Random router connections

[MauriceM99]

Hello!
hope you’re all well in these strange times!
I’m hoping to pick your brains.
I have a dahua NVR for about 5 years now. I recently noticed my internet going strange having cut outs on my devices. I logged onto the router initially didn’t notice anything different then it started displaying a loading screen for an older version router. I was worried and started disconnecting everything and started reconnecting things trying to locate the source...it turned out to be my NVR..when I connected it up it would display random devices connected over the same Ethernet port with Mac addresses relating to apple devices, and huawei p20 phone. And the internet would act strange again. I’d disconnect the NVR all Random connections would drop..internet back to normal. I’ve since been playing with the NVR doing a factory reset changing port numbers but nothing seems to shake these random devices. I’ve even don’t a firmware upgrade and it’s no longer supported it’s so old. Any ideas? Anyone else experience this?
Device is NVR4104H-P POE 4 channel
Thanks in advance!

 

[djernie]

Here is a thread from @bigredfish it may be helpful. Good luck!

***PSA for those with a New DAHUA NVR with Built-in PoE switch

IF you have a Dahua NVR with built-in PoE switch... DO NOT follow instructions telling you to use the config tool or switch the IP of your cameras or initialize anything..! With NVR's typically with a -P designation (Built-n PoE switch - example: 4208-8P-4KS2) none of that is required and it...

ipcamtalk.com

 

[bigredfish]

Cant say I've seen that before, I guess its possible you are port forwarding and have been hacked... wouldnt be the first..

Will need a LOT more information..

1- Are you port forwarding your router to be able to see your cameras when remote?

2- Has anything changed on your network before this started? Did you add a camera or change/update your router?

3- I assume your router is whats showing these devices, Are these devices you know and own?
....it turned out to be my NVR..when I connected it up it would display random devices connected over the same Ethernet port with Mac addresses relating to apple devices, and huawei p20 phone.

4- When you say "random devices over the same Ethernet port" do you mean Same IP address? (example 192.168.1.108)

 

[Mike A.]

4- When you say "random devices over the same Ethernet port" do you mean Same IP address? (example 192.168.1.108)

I think that he's saying that he's seeing multiple outside devices/IPs coming into the same port number on his network.

In that case, yes, sounds like something is open/forwarded. Your internet could be acting strange because of the added traffic in/out. Who knows what could be running on old NVR firmware... bots, miners, etc.

Close the open ports on your router. Turn off uPnP on your router to keep ports from being opened again by devices. Block Internet access for the NVR at your router. Also turn off any other remote access services on the NVR and change the gateway setting on it to an invalid address (usually can use its own IP). Whatever still may be installed and running be on your NVR but traffic won't be getting in/out. Obviously you won't be able to get to it from outside either. Set up a VPN to do that.

 

[MauriceM99]

Cant say I've seen that before, I guess its possible you are port forwarding and have been hacked... wouldnt be the first..

Will need a LOT more information..

1- Are you port forwarding your router to be able to see your cameras when remote?

2- Has anything changed on your network before this started? Did you add a camera or change/update your router?

3- I assume your router is whats showing these devices, Are these devices you know and own?
....it turned out to be my NVR..when I connected it up it would display random devices connected over the same Ethernet port with Mac addresses relating to apple devices, and huawei p20 phone.

4- When you say "random devices over the same Ethernet port" do you mean Same IP address? (example 192.168.1.108)

Thanks for the quick response!

I did have it setup so I can view the cctv from my phone. This was all setup by a cctv company. I didn't so any of this myself.
No changes to my network that I know.
I do not own any of the devices. Its like they are using my NVR to use additional bandwidth. I had a new router supplied to my by my internet provider as we didn't know about the issues currently they believed it to be the router. I have not plugged the NVR into that router and not had any issues or rogue devices. I still have the old router so I use that for testing.
One device which is called Emilys Airbook uses the same IP address on that port, and another which is called Simons PC uses what looks like IPV6 address but again on the same port. Since checking and doing tests with factory reseting the nvm I do not see a Huawei p20 anymore.

 

[MauriceM99]

I think that he's saying that he's seeing multiple outside devices/IPs coming into the same port number on his network.

In that case, yes, sounds like something is open/forwarded. Your internet could be acting strange because of the added traffic in/out. Who knows what could be running on old NVR firmware... bots, miners, etc.

Close the open ports on your router. Turn off uPnP on your router to keep ports from being opened again by devices. Block Internet access for the NVR at your router. Also turn off any other remote access services on the NVR and change the gateway setting on it to an invalid address (usually can use its own IP). Whatever still may be installed and running be on your NVR but traffic won't be getting in/out. Obviously you won't be able to get to it from outside either. Set up a VPN to do that.

Thats correct, multi devices on that port. The NVR is the latest firmware but I guess I have been already been pwned then that wouldn't really fix the problem. Also the NVR is running the latest Firmware which is available there isn't any others available or going to be available.

Would turning off uPNP cause any issues on my network? Alexa/PS4/hue lights? the only reason I have the NVR connected to the internet is so that I can view my cctv from anywhere on my phone.

Do you think I need to flash the firmware completely to get rid of them and then do the VPN work? I have a raspberry pi sitting around doing nothing which I have thought about doing a vpn. already have one on my network as a piHole.

Thanks again to you both for the quick responses.

 

[Mike A.]

Thats correct, multi devices on that port. The NVR is the latest firmware but I guess I have been already been pwned then that wouldn't really fix the problem. Also the NVR is running the latest Firmware which is available there isn't any others available or going to be available.

Would turning off uPNP cause any issues on my network? Alexa/PS4/hue lights? the only reason I have the NVR connected to the internet is so that I can view my cctv from anywhere on my phone.

Do you think I need to flash the firmware completely to get rid of them and then do the VPN work? I have a raspberry pi sitting around doing nothing which I have thought about doing a vpn. already have one on my network as a piHole.

Thanks again to you both for the quick responses.

Disabling uPnP shouldn't affect things. It's more of an option than a requirement. All that it does is to allow a device to request that the router open a port automatically. You still can do so manually if you want. May somewhat complicate adding something new to your network but most all have gotten away from that these days. Alexa/PS4/Hue/etc., all should work fine. They do on my network with things locked down much more than that. They tend to use more of a P2P-type of approach which doesn't rely on specific in-coming ports being open. Which is why I said to disable any similar remote access settings on the NVR - another pathway in.

Blocking Internet access, etc., likely will affect your ability to access the NVR from the outside as well as possibly blocking control of other devices that you might also restrict. But again the VPN generally is the better way to do that. You can change some things once you have that set up to get that working. Basically, you'll connect to the VPN and then you'll effectively be a client on your internal network (not strictly true but works for simple explanation).

Flashing the firmware might be a good idea assuming that doesn't cause problems otherwise. I've not used a Pi to do VPN but I know some do. Not sure how well that works. Should be lots of info out there. The VPN will greatly slow your throughput vs not but only when connected through it and not really a problem for viewing cams and controlling devices. Only way to improve that much is with something that has hardware-based encryption as the host for the VPN and VPN software that can use it.