Carrier-Grade NAT problem: How to access my IP cameras? VPN?

perla

My Internet provider just started using CGN (Carrier-Grade NAT), so I’m no longer receiving a public IPv4 address for my router. All in all, I can’t access my IP cameras outside my home network (so from the Internet).


Can somebody give me advice on how to solve this problem?


Maybe using a paid VPN server can be a solution?
Until this moment I viewed my cameras also by connecting to my router’s own VPN server. But it is not the same. If I buy an online VPN subscription and connect my router and mobile phone to that same paid VPN server, will I be able to access my router and my IP cameras?

Thanks for your help!
 

bp2008

Typical paid VPN servers only work for outgoing communication, and won't help you with incoming connections like you need.

The first thing you should probably try is to ask your ISP if they will forward a port to you for your VPN. I don't know what VPN technology you've been using, but OpenVPN only requires one port. Other VPN types may use more than one, and some use less common protocols even, though if this is indeed "carrier-grade NAT" then it should be no problem for them to set up the routing.

If they won't do that, see if they'll sell you a dedicated IP for a reasonable amount ($5-10 per month?).

If you can't get them to help you, then the next best option is something that tunnels out, such as Teamviewer or LogMeIn Hamachi or NeoRouter.

Lastly, you could run a VPN server elsewhere, such as on an inexpensive virtual private server (about $5 a month from the likes of Godaddy), and run a VPN client on your router or a PC at home to connect to this VPN server and bridge the VPN network with your local network. Then you can connect to your new VPN server from mobile devices to access your home network.
 

perla

Thanks for the quick reply.
I will definitely call my ISP. I know that they don't sell static IP addresses for home users, but maybe they will help me with port forwarding. I read on a different forum that sometimes only asking for getting back a simple dynamic public IPv4 address can help. :)

Thanks for the tips. If they can't help me I will probably rent a private virtual server.
 

xtropodx

Realise this is old however I've found myself in the same boat recently.

I have ASUS RT-AC3200 & was able to remote in until recently when ISP rolled out CGNAT. I can call them & request IP but I'd rather see if there's a way around this first. You know, for fun & kicks.

> Typical paid VPN servers only work for outgoing communication, and won't help you with incoming connections like you need.
>
> The first thing you should probably try is to ask your ISP if they will forward a port to you for your VPN. I don't know what VPN technology you've been using, but OpenVPN only requires one port. Other VPN types may use more than one, and some use less common protocols even, though if this is indeed "carrier-grade NAT" then it should be no problem for them to set up the routing.

Is this the same port forwarding that shouldn't be used? ie dangerous etc or is this something else.

My router has VPN server & has DDNS set up, & I was connecting on my mobile through OpenVPN Connect to access my cameras. Which now isn't connecting.
Is there a way around this with my current gear without resorting to another 3rd party?
 

bp2008

> Is this the same port forwarding that shouldn't be used? ie dangerous etc or is this something else.

Yes, it is the same port forwarding. No, it is not dangerous. People here often make a blanket statement to never forward ports, and use a VPN instead. That is oversimplifying matters in an attempt to keep people safe without having to make them experts in IP networking.

Port forwarding is not the enemy. Port forwarding is just the way we allow incoming traffic to come into a NAT (router) and get routed to the desired destination. The danger comes when ports get forwarded to insecure services. If you are only forwarding a port to your VPN server, you are fine. It is no more risky than the way you were running your VPN server previously.

> I have ASUS RT-AC3200 & was able to remote in until recently when ISP rolled out CGNAT. I can call them & request IP but I'd rather see if there's a way around this first. You know, for fun & kicks.

If you can't accept incoming connections, then you need the help of a third party that can. That costs money and requires additional effort and expertise on your part. Best to get the ISP to forward a port for you.

And no, there is no magic way for your VPN server to accept incoming connections from the internet without setting up the appropriate routing.
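
A quick way to confirm the situation discussed above, as an added example that is not part of any poster's message: compare the WAN address shown on the router's status page with the address an outside service sees. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: seeing one on the WAN side means double NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(router_wan_ip: str, observed_public_ip: str) -> str:
    """Classify the connection from the WAN address on the router's status
    page and the address an outside "what is my IP" service reports."""
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if wan in CGNAT_SHARED:
        return "cgnat"             # ISP NAT sits in front of the router
    if any(wan in net for net in RFC1918):
        return "private-upstream"  # another NAT device is upstream
    if wan != seen:
        return "translated"        # public-looking WAN, rewritten upstream
    return "public"                # router holds the public address itself


def inbound_possible(router_wan_ip: str, observed_public_ip: str) -> bool:
    """Forwarding a port to the router's VPN server only works when the
    router itself holds the public address."""
    return classify_wan(router_wan_ip, observed_public_ip) == "public"


# Constructed sample values (reserved and documentation ranges, not real hosts).
SAMPLES = [
    ("100.72.14.9", "203.0.113.10"),   # typical CGNAT assignment
    ("192.168.1.2", "203.0.113.10"),   # router behind another router/modem
    ("203.0.113.10", "203.0.113.10"),  # direct public address
]

if __name__ == "__main__":
    for wan, seen in SAMPLES:
        verdict = classify_wan(wan, seen)
        print(f"WAN {wan:<14} seen as {seen:<14} -> {verdict}, "
              f"inbound possible: {inbound_possible(wan, seen)}")
```

In every case other than "public", a DDNS name cannot point at an address that reaches the router, so a router-hosted VPN server will not accept connections from outside.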
 

majones

I know this is an old post, but it caught my eye as I needed to install a remote BI installation using an LTE modem, and I came across this Carrier-Grade NAT problem whereby the outward facing WAN IP can't be used for port forwarding to the BI machine. I tried the free ngrok solution but was frustrated by the url changing every time the BI machine rebooted under the free plan. I tried the free LogMeIn Hamachi VPN and was frustrated because under their free plan the VPN only fires up when the user on the BI machine logs in. My best solution so far is the free Neorouter VPN solution with a client loaded on the BI machine that kicks in whenever Windows starts, and a server running on my main PC that runs 24/7. Neorouter has versions that run under most operating systems, so I can include any device (eg Android) that I might want to use to access the BI server via the Neorouter VPN. Hopefully this will help someone else.
 

iantan

Hi majones,

Sounds like I have the same issue. I'm in the UK as well and behind a CGNAT. I was using ubiquiti protect, which works behind CGNAT, but I was looking at getting BI and adding some additional cameras.
I tried setting up openvpn on a remote AWS server, that worked but I was looking for other options to log in from my mobile whilst away from home.
Could you give me some info on the neorouter option you mention?
Thanks.
 

majones

The easiest option is to obtain a Three SIM and specify 3internet as the APN, which gives you a public IP address so you can port forward to your BI server. But I want cheap and am using SMARTY who don’t provide a public IP address.

Hence Neorouter. To set it up, you’ll need one device on a network with a public IP address where you’ll run a Neorouter server that can be accessed externally via port 32976. That device could be a raspberry pi on a friend’s home network. The sequence of installation is: 1. Create a Neorouter domain with username and password on the Neorouter website; 2. Install the server with the domain details on your chosen device; 3. Install client software on your BI machine plus any devices that you want in the VLAN. Neorouter have apps for mobiles (up to 2 can be included in the VLAN in the free version). Then you can access the BI server from your mobile using its Neorouter VLAN address (10.0.0.x) plus its LAN port.

The clever thing is that all the traffic is peer-to-peer, so neither Neorouter nor the server see what is being transmitted between your BI server and your mobile. The other thing is that Neorouter starts as a service, so in the same way that BI fires up with Windows so does Neorouter, so if your BI machine suffers a power cut and the bios is set to reboot upon power restoration, you'll get communication back. This is not the case with the free Hamachi setup, where you have to log on as a user for it to work.
 

iantan

Thanks, I'll have a look.

I live in the countryside in North Scotland, Three isn't an option as I only get a few meg download speeds and even less upload. I'm using Vodafone and it gives circa 90 down and 20 up which seems so unlikely but I switched the whole house over about 9 months ago and it's been great apart from the CGNAT issue. I need to look at the options to circumnavigate CGNAT or I may switch back to fixed line broadband, but that's a drop to around 30mbs down and about 15 up.
 

majones

Thanks for the background info. Maybe you should get a feel using Hamachi, that is also free but the server runs externally at the LogMeIn end. So you don't need a public IP address anywhere. The hassle with Hamachi is that the VPN setup on your phone isn't via an app. But I have it and run it in parallel with Neorouter, as a fallback. So I can help you out.
 

iantan

I had a quick look at Hamachi, it looks ideal. I haven't downloaded the software, I was trying out a couple of 4k cameras. The Reolink and the Annke, both seem to have pluses and minuses but the fact I don't seem to be able to stream the Reolink in 4k to BI is the major issue, anyway I digress.
Do I set up the phone as a normal VPN? I use Android.
I assume I could set up BI to notify my phone of any alerts and then simply login to BI via the VPN of Hamachi to see what the alarm was and view any video?
This seems a better option than my AWS openvpn as that sends all my traffic via the VPN, I'm assuming if the phone isn't connected my pc would route via my normal internet connection?
Thanks for your help to date.
 

majones

I've got a couple of Annke C800's that work fine with BI. The camera is fundamentally a Hikvision DS-2CD2383G0-IU and accepts the Hikvision firmware updates.

It's probably best to get a feel for Hamachi using Windows devices first. You'll need to register for a LogMeIn account, then go to Networks > My Networks > Add Networks. Then you add devices to your network with Add Clients. When it's up and running, you can have up to 5 client devices in any Network with IP's of 25.x.y.z.

Adding an Android device is a pain, as you have to initiate things at the LogMeIn end with Add Client > Add mobile client, and then LogMeIn send you an email with 3 files that have to be downloaded and run on your mobile. It does work. You then have the option of Hamachi as a native "VPN" on your phone. No app, note.

When the "VPN" is running, the only change from normal functionality is that client devices on your Hamachi network are accessible. So if your BI LAN IP is and it's been given a VLAN IP of 25.16.17.233 by Hamachi, you'll access the BI server from your phone on . All other network functionality is unchanged.
 

majones

Actually, why not give ngrok a go? It is the simplest to set up. Then you can access BI from your phone simply by specifying an https:// address that ngrok maintains until you reboot your BI machine.
 

iantan

Thanks, I'll try the Hamachi over the weekend. The fact you mention ngrok maintains the connection until my machine is rebooted causes a concern. That would mean if I have a power cut I'd lose my external connection and if I'm travelling I can be away for 4 or 5 weeks at a time.
I'll let you know how I get on.

The cameras, the Annke seems a better build quality but the downside is the lack of audio. I knew it was a clone of a Hikvision but I didn't know which model so thanks for that info. I see a couple of reviews saying the new Reolink is better but I know that can be subjective so I'll set them up side by side and test them myself.

FYI, I was going to use this camera in the soffit above my front door rather than the Nest doorbell I currently have, but saying that I think I have used the audio twice in two years and it wasn't very effective anyway.
 

TonyR

> .....but I was looking at getting BI and adding some additional cameras.

> I see a couple of reviews saying the new Reolink is better but I know that can be subjective so I'll set them up side by side and test them myself.

FYI, to quote @fenderman below and as found here.

"No reolink camera will properly work with blue iris. This is because you cannot specify the iframe interval in the firmware. Reolinks, lies notwithstanding."
 

iantan

I have both "live" on Blue Iris but to be honest the Annke is a wider angle and better dynamic range than the Reolink so it's probably my favourite anyway. The cameras will be facing into the setting sun at this time of year.

I haven't tried the motion detection etc yet so can't comment but thanks for the heads up.
 

majones

> The fact you mention ngrok maintains the connection until my machine is rebooted causes a concern. That would mean if I have a power cut I'd lose my external connection and if I'm travelling I can be away for 4 or 5 weeks at a time.

This is the precise scenario I've planned for in my case. Hence my BI computer BIOS is set to automatically reboot the machine after a power loss, and the essential software components (BI server and Neorouter server/client) are set as services that start whenever Windows starts, not requiring a user to log in or manually do anything.
 

iantan

majones, what's the sub stream address for the Annke cameras?
 

iantan

For anyone's interest, excuse the pun but the difference between the Annke and the Reolink after the IR cuts in is night and day, the Annke is so much better.
 