Can not remotely access Blue Iris running in a VM

pjdevries

I am in the process of setting up my first ever surveillance camera. On the advice of @Sphinxicus, backed by several other helpful forum members, I decided to start with one camera, an IPC-T5442T-ZE to be exact, to get acquainted and test, play and experiment. This should help with the selection of other cameras. Using a Blue Iris demo version, it allows me to play with that as well, to see if it fits my needs. My aim is to access the Blue Iris server both from within my local LAN and remotely, through the Blue Iris web interface and/or using mobile apps. This is my current setup:
  • A laptop running Windows 10 Pro.
  • Blue Iris 5 demo up and running in a VMware Workstation VM with Windows 10 Pro.
  • The network interface of the VM is a TP-LINK Gigabit Ethernet USB Adapter, connected directly to the VM.
  • The network is completely separated from my LAN:
    • Dedicated FRITZ!Box 4040 router.
    • Fixed WAN IP address.
  • I ran the Blue Iris "Remote Access Wizard" with nothing but green check marks.
  • In the router I set up a port forward, called Port Sharing on a FRITZ!Box, to the Blue Iris webserver port in the VM.
  • I added Blue Iris to the Windows firewall of the VM.
This is just a test setup which will be replaced by a dedicated PC eventually.

For several hours now, I have been unsuccessful in trying to remotely access Blue Iris. At first glance, everything looks fine. The access check on canyouseeme.org is successful and I can access Blue Iris from within the VM via the WAN address and assigned port. I just can not access it from the VM host laptop, or any other computer for that matter.

Apparently I am missing something completely. I just don't see what it is. Does anybody else?
 
Attempting to make sense of your setup description. Attached is likely wrong, please correct as to how devices are physically connected. Also, provide their IP addresses.

Issue is not with BI, but rather your configuration of VM and separate network. How well versed are you with networking principles?
 

Attachments

  • SmartSelect_20201121-200330_Samsung Notes.jpg
Thanx for the response @jmhmcse.

I'm quite sure you are right and the problem is not BI. If it was, I would not be able to connect to it from my laptop, the VM host, either. I do know a bit about networking principles, but am hardly an expert. There's a lot I often struggle with. But I'm familiar with (most of) the terminology, so don't hold back :)

Your draft is almost right. The difference is that my FRITZ!Boxes are both on a separate fixed WAN IP address.
 

Attachments

  • Blue Iris - VMware.jpg
Here's an updated diagram with a couple of items for you to confirm/configure. This setup seems more elaborate (commercial/multiple family) than a typical home BI installation.

1606070060380.png

You should read up and understand more networking basics if you are to support and maintain such a configuration beyond testing.
 
I guess my diagram was not sufficiently clear. Each of the routers address a different subnet. If you look at the laptop host and VMware client, you can see that.

You should read up and understand more networking basics if you are to support and maintain such a configuration beyond testing.

I don't quite understand. I have two routers, configured for different WAN IP addresses, each addressing a different subnet. The laptop host is directly connected to the one and the VMware client to the other. In my perception there are two completely separate local networks, both of which are exposed with a different WAN IP address. The only thing they have in common (more or less), is the laptop on which the VM runs. The networks are completely separated though. The USB ethernet adapter is connected directly to and only visible in the client. Is that an incorrect train of thought?
 

Attachments

  • Blue Iris - VMware.jpg
Although my original version had additional hardware boxes, they represent the same environment. I've simplified the pic to be the same as yours.

IP address ranges within each router are isolated and can be the same, different, whatever. They are separate and have no knowledge of each other.

Provided that both WAN ports can be resolved by canyouseeme, the area(s) which need to be investigated/configured may be within the modem and definitely within the routers.

How does your modem handle traffic between the WAN ports; do the packets remain local within the modem or are they sent to the ISP and back to the modem?

Router(s) will likely need firewall entries and opened ports.

The basic hardware configuration you have, the missing tweaks are to the software within the modem, routers, and host systems.


1606077250489.png
 
How does your modem handle traffic between the WAN ports; do the packets remain local within the modem or are they sent to the ISP and back to the modem?

Not a clue. My knowledge and experience ends here.

Router(s) will likely need firewall entries and opened ports.

As far as I know, that's what the "Port Sharing" is for.

The basic hardware configuration you have, the missing tweaks are to the software within the modem, routers, and host systems.

I agree. If I only knew what they are. I simply don't know what's wrong with the setup.
 
Thanx for pitching in @IAmATeaf

Which devices from the BI VM can you actually ping?

I am not sure what you mean here.

So can you ping the Fritz box and the router?

The FRITZ!Box is the router. It can be pinged from within the BI VM client. It can not be pinged from the laptop host, because that's on a completely separate network. It can not be pinged from the outside either because it is not directly exposed to the internet. As you can see in the diagram above, the ISP modem sits between the internet and the router. The WAN IPs can be pinged though.

By the way, ping is not a reliable way of testing if a device can be reached. Ping can be disabled on a device, while it's still reachable in other ways.
 
@pjdevries
I'm not sure I have understood your topology 100% but I'll throw in my tuppence worth anyway :)

You mentioned that the BI remote access Wizard works (I have never run this so don't know what exactly it checks but I will assume it checks that it can reach the internet).
You mentioned that canyouseeme.org shows successful. I assume that this is showing that TCP port 8008 is open on your public facing firewall on the fritz box 4040 with IP of 95.x.x.1?
If I assume that the above is correct then the BI VM has a route to the internet and your firewall will allow and forward traffic inbound to 95.x.x.1:8008 to 192.168.40.2:8008

I will assume that your laptop 192.168.10.187 has access to the internet also.

I will also assume that your modem, is actually a modem and does not perform any kind of routing and is unaware of either of the other internal interfaces, (i.e. cannot pass traffic IP/ethernet or otherwise between them).

Lots of assuming but hey ho :)

With the above boat-load of assumptions in play, this suggests/assumes that
  1. your BI config is correct, (no address restrictions in place on the BI webserver. Webserver is configured to listen on TCP port 8008)
  2. your port forwarding/fritzbox firewall config is correct
  3. your route from 192.168.40.0 network to WAN and back is correct
  4. your route from 192.168.10.0 network to WAN and back is correct
It would make sense to confirm the above points. The below points match the above ones.
  1. Read/check BI documents. BI help is very well written - Can you place another device on the 192.168.40.0/24 network and attempt to access BI from there?
  2. Use a mobile device on the provider's cellular network (not your own WiFi) to attempt connection to BI from outside your LAN.
  3. Can you access something like google? This proves that your router can route packets originating from inside your network externally and back again while performing NAT
  4. Same as number 3 for 192.168.10.0/24 network
With all the above ticked and confirmed, the only thing left that I can think of is that this is related to your ISP. Perhaps they are using some form of carrier grade NAT. Your two public IP addresses could be being NAT'ed and CGNAT has been known to cause a bunch of fuckery for people trying to port forward behind it. If this is the case there is also the possibility that because you are effectively trying to do a u-turn (as far as their NAT is concerned, your public IPs are the "LAN" side of their NAT) then if they don't allow some form of IP reflection then you may not be able to route traffic out one WAN IP address destined for the other.

The above may turn out to be a bunch of guff but I thought I'd let my rambling brain throw out what I was thinking in the event that it causes someone to chime in with the actual answer.

What would I do in your position? One of the two:

  • Allow the Host OS to communicate with the VM directly. (directly connected route).
  • Assuming they support this, connect the two fritzboxes together with another network (192.168.255.0/24), enable some form of routing protocol on both fritzboxes to advertise their routes to each other (RIPv2 is common on most routers) and your laptop will never have to touch the WAN
Good luck
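
Added example, not part of any post in this thread: a small Python helper for the checks discussed above. It classifies the WAN address a router reports (to spot CGNAT or double NAT) and tests the forwarded port with a real TCP handshake instead of ping. The function names and all sample addresses are constructed for illustration.

```python
import ipaddress
import socket

# Ranges that an inbound port forward from the internet cannot reach.
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan(router_wan_ip, seen_from_outside=None):
    """Classify the WAN address shown on the router's status page.

    seen_from_outside is the address an external "what is my IP" service
    reports for the same connection (optional).
    """
    ip = ipaddress.ip_address(router_wan_ip)
    if ip in CGNAT:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "double-nat"
    if seen_from_outside and ipaddress.ip_address(seen_from_outside) != ip:
        return "translated-upstream"
    return "public"

def tcp_probe(host, port, timeout=3.0):
    """Attempt a full TCP handshake to host:port.

    "open"     = something accepted the connection
    "refused"  = host answered but nothing listens, or a firewall rejected it
    "filtered" = no answer at all (dropped, no route, or no NAT reflection)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and unreachable errors end up here
        return "filtered"

if __name__ == "__main__":
    # Constructed addresses; 203.0.113.0/24 is reserved for documentation.
    print(classify_wan("100.72.14.9"))                   # cgnat
    print(classify_wan("203.0.113.10", "203.0.113.10"))  # public
    # Offline demo against a local listener; in practice run tcp_probe()
    # against the WAN address and port from each vantage point in turn.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    print(tcp_probe("127.0.0.1", srv.getsockname()[1]))  # open
    srv.close()
```

Running `tcp_probe` from the BI VM, the host laptop and a phone on cellular data separates the cases: "open" only from inside the VM's own network points at the path between the two WAN addresses rather than at Blue Iris or the port forward.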