Camera web interface visible through ADSL router IP without any config/setting

MerNion

Young grasshopper
Joined
Nov 5, 2016
Messages
55
Reaction score
4
Hello,

I don't know if this is actually a problem of the camera (DS-2CD2342WD-I) or the modem/router.

When I access the WAN ip address of the modem/router through the internet, I get to the login page of the camera instead of the interface of the modem/router.

Is there a config setting I might have missed or changed in error and led to that?

Thanks!
 

Dodutils

Pulling my weight
Joined
Dec 10, 2016
Messages
451
Reaction score
166
Wrong NAT? Wrong DMZ value setup?
 

MerNion

On the router or the camera? On the camera Network>Basic Settings>NAT I have UPnP enabled and on the table below it says:
Port type, External Port, External IP Address, Internal Port, Status
HTTP, 80, 0.0.0.0, 80, Not Valid
(the same with RTSP and Server Port, 554 and 8000 respectively).

-edit-
I checked on the NVR same page and it has completely different things:
HTTP, 30916, WAN.IP.ADDRESS.HERE, 80, Valid.

So maybe something wrong on the camera settings?

DMZ is disabled on the router..
 

Dodutils

If you connect port 80 on your WAN router's IP you connect to your Camera so it means your router has been set up to do that because it won't do it by default and the routing has to be specified on internal private IP addr too.

So you did it or your camera instructed the router to do so.
 

MerNion

Maybe the UPnP had to do something with that. I disabled it on both the camera and the NVR and it stopped doing that.. Now the problem is that I can't get even the router web interface to show up, but that is off topic anymore.. Thanks!
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,778
Location
Scotland
> have UPnP enabled and on the table below it says:

Ouch! Playing with fire there.
Having UPnP enabled on both the router and one or more devices on your LAN is opening holes in your firewall that lets the entire internet world poke at them.

> Now the problem is that I can't get even the router web interface to show up, but that is off topic anymore..

If that's from outside your LAN, from the internet, that's a good thing, and is the usual default on routers 'Disable WAN administration'.
To see how bad it would be to allow the entire internet access to your router admin interface, check out the recent big-brand severe router vulnerabilities that are in the news.
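
A defender-side check for the situation described in this thread, as an added example that is not part of any post: it parses UPnP IGD `GetGenericPortMappingEntry` responses (the router's record of UPnP-created forwards) and flags enabled mappings that reach a camera or NVR port. The sample responses, the 192.168.1.x addresses and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Internal ports named in the thread: HTTP 80, RTSP 554, server port 8000.
CAMERA_PORTS = {80: "HTTP web interface", 554: "RTSP", 8000: "server port"}

# Constructed GetGenericPortMappingEntry response body; addresses are made up.
TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse
    xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
  <NewRemoteHost></NewRemoteHost>
  <NewExternalPort>{ext}</NewExternalPort>
  <NewProtocol>{proto}</NewProtocol>
  <NewInternalPort>{internal}</NewInternalPort>
  <NewInternalClient>{client}</NewInternalClient>
  <NewEnabled>{enabled}</NewEnabled>
  <NewPortMappingDescription>{desc}</NewPortMappingDescription>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
FIELDS = ("ext", "proto", "internal", "client", "enabled", "desc")
ROWS = [
    (80, "TCP", 80, "192.168.1.64", 1, "HTTP"),     # camera on WAN port 80
    (30916, "TCP", 80, "192.168.1.65", 1, "HTTP"),  # NVR-style mapping
    (554, "TCP", 554, "192.168.1.64", 0, "RTSP"),   # present but disabled
    (1194, "UDP", 1194, "192.168.1.10", 1, "VPN"),  # not a camera port
]
SAMPLE = [TEMPLATE.format(**dict(zip(FIELDS, row))) for row in ROWS]

def parse_mapping(xml_text):
    """Return the argument values of one port-mapping response as a dict."""
    root = ET.fromstring(xml_text)
    resp = next(e for e in root.iter()
                if e.tag.endswith("}GetGenericPortMappingEntryResponse"))
    return {arg.tag: (arg.text or "").strip() for arg in resp}

def audit(responses):
    """List enabled mappings that expose a camera/NVR service on the WAN side.
    An empty NewRemoteHost is the wildcard, meaning any internet source."""
    findings = []
    for m in map(parse_mapping, responses):
        internal = int(m["NewInternalPort"])
        if m["NewEnabled"] != "1" or internal not in CAMERA_PORTS:
            continue
        findings.append({
            "wan_port": int(m["NewExternalPort"]),
            "lan_host": m["NewInternalClient"],
            "service": CAMERA_PORTS[internal],
            "any_source": m["NewRemoteHost"] in ("", "0.0.0.0"),
        })
    return findings

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```
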
 

MerNion

@nayr I have a mikrotik router that supports vpn server but having it with behind the router I don't think it works with NAT...
 

MerNion

> Ouch! Playing with fire there.
> Having UPnP enabled on both the router and one or more devices on your LAN is opening holes in your firewall that lets the entire internet world poke at them.
>
> If that's from outside your LAN, from the internet, that's a good thing, and is the usual default on routers 'Disable WAN administration'.
> To see how bad it would be to allow the entire internet access to your router admin interface, check out the recent big-brand severe router vulnerabilities that are in the news.

Yes, at first I thought I will need the web interface from the internet but after all it is useless. So for now is everything ok, except of some port forwarding which if I could avoid with VPN, I would do.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,342
Reaction score
3,524
> @nayr I have a mikrotik router that supports vpn server but having it with behind the router I don't think it works with NAT...

If it's built into your internet facing router you can set up a VPN easily.

If you're talking about a spare router, you can still do it, you just have to segment your network. You'd put all your cameras behind the mikrotik, set up the vpn server and forward ports on your internet facing router. A few rules to allow the rest of your lan to access the cameras would also be required on the mikrotik.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
you can port forward to an internal VPN Server behind NAT; it don't HAVE to run on your external router.. it just makes the most sense to do so; less points of failure and all that jazz.
 

MerNion

My adsl router/modem doesn't have the vpn capability.. That's why I have to use another pc/router/board/whatever.. I am just looking at my options right now.. I am thinking of a WRT54G with dd-wrt firmware would be the best choice since I have one sitting in my drawer..
 

tangent

> My adsl router/modem doesn't have the vpn capability.. That's why I have to use another pc/router/board/whatever.. I am just looking at my options right now.. I am thinking of a WRT54G with dd-wrt firmware would be the best choice since I have one sitting in my drawer..

you can set a dsl gateway to be just a modem and pass off the routing to another device, but you must know your pppoe login.

Test the old router, bandwidth through a vpn may be slower than you expect.
 
Joined
Sep 28, 2016
Messages
13
Reaction score
3
You can use the 54g with tomato and set up a very strict connection using iptables. Then install a software firewall on the Windows box along with OpenVPN using high encryption with two step verification. There's several ways to whitelist hosts, maybe the simplest is the "Windows hosts file".. Don't forget Windows updates, firewall updates and virus defs if you use that pc to download.
Openvpn is used by majority to hide people IP using a service such as ipvanish so it can be confusing to find decent how to articles for a site to site vpn. ddns is how you will know your dynamic ip address, you need no other services. You can do it router to router, router to computer, router to tablet and so on, whatever you need with no special nothing.

I dunno if that 54g could do encryption, it's pretty old and I didn't Google on that. Here's something I did though..

Cheap solution: 12.5 mbit @ 6192 bit encryption 256 bit cipher:
I learned that a T-Mobile TM-AC1900 is a re-branded Asus RT-AC68U (a dual 800 core router). So I picked up a used TM-AC1900 for 65 dollars then I followed instructions to convert it to an RT-AC68U. It wasn't easy to be honest but after a couple of hours I had it working. There are clear instructions you can Google but here's a recap to see if it sounds like you can do it. You downgrade it by flashing an earlier software release. Then you telnet in and using linux commands (given in instructions) you copy a file named cfe.bin to your USB stick. Open that file with a hex editor to find two different mac addresses across 3 areas. Then you edit a new_cfe.bin file with your hardware mac addresses. Then you copy it back and flash the RT-AC68U firmware in.
 

nayr

the 54g is going to have pretty poor crypto performance with a 200MHz processor; I would not expect it to be capable of VPN speeds greater than a couple Mbit.. probably want something more beefy depending on your internet upload speeds.

quick google search shows about 360KB/s is what it'll max out at without overclocking the cpu... mebe 400KB/s overclocked.
 