WAN access for NVR PoE Camera
- Thread starter Kandeman
- Start date
Remember to take notes on the responses you get from ping, these can help. "Reply timed out." differs greatly from "Destination host unreachable."
ok let's play Bamboozel....
Baseline test
PC using DHCP
192.168.0.7 IP
255.255.255.0 SN
192.168.0.1 GW
61.9.134.49 DNS1
61.9.133.193 DNS2
I set the PC to
192.168.0.7 IP
255.255.255.0 SN
192.168.0.1 GW
192.168.0.1 DNS1
8.8.8.8 DNS2
and
192.168.0.7 IP
255.255.255.0 SN
192.168.0.1 GW
8.8.8.8 DNS1
to test different combinations of DNS servers and in all cases I can ping smtp.gmail.com with similar results:
Pinging gmail-smtp-msa.l.google.com [74.125.204.108] with 32 bytes of data:
Reply from 74.125.204.108: bytes=32 time=156ms TTL=42
Reply from 74.125.204.108: bytes=32 time=157ms TTL=42
Reply from 74.125.204.108: bytes=32 time=155ms TTL=42
Reply from 74.125.204.108: bytes=32 time=157ms TTL=42
Ping statistics for 74.125.204.108:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 155ms, Maximum = 157ms, Average = 156ms
Test gateway 1
So then I configured the PC to:
192.168.254.4 IP
255.255.255.0 SN
192.168.0.150 GW
192.168.0.1 DNS1
8.8.8.8 DNS2
and plugged it into a spare PoE port on the NVR
ping 192.168.254.1
Pinging 192.168.254.1 with 32 bytes of data:
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Ping statistics for 192.168.254.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
ping 192.168.0.150
Pinging 192.168.0.150 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=17ms TTL=63
Reply from 192.168.0.1: bytes=32 time=16ms TTL=63
Reply from 192.168.0.1: bytes=32 time=12ms TTL=63
Reply from 192.168.0.1: bytes=32 time=10ms TTL=63
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 17ms, Average = 13ms
ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ping smtp.gmail.com
Ping request could not find host smtp.gmail.com. Please check the name and try again.
Changing the DNS to any combination of DNS servers didn't effect the result.
Test gateway 2
IP 192.168.254.4
subnet 255.255.255.0
gateway 192.168.254.1
DNS1 192.168.0.1
DSN2 8.8.8.8
exactly the same results as above
Changing the DNS to any combination of DNS servers didn't effect the result.
Test gateway 3
IP 192.168.254.4
subnet 255.255.255.0
gateway 192.168.0.1
DNS1 192.168.0.1
DSN2 8.8.8.8
Pinging 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ping 192.168.0.150
Pinging 192.168.0.150 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.150:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ping 192.168.254.1
Pinging 192.168.254.1 with 32 bytes of data:
Reply from 192.168.254.1: bytes=32 time<1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Ping statistics for 192.168.254.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ping smtp.gmail.com
Ping request could not find host smtp.gmail.com. Please check the name and try again.
Changing the DNS to any combination of DNS servers didn't effect the result.
Baseline test
PC using DHCP
192.168.0.7 IP
255.255.255.0 SN
192.168.0.1 GW
61.9.134.49 DNS1
61.9.133.193 DNS2
I set the PC to
192.168.0.7 IP
255.255.255.0 SN
192.168.0.1 GW
192.168.0.1 DNS1
8.8.8.8 DNS2
and
192.168.0.7 IP
255.255.255.0 SN
192.168.0.1 GW
8.8.8.8 DNS1
to test different combinations of DNS servers and in all cases I can ping smtp.gmail.com with similar results:
Pinging gmail-smtp-msa.l.google.com [74.125.204.108] with 32 bytes of data:
Reply from 74.125.204.108: bytes=32 time=156ms TTL=42
Reply from 74.125.204.108: bytes=32 time=157ms TTL=42
Reply from 74.125.204.108: bytes=32 time=155ms TTL=42
Reply from 74.125.204.108: bytes=32 time=157ms TTL=42
Ping statistics for 74.125.204.108:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 155ms, Maximum = 157ms, Average = 156ms
Test gateway 1
So then I configured the PC to:
192.168.254.4 IP
255.255.255.0 SN
192.168.0.150 GW
192.168.0.1 DNS1
8.8.8.8 DNS2
and plugged it into a spare PoE port on the NVR
ping 192.168.254.1
Pinging 192.168.254.1 with 32 bytes of data:
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Ping statistics for 192.168.254.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
ping 192.168.0.150
Pinging 192.168.0.150 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=17ms TTL=63
Reply from 192.168.0.1: bytes=32 time=16ms TTL=63
Reply from 192.168.0.1: bytes=32 time=12ms TTL=63
Reply from 192.168.0.1: bytes=32 time=10ms TTL=63
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 10ms, Maximum = 17ms, Average = 13ms
ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ping smtp.gmail.com
Ping request could not find host smtp.gmail.com. Please check the name and try again.
