance?

PS. On what I assume is a related note, I also still get the "unable to reach server" error when attempting to setup the BI Android app.

Maybe you have another firewall on that machine besides windows firewall?

 

[bp2008]

When I use a reverse proxy, UI3 still asks for authentication even though I have the authentication requirement to be "Non-LAN only". I enabled the "Use X-Forwarded-For headers" option and I can see from the Connections status tab that the IP and Hostname are in the LAN (they are my router's local address), but it still asks for authentication.

Is UI3 actually asking for authentication, or are you just getting sent to the login page? There are a couple possibilities for why you would still be getting the login page.

1) In BI Options > Web server, there's a dropdown list where you have to choose the local network interface. Most people only have one of these, but if you have two, it might be set wrong. BI uses this to know which addresses are considered LAN addresses.

2) Your bookmark for UI3 might be a bookmark to the login page.

Just to be clear, X-Forwarded-For is an HTTP header that proxy servers can use to inform a web server of the actual originating source IP address (otherwise all requests appear to come from the proxy server). I haven't tested this feature in Blue Iris so I don't know if it affects the source IP seen on the connections status tab.

 

[adam_adam]

In the network properties on the BI machine, is the network set to public or private?

Network category = Public

Maybe you have another firewall on that machine besides windows firewall?

I'll investigate. Since buying that machine and installing Win10, I haven't really messed with anything other than installing BI, setting up cams, and setting up Chrome Remote Desktop (CRD).

On my Windows Defender Firewall settings page, it says...

• Incoming connections: Block all connections to apps that are not on the list of allowed apps.

Then, within "allow apps to communicate through Windows Defender Firewall", is has the BI port 81 rule I created, along with two others, see below. I noticed that the 'public' one does not have a check to the left of it.

 

[bp2008]

The "two others" would be automatically created rules (you may have been prompted to allow firewall access upon initially running Blue Iris). That all looks like it should be working. But in complex systems like this, so many things can be wrong.

Try setting your network to private (How to change Windows 10 network location from Public to Private | TinkerTry IT @ Home)
Try temporarily turning off Windows Firewall entirely. If this fixes it, then we know the problem is related to the firewall configuration.

 

[Walrus]

Change it to private.

 

[adam_adam]

Try setting your network to private.

Change it to private.

Thank you both -- this did the trick!
ui3 and BI Android app are now both working.

 

[bp2008]

Isn't it grand, when your firewall rules are set to allow the connection in both network types, yet it still gets solved by changing the network type? Yay Windows.

 

[awsum140]

Why do you think I cal it Windooohs 10?

 

[Walrus]

Isn't it grand, when your firewall rules are set to allow the connection in both network types, yet it still gets solved by changing the network type? Yay Windows.

If you look at his screenshot of allowed apps and features, the 2nd item didn't have public checked. The 3rd did, but to the far left, it wasn't checked as active. It could have been that combo doing it as well. Instead of changing to to private, checking those boxes might have fixed it as well.

 

[m_listed]

Is UI3 actually asking for authentication, or are you just getting sent to the login page? There are a couple possibilities for why you would still be getting the login page.

1) In BI Options > Web server, there's a dropdown list where you have to choose the local network interface. Most people only have one of these, but if you have two, it might be set wrong. BI uses this to know which addresses are considered LAN addresses.

2) Your bookmark for UI3 might be a bookmark to the login page.

Just to be clear, X-Forwarded-For is an HTTP header that proxy servers can use to inform a web server of the actual originating source IP address (otherwise all requests appear to come from the proxy server). I haven't tested this feature in Blue Iris so I don't know if it affects the source IP seen on the connections status tab.

I'm actually getting sent to the login page (when trying to access the bare URL, or the bare URL + /ui3.html). It doesn't do this when accessing it by the local IP. Only when accessing by the domain name (that goes to the reverse proxy). In the BI Options → Web Server, the only interface in the menu is 10.11.12.16, while the router is at 10.11.12.1 (which is also the IP that shows up in the BI connection logs).

Here's the relevant parts of the Connections log when UI3 is accessed through the LAN through the reverse proxy; "Front" is my first camera name.

 

[bp2008]

It is ui3.htm not ui3.html, thought I imagine that was only a typo in your post.

I'm not sure why it is sending you to the login page then. It shouldn't be. The only time UI3 sends you to the login page is when you click its "log out" button. Any time you get redirected unexpectedly to the login page, it is Blue Iris's doing.

 

[GZero]

Having issues with ui3 and viewing them through Chrome. I can login just fine, but video never displays. Just get a constant loading circle. Tried in IE and worked fine. Not real sure what to make of it. Suggestions? I'm not on a local machine either.

 

[bp2008]

@GZero The most common reason for H.264 streams (the default streaming method in Chrome) to not load is antivirus/antimalware software. Such software may intercept your web traffic and try to scan it before letting the browser have it. This is most likely what is happening to you. The offending software is most likely running on the device you run Chrome from.

You'll need to identify the offending security software and add an exception for the hostname you reach Blue Iris at.

 

[GZero]

@bp2008 Thanks. Added an exception for my Sophos Home software and seems to be working fine now. I thought it was strange that IE worked but Chrome didn't. Thanks for the info!

 

[bp2008]

The difference is that IE can't do H.264 streaming in UI3. It can only load Jpeg frames, which is an entirely different streaming method.

Here is what happens, more or less.

Jpeg:

H.264: