Joined to seek answer to a dumb daisychained setup

[MickG01]

I had a Fios network with a DVR remote in 100' cable to an adjacent building. I could view the cameras locally and via port forwarding 192.168.1.150:80 (the dvr) I could connect remotely.
We decided to put a remote access point in the second building si I added a Wifi Route on the end of the 100' cable and plugged the DVR in to that. While it's still using the same 192.168.1 network addresses it does have its own WIFI access id. However that DVR with the same fixed IP is on an Ethernet connection.
I can connect to wither WAN and my client software sees the DVR and all connected 13 cameras. But now for port forwarding, although the main ActionTec router shows it in the list of connected devices it doesn't show it as an available device for forwarding. Inserting it's IP with port 80 adn forwarding that doesn't make it available for external connection.
The set up is Internet -> ActionTec WAN, ActionTec Ethernet -> Router Ethernet (not WAN), Router Ethernet to DVR.

Using SUperLivePro on Android connects to ActionTec WAN or Router WAN and sees DVR. Remote connect to ActionTec Is unable to connect.

 

[crw030]

Mick, I'm guessing you put a traditional wi-fi router at the end of that pre-existing LAN run? If so the most likely scenario is that that remote router is behaving as designed and is firewalling the incoming connection and performing Network Address Translation (NAT). In this case you should not have both networks on the same 192.168.1 subnet, or sometimes those devices let you change a setting so they act as a transparent bridge instead of a NAT router, so it might be worth looking into the manual for the device to see if that option is available.

Lacking that capability, I would expect if you changed the new router to assign addresses in the 192.168.2.XXX subnet the problems might disappear for you. This is based on my suspicion that the devices behind the new Router, sending packets back to the router but it won't normally route 192.168.1 traffic back out the WAN interface, because it is configured as the LAN side network so it expects to find those devices on the LAN side only.

For reference a quick Google for multiple subnet networks would provide some sample images that illustrate how you might want to do this differently. example: Multiple subnets with DD-WRT

 

[MickG01]

Mick, I'm guessing you put a traditional wi-fi router at the end of that pre-existing LAN run? If so the most likely scenario is that that remote router is behaving as designed and is firewalling the incoming connection and performing Network Address Translation (NAT). In this case you should not have both networks on the same 192.168.1 subnet, or sometimes those devices let you change a setting so they act as a transparent bridge instead of a NAT router, so it might be worth looking into the manual for the device to see if that option is available.

Lacking that capability, I would expect if you changed the new router to assign addresses in the 192.168.2.XXX subnet the problems might disappear for you. This is based on my suspicion that the devices behind the new Router, sending packets back to the router but it won't normally route 192.168.1 traffic back out the WAN interface, because it is configured as the LAN side network so it expects to find those devices on the LAN side only.

 

[MickG01]

I had tried using it as a. NAT router but couldn't see the DVR on the original LAN so I bypassed the WAN port on the new router and disabled DHCP on it so it basically extends the 192.168.1.0 network to the remote location.
I can now see the DVR and cameras on all internal locations. I just can't seem to port forward it for viewing externally as I used to.
The additional router is basically acting as an access point for the existing network.
We have a PC there which is working fine including web access.

 

[crw030]

Sounds like you are basically using the lan-side as a dumb switch. Offhand I cant see why it wouldnt be working.

Are you getting DHCP addresses from the first lan router to devices at the second router correctly?

Sometimes those routers have built-in tools so could you ping & tracert from the first router to the destination device that isnt working?

Sent from my SM-G950U using Tapatalk

 

[looney2ns]

Do yourself a favor and stop port forwarding. It's very insecure.
VPN Primer for Noobs

 

[MickG01]

Yeah, I probably didn't explain that very well. I am just using the LAN side basically as an extender. And DHCP just from the first LAN.
I'm just puzzled why I can't port forward via the Fios Actiontec unit

 

[MickG01]

Do yourself a favor and stop port forwarding. It's very insecure.
VPN Primer for Noobs

Gotta get to those cameras remotely somehow. No choice in that requirement.

 

[J Sigmo]

If you set up a VPN, you can use that to remotely access your DVR and cameras without allowing the cameras or DVR to have direct access to the internet, and without using port forwarding.

Essentially, the VPN allows you to tunnel into your LAN, as if you were right there, logged onto or wired to, one of your routers.

Port forwarding is dangerous. Allowing the NVR or any of these cameras to have access to the internet is dangerous.

With a VPN, all traffic is encrypted, and only devices that you have set up with the encryption key can get in remotely.

It sounds overwhelming at first, but with a bit of reading, and the help of a good website that has a step-by-step setup tutorial that works with the ASUS routers that have the built-in VPN capabilities, it was really easy and smooth for me to set this up on my system. And along the way, I learned a lot that will be helpful for other systems and setups.

It is really very well worth the time to look into this. People on this forum will help with it all. Give it a look!

 

[SouthernYankee]

provide a detailed complete drawing of your network.

