socat lets me connect from off-site directly to stream rtsp PLUS defeat 5 min limit

[Kenneth Anderson]

That sounds pretty resource intensive given the cameras have motion and intrusion detection, and can easily be interfaced for alerts over protocols like ONVIF. But of course whatever you think works best for you.

I suspect the connection limitation is not caused by the Hikvision cameras in this case. The non local subnet detection and corresponding forced connection drop out by the cameras themselves I think is a red herring. As many have said, streaming from the cameras for hours or days to a public IP is common place.

FYI I myself use Linux as a router between public WAN and private LAN using iptables, NAT etc.

This ONVIF is all new since I installed the cams for their first existence. Not that it didn't exist at all, but it just wasn't a front and center thing back then. How would bash scripting interface to the event detections? That would be a very good thing for me to learn.

 

[watchful_ip]

You might want to try the command (I added with an edit probably after you read it) - I think that may potentially shed light on why you had issues with 300 second timeouts.

For ONIVF a perl or python script is more helpful than bash.

 

[Kenneth Anderson]

That sounds pretty resource intensive given the cameras have motion and intrusion detection, and can easily be interfaced for alerts over protocols like ONVIF. But of course whatever you think works best for you.

I suspect the connection limitation is not caused by the Hikvision cameras in this case. The non local subnet detection and corresponding forced connection drop out by the cameras themselves I think is a red herring. As many have said, streaming from the cameras for hours or days to a public IP is common place.

FYI I myself use Linux as a router between public WAN and private LAN using iptables, NAT etc.

You might want to check the below command on your linux router

sysctl -a 2>/dev/null | grep -e "net.* 300$"

You haven't given me enough context about your setup to continue here.

 

[Kenneth Anderson]

You might want to try the command (I added with an edit probably after you read it) - I think that may potentially shed light on why you had issues with 300 second timeouts.

For ONIVF a perl or python script is more helpful than bash.

I can talk in terms of any scripting language you're familiar with. Just show me some code that taps into the alerts the cams send to an NVR.

 

[watchful_ip]

I can talk in terms of any scripting language you're familiar with. Just show me some code that taps into the alerts the cams send to an NVR.

After 20+ years of being a systems administrator, that's quite a list. I think I'll simply wish you well and leave it there.

 

[Kenneth Anderson]

I do receive your kind sentiments. Thank you!

 

[Securame]

I assume you use fewer re-purposed components in your system or otherwise buy some of them, like NVR software? Maybe even an NVR box? If so, we would obviously have different experiences.

You can remove all the components from that equation, and just use the camera. You can open the web/RTSP ports on your router to one of those cameras, connect from the outside world to your public IP (using web interface or RTSP, whatever), and you will see there is no time limitation either using web interface or RTSP.

No idea which one of all the pieces you are adding between you and the camera is adding (or was adding) that limitation.

 

[Kenneth Anderson]

You can remove all the components from that equation, and just use the camera. You can open the web/RTSP ports on your router to one of those cameras, connect from the outside world to your public IP (using web interface or RTSP, whatever), and you will see there is no time limitation either using web interface or RTSP.

No idea which one of all the pieces you are adding between you and the camera is adding (or was adding) that limitation.

Oh I'm quite happy the way things are with the socat line. Just went all night long with all four cameras streaming to me over the internet, a happy milestone! I have a very plausible explanation and have no reason to question it. It is not all that easy to firewall off Communist Momma Hikvision while allowing the camera to stream to an external address, so I'm pretty sure you'll need some help replicating the ruleset, if I could get you to be the one to try something. Could you get access to a setup on which you could try the scenario I suggest? One step in the process might involve logging addresses that the camera tries to notify whenever an external IP device requests an rtsp stream from it, then maybe doing a whois on that address then blocking it from being a destination or source or both. I could be more detailed if I knew some specifics of what you've got going as far as hardware, OS, software, admin freedom, etc.

