Dahua NVR Web Interface

The push messages go to the AWS server to connect to your phone. Much like ANY P2P application I suppose.

I'm not a network engineer or security expert, but I did sleep at a Holiday Inn Express once and near as I can tell, WireGuard VPN, OpenVPN, Tailscale and others all use the same handshake to an external "traffic cop" to initiate a device to device direct connection.
 
Correct me if I am wrong @bigredfish as I know the systems have changed with the newer ones from the versions I have, but if someone downloaded DMSS and didn't create an account and added the NVR via LAN IP instead of WAN or serial or QR code, wouldn't that then be all local?

Or does DMSS now require an account to use it?
 
I'm not signed into the DMSS account either. I thought it was required but not in my latest testing.

In theory I think you're right, but I'd have to wipe my DMSS completely and redo all my connections :(

I have an idea to test that, on Mrs bigredfish's iPhone... will advise
 
I think this may explain some of the changes recently.
Sent to my DMSS mailbox in June, I recently discovered it because to check your “mailbox” in DMSS you must log in to the Dahua account.


“2, Solution: To resolve this issue. The DMSS app and platform have been upgraded for compatibility. The device will use the old push API to first push notifications to the relay server, which will then use the new push API to deliver notifications to users. You only need to upgrade DMSS to the latest version after June 20 and re-subscribe to notifications. The specific measures are as follows.”
 
It sounds like The Google forced them to use its relay servers to push, so Dahua devices push to the old relay which then hands it off to Google relay which then makes the P2P connection to your phone
 
How does this affect people with apple devices? Are they still going thru Dahua?

I guess this also raises the concern for folks that don't want to use google products and services?
 
I use iPhones so yeah it works fine.

Anyone who’s serious about not touching or interacting with ANY Google service is not on the internet. Period.
 
One would hope, but we see crazy things here like people all concerned with security and having this, that or the other and then having no-name cameras or something that is much more of a security risk than what they say they don't want to use LOL.
 
Many iOS apps and web sites go through somewhere other than Apple servers…
 
If I keep the NVR on the IoT VLAN, it's not any more dangerous than other countless IoT devices I have. The biggest risk is getting the outside footage of my home exposed unless the router has vulnerabilities which in that case I have bigger issues. In this setup though, I need to use the app and not the web interface. The app is apparently much more limited.
Maybe I can create a custom VLAN for this which blocks only outgoing LAN traffic to other networks but allows incoming traffic. That should allow me to use the web interface.
 
That is why we have these conversations and ask questions that may seem redundant LOL.

Everyone has a different idea of security or maybe uses different phrasing or terminology, so we like to hash these things out so people fully recognize what is going on.
 
You can use the app for live view, playback and some top level settings.

For the hundreds of settings on individual cameras and NVR, the app would have to be HUGE and update weekly. It's simply not practical to use a mobile app to do everything on a modern video surveillance system. You can do so on a Ring camera or similar wireless consumer product because they limit those hundred settings to a dozen or so.
 
Correct me if I am wrong @bigredfish as I know the systems have changed with the newer ones from the versions I have, but if someone downloaded DMSS and didn't create an account and added the NVR via LAN IP instead of WAN or serial or QR code, wouldn't that then be all local?

Or does DMSS now require an account to use it?

So yes.
I added a profile to my wife's phone using the local LAN IP manual method.
It could receive alerts as long as she was connected to Wifi, but NOT on cellular.
For her to receive via cellular, I had to enable P2P on the NVR

Various phone OS will work differently. My wife's older iPhone 7+ with iOS 15.x won't relay messages out of wifi range without P2P being enabled on the NVR.

My newer (still old by today's standards) iPhone 13 with iOS 18.1.1 will receive push alerts in or out of wifi, with or without P2P enabled, and with or without being logged into the Dahua account.
 
OK I think this is exactly what I was asking for. It sounds like you should be able to not allow the NVR to have any access to the internet and still have local network only push alerts in the mobile app (unless you connect to your local network over VPN in your phone when on cellular).
 
Maybe… the question is, was it (the NVR) still poking a hole in the firewall to send the push alert to the AWS server?

I need to:
1- lock the NVR out of being able to escape the LAN completely,
2- check firewall logs and match times of the alerts to my wife’s phone
 
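The log check proposed in the post above, as an added example that is not part of the original thread: it lists the NVR's WAN-bound connection attempts and matches them to the times push alerts arrived on the phone. The NVR address, LAN range, log format, log lines and alert times are all constructed assumptions, and the firewall and phone clocks are assumed to be in sync; adapt the regex to your firewall's real log format.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (all constructed for this example): the NVR address, the LAN
# range, and a simplified one-line-per-connection firewall log format.
NVR_IP = ip_address("192.168.1.108")
LAN = ip_network("192.168.1.0/24")

FIREWALL_LOG = """\
2025-01-14T19:40:55 ACTION=ALLOW SRC=192.168.1.108 DST=192.168.1.20 DPT=80
2025-01-14T19:40:57 ACTION=ALLOW SRC=192.168.1.108 DST=203.0.113.10 DPT=443
2025-01-14T19:41:30 ACTION=ALLOW SRC=192.168.1.50 DST=198.51.100.7 DPT=443
2025-01-14T19:55:01 ACTION=DROP SRC=192.168.1.108 DST=203.0.113.10 DPT=443
"""

# Times the push alerts showed up on the phone (constructed).
ALERT_TIMES = ["2025-01-14T19:40:59", "2025-01-14T19:55:03", "2025-01-14T20:10:00"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ACTION=(?P<action>\w+) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$"
)

def nvr_egress(log_text):
    """Return WAN-bound connection attempts made by the NVR, oldest first."""
    flows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src == NVR_IP and dst not in LAN:
            flows.append((datetime.fromisoformat(m["ts"]), m["action"], str(dst), int(m["dpt"])))
    return sorted(flows)

def correlate(alert_times, flows, window_s=10):
    """Map each alert to NVR egress flows seen in the window_s seconds before it."""
    window = timedelta(seconds=window_s)
    result = {}
    for alert in alert_times:
        t = datetime.fromisoformat(alert)
        result[alert] = [f for f in flows if t - window <= f[0] <= t]
    return result

if __name__ == "__main__":
    for alert, hits in correlate(ALERT_TIMES, nvr_egress(FIREWALL_LOG)).items():
        print(alert, [(a, d, p) for _, a, d, p in hits] or "no NVR egress in window")
```

An alert paired with an ALLOW entry is consistent with the NVR reaching an outside server; an alert paired only with a DROP entry, or with nothing, arrived while the NVR had no successful WAN egress in that window.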
I am not sure how everyone has DMSS set up, but in my case, setting up P2P and with P2P on in the camera, my alerts are active. I turn off P2P in the camera, my alerts stop. In the 3 pictures below you can see the top 2 are P2P enabled with the top one offline, and the app reflects that P2P is off, showing the camera offline. I try to connect and it is offline. The first picture is with it online, the second picture is the web UI of the camera's P2P page showing offline, last picture, if the pictures load as listed as taken. If not, 2 pictures of DMSS, one showing online, one showing offline, and cameras offline in the web UI.
 
Are these cameras on the LAN /switch or plugged into the PoE ports of the NVR?

On a system where the cameras are plugged into the NVR PoE ports, nothing you do with respect to P2P or a lot of other things (email) happen from the camera. The NVR does all the work and sends the message
 
P.S. Because I run an NVR, I NEVER set up P2P on the cameras themselves.
Even ones on the LAN and NOT using the NVR PoE ports work fine on push alerts because the NVR is the one doing the sending
 
Ok just set up a camera with P2P using its serial number to add it to DMSS

Got the push over wifi but can't access the video clip

Turn off P2P on camera, no push message
 
Well, the ones that are in the post were connected to my PoE+ switch connected on my normal LAN. Also, if I access my router and turn off the camera from having internet access in my router, there is no connection. What is odd however is my system is set up to require giving access to anything that connects to my LAN. When I set up an Amcrest camera using P2P it would connect the camera and let me set up on the app. I would be able to view it once. If I closed the app and loaded the camera or DVR/NVR again without first giving it access to the internet, the connection fails. Having the camera connected and in use, if I go to my router and deny access to the internet, P2P is no longer. So there is a way that I can access my camera even with the camera denied access on the router to the internet. That is using NGROK. My guess is because the tunnel is relayed through my computer. So the tunnel from NGROK servers passes through the local requesting computer and lets it pass the router access pool info and lets out using the computer's granted access.