Changing the DNS to any combination of DNS servers didn't effect the result.
Test gateway 2
IP 192.168.254.4
subnet 255.255.255.0
gateway 192.168.254.1
DNS1 192.168.0.1
DSN2 8.8.8.8
exactly the same results as above
Changing the DNS to any combination of DNS servers didn't effect the result.
Test gateway 3
IP 192.168.254.4
subnet 255.255.255.0
gateway 192.168.0.1
DNS1 192.168.0.1
DSN2 8.8.8.8
Pinging 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ping 192.168.0.150
Pinging 192.168.0.150 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.0.150:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ping 192.168.254.1
Pinging 192.168.254.1 with 32 bytes of data:
Reply from 192.168.254.1: bytes=32 time<1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Reply from 192.168.254.1: bytes=32 time=1ms TTL=64
Ping statistics for 192.168.254.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 8.8.8.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
ping smtp.gmail.com
Ping request could not find host smtp.gmail.com. Please check the name and try again.
Changing the DNS to any combination of DNS servers didn't effect the result.
alastairstevenson
Staff member
Gateway 2 are the settings to be explored - the others are not valid- but best with the PC IP address outside any referenced in the NVR config, suggest 192.168.254.100
The router can be pinged OK, so routing is working fine, but traffic is not flowing out to the internet.
That's the core of the problem.
You could also check DNS operation for the router -
nslookup smtp.gmail.com 192.168.0.1
I'd expect that to work.
And -
nslookup smtp.gmail.com 8.8.8.8
I'd expect that to fail, as 8.8.8.8 will be unreachable.
Due to -
ping 8.8.8.8
failing.
Presumably there are no 'block rules' in place?
Basically, the router is not supporting packets from the 192.168.254.0 network going out to the internet.
The router can be pinged OK, so routing is working fine, but traffic is not flowing out to the internet.
That's the core of the problem.
You could also check DNS operation for the router -
nslookup smtp.gmail.com 192.168.0.1
I'd expect that to work.
And -
nslookup smtp.gmail.com 8.8.8.8
I'd expect that to fail, as 8.8.8.8 will be unreachable.
Due to -
ping 8.8.8.8
failing.
Presumably there are no 'block rules' in place?
Basically, the router is not supporting packets from the 192.168.254.0 network going out to the internet.
This is somewhat confusing too, why does the NVR not reply to ping, but forwards traffic correctly router behind it that does reply?
Maybe the router cannot NAT the traffic properly for internet connectivity to work. And so there is no way back to the PC behind NVR.
So on my PC on the normal network:
ipconfig /all
IPv4 Address. . . . . . . . . . . : 192.168.0.7(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 61.9.134.49
61.9.133.193
nslookup smtp.gmail.com 192.168.0.1
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.1
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
nslookup smtp.gmail.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: gmail-smtp-msa.l.google.com
Addresses: 2404:6800:4008:c06::6c
64.233.188.108
64.233.188.109
Aliases: smtp.gmail.com
If I change the DNS to only 192.168.0.1 it fails any DNS request but if 8.8.8.8 works fine. That's new information but doesn't really help but worth a try
I then changed the PC back to:
192.168.254.100
255.255.255.0
192.168.254.1
8.8.8.8
and plugged back into the PoE port and it's the same result as before so I think your theory of "Basically, the router is not supporting packets from the 192.168.254.0 network going out to the internet." appears true.
No block rules in place but the Telco (whom I work for) have locked the modem down quite considerably so I expect that something they have done is preventing this from working. I'll make some inquiries internally to see what I can find out.
ipconfig /all
IPv4 Address. . . . . . . . . . . : 192.168.0.7(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 61.9.134.49
61.9.133.193
nslookup smtp.gmail.com 192.168.0.1
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.1
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
nslookup smtp.gmail.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name: gmail-smtp-msa.l.google.com
Addresses: 2404:6800:4008:c06::6c
64.233.188.108
64.233.188.109
Aliases: smtp.gmail.com
If I change the DNS to only 192.168.0.1 it fails any DNS request but if 8.8.8.8 works fine. That's new information but doesn't really help but worth a try
I then changed the PC back to:
192.168.254.100
255.255.255.0
192.168.254.1
8.8.8.8
and plugged back into the PoE port and it's the same result as before so I think your theory of "Basically, the router is not supporting packets from the 192.168.254.0 network going out to the internet." appears true.
