Router-modem doesn't recognise our NVR anymore

[Ludo Van der Stock]

The access point doesn't function anymore. I took it out. The PC is plugged into the modem /router with an ethernet cable, the NVR also,just next to it.

Other info. I've set as IPv4 address of the NVR my external IP address (again), in order to be able to log into the Hikvision website ( www.hik-connect.com ). So, I discovered that my NVR device was NOT mentioned, but one camera was "shared" with the security company (alarm systems). I found it googling the address. I didn't give permission! I deleted this camera from "shared".
Furthermore, when I try to add my NVR with the serial # on the website ( https://www.hik-connect.com/devices/page ) the message is: "Operation failed. The device is added by other users." Strange things happen! So, tomorrow I will telephone the company to ask for some explanations.
I presume that a reset of the NVR will be necessary. I'll wait till a professional comes to install again. Meanwhile, the NVR is working in a stand-alone modus.

 

[Ludo Van der Stock]

Some background? I saw IT growing the last 50 years, started with it as a generalist user in 1973. I worked with mainframes and punch cards, slave stations, later on PS2, Apple Macintosh, etc. etc. till the iPad and SSD PC's. It was too much to follow and learn everything. In 2015 on my 67 y., I finished another master, this one in History at the UA. Everything was "online" and the papers to send on the "Blackboard". So using the systems became second nature, but repairing networks is not my thing.
I'm very pleased that you put in so much effort to help me/us. I'm grateful, thank you out off the bottom of my heart.

 

[catcamstar]

Some background? I saw IT growing the last 50 years, started with it as a generalist user in 1973. I worked with mainframes and punch cards, slave stations, later on PS2, Apple Macintosh, etc. etc. till the iPad and SSD PC's. It was too much to follow and learn everything. In 2015 on my 67 y., I finished another master, this one in History at the UA. Everything was "online" and the papers to send on the "Blackboard". So using the systems became second nature, but repairing networks is not my thing.
I'm very pleased that you put in so much effort to help me/us. I'm grateful, thank you out off the bottom of my heart.

I also "enjoyed" the mainframe era (enjoying some at work), these beasts remain rock solid!

For your case: I would suggest the following:
- unplug that NVR from your internet modem: it may (or may not unintentionally) be hijacked. To avoid further "complications", do isolate it as of now. Only plug it in when an on-site technician either factory resets OR secures the complete NVR for you
- when the NVR is good to go (or as preparation in the meantime), I suggest you plough through VPN Primer for Noobs . It contains a vast amount of interesting information, but in two sentences: a VPN ensures that YOU (and only you) can connect to your NVR (from any device, being abroad / coffee shop / ... ) WHILST your NVR remains completely isolated from the (dirty) internet. If you need more information, you can find lots of help on the openvpn forum, or you jump back in here, lots of expertise to help you on that journey too.

My life moto is: sharing is caring, so I'm glad I could spend some of my online time helping you out, although I am VERY curious to know which settings in that Telenet thing messed up your NVR... Please feedback if you technician found something interesting.

Have a lovely Sunday evening!
CC
PS. congratz on your master at your age!

 

[Ludo Van der Stock]

Today, I had to paint outside, until a rain shower drove me inside, tomorrow I continue. The VPN Primer studies have to wait, but I'm curious.
The firm couldn't explain, they will make an appointment to control and to reset the NVR. Meanwhile, I disconnected the NVR from the net, as you proposed.
I will keep you posted on this.

 

[Ludo Van der Stock]

It's a stupid follow-up story.
The security firm tells me that Telenet has to adapt the 'ports' again. Telenet says that I can do it myself. The security firm contacted: it is not necessary to come from (far away) and the technician asks me for a Team View link but then he notes that he doesn't have version 14 on his laptop. Before it happens he disappears and doesn't ring back. The offices are closed. Another man, the duty technician calls me but he hasn't Team View either. He THINKS the ports are XXX, YYY and ZZZ (I have them).
I know how port forwarding works (from long ago). I have the advanced settings of Telenet before me: "the IPv4 Firewall & port forwarding", but dare not to touch at these settings without guidance. On the other hand, I want to learn how to fix such thing myself. So, if a complete stranger takes over my PC to "fix" the NVR problem, I learn nothing.
Can you help me with the specific settings, please?

 

[catcamstar]

It's a stupid follow-up story.
The security firm tells me that Telenet has to adapt the 'ports' again. Telenet says that I can do it myself. The security firm contacted: it is not necessary to come from (far away) and the technician asks me for a Team View link but then he notes that he doesn't have version 14 on his laptop. Before it happens he disappears and doesn't ring back. The offices are closed. Another man, the duty technician calls me but he hasn't Team View either. He THINKS the ports are XXX, YYY and ZZZ (I have them).
I know how port forwarding works (from long ago). I have the advanced settings of Telenet before me: "the IPv4 Firewall & port forwarding", but dare not to touch at these settings without guidance. On the other hand, I want to learn how to fix such thing myself. So, if a complete stranger takes over my PC to "fix" the NVR problem, I learn nothing.
Can you help me with the specific settings, please?

Off course we can help! The question is: does it make sense to apply these settings? Or otherwise said: do you even want to apply these settings?

