rtsp - can someone explain how to use multiple cameras via portforwarding?

blentz

I have plenty of experience setting up cameras using port-forwarding and firewall rules. However, I don't get how to set up my router for multiple cameras using RTSP when the rule requires mapping to a local IP address.
 

pila

Same as one camera, but organizing port forwarding accordingly. External ports can be almost anything; the following is just a nice numbering scheme for easy understanding, and it works.

Let's say you have cameras starting from .21 (192.168.1.21, 192.168.1.22, 192.168.1.23...)

On a router you forward external port 1554 to 192.168.1.21 port 554, 2554 to 192.168.1.22 port 554, 3554 to 192.168.1.23 port 554... TCP.

To view from inside your network you use /Streaming/channels/1 or /CH001.sdp where number is channel 1 (main) or 2 (sub). I have these on my Raspberry Pi 2 mounted to remote control buttons for live viewing.

rtsp://[usr]:[pwd]@192.168.1.21:554/CH001.sdp
rtsp://[usr]:[pwd]@192.168.1.22:554/CH001.sdp
rtsp://[usr]:[pwd]@192.168.1.23:554/CH001.sdp

To view from outside, use a DDNS service to gain external access to your address. Then the above internal commands change to:

rtsp://[usr]:[pwd]@[external_ip]:1554/CH001.sdp
rtsp://[usr]:[pwd]@[external_ip]:2554/CH001.sdp
rtsp://[usr]:[pwd]@[external_ip]:3554/CH001.sdp

For HTTP you would do the same for external ports 180, 280, 380 ... forwarded to .21:80, .22:80, .23:80 and external command would be (e.g. for camera .23):

http://[usr]:[pwd]@[external_ip]:380/Streaming/channels/1/picture

This is for multiple cameras as you asked, not for NVR.
 

nayr

Good for you, now stop.. hammer time!

Forwarding Ports to your cameras is a completely foolish thing to do, your cameras are running full blown operating systems with no automatic updates.. putting them on the internet is just asking for them to get hacked.


DO NOT FORWARD PORTS TO YOUR CAMERAS, USE A VPN
 

pila

> Good for you, now stop.. hammer time!
>
> Forwarding Ports to your cameras is a completely foolish thing to do... just asking for them to get hacked.
> DO NOT FORWARD PORTS TO YOUR CAMERAS, USE A VPN

OMG, I did not know this is so dangerous! I shall immediately pull the power cord from my TV as it is on my network and I do not want some nasty hacker watching my new TV!

Seriously, I hate people with partial knowledge making exclusive, final statements. Normally I do not spend any time answering such "experts'" wise claims, but this one bugged me as it is a very dangerous one. Actually, my wife made me answer, as she was horrified by that reply - even though she is working toward her medical PhD, she has used computers and VPN for years, under my wing. And, as I can type faster than speak...

I learned something about advice, as it is part of my profession: if someone gives you advice that MUST exclusively be followed without giving and asking for any further info, ignore that advice and never ask that person for any advice. This is just the uninformed opinion of that person. Typically, repeating what others said (who also do not know). Example: Which car should I buy. "Expert" replies immediately: This one (imagine any name here). How does this "Expert" know if I need a two seater or a van, terrain or sport car, truck or a bus? But, they always know the one single answer! As a rule, it is the wrong one. Just ask them: Why - and they crumble.

VPN is secure! Are you kidding me? Ridiculous and very dangerous statement! People who do not know better, who need help and guidance will read that and might believe it. It is simpler that way, does not need learning or thinking.

So, you claim PPTP VPN is safe?!? Everybody agrees that PPTP traffic is to be considered unencrypted (absolutely unsecured). Anyone can unencrypt it online, without any knowledge at all! Please, do not trust me, just google e.g. "how to crack pptp". If anyone is using PPTP for VPN, it is worse than using nothing because you THINK you are protected. Stop NOW and use something better!

Other common choice is OpenVPN. Safe? Are you kidding me? Please, everybody, google the word: Heartbleed. Read the page http://heartbleed.com. Possibly the most catastrophic hole ever! Made by a PhD student who does not know basic rules of programming. You think this is the only problem? Check https://www.openssl.org/news/vulnerabilities.html.

I claim that anyone saying: "VPN is safe." is a very dangerous person and does not know what they are saying!

You say Port forwarding is dangerous. Educate us which problems it can cause. Assume that only port 554 is forwarded from external ports > 50000, only cameras with no default passwords, with ssh and telnet disabled and the firewall blocks more than 5 scans in 60 sec (which is the minimum any person should do). To make it easy, assume Hikvision as the most common here. Please, give us at least 3 clear examples what an expert like you can do and how?
 

pila

Regarding security access to own home network, the responsible way would be to write something like the following:

VPN can be the most secure option you can get, and you should use it to access your home network. PPTP VPN should never be used as it has been absolutely not safe in any way for the last 15+ years. OpenVPN must be used exclusively. But, while using OpenVPN, one must check occasionally (at least 1-2 times a year) if some security aspect has been compromised and then upgrade compromised items.

If you are now using OpenVPN, please check the OpenSSL versions you are using and upgrade if necessary. At least to avoid the catastrophic Heartbleed. All info is presented clearly on the Openvpn.net Community Downloads page, where you would download what you need. The changelog for your (OpenVPN server) router firmware or NAS will show versions. If it does not, use something else.

If you just want to experiment with watching your cameras, port forwarding 554 is OK. You set up DDNS and a viewing program on a phone or computer, and it works. You can easily check if someone is attacking you (activate the log in the router showing accepted connections). No need to panic about hackers attacking your router. After experimenting and verifying things work, I would move on to OpenVPN for future prolonged use.

The main real-life problem I see with port forwarding is: when you use an unknown WLAN (WiFi at a café, airport, mall...), you make your sent passwords available for any kid lurking there (snooping net traffic using free tools) and then emit open video. Btw, check the Chinese www.shodan.io. If port forwards are used, add to the router a nat-start script with the forwarding block if more than 3 attempts were made in the last 60 seconds (instead of the standard 5).

You are far more likely to get compromised if you do not have a whitelist firewall on all your connected devices - phones particularly. Or by infecting yourself from the web or e-mail. Any literate kid can infect and steal anything from you using free tools, e.g. MSFVenom. It is a terrible idea to have WPS and UPnP enabled in a router (typically by default). Use of default passwords? What security measure will help Apple phone users who were buying infected apps from their store for years when these apps installed something evil to monitor anything they type on their phone and send that info to evil people? VPN not, firewall could.

If you want a better way to access your home network from outside, you need an OpenVPN server installed in your network (a VPN-enabled router is the best choice). Then add OpenVPN clients and certificates to all computers and phones which will be connecting remotely to your home network. All free. DD-WRT router software is not suited for regular people. Probably the easiest way to an excellent OpenVPN server is any Asus router supporting the Asuswrt-Merlin firmware.

But, with VPN it will get more complicated. Any phone must have a Firewall and VPN will force you to root your phone to install it. You will have to both connect to VPN and deactivate it manually to access your LAN from outside. You will not be able to use just any computer to peek at your cameras. Also, you will need to learn about issuing and revoking keys, certificates - likely a major pain. But, you will be safe.

Nothing is absolutely secure! Any single measure will never protect you completely in every situation (car crash, burglary, hackers, health...)!

Given that, if you have a firewall in whitelist mode installed on each Internet connected device (firewall on a router is implied), learn a few basics, have well deployed OpenVPN and are checking the news - you have the best you can get and you are extremely secure.

Please, do not trust me or anything you find on the internet before you properly check the author! Too many dangerous "experts" exist, making claims lacking explanation. Check my words, too.
 

nayr

> I claim that anyone saying: "VPN is safe." is a very dangerous person and does not know what they are saying!
>
> You say Port forwarding is dangerous. Educate us which problems it can cause. Assume that only port 554 is forwarded from external ports > 50000, only cameras with no default passwords, with ssh and telnet disabled and the firewall blocks more than 5 scans in 60 sec (which is the minimum any person should do). To make it easy, assume Hikvision as the most common here. Please, give us at least 3 clear examples what an expert like you can do and how?

Where did I make the claim that VPN was safe and secure? I said port forwarding was foolish.. I don't believe I have ever said any software was ever safe.. You're putting a bunch of words in my mouth.. I don't give a fuck about your TV.. unless it has a camera in it, it's not recording you.

Example 1: When developing software against a Hikvision camera I found out when I sent a malformed authentication header it let me in.. the credentials were entirely invalid, it should have never let me connect.. but it did and gave me access to everything.. and that was a pure accident.

Example 2: Many IP cameras have hardcoded backdoor logins that can't be disabled and are not documented. Even on the RTSP stream, I own some just like this. If I am looking for cameras I am connecting right to port 554 without bothering with a full scan to trigger your firewall that nobody has configured in such a way.. Are you sure your cams don't have any backdoor logins? How are you sure? Taking someone's word for it, huh? OpenVPN's code is available and it's been audited, don't take their word for it.

Example 3: Remote access implies you're on an untrusted network, sending your credentials in plain text so anyone within wireless range can now break through your network.

Example 4: When a VPN or a router gets a published security issue an update is posted near instantly, so you can fix the issues quickly and move on your way... when exactly is your Hikvision going to get an anti-poodle firmware? lol enjoy your brick when they do.. OpenVPN has a CERT response team that fixes security issues quickly and correctly, where is Hikvision's CERT response? It don't exist.

Example 5: Your cameras run full blown operating systems with no automatic updates, and practically zero updates to ever speak of.. you tell me, mr smarty pants, is this a good thing to expose to the internet?

Example 6: Did your camera force you to change the default passwords before allowing you to do anything else with it? No? Are devices designed to be exposed to the internet supposed to be designed like this? No! Most people don't even bother with changing the passwords and that's a huge problem.. If they can't make any effort to do secure-by-default then they obviously did not make any serious effort to secure anything... what exactly is OpenVPN's default login again? I forgot.

Chill the fuck out, I said forwarding Ports was a foolish idea.. and it is, nothing you have ranted about has changed that fact... no security is perfect, but VPN is much more ideal than whatever shit software is on your ipcam.. I'll take OpenVPN and all the OpenSSL issues any day over any of that stolen junk china code running on my cams.

I've gone out of my way to do big ass detailed security evaluations like that, but nobody reads them... I'd have gladly helped the OP if they had come back and asked for advice on setting up a VPN, what type of VPN, why to use a VPN, etc.. but they didn't, so a big ass fuck all security rant was nothing anybody needed.. if someone can't be bothered to do basic research on what a VPN is then I can't be bothered to help them deploy it.. security is an active thing, someone can't do it for you while you remain ignorant.. a lock on a door is useless if the user does not understand what it does and how to use it.
 
Joined
Mar 14, 2016
> OMG, I did not know this is so dangerous! I shall immediately pull the power cord from my TV as it is on my network and I do not want some nasty hacker watching my new TV!

Pretty much stopped reading after this--your TV isn't accessible outside of the network, unless you forwarded some port on your router to your TV...

> You say Port forwarding is dangerous. Educate us which problems it can cause. Assume that only port 554 is forwarded from external ports > 50000, only cameras with no default passwords, with ssh and telnet disabled and the firewall blocks more than 5 scans in 60 sec (which is the minimum any person should do). To make it easy, assume Hikvision as the most common here. Please, give us at least 3 clear examples what an expert like you can do and how?

Slow scan, random ping, I'm sure there are other methods. SSH and telnet being disabled doesn't matter outside the local network, btw, unless the services were all available through the same port for some reason. Anyway, I don't think arguing that portforwarding your camera is "safe" is any better than arguing VPNs are "secure", at least going by what you yourself wrote. I should consider it uninformed opinion.
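
An added example, not part of the thread: the router-log check pila describes (log accepted connections, flag a source after more than 3 attempts in 60 seconds), run over constructed log lines. It also reports the sources raised in the replies, a slow scan and a single direct connection, which reach the forwarded ports without ever hitting that threshold. The log format, addresses and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (hypothetical format: ISO time, action, SRC=, DPT=).
# External ports follow the 1554/2554/3554/380 scheme described in the thread.
SAMPLE_LOG = """\
2016-03-20T10:00:00 ACCEPT SRC=198.51.100.7 DPT=1554
2016-03-20T10:00:05 ACCEPT SRC=198.51.100.7 DPT=2554
2016-03-20T10:00:09 ACCEPT SRC=198.51.100.7 DPT=3554
2016-03-20T10:00:12 ACCEPT SRC=198.51.100.7 DPT=380
2016-03-20T10:01:00 ACCEPT SRC=203.0.113.40 DPT=1554
2016-03-20T10:02:30 ACCEPT SRC=203.0.113.40 DPT=2554
2016-03-20T10:04:00 ACCEPT SRC=203.0.113.40 DPT=3554
2016-03-20T10:05:30 ACCEPT SRC=203.0.113.40 DPT=380
2016-03-20T10:07:00 ACCEPT SRC=192.0.2.99 DPT=1554
""".splitlines()


def parse(line):
    """Split one log line into (timestamp, action, source IP, dest port)."""
    ts, action, src, dpt = line.split()
    return (datetime.fromisoformat(ts), action,
            src.split("=", 1)[1], int(dpt.split("=", 1)[1]))


def review(lines, max_hits=3, window=60):
    """Return (burst, quiet).

    burst: sources with more than max_hits accepted connections inside any
           window-second span (what the rate-limit rule would block).
    quiet: sources that reached forwarded ports without ever exceeding it,
           mapped to the ports they reached (what the rule lets through).
    """
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    ports = defaultdict(set)     # src -> forwarded ports it reached
    burst = set()
    for ts, action, src, dpt in sorted(map(parse, lines)):
        if action != "ACCEPT":
            continue
        ports[src].add(dpt)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > max_hits:
            burst.add(src)
    quiet = {s: sorted(p) for s, p in ports.items() if s not in burst}
    return burst, quiet


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

The `quiet` result is the list to read: every entry reached a camera port, and the camera's own authentication was the only remaining control.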
 