No block rules in place but the Telco (whom I work for) have locked the modem down quite considerably so I expect that something they have done is preventing this from working. I'll make some inquiries internally to see what I can find out.
I found this which applies to my modem but I struggle to understand if a) its the reason and will help 2) how to implement iii) sequences
Netgear C6300BD
Guide to Setup Static Routes on Telstra Gateway Max C6300DB
Purpose
This guide will describe how to workaround a setup for static routes where destination IP addresses are in the same subnet as the gateway itself.
example
If you want to firewall your network, run your own website filter, block connections between particular devices, run bandwidth management, throttling, QoS or other reason.
You end up with network traffic that flows along this path
/<-> Normal Devices
Internet <-> C6300BD -> Your Static Gateway -> Filtered Devices
\<-----optional bypass return+-----</
Note: all devices are still physically connected directly to the C6300DB and can be either wired or wireless, only the data flow direction is altered. For best results,your static gateway should be wired.
Reasoning
The reason for this guide is the poor implementation of Static Routes on the C6300DB. On any other router or operating system this is trivial. Simply set the static route as follows:
Destination: <device ip or first ip in block range>
Netmask: <appropriate netmask for ip or range>
Gateway: <your static gateway>
However on the Gateway Max, priority is given to the automatically determined routes and therefore the routing table doesn't follow the rules for longest prefix match for static routes in the same subnet as the router. Therefore it ignores the static route if the device is directly contactable, this behaviour is what we are working around.
Workaround Instructions
Strategy
We split the standard 192.168.0.0/24 subnet into two /25 subnets, one for normal devices and one for filtered. With a device that is linking the two, your static gateway.
This is the general strategy but you can tweak or modify the size of the subnets as you see fit. You can also choose to have a direct return path to the router so traffic is only filtered in one direction. Otherwise, the return path will be through your static gateway. This will reduce the load if your static gateway only has one ethernet port.
Steps
(optional) Factory reset your device by holding the reset switch at the back of the modem for more than 10 seconds, also note the device must not be in bridge mode, and obviously you wouldn't want it that way if you are following this guide.
DNS
You could disable the built in DHCP server and run your own instead of statically configuring IP addresses for each filtered device. Configure your DHCP server with the following:
Normal Device IPs: 192.168.0.3 – 192.168.0.126
Filtered Device IPs: 192.168.0.129 – 192.168.0.254
Netmask: 255.255.255.0
Gateway: 192.168.0.1 for direct, or, 192.168.0.2 for two way filtering, your choice, you could even split for normal or filtered ip ranges
DNS: <dns instruction above> or your choice
Another alternative is to place the Gateway Max router in bridge mode and purchase another router with a proper static route implementation and connect your network from there.
Disclaimer: use at your own risk, for the most part these instructions will produce the desired results on your network, but I take no responsibility for any loss in productivity if you mess up your network. I do offer this advice, the factory reset switch is on the back press and hold it for more than 10 seconds.
+technically, the optional bypass return, shouldn't work due to the subnet differences between the gateway max and filtered devices, but lets face it, this modem is buggy and it does work. Though your filtered devices may not be able to connect to the normal devices. If that is an issue don't bypass, simply set Your Static Gateway (192.168.0.2) as the default gateway for the filtered devices.
Netgear C6300BD
Guide to Setup Static Routes on Telstra Gateway Max C6300DB
Purpose
This guide will describe how to workaround a setup for static routes where destination IP addresses are in the same subnet as the gateway itself.
example
If you want to firewall your network, run your own website filter, block connections between particular devices, run bandwidth management, throttling, QoS or other reason.
You end up with network traffic that flows along this path
/<-> Normal Devices
Internet <-> C6300BD -> Your Static Gateway -> Filtered Devices
\<-----optional bypass return+-----</
Note: all devices are still physically connected directly to the C6300DB and can be either wired or wireless, only the data flow direction is altered. For best results,your static gateway should be wired.
Reasoning
The reason for this guide is the poor implementation of Static Routes on the C6300DB. On any other router or operating system this is trivial. Simply set the static route as follows:
Destination: <device ip or first ip in block range>
Netmask: <appropriate netmask for ip or range>
Gateway: <your static gateway>
However on the Gateway Max, priority is given to the automatically determined routes and therefore the routing table doesn't follow the rules for longest prefix match for static routes in the same subnet as the router. Therefore it ignores the static route if the device is directly contactable, this behaviour is what we are working around.
