Developing easy-deployed OpenVPN software and Dahua firewall

TL1096r

IPCT Contributor
Yes, my NVR does this also, and I am trying to make it more secure. I am receiving advice from @catcamstar, so anything I can learn or do I will share!
 

MakeItRain

Pulling my weight
And that is the reason why I don't like it when people are putting in random gateway IPs or leaving them blank. That's the reason why I advise on VLANs, with everything nicely concealed in its own "zone".
You are right man. This is more reason to put the NVR and IP cam all on a separate VLAN. For those who don't want to invest in one, the alternative is to just block the cams/router from reaching the WAN from their router.

This really irks me because the NVR firmware is trying to be smart like it has AI and tries to go find a gateway IP, regardless of what you put in there.
 

MakeItRain

Pulling my weight
Ran into issues tonight which I do not know how to solve easily..

Basically, the NVR polls the dns server for time.nist.gov and gateway.push.apple.com for the IP address. The problem is, it is constantly changing, every few seconds, the IP fetched from the DNS can vary. Since iptables can allow me to drop by destination IP, I would have to hard code the IP ahead of time. But because ip rule is static, I would need some kind of background daemon process to capture that the NVR is fetching DNS, and then whatever it receives, I need to intercept a copy of it, store it to a file, then later, dynamically remove the old iptables forwarding rule, and add the new one in.

Sounds tricky... but doable..
 
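The watcher described in the post above, as an added example that is not code from this thread or from any NVR firmware: it parses a DNS response off the wire (handling name compression), keeps only A records for the two names the NVR is seen resolving, and emits the iptables delete/insert commands that bring a per-name allowlist in line with the latest answer. It assumes a user chain named NVR_OUT that the FORWARD chain jumps to for traffic sourced from the NVR's address, with a final DROP rule that the ACCEPTs are inserted ahead of; the commands are returned as strings so the caller decides how to apply them. The DNS responses are constructed inline with TEST-NET addresses, not captured from a real NVR.

```python
"""Track the A records an NVR is handed for a few hostnames and compute
the iptables changes that keep an allowlist chain in step with them."""
import socket
import struct

# Hostnames the NVR in this thread is observed resolving.
WATCHED = {"time.nist.gov", "gateway.push.apple.com"}


def _read_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def a_records(msg):
    """Parse a DNS response (wire format, UDP payload only) and return
    {name: {ip, ...}} for the A records in its answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):  # skip the question section
        _, off = _read_name(msg, off)
        off += 4  # qtype + qclass
    found = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            found.setdefault(name, set()).add(socket.inet_ntoa(rdata))
    return found


def rule_changes(current, response, chain="NVR_OUT"):
    """Given the IPs currently allowed per name and a freshly parsed
    response, return (new_state, iptables commands). Stale addresses are
    deleted and new ones inserted ahead of the chain's final DROP.
    The chain name NVR_OUT is an assumption of this example."""
    new_state = {name: set(ips) for name, ips in current.items()}
    cmds = []
    for name, ips in response.items():
        if name not in WATCHED:  # ignore answers for names we do not track
            continue
        old = new_state.get(name, set())
        for ip in sorted(old - ips):
            cmds.append(f"iptables -D {chain} -d {ip} -j ACCEPT")
        for ip in sorted(ips - old):
            cmds.append(f"iptables -I {chain} -d {ip} -j ACCEPT")
        new_state[name] = set(ips)
    return new_state, cmds


def build_response(qname, ips, ttl=30, txid=0x1234):
    """Construct a minimal DNS response for qname carrying the given A
    records (sample input for this example; the answer names use a
    compression pointer back to the question at offset 12)."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)
    answers = b""
    for ip in ips:
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answers


if __name__ == "__main__":
    # Constructed sample: two successive answers for the APNs gateway name
    # that only partially overlap, as the post reports seeing.
    state = {}
    for ips in (["192.0.2.10", "192.0.2.11"], ["192.0.2.11", "198.51.100.5"]):
        state, cmds = rule_changes(state, a_records(build_response("gateway.push.apple.com", ips)))
        print("\n".join(cmds) or "(no change)")
```

Two caveats worth keeping in mind before running something like this as a daemon. The later post notes the NVR appears to cache the first answer it gets, so deleting an address the moment a newer lookup returns a different set can strand a connection the NVR still intends to use; letting entries age out on their TTL is gentler. And if the Pi is already the NVR's resolver, dnsmasq's ipset option can populate an ipset directly from the answers it serves, so a single `-m set --match-set` rule replaces the whole capture-and-rewrite loop.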

catcamstar

Known around here
Interesting. I only allow outbound port 2195, no external DNS and push notification works.
 

MakeItRain

Pulling my weight
The NVR only pings the DNS once, I think, then stores that IP in memory, from what I can see in the tcpdump. I've been rebooting the NVR a few times.

The problem is, the RPi could ping it as well and store it and do a compare, but the RPi is not guaranteed to get the same fetched set of IP addresses as the NVR did the first time.
 