Let me explain what port forwarding does in the first place!
Telenet router receives a "publicly" available IP address (the 73. address you saw on your NVR, for an unknown reason). You "intranet" addresses (192.168.0.x) are UNroutable from the internet, meaning nobody can REACH them. Never ever. Period. Except, and now comes the "fun" part, if you open the gates on your fortress. Port forwarding means that port XYZ (on your public WAN IP) is "opened" and forwarded to 192.168.0.x at port XYZ. Meaning that if a chinese hackerd is sending traffic to that port XYZ, it immediately reaches your "internal" device. Which exposes a huge security risk, not only for this specific device, but for your entire network, including desktops, laptops, NAS, IoT devices. Why? Because IF that device holds a default (known) password, vulnerability (in the linux kernel), memory leakages etc, you are exposed. To say bluntly: in 1995, we did port forwarding to "facilitate" easy "home calling", but in 2019, every IP and every port is scanned by scriptkiddies, virusses and other knobheads to hunt for these vulnerabilities. Google once for what a "honeypot" is used for, you'll immediately grasp the idea why port forwarding is a no-go.

The question at stake is: why does your security firm proposes this port forwarding? And why is this required NOW? Does that mean it was already there in the first place? Then they are, in my humble opinion, not really providing a "secure" solution for your "security system" (you noticed the word game right?). It looks to me that you require this port forwarding to enable some Peer2Peer to actually "register" your NVR to view it on IVMS. But then I wonder why this VMS does not work on your LAN? That's ... weird.

And then we are back to my previous post: P2P and port forwardings should be avoidable (with a limited investment!) by applying a VPN. How? First make sure your NVR works on your LAN (without p2p, port forwarding etc). Then install and configure a VPN server and off you go!

Hope this explains a bit the background, but please please astublieft, no port forwarding!!!
CC

 

[Ludo Van der Stock]

Yes, I understand the dangers and I'm not amused at all with 1) the attitude of Telenet "Do it yourself" and 2) the security firm who stalls the intervention and tries to hide behind "standard procedures". Even: ""But, you cannot go yourself into your NVR" you don't have the permission. Eh???? I refuse to be a sitting duck. Sure, I will install a VPN.

Anecdote. Years ago in the Balkans. We had Motorola hardware encryption, with telephone and fax. One night, some dull old microphones into the wall went into the Larsen effect ! The next morning two "repairmen" from the telecom company were fiddling with the overhead lines at our house. No marks on their white van, no logo's on their overall. Asked one of our local correspondents to find out. Nobody had been there! So, a special team flew in from Brussels to sweep the premises and "cut the lines".
From then we've sent the driver (again) with sealed envelopes. We encrypted our communications with PGP and used Onion browser and Tor to go on the net. etc. etc.

I hoped to be free from all that hush-hush hassle, but it doesn't stop! I'm not interesting anymore !!! I hope it is just a case of carelessness. See what is next,

 

[catcamstar]

Yes, I understand the dangers and I'm not amused at all with 1) the attitude of Telenet "Do it yourself" and 2) the security firm who stalls the intervention and tries to hide behind "standard procedures". Even: ""But, you cannot go yourself into your NVR" you don't have the permission. Eh???? I refuse to be a sitting duck. Sure, I will install a VPN.

Answer of Telenet is understandable: if THEY open the wrong port to the wrong internal IP address, it's their fault. So they will never do it.
Answer of your security firm is not acceptable. Even if someone would give me a "device" for free, I would never ever connect it to my main lan if I don't know what's the device doing (eg without having console access). That's the reason why I advice, not only on this forum, to create vlans on your home network, so that your fridge, google home, smart TV, all can be separated from your NAS, because way too often, some cryptolocker travels from an infected device to your NAS, eats all the files (from kids, school, holidays - all is digital and GONE in 1 SECOND!). Secure your gear, secure your network. We all have access to these tools, they don't cost more than a leg, but loosing all will cost you more. I read in Datanews that even professional DSLR's with wifi can be cryptolocked! Go figure.

So bottom-line: start with VPN, read about vlans, and you'll have a top notch "meeluistervrij" network

Enjoy the rain drops in A'pen!
CC

 

[Ludo Van der Stock]

Today the camera techician was back. He supposed that Telenet had reset the modem. We openend the designated ports via the Telenet website and restarted. Everything works again.
The NVR is secured with a strong pasword. A good hacker can enter anyway, I study to install a VPN.

 

[catcamstar]

Today the camera techician was back. He supposed that Telenet had reset the modem. We openend the designated ports via the Telenet website and restarted. Everything works again.
The NVR is secured with a strong pasword. A good hacker can enter anyway, I study to install a VPN.

Hallo Ludo,
I'm happy that all "works again".
One sideremark: a strong password is a good start, but there have been cases in the past that even with strong passwords, people got their NVR hacked (eg "hidden" system account with default passwords). Does your camera guy know your password? Still uncertain to me why your NVR needed port forwarding to function.

Good luck crunching the VPN concept!
CC

 

[Ludo Van der Stock]

The camerasystem technician said that there is no other way than forwarding the ports in order to be able to see the cameras via the internet (with 4G or on another WiFi). I wisely didn't start a discussion on VPN.
Nobody (except my wife ) knows my password. I'm the only superuser on the NVR.
Again, hartelijk dank for the help.
Ludo