 

[Kameraad]

It is not all that easy to firewall off Communist Momma Hikvision while allowing the camera to stream to an external address.

No, this is actually pretty easy. You can block them entirely and just use a vpn like almost everybody here on the forum

 

[Kenneth Anderson]

No, this is actually pretty easy. You can block them entirely and just use a vpn like almost everybody here on the forum

No VPN needed for me, like I say. You're the one who said you had "no idea" in your last post, remember? I'm not at all curious.

 

[Kenneth Anderson]

No, this is actually pretty easy. You can block them entirely and just use a vpn like almost everybody here on the forum

So I just looked again into VPN. As I understand it, I would become dependent on yet another third party and their limitations and their future decisions for every single freaking packet. ABSOLUTELY AGAINST MY DESIRE FOR INDEPENDENCE AND SIMPLICITY! Enough said. I'm the one who has to troubleshoot problems when something isn't working as expected, and I don't freaking need more complexity!!! I spent enough years as a system admin not being given enough rights on networks where I had to fix things. We ain't going in that direction again, to bring in a third party where my hands are tied from being able to troubleshoot in envisioned malfunctions.

 

[Kameraad]

No VPN needed for me, like I say. You're the one who said you had "no idea" in your last post, remember? I'm not at all curious.

That wasn't me buddy..

HIKVISION 4MP DS-2CD2345FWD-I DARKFIGHTER FIXED 2.8MM IR CCTV IP CAMERAS TURRET | eBay
(I know VPNs are all the rage, but I've never felt the need for one. [I emphasize the word "felt".] My internet traffic has never struck me as being interesting enough to protect beyond the layperson's level. I hope this won't turn into a discussion of how important VPNs are to everyone life, which I will grant you is very probably the case. I think I looked into the VPN thing and wasn't there a certificate you would have to get and maintain? And doesn't the switch/router have to be capable and configured? That made it not worth my while to learn any more, given my schedule competing frantically against the vandals of the property I'm protecting requiring very tight change control needs, and other things.)

So I just looked again into VPN. As I understand it, I would become dependent on yet another third party and their limitations and their future decisions for every single freaking packet. ABSOLUTELY AGAINST MY DESIRE FOR INDEPENDENCE AND SIMPLICITY! Enough said. I'm the one who has to troubleshoot problems when something isn't working as expected, and I don't freaking need more complexity!!!

You really don't have a clue.. You should really "look into it" again because you obviously have no idea what your talking about and you're making a fool of yourself. With a VPN your not dependable of a third party if you host it yourself, i.e OpenVPN.

 

[watchful_ip]

Though I had intended to leave this thread to it's own devices, I'd like to make it clear to anyone reading it that the limitation asserted by the OP is not present. (Hik-connect excepted).

My setup is likely more adapted than the OPs as I look at the code that actually runs on the cameras, adapt it to my needs, compile software that runs on them with a custom backend that is a linux server + router (not NVR) with custom video extraction (the cameras are NFS servers exporting their storage not clients as is the norm), ONVIF event monitoring and alerting/control that integrate with my media center and lots of other things I won't bore everyone with.

I've explained the OPs 300 second limitation is likely due to their linux router setup (and associated values seen in sysctl) and not an internal/external subnet handicap imposed by Hikvision.

I don't use a VPN, but rather SSH. Nonetheless VPNs are still the recommended solution for a multitude of reasons including that they encrypt everything and don't expose the interface of the camera to the public Internet relying on security through obscurity (e.g. port knocking). VPNs don't have to cost any money nor rely on a third party rather using free open source/publicly audited code and free self signed certificates.

OP: of course do whatever works for you the best, but please stop asserting things that are not true and then encouraging setups that are not best practice based on it. I recognize you genuinely believe them based on your experience with your bespoke setup, but they don't hold true outside of it.

 

[Kenneth Anderson]

The socat solution is merely an alternative one can use. No harm in it. Nothing to fear. Enough said, except that the nohup with '&' might not be necessary when using socat due to it may perform that functionality on its own.