Do any of you actually use Dahua P2P for external access to your cams?

cctv-dave

Getting the hang of it
Joined
Mar 25, 2021
Messages
128
Reaction score
87
Location
yes
Moreover, your phone should be receiving monthly security updates - NVR makers not only fail to provide regular updates but they don't even patch them for many months if ever once they know about them.
So do phone makers and those that write the OS for them and everything else.
By obsoleting the devices instead of fixing the problems, they abdicate their responsibility for the security vulnerabilities they created.
They pass that cost on to the consumer and since people cannot afford to, or don't wish to change their devices, it creates attack opportunities.

One good thing about open source is that you can if you choose, constantly upgrade the OS and patch things without having to throw them away.

You have to be really stupid to place an NVR on your lan and use p2p.
This is a very sweeping statement and in isolation.
Should we create a list of things it would be stupid to put on your LAN ?
Any device made by amazon, apple, google, microsoft, sony and others - which are all harvesting/mining your data and some use your network to transfer the data of others.
Any IoT other device which phones home?
Any ISP provided router, which mostly have a backdoor for them to do maintenance to - and whatever else they choose you didn't read the T&C about.
It isn't an exhaustive list by any means but covers things most consumers are carefree about.

P2P helps the majority of people (consumers and installers) gain access to their NVRs without compromising security further through enabling external port forwarding, which is how everyone used to do it.
By just saying "P2P is bad" it offers no suitable user friendly alternative than suggesting no internet access period.
VPN setup is beyond the capabilities of most end users and certainly your ISP router (or even many commercial ones) more than likely doesn't support any user friendly modern solutions (eg. wireguard, openvpn).
Being pragmatic, P2P is the lesser of evils.
 

hesiod

n3wb
Joined
Aug 23, 2021
Messages
8
Reaction score
8
Location
Europe
Here every category of devices on my LAN is segmented in vlans and each that needs WiFi has a separate SSID.

vlan 'main' for the trusted office computers, printers, scanners, and other AV devices who need to be able to communicate together
vlan 'security' for NVR + IPC and any other security related devices
vlan 'domotics', for all my WiFi relays, but also charging station, robot vacuum and thermostat
vlan 'av' for all audio-video devices
vlan 'guests' for all unknown devices of visitors, friends,...
vlan 'tech' mostly used when I need to prep new devices for customers
vlan 'test' for temporary testing

For my main network I check which devices need Internet access, and any that don't or I absolutely don't want to, are blocked.
For example IPC are always blocked, only the NVR P2P is allowed to go online, the guest network only allows http(s) traffic, all other ports are blocked.
In case I have a guest needing to use VPN I could simply disable the blocking temporarily.

Domotics are cloud based but also some part could be managed locally, so there I blocked everything and then looked which ports were used and only allowed the ports in use.
Also any other remote unknown ports are blocked, this could be a problem for an NVR sometimes, depending on the number of cameras, as each IPC stream from the NVR uses 1 to 2 ports within a certain port range. So it's tricky if you have multiple users streaming through P2P at the same time.

As for vlan to vlan communication, I only allow a certain group of trusted devices to connect to the NVR and domotics.
A guest would never be able to connect to the NVR and vice versa.

For the main network new devices should be whitelisted before they could access the Internet.

Incoming, no ports are open at all, except sometimes for a letsencrypt certificate renewal. Which by the way would be a great addition to any NVR...

Is it 100% bulletproof? Not at all... But what else could I do.
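
The policy hesiod describes, sketched as an nftables ruleset for a Linux router; this is an added example, not configuration posted by anyone in the thread. The interface names, addresses, trusted and whitelisted host sets, and the domotics port list are constructed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny inter-VLAN policy modelled on the post above.
# All names, addresses and port lists below are constructed assumptions.
flush ruleset

define WAN     = "eth0"
define V_MAIN  = "eth1.10"      # trusted office devices
define V_SEC   = "eth1.20"      # NVR + IP cameras
define V_DOMO  = "eth1.30"      # relays, thermostat, charging station
define V_GUEST = "eth1.50"      # visitors
define NVR     = 192.168.20.10

table inet filter {
    set trusted_hosts {         # main-VLAN devices allowed to reach NVR/domotics
        type ipv4_addr
        elements = { 192.168.10.21, 192.168.10.22 }
    }
    set main_online {           # main-VLAN devices whitelisted for Internet access
        type ipv4_addr
        elements = { 192.168.10.21, 192.168.10.22, 192.168.10.30 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        # Router-local DNS and DHCP for the VLANs; nothing is open from the WAN.
        iifname != $WAN udp dport { 53, 67 } accept
        iifname != $WAN tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Security VLAN: only the NVR may go online (for P2P).
        # Cameras match no rule and fall through to the drop policy.
        iifname $V_SEC oifname $WAN ip saddr $NVR accept

        # Guests: http(s) only, and no rule towards any other VLAN.
        iifname $V_GUEST oifname $WAN tcp dport { 80, 443 } accept

        # Main VLAN: only whitelisted devices reach the Internet.
        iifname $V_MAIN oifname $WAN ip saddr @main_online accept

        # Domotics: only the cloud ports observed in use (constructed list).
        iifname $V_DOMO oifname $WAN tcp dport { 443, 8883 } accept

        # VLAN to VLAN: trusted devices only, towards the NVR and domotics.
        iifname $V_MAIN oifname $V_SEC ip saddr @trusted_hosts ip daddr $NVR accept
        iifname $V_MAIN oifname $V_DOMO ip saddr @trusted_hosts accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }
}
```

Because the forward chain drops by default, a new device on any VLAN has no Internet or cross-VLAN access until it is added to a set or a rule.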
 

cctv-dave

Getting the hang of it
Joined
Mar 25, 2021
Messages
128
Reaction score
87
Location
yes
Which is great, but you are not a typical end user nor installer.
Be proud of that ;)
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
So do phone makers and those that write the OS for them and everything else.
By obsoleting the devices instead of fixing the problems, they abdicate their responsibility for the security vulnerabilities they created.
They pass that cost on to the consumer and since people cannot afford to, or don't wish to change their devices, it creates attack opportunities.

One good thing about open source is that you can if you choose, constantly upgrade the OS and patch things without having to throw them away.



This is a very sweeping statement and in isolation.
Should we create a list of things it would be stupid to put on your LAN ?
Any device made by amazon, apple, google, microsoft, sony and others - which are all harvesting/mining your data and some use your network to transfer the data of others.
Any IoT other device which phones home?
Any ISP provided router, which mostly have a backdoor for them to do maintenance to - and whatever else they choose you didn't read the T&C about.
It isn't an exhaustive list by any means but covers things most consumers are carefree about.

P2P helps the majority of people (consumers and installers) gain access to their NVRs without compromising security further through enabling external port forwarding, which is how everyone used to do it.
By just saying "P2P is bad" it offers no suitable user friendly alternative than suggesting no internet access period.
VPN setup is beyond the capabilities of most end users and certainly your ISP router (or even many commercial ones) more than likely doesn't support any user friendly modern solutions (eg. wireguard, openvpn).
Being pragmatic, P2P is the lesser of evils.
Phone makers are notorious for not providing updates. That is why you should look to makers who do provide regular and timely updates like Samsung (on their higher end phones) and Google. The real solution is pure Android on every phone as an option so we can get updates straight from Google, just like we get updates from MS on Windows.
Using your NVR's P2P is dangerous and stupid. These are China companies KNOWN for security issues. It is malpractice to set it up and could and should open you up to liability. If you are using the NVR's p2p and even if using other methods outlined below, you should be setting up a vlan that is completely isolated from the primary network (except maybe an inbound firewall rule to access same).
This forum is full of ways to gain easy access to NVRs remotely including zerotier, tailscale and the like.
Lesser of 2 evils does not make it right or secure.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
for me, i have LTE internet here in the Philippines, it is double-CGNAT, if it was not for the P2P that Dahua offers, it would be nearly impossible for me to have access to my XVR and its cameras remotely using my smartphone.
yes, there are other (difficult) ways to access the XVR and its cameras if P2P did not exist, but it is a complicated and tedious mess of a means to do so.
so i do appreciate that P2P is offered by Dahua and i do hope that the service does not become obsolete or shut down as a result of cost-cutting.
It's not complicated. It's easy peasy. zerotier, tailscale and the like.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
Which is great, but you are not a typical end user nor installer.
Be proud of that ;)
This is why this forum exists. To protect end users from installers who have zero technical skill and simply port forward or use p2p and fail to disclose the security implications to their sucker clients.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
i didn't mention, at no cost to the end user.
Those are free solutions... seems like you didn't bother to look at them.
Also dahua p2p is not free. You are paying for it by lack of security.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
well, i guess you didn't bother to ask what i am using to isolate the Dahua from the LAN.
as i mentioned already, this is LTE internet, double-CGNAT.
i have two LTE modems, one for the LAN, one for the XVR.
the reason isn't for security, it's for bandwidth separation.
You are the one who raised the cost issue - there is none. Two separate internet connections is abnormal - for 99.99999 percent of users with one connection Dahua (china) p2p is a security vulnerability. For someone raising a cost issue, two internet connections is the epitome of cost.
 

hesiod

n3wb
Joined
Aug 23, 2021
Messages
8
Reaction score
8
Location
Europe
Lol, the dude already deleted his account it seems... Maybe he should look into Starlink as main connexion and LTE as back-up.

Which is great, but you are not a typical end user nor installer.
Be proud of that ;)
It's my own company & private network, haven't done that except for one customer, but in most cases overcomplicating things like that is a no go.

It's not complicated. It's easy peasy. zerotier, tailscale and the like.
For most 'simple' installers also known as 'simple' electricians who install easy out of the box systems this is actually difficult. I do have customers who require vpn etc. But if the installer is a one-man job, or small scale, I don't see them doing it tomorrow.
This is why this forum exists. To protect end users from installers who have zero technical skill and simply port forward or use p2p and fail to disclose the security implications to their sucker clients.
The problem is nowadays many installers rely on OLD information found on for example YouTube or some outdated websites where portforwarding and DDNS is explained as the ONLY solution. Even at distributors of Dahua & Hikvision, many trainers still advise to use portforwarding... So, no, customers of such installers are really far from being safe against vulnerability attacks.
On shodan.io you can simply see a high number of Dahua NVR & IPC connected directly to the Internet. Millions of portforwarded devices are at risk.
 

zexoni70

Getting the hang of it
Joined
Dec 12, 2021
Messages
96
Reaction score
83
Location
Serbia
Dear @wittaj, @fenderman and @tigerwillow1
I'm interested and then which of the two evils (Dahua P2P or public static IP address with port forwarding ) is safer and less vulnerable?

Thanks!
 

zexoni70

Getting the hang of it
Joined
Dec 12, 2021
Messages
96
Reaction score
83
Location
Serbia
I have fiber optic Internet at home with a public static IP address (speed 1000/100Mbps) and the provider gave me an ONT router ZTE F680 to use.

And now, whenever I access the NVR from the outside and want to watch a live stream or already recorded material via a mobile phone and packet data on DMSS or via SmartPss from my work where I also have fiber optic internet, the video I watch all the time and always chops, stops and is not smooth .

Whereas when I'm at home and on my home Wi-Fi or LAN network, everything I watch through DMSS or SmartPSS is smooth and fluid!

And it always happens with both P2P and port forwarding, always when I access from outside, the video clip freezes and is not smooth!

The equipment I own is stated in my signature and the settings in all cameras are:
1. Codec: H.264H, General
2. Bitrate: 8092Kbps
3. Framerate: 15fps

Does anyone have a possible solution or guess as to what is causing this problem?
 

hesiod

n3wb
Joined
Aug 23, 2021
Messages
8
Reaction score
8
Location
Europe
Dear @wittaj, @fenderman and @tigerwillow1
I'm interested and then which of the two evils (Dahua P2P or public static IP address with port forwarding ) is safer and less vulnerable?
First safest solution is VPN connectivity between your device with DMSS and NVR.
Second safest is obviously P2P with any portforwarding disabled. But in case Dahua P2P services are down, which could happen sometimes, you won't be able to connect.
Third and most insecure option is port forwarding.

Never expose any service directly on the Internet ! Dahua or any other NVR or camera brand are vulnerable at all times and could be hacked now or in the future.

I have fiber optic Internet at home with a public static IP address (speed 1000/100Mbps) and the provider gave me an ONT router ZTE F680 to use.

And now, whenever I access the NVR from the outside and want to watch a live stream or already recorded material via a mobile phone and packet data on DMSS or via SmartPss from my work where I also have fiber optic internet, the video I watch all the time and always chops, stops and is not smooth .

Whereas when I'm at home and on my home Wi-Fi or LAN network, everything I watch through DMSS or SmartPSS is smooth and fluid!

And it always happens with both P2P and port forwarding, always when I access from outside, the video clip freezes and is not smooth!
1) With P2P no static IP is needed, so you could even downgrade your Internet sub. Why overpay for a fixed IP if not needed for other services?

2) Strange, all depends on your data connexion on your mobile device too. Maybe you don't have good and stable signal at locations you are watching? When for example I would watch with my smartphone from within my basement or in the middle of nowhere in a forest through 3G, 4G/LTE, my signal is bad and yes chops-stops.
As soon as I use WiFi, it's much better. There are too many variables when you connect from outside.

3) You could add your NVR two times in your DMSS & SmartPSS app, one with only a local IP connexion (for Internal use), and the other with P2P (for External use).

4) Try again with P2P only, without any portforwarding set, sometimes the DMSS app will try to connect directly to the NVR if portforwarding is enabled and detected instead of using P2P, which results in unstable connexion.
 

zexoni70

Getting the hang of it
Joined
Dec 12, 2021
Messages
96
Reaction score
83
Location
Serbia
First safest solution is VPN connectivity between your device with DMSS and NVR.
Second safest is obviously P2P with any portforwarding disabled. But in case Dahua P2P services are down, which could happen sometimes, you won't be able to connect.
Third and most insecure option is port forwarding.

Never expose any service directly on the Internet ! Dahua or any other NVR or camera brand are vulnerable at all times and could be hacked now or in the future.


1) With P2P no static IP is needed, so you could even downgrade your Internet sub. Why overpay for a fixed IP if not needed for other services?

2) Strange, all depends on your data connexion on your mobile device too. Maybe you don't have good and stable signal at locations you are watching? When for example I would watch with my smartphone from within my basement or in the middle of nowhere in a forest through 3G, 4G/LTE, my signal is bad and yes chops-stops.
As soon as I use WiFi, it's much better. There are too many variables when you connect from outside.

3) You could add your NVR two times in your DMSS & SmartPSS app, one with only a local IP connexion (for Internal use), and the other with P2P (for External use).

4) Try again with P2P only, without any portforwarding set, sometimes the DMSS app will try to connect directly to the NVR if portforwarding is enabled and detected instead of using P2P, which results in unstable connexion.
Dear @hesiod,
thank you for your quick response!

1. When I use the P2P service (SN/scan) in DMSS, I never set port forwarding in the ZTE F680 router.

2. When I do port forwarding in the router F680, then in DMSS I set that DMSS connects exclusively via IP/Domain and then I enter my fixed IP address, username and password.

3. When I access from the outside, the Wi-Fi signal from the router at work is always stable and full, and also the mobile operator's signal is also strong and good, so the problem is definitely not that...

When I'm at home and on my Wi-Fi, that choppy and stuttering video never happens, regardless of whether I run DMSS via P2P or a static IP address with port forwarding!

I say again that I will give up the additional payment for a fixed public IP address, because it is obvious that DMSS does not work for me either with a fixed static IP address (set up port forwarding), or with P2P (not set port forwarding), because as I said before, whenever I access it from the outside, the video chops, stops and does not run smoothly ...
 

hesiod

n3wb
Joined
Aug 23, 2021
Messages
8
Reaction score
8
Location
Europe
Can't help, since it's not working fine from outside in any way it could either be a routing problem between your Internet service provider and the Dahua P2P services (which I doubt), or a capacity / traffic shaping problem on the network of your mobile service provider.
On your work location there could be a firewall which blocks certain traffic... As you can see it can be many reasons... The only way would be to check, replace and test one by one (home router + test from another phone with another service provider...).
 

zexoni70

Getting the hang of it
Joined
Dec 12, 2021
Messages
96
Reaction score
83
Location
Serbia
replace and test one by one (home router + test from another phone with another service provider...).
I am using Android Samsung A71 while my wife is using iPhone 11 but the problem is identical on both phones and it happens in any location and any other city when we are using our provider's mobile data!
But I say the problem always happens when we access from outside and not in our home network and our home Wi-Fi network...

I should also mention that I turned off the P2P service on all six IP cameras, and that P2P is enabled only on the NVR and through which I access it with DMSS or SmartPSS.

I believe that I set it up correctly, and that the P2P service should not be enabled on the IP cameras, but only on the NVR, maybe I'm wrong in that setting and I should enable P2P on all cameras as well?
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,635
Reaction score
22,894
Location
Evansville, In. USA
I am using Android Samsung A71 while my wife is using iPhone 11 but the problem is identical on both phones and it happens in any location and any other city when we are using our provider's mobile data!
But I say the problem always happens when we access from outside and not in our home network and our home Wi-Fi network...

I should also mention that I turned off the P2P service on all six IP cameras, and that P2P is enabled only on the NVR and through which I access it with DMSS or SmartPSS.

I believe that I set it up correctly, and that the P2P service should not be enabled on the IP cameras, but only on the NVR, maybe I'm wrong in that setting and I should enable P2P on all cameras as well?
You only need to turn on P2P on the NVR, not the cameras.
 

zexoni70

Getting the hang of it
Joined
Dec 12, 2021
Messages
96
Reaction score
83
Location
Serbia
You only need to turn on P2P on the NVR, not the cameras.
Yes, that's what I did from the beginning, but the problem exists as I described in previous posts...

It's all strange and I'm starting to doubt even the provider and its internet speed, but again, whenever I measure the speed on the speedtest, the speed is always ok.


Speedtest.jpg


And I doubt a VPN would solve this problem either !?
 

RDB85

Getting the hang of it
Joined
Apr 5, 2021
Messages
101
Reaction score
27
Location
UK
I’ve an ASUS ZenWiFi AX Whole-Home Tri-Band Mesh WiFi 6. How can I set this up so that I’m not using P2P. Also is it wise to change the default IP Cameras to on my IP Network?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
I’ve an ASUS ZenWiFi AX Whole-Home Tri-Band Mesh WiFi 6. How can I set this up so that I’m not using P2P. Also is it wise to change the default IP Cameras to on my IP Network?
You can either use the built in openvpn on your asus router or install zerotier on an always on device on your network.
Your second question is not clear.
 