 

[MickG01]

The issue would be that these cameras are in my wife's doggie daycare, boarding business. If she can't get to them clicking a single icon on her IPhone to check on the dogs and employees, that will be a big problem.
I'll search a bit more, but for now making the port forward work would make her really happy.

 

[SouthernYankee]

Make sure the cameras can not access the internet. If possible block the camera MAC address at you router. Set up your own time server on your network , set the cameras to use that time server.

 

[J Sigmo]

The issue would be that these cameras are in my wife's doggie daycare, boarding business. If she can't get to them clicking a single icon on her IPhone to check on the dogs and employees, that will be a big problem.
I'll search a bit more, but for now making the port forward work would make her really happy.

I set my wife up with remote access to our cameras and the recorded videos, etc., by installing the VPN app and the Blue Iris app both on her phone. The Blue Iris stuff is simply because I'm running Blue Iris as the NVR.

She has to click one icon, switch the VPN on, then dismiss the VPN app and click another icon to get into the Blue Iris app which then lets her view the cameras live or look through anything that's been recorded recently.

Really, it's very easy to use once you have it set up. I think she'd like it.

It is good to turn the VPN back off when you're done using it, but it's just two clicks (well, touches on the phone, actually).

And once you have the VPN set up, you can use it for other things where you want to have access to devices on your network. Again, when the VPN is "on", it is just as if you were right there, sitting in your home or business, and logged into your LAN on WiFi. But this all happens over the cell network when you're out and about. Yet the security is excellent.

Allowing your NVR or cameras to directly access the internet, or by port forwarding, opens your entire network up to remote hacking both by the well-known back-doors built into many NVRs and Cameras or by hackers who have figured out how to break into the cameras and NVRs by other means. Remember that each camera and each NVR is, effectively, a computer on your network. Once someone commandeers any of them, they then have direct access to your entire network. Effectively, the cameras, NVR, and anything "port forwarded" bypasses the firewall in the router that you have connected to the internet.

So your personal data is open to anyone, and your cameras and/or NVR can now be reprogrammed to collect data, view the images, or be used as "bots" to do nasty things like be part of denial of service attacks on other sites, etc.

The software that comes with the cameras and NVRs makes it really easy to remotely view, but the way it works requires you to open your network up to the outside world, and that's not safe, especially if you (as most folks) use that very same local area network for your other computers, etc.

 

[MickG01]

Thanks. I'll do some checking see what I can set up.

 

[J Sigmo]

Are either of your routers ASUS units with the built-in VPN support? If so, they're very easy to set up for this. If not, it may be worth getting one to replace your main router (the one you've got connected to the internet modem). From there, things are really easy!

 

[MickG01]

Main is Actiontec originally from Verizon. It's combined Modem / Router. SECONDARY IS A Wise Tiger which I believe has VPN available.

 

[looney2ns]

If using OPENVPn connect on a phone, it can easily be configured for one touch activation of the VPN. No need to dismiss it to get to BI app.
Using Tasker app, you can automate all sorts of actions.

 

[J Sigmo]

Main is Actiontec originally from Verizon. It's combined Modem / Router. SECONDARY IS A Wise Tiger which I believe has VPN available.

It sounds like you're using the second router more or less as a switch with WiFi to extend the network into the second building.

And your first router is built into your modem, which I believe is fairly common.

I think I would want the first router (the one tied to the modem for internet access) to be the one with the VPN capabilities, but maybe it doesn't matter.

But if that's the case, you would still need another router. You would abandon the router and WiFi features in your modem and only use it as a modem.

Then you would set up the new router to be your "main" router and WiFi for your house. And you would set up the VPN in that new router.

At that point, since you would be buying a new router, anyhow, you could choose one of the ones that the gurus here recommend for their VPN capabilities.

I may be misunderstanding your exact configuration. But this is what I'm picturing.

A newish router is a good idea for implementation of a VPN, anyhow, because you want fast computing power and plenty of RAM so the encryption and decryption can happen fast and not slow down your data throughput.

You may also find that even the non-VPN traffic is faster for you because of the improvements in WiFi, etc., in the latest routers.

The router I'm using is one that was recommended here. And it has a lot of features that have made it very easy to set up and administer. For example, it is easy to block all of my cameras and other gadgets that I dont trust from having internet access. You simply look at all of the devices and switch off their internet access on a case by case basis.

As mentioned above, if you draw up a simple cabling diagram, showing how your system is connected, it will make it easier for us to help diagnose the original problem and also suggest how to fix that while also ensuring good security.

Maybe you can use what you already have. But if you do end up needing a new router, just realize that you may find that it will be a lot nicer, and you'll enjoy it for some of its other features, anyhow.

If using OPENVPn connect on a phone, it can easily be configured for one touch activation of the VPN. No need to dismiss it to get to BI app.
Using Tasker app, you can automate all sorts of actions.

But that would just make me even lazier than I already am!

Seriously, though... I will look into that. I've never used it, but have heard of it for automating things on these gadgets!