Full access to cameras via Hikvision NVR?

I realize that this is an old thread(!) but I'm currently at that point where I am trying to access my IP cameras which are connected to my NVR. My NVR's firmware doesn't support Virtual Host.

The second is to wire the integrated PoE switch on the NVR to your LAN. If you only have one port into your LAN available where the NVR is located, then do it like in the picture above, which occupies two PoE ports. If you have at least two ports available, then connect the integrated PoE switch and the NVR management port separately to the LAN. That uses up only one of the PoE ports, and lets the NVR communicate at full speed, as the PoE switch is only 10/100, while the NVR management port is gigabit. With the cameras on your LAN with DHCP enabled, they will get their address from your DHCP server (which typically resides on a router device). You will need to manually point the NVR to the cameras by their assigned IP.

My cameras and NVR have been set up for some time now and the cameras have the NVR's IP address scheme of 192.168.254.x whereas my home network is 10.0.2.x. If I follow the advice above and connect an ethernet cable from one of the POE ports to my router and the other ethernet cable from the LAN port of the NVR to the router, will I be able to access my cameras with a browser by entering the address 192.168.254.x? Or do I have to start all over with the cameras and have them derive their address from the LAN's DHCP server?
 
will I be able to access my cameras with a browser by entering the address 192.168.254.x?
Yes, with a couple of caveats.
If you want browser access to the cameras, you'll also need to (presumably temporarily) change the PC IP address to be in the same address range as the NVR PoE interface, for example 192.168.254.100
Also - if for any reason 'Virtual Host' does become active (eg firmware update) it's theoretically possible that a 'network loop' could occur.
The NVR PoE connected cameras will likely have their default gateway set the same as that of the NVR LAN interface, maybe 10.0.2.1, so any packets sent to that address (eg ntp requests) will then be able to reach your router / gateway. If the router / gateway was to learn that the 192.168.254.0 network was accessible via the NVR LAN IP address, a network loop could occur.
I did say theoretical - in reality, highly unlikely.
 
Thanks for the quick reply...

If I change a local computer temporarily to 192.168.254.100 then I do get access but I don't need the extra ethernet cable attached to the router to make this work. Simply connecting a laptop to one of the POE ports allows me this access. My issue is that I would like to access the camera pages remotely. Is there a way to get the cameras on to the same address range of my home network and still work with the NVR?

Out of curiosity, would enabling a static route, on my router, allow me to get to the camera config pages?
 
I realize that this is an old thread(!) but I'm currently at that point where I am trying to access my IP cameras which are connected to my NVR. My NVR's firmware doesn't support Virtual Host.



My cameras and NVR have been set up for some time now and the cameras have the NVR's IP address scheme of 192.168.254.x whereas my home network is 10.0.2.x. If I follow the advice above and connect an ethernet cable from one of the POE ports to my router and the other ethernet cable from the LAN port of the NVR to the router, will I be able to access my cameras with a browser by entering the address 192.168.254.x? Or do I have to start all over with the cameras and have them derive their address from the LAN's DHCP server?
Clearly the cameras prioritize DHCP over the NVR's proprietary IP assignment protocol, so your cameras would get their addresses from your DHCP server. Maybe not immediately, but certainly after a reset, and maybe even after some polling period.

So barring any additional steps, that means you'd have to reconfigure those cameras in the NVR by pointing to their new IP addresses (which you should make persistent in the DHCP configuration).

You could try disabling DHCP on the cameras, then resetting them. That would presumably put them back on the NVR IP range, allowing for easier configuration. But that would also require you make changes to your LAN setup to make them reachable. Adding an address from that range to your computer's interface would be the simplest, though in Windows, that means disabling DHCP, so you'd also have to add your normal LAN address manually. Anything beyond that would require configuring another device as a router. Simple enough if you use a Linux machine, but possibly obscure or impossible with standalone router devices.
 
Out of curiosity, would enabling a static route, on my router, allow me to get to the camera config pages?
Yes, but only if the NVR has the Linux kernel 'IP_forward' capability enabled, and if the cameras' default gateway was set to the NVR PoE interface IP address, usually 192.168.254.1
This is implicitly enabled if Virtual Host is active, which you have said your NVR doesn't have.
What's the NVR model and firmware version?
If the firmware is old enough to still have telnet enabled, it is possible to activate the kernel IP_forward capability, but that manually-changed setting would not survive a reboot.
 
My NVR is a DS-7632N-E2/8p NVR (FW v.3.0.8, build 140825) which from another thread you told me is old enough to have telnet enabled. However, this is a non-starter given that the setting doesn't survive a reboot! My NVR and cameras are at a remote location (cottage) that loses power from time to time. I think that I have to continue on the path of trying to upgrade my NVR's FW to one that has virtual host.


 
Anything beyond that would require configuring another device as a router. Simple enough if you use a Linux machine, but possibly obscure or impossible with standalone router devices.

Would you please explain this concept... if I were to set up a Raspberry PI as a router what would I connect to the router and how would that router fit into my network?
 
Hi,

I've been using Blue Iris on a PC, but have been considering a change to a dedicated NVR. One NVR up for consideration is the Hikvision DS-7608NI-E2/8P Embedded Plug & Play NVR with 1TB HDD

After reading through some threads it seems a common problem is that the cameras are not easily reachable when behind the NVR, from the local LAN. If I understand correctly the NVR is essentially operating as a Layer 3 router between the single LAN port and the 8 POE ports (which are essentially their own L2 bridge).

Some folks have posted "work arounds", like enabling IP forwarding on the NVR or directly cabling the LAN port to a POE port etc. These seem sacrificial (losing two POE ports) and cumbersome maintaining two individual IP subnets.

There may be a much simpler way that I'll throw out, but I don't have access to an NVR to confirm. If linux bridge utils are present or can be installed, it should be possible to create a L2 bridge and add the LAN and POE ports as members. Then disable the NVR DHCP server, where the idea is that the LAN port and cameras all obtain an IP address from your existing network DHCP server running on your router.

Can anyone confirm or care to comment? If this is possible then I will likely order the NVR.
 
Hi,

I've been using Blue Iris on a PC, but have been considering a change to a dedicated NVR. One NVR up for consideration is the Hikvision DS-7608NI-E2/8P Embedded Plug & Play NVR with 1TB HDD

After reading through some threads it seems a common problem is that the cameras are not easily reachable when behind the NVR, from the local LAN. If I understand correctly the NVR is essentially operating as a Layer 3 router between the single LAN port and the 8 POE ports (which are essentially their own L2 bridge).
I wouldn't say that at all. The integrated PoE switch is a completely separate network from the management port. That's why you can't reach the cameras through the NVR without enabling the Virtual Host setting, which turns the NVR into a proxy for communicating with the cameras.
Some folks have posted "work arounds", like enabling IP forwarding on the NVR or directly cabling the LAN port to a POE port etc. These seem sacrificial (losing two POE ports) and cumbersome maintaining two individual IP subnets.
The Virtual Host functionality just maps a port on the NVR to the camera's management interface, so you're not fiddling with different subnets. If you have two switch ports into the main network available, you only need take up one of the PoE ports to make the cameras directly accessible without involving the NVR.
There may be a much simpler way that I'll throw out, but I don't have access to an NVR to confirm. If linux bridge utils are present or can be installed, it should be possible to create a L2 bridge and add the LAN and POE ports as members. Then disable the NVR DHCP server, where the idea is that the LAN port and cameras all obtain an IP address from your existing network DHCP server running on your router.

Can anyone confirm or care to comment? If this is possible then I will likely order the NVR.
Whether or not you can even get into the NVR via telnet or SSH is a question to answer first. I very much doubt anything extraneous is installed, nor would I expect it to be easy to install something not already present.

But if you could manage to create the software bridge, you don't need to disable DHCP, as there isn't any. The NVR uses a proprietary protocol to give the cameras an address. The cameras will try DHCP first, though, so as long as they can see your DHCP server, they'll get an address from that instead of the NVR.
 
Multiple how-to posts on this topic - example:
"
If you're inclined to experiment - you can access PoE-connected cameras directly on a Hikvision NVR.
3 things required :

Enable 'Virtual Host' - the tick box under web GUI Network | Advanced Settings | Other. This implicitly activates the Linux kernel 'IP_forward' (not to be confused with port forwarding) facility to route traffic between the NVR PoE and LAN interfaces.

Ensure that the default gateway setting on the PoE-connected cameras is the NVR PoE interface IP address, usually 192.168.254.1

Create a 'static route' on your LAN gateway/router to inform LAN devices how to reach the NVR PoE network segment.
Something like 'For network 192.168.254.0, subnet mask 255.255.255.0, use <NVR_LAN_interface_IP_address> as the gateway'.

Then the PoE-connected cameras can be accessed from the LAN via their native (192.168.254.x) IP address.
To confirm connectivity, ping the address or use 'tracert 192.168.254.x' to check the route."
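
A small model of the three requirements listed above, as an added example (not part of the quoted how-to and not Hikvision tooling). It traces a request and its reply hop by hop using longest-prefix routing; the PC, router and camera addresses are constructed, the router's WAN default route is left out, and ICMP redirects are ignored.

```python
import ipaddress

PC, ROUTER, CAMERA = "192.168.1.50", "192.168.1.1", "192.168.254.2"  # constructed
NVR_LAN, NVR_POE = "192.168.1.210", "192.168.254.1"  # addresses seen in the thread

def next_hop(routes, dst):
    """Longest-prefix match: returns a gateway IP, 'direct', or None."""
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in net and (
                best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None

def build(static_route=True, ip_forward=True, cam_gw=NVR_POE):
    """Four hosts: their IPs, routing table, and whether they forward packets."""
    lan, poe = ("192.168.1.0/24", "direct"), ("192.168.254.0/24", "direct")
    router_routes = [lan] + ([("192.168.254.0/24", NVR_LAN)] if static_route else [])
    return {
        "pc": {"ips": [PC], "forward": False, "routes": [lan, ("0.0.0.0/0", ROUTER)]},
        "router": {"ips": [ROUTER], "forward": True, "routes": router_routes},
        "nvr": {"ips": [NVR_LAN, NVR_POE], "forward": ip_forward, "routes": [lan, poe]},
        "camera": {"ips": [CAMERA], "forward": False,
                   "routes": [poe, ("0.0.0.0/0", cam_gw)]},
    }

def trace(hosts, src, dst, max_hops=8):
    """Follow one packet from host `src` to IP `dst`; returns (delivered, path)."""
    owner = {ip: name for name, h in hosts.items() for ip in h["ips"]}
    here, path = src, [src]
    for _ in range(max_hops):
        if dst in hosts[here]["ips"]:
            return True, path
        if here != src and not hosts[here]["forward"]:
            return False, path + [f"dropped: {here} does not forward"]
        hop = next_hop(hosts[here]["routes"], dst)
        if hop is None:
            return False, path + [f"dropped: no route on {here}"]
        # A gateway is only usable if it sits on a directly connected subnet.
        if hop != "direct" and next_hop(hosts[here]["routes"], hop) != "direct":
            return False, path + [f"dropped: gateway {hop} not on-link for {here}"]
        target = dst if hop == "direct" else hop
        if target not in owner:
            return False, path + [f"dropped: nobody answers ARP for {target}"]
        here = owner[target]
        path.append(here)
    return False, path + ["dropped: hop limit reached"]

def round_trip(**settings):
    """Request PC -> camera and reply camera -> PC; both must be delivered."""
    hosts = build(**settings)
    ok_out, out = trace(hosts, "pc", CAMERA)
    ok_back, back = trace(hosts, "camera", PC)
    return ok_out and ok_back, out, back

if __name__ == "__main__":
    for label, kw in [("all three in place", {}),
                      ("no static route on router", {"static_route": False}),
                      ("ip_forward off (no Virtual Host)", {"ip_forward": False}),
                      ("camera gateway = LAN router", {"cam_gw": ROUTER})]:
        ok, out, back = round_trip(**kw)
        print(f"{label}: {'OK' if ok else 'FAIL'}\n  request: {out}\n  reply:   {back}")
```

In the last case the request reaches the camera but the reply is lost, which is why a wrong camera gateway looks like a dead camera from the LAN side.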
 
Multiple how-to posts on this topic - example:
Almost, but not quite. So it's possible I missed it, but these are all layer 3 solutions. That is the forwarding of packets from one IP subnet to another hence the "This implicitly activates the Linux kernel 'IP_forward'" statement and why you need to add static routes.

What I am thinking / wondering is if via the command line (this is embedded Linux right?) one might be able to rig up a layer 2 configuration. This would allow a single flat IP subnet between the POE bridge (and cameras) and the rest of the network cabled into the LAN side of the router. Anyhow I'm close to pulling the trigger on this NVR so I'll be able to play around myself and I'll report back what I see.
 
What I am thinking / wondering is if via the command line (this is embedded Linux right?) one might be able to rig up a layer 2 configuration.
You would have to re-write the NVR firmware in order to achieve a Layer 2 solution (devices are identified by IP address / port, not MAC address), and probably even recompile the Linux kernel to include trunking.
If you really want a Layer 2 solution, you might be better off using an NVR with no PoE ports and connecting the cameras to a PoE (Layer 2) switch on the LAN.
"This implicitly activates the Linux kernel 'IP_forward'" statement and why you need to add static routes.
What don't you like about a routed environment? It's just one static route to add.
It performs well. I have a PoE NVR where all the cameras are also pulled to 3 destinations on the LAN. The NVR CPU handles it with ease.
 
Oh, sorry for the confusion. Have no fear it's not as complex as re-writing the firmware. :)
For the record I have nothing against the suggested configurations, go with what works best for you. I was merely pondering the possibility of a different configuration. Plus I just enjoy tinkering with stuff, so it's kind of fun.

OK so without having one, I'll just throw out how I'd guess it works. Someone who knows for sure can please correct me if I'm wrong.

I'll speak from this diagram. The NVR has a single port labeled LAN, and then 8 more POE ports (Linux likely sees these as a single port, but doesn't matter). Notice that on the LAN side it is IP subnet 192.168.1.XXX and on the POE port side it's a different IP subnet 192.168.254.XXX. The LAN port gets its IP from the router, while the Cameras get their IPs from a DHCP server running on the NVR.

At this point the PC cannot access the camera directly. Rather you need to follow the configuration you pointed me to. That is enable IP forwarding on the NVR, and then either have the router push a static route to my PC or directly add the static route on the PC, so something like all packets with destination 192.168.254.XXX, send them to the LAN IP on 192.168.1.XXX

I'm with you and this likely works great. However I read about another fellow who plugged an ethernet cable from the LAN port to one of the POE ports, and then his management traffic took a second POE port. This has the net effect of burning two POE ports, but what he has essentially accomplished is he bridged the two networks.

So this got me thinking, if the NVR has bridge utils (a long shot I know, and the more I think of it, even if I can compile the binary on another system, the kernel likely won't support it so this is all moot anyway) then would it be possible to log into the NVR, kill the DHCP server, create a bridge with LAN port and POE port as bridge members. Had that been possible then you could have your cameras on the same IP subnet as your PC and all devices connected to the LAN side of your router.

Hopefully I managed to clear up thoughts for you, and as I wrote that out it occurs to me that I will end up doing the IP forwarding as well.
 
You seem to have worked up a good understanding of how a Hikvision NVR PoE network is set up - despite not having one.
Just a small correction - there isn't a DHCP server on the PoE segment - the NVR simply has administrative control of the camera configurations, they are set to a static IP address.
On the 'bridge utils', I just had a quick look.
These are not native to the Hikvision firmware implementation, and may not be in the kernel, but they do show (but not active) in my 7816N-E2/8P as it has the full-fat Busybox instead of the emaciated version from the stock Hikvision firmware.
Example:
Code:
alastair@PC-I5 ~ $ telnet 192.168.1.210
Trying 192.168.1.210...
Connected to 192.168.1.210.
Escape character is '^]'.

dvrdvs login: root
Password:


BusyBox v1.16.1 (2016-06-29 13:49:45 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

psh: applet not found
[root@dvrdvs /root] # ifconfig
eth0      Link encap:Ethernet  HWaddr 8C:E7:48:6F:81:28
          inet addr:192.168.254.1  Bcast:192.168.254.255  Mask:255.255.255.0
          inet6 addr: fe80::8ee7:48ff:fe6f:8128/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1649896672 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1805873826 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:760960311 (725.7 MiB)  TX bytes:2283911007 (2.1 GiB)
          Interrupt:59

eth1      Link encap:Ethernet  HWaddr 8C:E7:48:6F:81:27
          inet addr:192.168.1.210  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::8ee7:48ff:fe6f:8127/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:768402899 errors:0 dropped:120 overruns:0 frame:0
          TX packets:2028310788 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1235727377 (1.1 GiB)  TX bytes:3879754308 (3.6 GiB)
          Interrupt:59 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:123840 errors:0 dropped:0 overruns:0 frame:0
          TX packets:123840 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8446955 (8.0 MiB)  TX bytes:8446955 (8.0 MiB)

[root@dvrdvs /root] # brctl addbr mybridge
brctl: bridge mybridge: Package not installed
[root@dvrdvs /root] # ll /bin/br*
lrwxrwxrwx    1 root     root            19 Apr 27 09:27 /bin/brctl -> /bin/busybox-armv7l
[root@dvrdvs /root] #
 
So I was about to order this one from Amazon, when it occurred to me that it's Chinese and might not support North American firmware. Can anyone suggest a trusted Canadian re-seller?
 
Which seller on the Amazon listing?
The 'NI' in the model number, and the 76xx doesn't suggest it's Chinese, what makes you think it is?
Was it a reply from the seller?
 
Which seller on the Amazon listing?
The 'NI' in the model number, and the 76xx doesn't suggest it's Chinese, what makes you think it is?
Was it a reply from the seller?

The seller I was looking at was LightInTheBox for $329.99CA. I read this from one of the reviewers on Amazon that gave me pause:

1.0 out of 5 stars ... a Hikvision product so I am screwed - total WASTE OF TIME - DON'T buy this version you will ... Nov. 3 2016
By Jason - Published on Amazon.com
Size: DS-7608NI-E2/8P Verified Purchase
Very unhappy - I need to update the firmware and when I contact Hikvision USA they told me to call the China Tech Support - When I did that they told me that it was not a Hikvision product so I am screwed - total WASTE OF TIME - DON'T buy this version you will be sorry...Pay a little extra and get it from an authorized dealer of Hikvision USA -
-EDIT- In the meantime I've emailed the seller asking, will take up to two business days for a reply.
 
So, my DS-7608NI-E2/8P arrived and is up and running! :headbang:

I don't have enough experience with it yet to give a strong opinion but so far I like it a lot. That said, I'm learning as I go and know very little about Cameras, NVRs security etc. An example of this was a self-made issue where I wasn't able to view any camera main streams. They just showed blacked out boxes. Turns out setting the max bitrate to 8192Kbps was a bad move. (I wanted to record the best image possible). I dropped this down significantly to 1280Kbps. Now both the Browser and iVMS-4200 live views are fast to display. That actually took me a while to figure out. :)

So I have 24/7 recording, email line-crossing alerts functioning, and so far so good!

Code:
alastair@PC-I5 ~ $ telnet 192.168.1.210
Trying 192.168.1.210...
Connected to 192.168.1.210.
Escape character is '^]'.

Out of curiosity how did you enable that Telnet daemon? Or maybe Hikvision killed it with the firmware on my unit? Speaking of firmware, it's interesting that on Hikvision USA there seems to be none available for this device.

Anyway, if you have any configuration suggestions or just general advice for this NVR it would be most welcome.