HIKVISION NVR - Firewall Config - IVMS-4500

Skyking

n3wb
Joined
Jan 2, 2016
Messages
15
Reaction score
3
All,

I am configuring the following:

  1. ASUS RT-AC88U router on a connection to a WISP with a NATd IP.
  2. Since ASUS no longer makes it easy by hosting DDNS themselves, I set up a NO-IP client on a network connected computer. The router DDNS and port forwarding-triggering setups (respectively):
  3. I have assigned a static IP address to the HIKVISION DS-7716NI-SP / 16 NVR.
  4. I have configured NVR with AUTO on the NIC, DHCP on and it has picked up the IP address from the router.
  5. I have the DDNS page configured as instructed by HIKVISION here and depicted here:
  6. The port settings are the default ports.
  7. The NAT tab is as depicted:
  8. The iPhone iOS app iVMS-4500 has a device information page and this is where I get stumped in a hurry. Here are the choices:
    1. Alias - Easy, I named the device.
    2. Register Mode - This one is a little perplexing. The first two choices are Hik-Connect Domain and HiDDNS. The former will not search for the serial number as it limits the number of characters to about a third of the characters needed to do the search and the latter is discontinued. That leaves me with IP/Domain and IP Server and so far I find no combination that works.
    3. If you choose IP Server everything looks familiar except for one field labeled as "Identifier". I find zero documentation anywhere as to what a person is to put into that field and nothing I have tried has worked.

I have the router configured and I am pretty sure it is right. I have the NVR configured and it looks right. In spite of these things I cannot put any IP address and port combination into a browser external to the network and have anything load. LAN yes, WAN no. And iVMS-4500 will not connect either.

So, looking this over can anyone tell me that I have goofed something up? Have a better suggestion? I am not an NVR expert but I am pretty good with networking and computers but this one is vexing me. Any assistance would be greatly appreciated.

Best Regards,

Phillip
 

Whoaru99

Pulling my weight
Joined
Dec 22, 2018
Messages
422
Reaction score
159
Location
Here
The general recommendation here is no port forwarding.

Rather, set up a VPN into your LAN and access the system that way.
 

Skyking

> The general recommendation here is no port forwarding.
>
> Rather, set up a VPN into your LAN and access the system that way.

Thanks for the comment and I see your point. However, while use of a VPN is an option, this is a residence and not a commercial entity with the higher need for camera access security. As a result I see the benefit of VPN added security outweighed by the additional complexity of a VPN in this particular application. Further, I sincerely doubt that even a fraction of residential camera/NVR installs use VPN to facilitate accessing their setup, but maybe I am wrong.

While there are likely only going to be six users of the iVMS app, all using iOS devices, two of these people are elderly. In their 80's. I am reticent to have to put a VPN client onto all of their iPhones just to make the HIKVISION app, designed to work without the use of a VPN, and then have to support all of these people with various Apple accounts. Installation of a VPN client on six iPhones, perhaps several iPads, all to solve what should be a simple firewall issue; it seems to me to simply add too much administrative overhead. Maybe you know of a way to use a VPN in their router and then not have to put a client on other devices. If that is the case then I will need someone to clarify that point?

I tried not to write a tome, but here is some added detail. I had this system up and running perfectly for the last two years, but last week the elderly homeowners (my parents) changed their WISP and got a new radio. Along with that came a new public IP address and either the new radio or the new IP caused the ASUS DDNS setup to stop working. I am not trying to provoke a VPN/non-VPN debate. What I am hoping is that someone here on the site can suggest how to solve this port forwarding problem that has vexed me since Friday, without adding another layer of complexity such as VPN. If someone can help with that, that is my preference. Unless someone can offer a really simple VPN solution where there is minimal configuration and zero client app installation requirement. I hope my desire makes sense.

Again, thanks for the reply. With twenty-five views and no responses I was starting to lose hope that someone would help. LOL I appear to have two issues. 1) An iVMS configuration issue. 2) A port forwarding issue. Surely someone out there can scan the details I posted, knows something about both and can offer some resolution.

Thanks again,

Phillip
 

Whoaru99

VPN is easy with OpenVPN, and is the recommended way here.

What masses of uninformed do by unnecessarily opening ports isn't grounds for you to do it as well.

VPN. There is plenty of info about it if you just look around the site, the VPN primer, and the Wiki.
 

NoloC

Getting comfortable
Joined
Nov 24, 2014
Messages
701
Reaction score
454
Those 10. addresses look like maybe the WISP is also using NAT. Double NAT? What does tracert 8.8.8.8 show on the first couple hops?
 

Skyking

Whoaru99,

OK, I will continue to look. But, since your post what I have found so far are people using VPN...and trying to figure out how to open ports. LOL Illustrating my point that maybe it isn't so easy. And I don't know if millions of commercially installed devices would be done by "masses of uninformed" people, but maybe every big company doing NVR installs is also putting VPN in. Who knew? I will keep looking, but in the meantime maybe someone could on point specifically look at my post and see if they can tell me what I am doing wrong...other than not using a VPN...so far.

Thanks,

Phillip
 

Whoaru99

> OK, I will continue to look. But, since your post what I have found so far are people using VPN...and trying to figure out how to open ports. LOL

The biggest problem is old habit, like opening ports, dying hard because it has been so deeply ingrained. At some point in the past VPN was a big company thing. But, today, it's different. Any number of routers incorporate VPN server capability in their OEM firmware. Others by installing 3rd party firmware like DD-WRT.

But, horse, water, and all that. Your call, do as thou whilst.
 

Skyking

> Those 10. addresses look like maybe the WISP is also using NAT. Double NAT? What does tracert 8.8.8.8 show on the first couple hops?

NoloC, in my original post I noted that they are on a WISP that does use NAT. That is pretty typical, right? They do not and never did have a static IP. But your question does get me to wondering why you asked it so please share your thoughts if something is percolating there. And tomorrow I will call and see if their technician has any ideas, maybe he'll offer a static IP to solve the problem, but the tracert result is:

C:\>tracert 8.8.8.8

Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms router.asus.com [192.168.2.1]
2 18 ms 19 ms 18 ms 10.0.14.1
3 24 ms 18 ms 22 ms 12.71.191.129
4 24 ms 27 ms 23 ms 12.244.19.133
5 29 ms 29 ms 42 ms dlstx21crs.ip.att.net [12.122.100.106]
6 32 ms 22 ms 28 ms 12.123.18.237
7 29 ms 22 ms 28 ms 12.255.10.96
8 25 ms 22 ms 29 ms 108.170.240.193
9 25 ms 27 ms 18 ms 216.239.42.187
10 28 ms 28 ms 33 ms google-public-dns-a.google.com [8.8.8.8]

Trace complete.

Thanks,

Phillip
 

NoloC

That is double NAT. WISP is blocking the forwarded ports possibly.

You should really VPN. IMHO.
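
The double-NAT reading of the tracert output above, as an added example that is not part of the original thread: it parses Windows `tracert` text and reports the hops in non-public address space that precede the first public hop. The function names and result labels are hypothetical; the sample is the first four hops of the trace posted above.

```python
import ipaddress
import re

# Not publicly routable: RFC 1918 private ranges plus RFC 6598 carrier-grade NAT space.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# A hop line starts with the hop number and ends with an IPv4 address, optionally in [].
HOP_RE = re.compile(r"^\s*(\d+)\s+.*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")

# First hops of the tracert output posted in the thread.
THREAD_TRACE = """\
Tracing route to google-public-dns-a.google.com [8.8.8.8]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms router.asus.com [192.168.2.1]
2 18 ms 19 ms 18 ms 10.0.14.1
3 24 ms 18 ms 22 ms 12.71.191.129
4 24 ms 27 ms 23 ms 12.244.19.133
"""

def parse_hops(text):
    """Return [(hop_number, IPv4Address)] for each hop line that shows an address."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m.group(1)), ipaddress.ip_address(m.group(2))))
    return hops

def leading_non_public(text):
    """Hops in non-public address space that come before the first public hop."""
    found = []
    for hop, addr in parse_hops(text):
        if not any(addr in net for net in NON_PUBLIC):
            break
        found.append((hop, str(addr)))
    return found

def diagnose(text):
    """Hypothetical helper: classify the path from the count of leading non-public hops."""
    n = len(leading_non_public(text))
    if n >= 2:
        return "double-nat-likely"   # router's upstream is private: forwards stop at the ISP
    return "single-nat" if n == 1 else "no-nat-seen"

if __name__ == "__main__":
    print(leading_non_public(THREAD_TRACE), diagnose(THREAD_TRACE))
```

A private second hop can also be ISP-internal routing, so confirm by comparing the WAN address on the router's status page with the address a public IP lookup reports. If they differ, ports forwarded on the router are not reachable from the internet.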
 

Skyking

NoloC,

OK, that explains why TeamViewer works fine and the cameras won't. I'll call the provider in the morning and see if they have a suggestion. I'll explore VPN in the meantime.

Regards,

Phillip
 

NoloC

That ASUS router makes OpenVPN setup really easy. Mention you are considering that to the WISP tech as he may need to forward 1194 for OpenVPN to work.

There are some very good recent threads on here about the ASUS and OpenVPN setup.

Best!
 

Skyking

> That ASUS router makes OpenVPN setup really easy. Mention you are considering that to the WISP tech as he may need to forward 1194 for OpenVPN to work.
>
> There are some very good recent threads on here about the ASUS and OpenVPN setup.
>
> Best!

NoloC,

I have made a note. Much thanks.

Phillip
 