Workaround Instructions
Strategy
We split the standard 192.168.0.0/24 subnet into two /25 subnets, one for normal devices and one for filtered. With a device that is linking the two, your static gateway.
This is the general strategy but you can tweak or modify the size of the subnets as you see fit. You can also choose to have a direct return path to the router so traffic is only filtered in one direction. Otherwise, the return path will be through your static gateway. This will reduce the load if your static gateway only has one ethernet port.
Steps
(optional) Factory reset your device by holding the reset switch at the back of the modem for more than 10 seconds, also note the device must not be in bridge mode, and obviously you wouldn't want it that way if you are following this guide.
DNS
- login to the Gateway Max
- click 'Advanced View'
- click 'Broadband Connection'
copy the IPs of the Primary and Secondary DNS servers
- log into your Gateway Max, accessible from http://192.168.0.1, default is 'admin' and 'password'
- click 'Advanced View'
- click 'Games and Services' then 'Static Routes'
- click to add a route
Destination: 192.168.0.128
Netmask: 255.255.255.128
Gateway: 192.168.0.2 - click 'Apply' to add it to the table and then 'Apply' to submit the form
- click 'Local Area Network'
- alter the subnet, starting and ending ips
Subnet Mask: 255.255.255.128
Starting IP: 192.168.0.3
Ending IP: 192.168.0.126 - click 'Apply' the router will reboot
- now configure Your Static Gateway with
IP: 192.168.0.2
Netmask: 255.255.255.0
Gateway: 192.168.0.1
DNS: <dns instruction above> or your choice - then configure your filtered devices with
IP: 192.168.0.129 – 192.168.0.254
Netmask: 255.255.255.0
Gateway: 192.168.0.2 or optionally bypass for a direct return with 192.168.0.1+
DNS: <dns instruction above> or your choice
You could disable the built in DHCP server and run your own instead of statically configuring IP addresses for each filtered device. Configure your DHCP server with the following:
Normal Device IPs: 192.168.0.3 – 192.168.0.126
Filtered Device IPs: 192.168.0.129 – 192.168.0.254
Netmask: 255.255.255.0
Gateway: 192.168.0.1 for direct, or, 192.168.0.2 for two way filtering, your choice, you could even split for normal or filtered ip ranges
DNS: <dns instruction above> or your choice
Another alternative is to place the Gateway Max router in bridge mode and purchase another router with a proper static route implementation and connect your network from there.
Disclaimer: use at your own risk, for the most part these instructions will produce the desired results on your network, but I take no responsibility for any loss in productivity if you mess up your network. I do offer this advice, the factory reset switch is on the back press and hold it for more than 10 seconds.
+technically, the optional bypass return, shouldn't work due to the subnet differences between the gateway max and filtered devices, but lets face it, this modem is buggy and it does work. Though your filtered devices may not be able to connect to the normal devices. If that is an issue don't bypass, simply set Your Static Gateway (192.168.0.2) as the default gateway for the filtered devices.
alastairstevenson
Staff member
Wow! It does sound like that router isn't able to behave like you'd expect it to.
Definitely worth asking about that of there is someone knowledgeable - your use case is easy enough to describe.
Whether it's a routing or a NAT restriction is guesswork.
With a Natted connection out to the internet, the router needs to maintain the mapping table linking the external address to the internal one, in this case on the POE subnet.
Definitely worth asking about that of there is someone knowledgeable - your use case is easy enough to describe.
Whether it's a routing or a NAT restriction is guesswork.
With a Natted connection out to the internet, the router needs to maintain the mapping table linking the external address to the internal one, in this case on the POE subnet.
alastairstevenson
Staff member
Yes, we expect all interfaces to respond to ICMP packets - but they don't have to, it's not mandatory. This will be down to the internal configuration of the kernel in the NVR.
alastairstevenson
Staff member
I spoke with some techs from work and the issue with the modern is not solvable without putting it into bridge mode and running a seperate router, given we are close to changing to docsis 3.1 I'll be due for a new modem soon
So I've been able to get an SMTP relay working on my NAS and can send email from my phone via the relay but the NVR still fails "Testing Failed"
I have tested NTP with the IP of my NAS time server and that works but email doesn't.
I have it setup as simply as I can e.g. no mail encryption and no authentication
Not sure what to try now.
I have tested NTP with the IP of my NAS time server and that works but email doesn't.
I have it setup as simply as I can e.g. no mail encryption and no authentication
Not sure what to try now.
I put my existing gateway into Bridge Mode and added an ASUS router and email now works fine from the camera's using virtual host and a static route. Thank you Alastair for all your help.
alastairstevenson
Staff member