Network clarifications first camera

mike31

n3wb
Joined
Feb 18, 2019
Messages
16
Reaction score
1
Location
France
Hi,

I have to say I really liked your comparison with the cake story^^ You are absolutely right.
And additionally to that, I will say, if you do not know how to close the door properly, don't buy any cake ;).

To come back to the technical part, I just have to adapt the chain to be sure it is above the default router rules:
Code:
iptables -I FORWARD 1 -s 192.168.100.208 -p tcp --dport 587 -j ACCEPT
iptables -I FORWARD 2 -s 192.168.100.208 -j DROP
For the time being, there will be only one camera on the router and nothing else; I will see about adapting it to block the subnet instead if I connect additional devices in the future.

Thank you all for helping :).

PS: I also added a rule to block easy4ip using access restrictions in Tomato, just in case.
 

civic17

Getting the hang of it
Joined
Dec 7, 2018
Messages
175
Reaction score
60
Location
Canada
So if you are only accessing the Dahua cameras when connected to the VPN, you can't use the gDMSS/iDMSS app to live view? Can it still receive motion notifications on the phone app since you allowed the port for the cameras to send out notifications (not email alerts)?
 

Whoaru99

Pulling my weight
Joined
Dec 22, 2018
Messages
422
Reaction score
159
Location
Here
Before I started using BI I was using ONVIF/Onvifer for live view. Connect to VPN, open Onvifer, view cameras.

Now I receive the email notices from BI instead of the cameras directly, and connect to the VPN and use UI3/BI to live view the cams.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
So if you are only accessing the Dahua cameras when connected to the VPN, you can't use the gDMSS/iDMSS app to live view? Can it still receive motion notifications on the phone app since you allowed the port for the cameras to send out notifications (not email alerts)?
Hi,

my cams are only accessible through gDMSS/iDMSS; if you don't open outbound port 2195 (for Apple push notifications), you are not receiving any notifications. Live view & playback is possible across the VPN tunnel.

Hope this helps!
CC
 

mike31

n3wb
Joined
Feb 18, 2019
Messages
16
Reaction score
1
Location
France
Hello all,

I just received the camera, I set everything up as written on the wiki, but unfortunately I cannot access it using the VPN...
When I connect my computer to the internal LAN of the router, I can reach the camera, but not through the VPN; could it be a problem with the iptables configuration?

Thanks.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Hello all,

I just received the camera, I set everything up as written on the wiki, but unfortunately I cannot access it using the VPN...
When I connect my computer to the internal LAN of the router, I can reach the camera, but not through the VPN; could it be a problem with the iptables configuration?

Thanks.
Hi Mike!
Iptables has the capability to "log" the dropped connections - first google result: https://www.thegeekstuff.com/2012/08/iptables-log-packets/ --> on my Edgerouter, I can then quickly look in /var/log/messages and see which iptables rule is giving me the headache. But keep in mind one (sometimes forgotten) VPN pitfall: if you connect your PC to the internal LAN of the router (or use your phone on the wifi) and then open the VPN tunnel: this will NOT work, as both the VPN tunnel and the home router have the same (internal) gateway address. You have to connect to either your main ISP router (not the Asus), 3g/4g or the wifi of your neighbour. To debug this pitfall, you can watch the output of a "traceroute" command.

I'm betting you were using the VPN tunnel on the internal LAN.

Hope this helps!
CC
 

mike31

n3wb
Joined
Feb 18, 2019
Messages
16
Reaction score
1
Location
France
I use my ISP router with my PC to connect to the VPN of the Tomato router, then I can access the interface of this router. Nothing except the camera is connected to this router. Even if I use my phone's 4G to connect to the VPN, I cannot access the camera. I tried the iptables log but it crashes the router, maybe too much for this old one.

Edit: I was able to log using the logging configuration feature of the router for inbound and outbound traffic; I did not see any error, and no access to or from the IP of the camera, which is strange
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I use my ISP router with my PC to connect to the VPN of the Tomato router, then I can access the interface of this router. Nothing except the camera is connected to this router. Even if I use my phone's 4G to connect to the VPN, I cannot access the camera. I tried the iptables log but it crashes the router, maybe too much for this old one.

Edit: I was able to log using the logging configuration feature of the router for inbound and outbound traffic; I did not see any error, and no access to or from the IP of the camera, which is strange
Couple of things you might try:
- disconnect your cam, put your PC behind your Tomato, give it IP 192.168.100.208 (as if it were your cam). Try to surf on it. Does it work? Then your iptables isn't working anyhow. If it is getting blocked, you should already see something in your iptables log
- when you connect from your PC on your ISP router, can you show the output of a traceroute 192.168.100.208? Repeat with the OpenVPN tunnel active?
- same as above, but turn your phone into a 4g-based wifi hotspot and connect your PC to it, open the OpenVPN tunnel and execute traceroute.
 

mike31

n3wb
Joined
Feb 18, 2019
Messages
16
Reaction score
1
Location
France
I tried a better thing: keep the camera connected with 192.168.100.208, connect my phone using wifi as 192.168.100.209. I was able to reach the camera.
Then I tried to apply the same iptables rules to the phone; I lost internet connection AND LAN access. Before that, I was able to ping my phone from my PC through the VPN; after iptables, I lost it.
Something seems too restrictive in iptables. I can see the traceroute to my phone only if I do not apply the iptables rule.

Edit: Huuumm... it seems to be better to apply the rule WITH interfaces (thanks to the logfiles^^) like this:
Code:
iptables -I FORWARD 1 -i br0 -o vlan1 -s 192.168.100.208 -j DROP
 
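As an added example (not code from the thread or from Tomato), here is the full rule set that follows from mike31's last finding, with every rule pinned to the interfaces. It assumes br0 as the LAN bridge and vlan1 as the WAN interface, as in his rule, and TCP 587 for the email alerts as in his first post; the script prints the rules for review and only runs them when given the `apply` argument.

```sh
#!/bin/sh
# Added example, not from the thread: camera egress rules that match on interfaces,
# so the DROP only hits camera -> WAN traffic and never camera -> LAN/VPN replies.
# Assumptions (labelled): LAN bridge br0 and WAN interface vlan1 as in mike31's last rule;
# camera IP 192.168.100.208; email alerts go out on TCP 587 as in his first rule set;
# the LOG target and the limit match are built into the router's iptables.
CAM_IP="${CAM_IP:-192.168.100.208}"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan1}"
MAIL_PORT="${MAIL_PORT:-587}"

# Emit the rules rather than applying them, so they can be reviewed first.
# Inserting at 1, 2, 3 in this order leaves ACCEPT above LOG above DROP.
cam_egress_rules() {
    # 1) the only thing the camera may open towards the WAN: SMTP submission for alerts
    echo "iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -s $CAM_IP -p tcp --dport $MAIL_PORT -j ACCEPT"
    # 2) log whatever else the camera sends towards the WAN, rate limited so the log cannot flood
    echo "iptables -I FORWARD 2 -i $LAN_IF -o $WAN_IF -s $CAM_IP -m limit --limit 6/min -j LOG --log-prefix \"CAM-EGRESS: \""
    # 3) drop it. Replies to a VPN client are forwarded to the tunnel interface, not $WAN_IF,
    #    so this rule never touches them (the original -s ... -j DROP without -o did).
    echo "iptables -I FORWARD 3 -i $LAN_IF -o $WAN_IF -s $CAM_IP -j DROP"
}

# Sanity check before applying: every DROP must be pinned to the WAN interface.
# Returns 0 when safe, 1 if a DROP line lacks "-o $WAN_IF".
cam_rules_safe() {
    cam_egress_rules | grep -- '-j DROP' | grep -qv -- "-o $WAN_IF" && return 1
    return 0
}

# Usage: sh cam-egress.sh        -> print the rules for review
#        sh cam-egress.sh apply  -> run them on the router (needs root)
if [ "${1:-}" = "apply" ]; then
    cam_rules_safe && cam_egress_rules | sh
else
    cam_egress_rules
fi
```

With the DROP restricted to -o vlan1, the camera still answers live view and playback over the VPN tunnel while anything it tries to send to the internet other than the mail alert shows up in the log and is dropped.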