La View LV-PC902F2-W port forwarding security help needed

samone4

n3wb
Joined
Feb 28, 2016
Messages
11
Reaction score
0
I have 3 La View LV-PC902F2-W cameras configured with SADP setup using BI on my PC. I would like to ensure that I'm only forwarding the port for the BI PC. I do not need or want to forward the camera ports. I plan to use TeamViewer to connect remotely to the PC to view BI. I have blocked control access for the 3 camera IPs in the router settings. And I changed the default password. But I don't know if my setup is correct or secure. My router is showing the static IP of all 3 cameras with several ports open for HTTP, IPC_Civil_CMM, RTSP, etc.

When I used the SADP to initially setup the cameras, I changed the port from 8000 to 8686. The SADP needs a port from 2000 to 65535? I just used 8686 as a place marker here. Could this be the issue?

I would appreciate some help to fix it.
 

ruppmeister

Getting the hang of it
Joined
Apr 15, 2015
Messages
668
Reaction score
98
If you in fact have any ports open in your router currently, then you have a problem. You say you want to access your BI machine using TeamViewer, which doesn't require any ports in your firewall to be open. TeamViewer uses ports 80 and 443 to communicate with your machine inside your network. Delete all the rules allowing your cameras out of your firewall and even put a new rule in that prevents the IPC IPs from exiting your LAN.

Now if you are wanting to take full advantage of BI server, then you should put a rule in your firewall that allows for BI to come and go as it pleases from your network. You can configure which port BI uses in BI Settings > Web Server, I believe; then you just put that port into your firewall rules to gain remote access to BI. You might also want to tell BI to use authentication/secure only, which forces BI to ask for credentials.
 

samone4

Thank you. I deleted the ports and rebooted the router. However, the ports for the cameras reappeared after 30 min or so.

Then, I reset the router to its default configuration and restarted. The port forwarding for the cameras came back.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,326
Reaction score
5,325
Location
Denver, CO
disable UPnP on your router so nothing can open ports without your express permission... that's your security problem right there.

if your router does not support disabling it, see if you can put DD-WRT on it.. if not, sounds like a great reason to chuck it in the bin.

also consider a VPN instead of exposing BI to the internet, it's typically easier and always safer than port forwarding..
 

samone4

Thank you! That was the exact issue. FIOS router had that particular page hidden. Found it and disabled UPnP.
 

samone4

Okay, now that the ports are closed, I'm ready to take another step forward. I want to attempt setting up a VPN on the PC (same location as BI). I understand the PC needs to be on 24/7. That works. I have downloaded and installed the SoftEther Windows software and created a user, password, and DDNS setting. So far, so good.

How do I use BI to connect to the PC?
Also, is there a way to test that it's working?
 

nayr

a VPN bridges your remote device so it's just another device on the local network, everything is connected by virtue of your switch.. the easiest way to test it's working:

  1. Set up the VPN on your smartphone
  2. Turn off your WiFi so you're on the mobile network
  3. Connect to your VPN
  4. Open your BI app and access it the same way you would if you had WiFi enabled.
 

ruppmeister

I tried for the life of me to get the SoftEther server to work with my setup, but failed every time. I am not a tech buffoon either. I have worked tech for the last 12 years or so and consider myself tech savvy and STILL couldn't get it to work. Now I might have been facing a technical limitation of my setup trying to connect with an iPhone, I don't know, but I wasn't able to ever get it working.

If you want to use the Windows machine that you are running BI on, try this out - http://www.howtogeek.com/135996/how-to-create-a-vpn-server-on-your-windows-computer-without-installing-any-software/

I know from experience that running an OS X server as VPN is easy as pie when using the iPhone to connect, so would recommend that to you if you have a Mac to leave on all the time.

Good luck and post back if you have questions.
 

samone4

Thanks again for helping me plug the hole in the port forwarding security.
Regarding the SoftEther VPN, I couldn't get the VPN working on my Android phone. But I did run the SoftEther client software on a remote PC. It connects to the VPN. That said, I don't know what the next step is. I'm reading and trying to learn more about the VPN service.
I have two questions: (1) how do I use BI on the VPN? and (2) can I use the BI app for Android to connect to the VPN server as well?
 

ruppmeister

Running a VPN server on your internal network allows you to build a secure tunnel between a remote device and your internal network. When the remote device is connected to your VPN, the remote device appears as if it is inside your local network and gets an IP address from your internal network. Imagine, if you will, your Android device while you are at home. The Android device gets its IP address from your home router (presumably) and your BI machine thinks it is on your local network, thus the BI app uses the IP address that you configured for use on your LAN (within the BI app itself). When you are on the go using your Android device, you are obtaining the IP address from the service provider that you pay to provide your data (ATT, Verizon, T-Mobile, etc). Since this IP address is not the same one as you get when you are home from your home router, BI uses the WAN address that you configured in the BI app settings to connect to your server. This WAN IP address is the address that you have from your internet service provider (Cox, Comcast, etc).

Now let's say you are on your Android device out and about, but instead of using the WAN address for your home's IP address, you instead connect to your home VPN server. There is a tunnel that is built between your Android device and your home VPN server (the connection is Cell Provider to Home Internet Provider) but your Android device believes that it has an IP address that is inside your home network. Also, your home network believes that your Android device is at home and treats your Android device as such. So when you are connected to BI through your home VPN server, BI assumes you are home and uses the LAN configured IP address.

To answer your actual questions: (1) you use the BI app just like you would if you are home while you are connected to your home VPN server and (2) connecting to the VPN server is not possible via the BI app. The establishing of the secure tunnel to your VPN server is done through other means on your Android device. Anymore these days a VPN feature is baked into mobile devices (most electronics really that have a full feature OS running on it). So you first have to establish your secure tunnel to your VPN via the Android device's built-in means (or third party app) and then use the BI app to connect to your server.

Hope that all makes sense.
 

samone4

Yes. It is making a lot more sense now. Thanks! Using a remote PC I can connect to the VPN server, no problem. And I can see the remote client listed on the PC/server when connected. Now I think it boils down to connecting the Android for "out and about" use of the BI app. However, I can't get the Android device to connect to the VPN. It just times out after about a minute. I went through the steps of the SoftEther tutorial. No luck. I've disabled my AV software and firewall protection on both the server and the Android for testing purposes. Same result. I don't know if I'm missing something or not. I am using the L2TP pre-shared key on the device and I'm certain I'm using the correct user name and password as well. Maybe a third-party Android app would work?
 

samone4

It is finally working. The Android device connects to PC/server. I'm able to connect remotely via the BI app now. And I have no ports open. Thank you for helping guide me through the process. One question regarding the BI options setup on the PC: In the web server tab, why is it necessary to enable the HTTP web server if I'm not intending to connect remotely through the WAN?
 

nayr

so you can access BI server with a browser instead of a remote desktop, browser is going to be easier on slow connections.. for most people every remote connection is a slow one (limited by your upload speeds)
 

ruppmeister

> It is finally working. The android device connects to PC/server. I'm able to connect remotely via the BI app now. And I have no ports open. Thank you for helping guide me through the process. One question regarding the BI options setup on the PC: In the web server tab, why is it necessary to enable the HTTP web server if I'm not intending to connect remotely through the WAN?

The long and the short of this question is, because the BI app uses the web server to connect to streams from BI. Won't make too much of a difference though as long as you don't have a port open in your firewall to access the http web server (default port 81). Congratulations on making your home network a little safer than it was before.
 