Need to access cameras behind Dahua NVR

haselnut

haselnut

n3wb
Aug 15, 2023
12
1
Estonia
Hi

I have Dahua NVR DHI-NVR4108-8P-4KS2 (firmware V4.001.0000005.1) and 8 Dahua cameras connected to POE ports.
NVR has an ip 192.168.1.108, cameras are on different subnet 10.1.1.X managed by the NVR.

I am trying to control the LED's on my cameras programmatically instead of the cameras own day/night function.
So to be able to make an api request to one of the cameras, I use 192.168.1.108:10080 (or 10081 etc port for other cameras) as an address.

BUT for this to work I first have to open NVR's web interface with a browser, navigate to the Camera section and click IE icon for every camera to activate the port forwarding or whatever going on there. Otherwise I will get "ECONNREFUSED 192.168.1.108:10080".
And unfortunately the ports "deactivate" after a while and I can not make any request to cameras without clicking the IE icons in the web interface.

Does anybody know if there is some solution to keep port forwards to camreas active all times or is it possible to activate port forwarding by some api call?
I did not find anything useful from the offical API doc.

Regards
 
  • Like
Reactions: mat200
Set up a static route in your router so that anything on the 10.1.1.x network goes via the 192.168.1.108 address.

You will be able to access all your cameras directly.
 
  • Like
Reactions: haselnut
I added route on my OpenWrt router but it does not seem to work.

Code: 
config route
    option interface 'lan'
    option gateway '192.168.1.108'
    option target '10.1.1.70/24'

Does firewall need configuration also?
 
haselnut said:
I added route on my OpenWrt router but it does not seem to work.

Code: 
config route
    option interface 'lan'
    option gateway '192.168.1.108'
    option target '10.1.1.70/24'

Does firewall need configuration also?
Click to expand...
Would the target not be 10.1.1.0/24?
 
Sorry, yes, current target is 10.1.1.0/24. I just tried different solutions and pasted here the wrong version.
On ithe IPC web interface I see my router is the default gateway too.

image.png

Still can't reach 10.1.1.70
Code: 
root@OpenWrt:~# ping 10.1.1.70
PING 10.1.1.70 (10.1.1.70): 56 data bytes
^C
--- 10.1.1.70 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

root@OpenWrt:~# traceroute 10.1.1.70
traceroute to 10.1.1.70 (10.1.1.70), 30 hops max, 46 byte packets
1  *  *  *
2  *  *  *
3  *  *  *
 
It's like this by default. I have not touched these settings. What should the gateway be, how do I know if NVR is 10.1.1.1 or something else?
 
Well I assume 10.1.1.1 is the NVR as a gateway in 10.1.1.x subnet, it answers to ping.
I changed IPC gateway to 10.1.1.1 but no success.

Code: 
root@OpenWrt:~# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: seq=0 ttl=64 time=4.682 ms

root@OpenWrt:~# ping 10.1.1.70
PING 10.1.1.70 (10.1.1.70): 56 data bytes
^C
--- 10.1.1.70 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

Also found Switch section in NVR web ui. 10.1.1.1 is the gateway.
Screenshot 2023-09-30 at 17.43.21.png
 
Last edited:
The fact you can ping the Lan side of the NVR and get a reply suggests your static route in your router is working.

As for why the camera doesn't respond there might be a setting in either the camera or possibly the NVR which is blocking it.

Set the dns on the camera to match the gateway.
 
I did set IPC DNS to match the gateway 10.1.1.1 - still can't ping 10.1.1.70
Screenshot 2023-10-01 at 11.51.06.png
I also tried to set DNS on NVR to 192.168.1.1 (default was 8.8.8.8) it did nothing,
Here are other settings on NVR:
Screenshot 2023-10-01 at 11.55.23.png Screenshot 2023-10-01 at 11.55.29.png Screenshot 2023-10-01 at 11.55.44.png Screenshot 2023-10-01 at 11.56.05.png
And on the IPC:
Screenshot 2023-10-01 at 11.56.20.png Screenshot 2023-10-01 at 11.56.32.png
 
Do you have other cameras on the 10.1.1.0 network?
Can you ping any of them?

Edit: so you have any firewall settings enabled in the cameras?

My camera has a firewall tab under system->safety
One of the options is ping prohibited.
 
I have 8 cameras total on the 10.1.1.0 network and I can't ping nor access with a browser any of them.
I have firewall disabled on all IPCs by default on all options: Network access, PING Prohibited, Prevent Semijoin
Screenshot 2023-10-01 at 13.22.22.png Screenshot 2023-10-01 at 13.22.27.png Screenshot 2023-10-01 at 13.22.32.png

On IPC I also tried to enable SSH, Private Protocol Authentication to Compatible, enable LLDP but it didn't have any effect.
Screenshot 2023-10-01 at 13.24.46.png

I managed to log into NVR by ssh and got this:
Code: 
#diagnose 6

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

But I can't get into shell to do anything else but execute default diagnose commands
Code: 
#shell
Domain Accounts:
Domain Accounts  not avaliable
 
Everything looks to be ok.
If you can get to 10.1.1.1 you should be able to get to any other address on that subnet.
 
Unfortunately can not reach any other ip than the gateway itself on the 10.1.1.x

Code: 
root@OpenWrt:~# nmap -sn 10.1.1.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2023-10-01 17:08 EEST
Nmap scan report for 10.1.1.1
Host is up (0.0069s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 4.26 seconds

Thank you for all the effort so far, really appreciate it.

If there are any ideas what else to try I'm still here looking for a solution.
 
Last edited:
This is by design on Dahua PoE NVRs. You're not going to 'fix" it by playing with routing.

The Internal switch sets up a network of 10.1.1.x for the cameras and cannot be accessed without going through the NVR and the IE icons.
It also adds a layer of security for this same reason.

If you dont want to do that, you can simply plug your NVR (using the LAN port) and cameras into an external switch and put them all on the same network as your router is providing now. 192.168.1.X. You dont HAVE to use the internal switch and associated PoE ports.
 
  • Like
Reactions: haselnut, looney2ns, Flintstone61 and 3 others
bigredfish said:
Im not a network pro but this may help in your use case if your NVR supports it.
View attachment 173746

Click to expand...

The way i understand it, enabling bridge mode on the NVR amounts to the same as doing this...
If you dont want to do that, you can simply plug your NVR (using the LAN port) and cameras into an external switch and put them all on the same network as your router is providing now. 192.168.1.X. You dont HAVE to use the internal switch and associated PoE ports.
Click to expand...

Except you're using the switch built into the NVR rather than an external one.
 
  • Like
Reactions: JDreaming, mat200 and bigredfish
You must log in or register to reply here.
Top Bottom