Developing easy-deployed OpenVPN software and Dahua firewall

Yes, my NVR does this also and I am trying to make it more secure. I am receiving advice from @catcamstar so anything I can learn or do I will share!
 
And that is the reason why I don't like it when people are putting in random gateway IPs or leaving them blank. That's the reason why I advise on VLANs. With everything nicely concealed in its own "zone".

You are right man. This is more reason to put the NVR and IP cam all on a separate VLAN. For those who don't want to invest in one, the alternative is to just block the cams/router from reaching the WAN from their router.

This really irks me because the NVR firmware is trying to be smart like it has AI and tries to go find a gateway IP, regardless of what you put in there.
 
Ran into issues tonight which I do not know how to solve easily..

Basically, the NVR polls the DNS server for time.nist.gov and gateway.push.apple.com for the IP address. The problem is, it is constantly changing; every few seconds, the IP fetched from the DNS can vary. Since iptables can allow me to drop by destination IP, I would have to hard code the IP ahead of time. But because ip rule is static, I would need some kind of background daemon process to capture that the NVR is fetching DNS, and then whatever it receives, I need to intercept a copy of it, store it to a file, then later, dynamically remove the old iptables forwarding rule, and add the new one in.

Sounds tricky... but doable..
 
Interesting. I only allow outbound port 2195, no external DNS and push notification works.
 
The NVR only pings the DNS once I think, then stores that IP in memory, from what I can see in the tcpdump. I've been rebooting the NVR a few times.

The problem is, the RPI could ping it as well and store it and do a compare, but the RPI is not guaranteed to get the same fetched set of IP addresses as the first time the NVR.
 
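An added sketch of the approach discussed in this thread (not code from any poster): it parses the raw UDP payload of a DNS response sent to the NVR and, for the two hostnames mentioned, produces the iptables delete/insert commands that follow the answer. The ACCEPT rule form, the FORWARD chain, the NVR address passed in and the sample packet (documentation addresses) are assumptions; capturing the payload on the Pi is left to the caller.

```python
import struct

ALLOWED = {"time.nist.gov", "gateway.push.apple.com"}  # hostnames named in the thread
# Constructed sample: response for time.nist.gov with A records 192.0.2.10 and 192.0.2.11
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"
          b"\x04time\x04nist\x03gov\x00\x00\x01\x00\x01"
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a"
          b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0b")

def read_name(msg, off):
    """Decode the DNS name at off; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):                      # bound guards against pointer loops
        n = msg[off]
        if (n & 0xC0) == 0xC0:                # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def a_records(msg):
    """Return (question name, [IPv4 answers]) from a DNS response payload."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or qd != 1:
        raise ValueError("not a single-question DNS response")
    qname, off = read_name(msg, 12)
    off += 4                                  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:    # A record, class IN
            ips.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    return qname, ips

def rule_updates(current, qname, ips, nvr_ip, chain="FORWARD"):
    """Diff allowed destinations; return (new set, iptables commands to run)."""
    if qname not in ALLOWED or not ips:
        return current, []                    # ignore other names and empty answers
    new = set(ips)
    rule = f"{chain} -s {nvr_ip} -d {{}} -j ACCEPT"
    cmds = [f"iptables -D {rule.format(ip)}" for ip in sorted(current - new)]
    cmds += [f"iptables -I {rule.format(ip)}" for ip in sorted(new - current)]
    return new, cmds
```

Because the rules follow the answer the NVR itself received, the Pi does not need to resolve the names separately and hope for the same set of addresses.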