How to get push notifications through firewall - working finally

jesd03

Getting the hang of it
Joined
Apr 14, 2015
Messages
158
Reaction score
22
Hi,

I was struggling to get push notifications through my firewall and had to allow my NVR access to the Internet, which I was not happy with.

Looking at my firewall log captures, I figured out that whenever there was an IVS alert, port TCP 2195 was getting blocked, which is the Apple Push Notification service port.

I allowed this one port through the firewall for the NVR and bingo, it works now.

You only need to allow this if you are blocking NVR/camera access to the Internet like I do for security reasons.

I am still testing, but it will be good to see if anyone else can try.

edit: seems like I can get alerts but no videos, back to the drawing board.

Thanks
 

jesd03

OK got it working as I wanted over the VPN. Hurrayyyyyy!

All I had to do is allow TCP 2195 through the firewall.

If I am already on the VPN to the home network from the phone, the video will load straight away.

If not, all I need to do is enable the VPN and click on the alert again.

Hope it helps someone else who doesn't like allowing NVR/cameras to talk to the Internet but just allowed it to get push working.
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
This is awesome!! Nice find!

For me though, I added a rule to allow TCP traffic from my NVR IP address to destination port 443 (2195 does nothing for me) and now I'm getting my IVS notifications again!

But, I guess now I'm not sure what the point is of blocking my NVR from accessing the Internet if I'm now allowing it to get through on port 443.

I could see if port 2195 was specifically for push notifications, and if that was opened I could believe that still being "safe", but 443 is HTTPS and that would make me believe anything goes on that port.

Or maybe, opening up this port rule as being the destination port, it is allowing the pushes to get out but nothing can get back in?

Can you offer up any more detailed explanation on this? I really only know enough to be dangerous :/
 

DavidDavid

(attached screenshots: Screenshot_20180321-071502.png, Screenshot_20180321-071438.png)


This is showing my rule 1 allowing 2195 (and showing no traffic in the stats)

And rule 3 allowing 443 (and showing the traffic count increasing as I get an IVS alert)

Then rule 4 blocks all traffic from all of my cameras and NVR from reaching the internet.
 

PointLookout247

Getting the hang of it
Joined
Feb 12, 2018
Messages
43
Reaction score
29
Location
USA
jesd03 said:
OK got it working as I wanted over the VPN. Hurrayyyyyy!

All I had to do is allow TCP 2195 through the firewall.

If I am already on the VPN to the home network from the phone, the video will load straight away.

If not, all I need to do is enable the VPN and click on the alert again.

Hope it helps someone else who doesn't like allowing NVR/cameras to talk to the Internet but just allowed it to get push working.

Dude, I'm in the exact same situation. VPN is on; if I disable UPnP, I can't get any notifications from the app or NVR email motion sent... How did you find out it was that port? I don't want to let the NVR online either, but want the push notifications and the email alerts...

Could you post all the rules you have for your NVR setup please? Looking to maybe mirror... I have assigned the NVR a static IP so I can forward the ports for it OK once I know...
 

DavidDavid

I watched the log from my router as the OP mentioned doing and saw activity for my NVR's IP address when IVS went off... but I never saw 2195. I only saw 443 as the destination port and then other random ports as the source. Those source ports seem to change, but the 443 stays constant.
 

PointLookout247

OK, gonna change the router log to allow all messages as it's on error only, then check back into the log. Thanks for the tip.
 

jesd03

Hi all

I was basically monitoring my firewall logs to check which ports were getting blocked. TCP 2195 came up every time there was a trigger. Port 2195 also seems to be a standard port for push notifications, which was also used by Apple for push notifications.

My rules are pretty simple, using Sophos Firewall. It only allows NTP, SMTP and 2195 and drops all other traffic.

Not sure why it would be a different port for different devices, as I would have assumed it would be the same.
 

jesd03

DavidDavid said:
This is awesome!! Nice find!

For me though, I added a rule to allow TCP traffic from my NVR IP address to destination port 443 (2195 does nothing for me) and now I'm getting my IVS notifications again!

But, I guess now I'm not sure what the point is of blocking my NVR from accessing the Internet if I'm now allowing it to get through on port 443.

I could see if port 2195 was specifically for push notifications, and if that was opened I could believe that still being "safe", but 443 is HTTPS and that would make me believe anything goes on that port.

Or maybe, opening up this port rule as being the destination port, it is allowing the pushes to get out but nothing can get back in?

Can you offer up any more detailed explanation on this? I really only know enough to be dangerous :/

Hi,

Just making sure you have subscribed to push notifications from the iDMSS software?

Also, is this on iOS or Android? It's possible that port 2195 is only for iOS devices, being the Apple push notification port.

I will try to set up my Android and will update if it works on it with the same port.
 

jesd03

OK, did a test. It seems that for Android devices it is using 443 and for iOS it is 2195.

I guess only allowing outbound 443 is OK, as normal home routers normally allow everything outbound.

I like to control what I allow outbound and have specific rules, although all my other devices are allowed 443 and 80 outbound by default, which is safe.

It is just that I am not comfortable with the NVR/cameras talking outside with all the issues about hacking etc., hence I wanted to control it.
 

DavidDavid

Yes, I'm subscribed, and I'm on Android (gDMSS is the Android app and iDMSS is Apple), and I've been getting notifications all day today.

And here's a snippet from my logs. I'm assuming you saw 2195 as the SPT? You can see mine changes. It increases by 7, I think, for each IVS event, and also gives different numbers for individual events (as shown in the code).

And you can see the destination port (DPT) is always 443.

Code:
Mar 21 13:27:10 ubnt kernel: [WAN_OUT-8-A]IN=switch0 OUT=eth0 MAC=xxxx SRC=192.168.1.17 DST=172.217.9.202 LEN=575 TOS=0x00 PREC=0x00 TTL=63 ID=37313 DF PROTO=TCP SPT=56139 DPT=443 WINDOW=160 RES=0x00 ACK PSH URGP=0
Mar 21 13:27:10 ubnt kernel: [WAN_OUT-8-A]IN=switch0 OUT=eth0 MAC=xxxx SRC=192.168.1.17 DST=172.217.9.202 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=37314 DF PROTO=TCP SPT=56139 DPT=443 WINDOW=160 RES=0x00 ACK FIN URGP=0
Mar 21 13:27:10 ubnt kernel: [WAN_OUT-8-A]IN=switch0 OUT=eth0 MAC=xxxx SRC=192.168.1.17 DST=172.217.9.202 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4847 DF PROTO=TCP SPT=56140 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 21 13:27:10 ubnt kernel: [WAN_OUT-8-A]IN=switch0 OUT=eth0 MAC=xxxx SRC=192.168.1.17 DST=172.217.9.202 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=4848 DF PROTO=TCP SPT=56140 DPT=443 WINDOW=115 RES=0x00 ACK URGP=0
 
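The thread's method is simple: read the router's egress log, see which destination ports the NVR is hitting and which rule accepted or dropped them, then write an ordered allow list (NTP, SMTP, 2195 and/or 443 from the NVR) ahead of a catch-all drop for the camera VLAN. The following Python script is an added example, not code from the thread or from any vendor: it parses EdgeOS/iptables-style kernel log lines like the ones posted above, tallies destination ports per source address with their logged verdict, and replays the same packets against an ordered policy modelled on jesd03's Sophos rules and DavidDavid's rules 1, 3 and 4. The NVR address 192.168.1.17 is taken from the posted log; the extra sample lines, the 198.51.100.x destinations and the rule names are constructed for the example, and the "-A"/"-D" suffix on the log tag is assumed to mean accept/drop as on EdgeOS.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample egress log. Lines 1 and 2 are from the thread; lines 3 to 5 are constructed
# (placeholder 198.51.100.x destinations) to show a dropped iOS push attempt (2195),
# a dropped NTP request and an unrelated dropped HTTP connection.
SAMPLE_LOG = """\
Mar 21 13:27:10 ubnt kernel: [WAN_OUT-8-A]IN=switch0 OUT=eth0 MAC=xxxx SRC=192.168.1.17 DST=172.217.9.202 LEN=575 TOS=0x00 PREC=0x00 TTL=63 ID=37313 DF PROTO=TCP SPT=56139 DPT=443 WINDOW=160 RES=0x00 ACK PSH URGP=0
Mar 21 13:27:10 ubnt kernel: [WAN_OUT-8-A]IN=switch0 OUT=eth0 MAC=xxxx SRC=192.168.1.17 DST=172.217.9.202 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=4847 DF PROTO=TCP SPT=56140 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 21 13:27:11 ubnt kernel: [WAN_OUT-default-D]IN=switch0 OUT=eth0 MAC=xxxx SRC=192.168.1.17 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4900 DF PROTO=TCP SPT=40001 DPT=2195 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 21 13:27:12 ubnt kernel: [WAN_OUT-default-D]IN=switch0 OUT=eth0 MAC=xxxx SRC=192.168.1.17 DST=198.51.100.11 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=4901 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Mar 21 13:27:13 ubnt kernel: [WAN_OUT-default-D]IN=switch0 OUT=eth0 MAC=xxxx SRC=192.168.1.17 DST=198.51.100.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4902 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
"""

NVR_IP = "192.168.1.17"  # NVR address as it appears in the posted log

TAG_RE = re.compile(r"\[(?P<tag>[^\]]+)\]")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Split one kernel firewall log line into its KEY=value fields.

    Returns None for lines that are not firewall log entries. The ruleset tag
    (e.g. WAN_OUT-8-A) is stored under "TAG"; its last element is the action.
    """
    m = TAG_RE.search(line)
    if not m or "kernel:" not in line:
        return None
    fields = dict(KV_RE.findall(line[m.end():]))
    fields["TAG"] = m.group("tag")
    return fields


def logged_verdict(fields: dict) -> str:
    """Assumption: EdgeOS tags end in -A for accept and -D for drop."""
    return "accept" if fields["TAG"].endswith("-A") else "drop"


def egress_summary(log_text: str, src_ip: str) -> Counter:
    """Tally (proto, dport, verdict) for every logged packet from src_ip.

    This is the 'watch the log and see which ports the NVR needs' step.
    """
    counts: Counter = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("SRC") != src_ip:
            continue
        counts[(f.get("PROTO"), int(f.get("DPT", 0)), logged_verdict(f))] += 1
    return counts


@dataclass
class Rule:
    name: str
    src: Optional[str]      # None matches any source
    proto: Optional[str]    # None matches any protocol
    dport: Optional[int]    # None matches any destination port
    action: str             # "accept" or "drop"

    def matches(self, f: dict) -> bool:
        return ((self.src is None or f.get("SRC") == self.src)
                and (self.proto is None or f.get("PROTO") == self.proto)
                and (self.dport is None or int(f.get("DPT", -1)) == self.dport))


# Egress policy modelled on the thread: narrow allows first, then block the NVR entirely.
POLICY = [
    Rule("ntp-out", NVR_IP, "UDP", 123, "accept"),
    Rule("smtp-out", NVR_IP, "TCP", 25, "accept"),
    Rule("push-ios", NVR_IP, "TCP", 2195, "accept"),
    Rule("push-android", NVR_IP, "TCP", 443, "accept"),
    Rule("nvr-block-all", NVR_IP, None, None, "drop"),
]


def evaluate(rules: list, f: dict) -> tuple:
    """First matching rule wins, as in a real firewall chain; default is drop."""
    for r in rules:
        if r.matches(f):
            return r.name, r.action
    return "default", "drop"


def audit(log_text: str, rules: list, src_ip: str) -> list:
    """Replay logged packets from src_ip against the policy.

    Returns (proto, dport, matched rule, action) per packet so the effect of
    rule ordering (allow-before-block vs. block-before-allow) can be checked.
    """
    out = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("SRC") == src_ip:
            name, action = evaluate(rules, f)
            out.append((f.get("PROTO"), int(f.get("DPT", 0)), name, action))
    return out


if __name__ == "__main__":
    for (proto, dport, verdict), n in sorted(egress_summary(SAMPLE_LOG, NVR_IP).items()):
        print(f"{proto} dport {dport}: {n} packet(s) logged as {verdict}")
    for proto, dport, name, action in audit(SAMPLE_LOG, POLICY, NVR_IP):
        print(f"{proto}/{dport} -> {name}: {action}")
```

Run against a real log, the summary is the port list to base the allow rules on (443 for gDMSS on Android, 2195 for iDMSS on iOS, per the thread), and the audit shows why the allow rules must sit above the block rule: moving the "nvr-block-all" rule to the top makes every packet, push traffic included, match it first. It also makes DavidDavid's reservation concrete: allowing TCP 443 from the NVR lets any HTTPS connection out, so the destination port alone does not distinguish push traffic from other cloud check-ins; limiting the 443 rule by destination address is the next step a practitioner would take.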

DavidDavid

jesd03 said:
I guess only allowing outbound 443 is OK, as normal home routers normally allow everything outbound.

I like to control what I allow outbound and have specific rules, although all my other devices are allowed 443 and 80 outbound by default, which is safe.

It is just that I am not comfortable with the NVR/cameras talking outside with all the issues about hacking etc., hence I wanted to control it.

Right, that's exactly my point. I previously had EVERYTHING coming from my NVR/cameras blocked from reaching the Internet. Now, I have a rule (before the block rule) that allows the NVR to get out via port 443.

This allows me to receive the push notifications, but hell, I might as well just remove the NVR from my blocking rule in this case.

Also, at this level, I'm not sure how the NVR knows that it's sending the push to an Android or iPhone. Unless it was told that when I linked my gDMSS app (or in your case, iDMSS) to the NVR in the app.
 

jesd03

DavidDavid said:
Right, that's exactly my point. I previously had EVERYTHING coming from my NVR/cameras blocked from reaching the Internet. Now, I have a rule (before the block rule) that allows the NVR to get out via port 443.

This allows me to receive the push notifications, but hell, I might as well just remove the NVR from my blocking rule in this case.

Also, at this level, I'm not sure how the NVR knows that it's sending the push to an Android or iPhone. Unless it was told that when I linked my gDMSS app (or in your case, iDMSS) to the NVR in the app.

Yep, I believe it does know what device it is when you subscribe from either of the apps, and sends the notifications on either of the ports as required.


Sent from my iPhone using Tapatalk
 