Hikvision POE LAN segment - access to cameras without virtual host or extra wiring.

alastairstevenson · Dec 20, 2015

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

Does your camera have access to NTP or email SMTP servers on WAN?

Yes, the cameras can access the WAN.
You must have the camera default gateway already set as 192.168.254.1 as you can access them from the LAN. And the static route set in your LAN default gateway (your router).
What do you have for the camera DNS server? The normal target would be your router on 192.168.1.1, but anecdotally Hikvision devices work well on the Google DNS 8.8.8.8
But that doesn't affect your laptop. When you changed the IP address for the laptop, to connect to the PoE segment, what did you use for the DNS address?
On the laptop, at a command prompt, try:
ping www.microsoft.com
and see if it resolves.
If not - try
tracert 104.71.215.174
and check it goes out via your router.

If your camera firmware still allows telnet or SSH access, trying pinging a WAN destination by IP address, and also by name, for example:

Code:

login as: root
[EMAIL="root@192.168.254.11's"]root@192.168.254.11's[/EMAIL] password:

BusyBox v1.19.3 (2014-07-11 11:25:54 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# ping [URL="http://www.microsoft.com/"]www.microsoft.com[/URL]
PING [URL="http://www.microsoft.com/"]www.microsoft.com[/URL] (184.87.179.64): 56 data bytes
64 bytes from 184.87.179.64: seq=0 ttl=56 time=25.172 ms
64 bytes from 184.87.179.64: seq=1 ttl=56 time=25.558 ms
64 bytes from 184.87.179.64: seq=2 ttl=56 time=24.904 ms
^C
--- [URL="http://www.microsoft.com/"]www.microsoft.com[/URL] ping statistics ---
4 packets transmitted, 3 packets received, 25% packet loss
round-trip min/avg/max = 24.904/25.211/25.558 ms
# cat /etc/resolv.conf
nameserver 192.168.1.1
nameserver 0.0.0.0
#

zzxxyy · Dec 21, 2015

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

alastairstevenson said:
If not - try
tracert 104.71.215.174
and check it goes out via your router.

It can resolve the ip when I set 192.168.1.1 as my DNS.
Here's what I see on my laptop when it's behind the NVR:

Code:

[FONT=Menlo]Traceroute has started…[/FONT]
[FONT=Menlo]
[/FONT]
[FONT=Menlo]traceroute to google.com (216.58.192.46), 64 hops max, 72 byte packets[/FONT]
[FONT=Menlo] 1  192.168.254.1 (192.168.254.1)  1.057 ms  0.584 ms  0.626 ms[/FONT]
[FONT=Menlo] 2  dd-wrt (192.168.1.1)  1.020 ms  1.054 ms  0.835 ms[/FONT]
[FONT=Menlo] 3  * * *[/FONT]

It looks like it's not an DNS issue.

I also tried SSH my camera and pinged WAN. It looks like it can resolve the ip, but no response.

is it possibly caused by firewall on NVR? Though NVR doesn't have iptables command.

alastairstevenson · Dec 21, 2015

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

Maybe something on your router:
As you say, clearly DNS is working OK - when you have the LAN address of your router in use.
Does it still work if you use an external DNS?
Your traceroute shows no traffic outside the LAN. Did you allow it to fully complete, via the intermediate hop timeouts?
Your ping to a WAN address from the camera does not work.

As far as I know, there is no firewall on a 78xx NVR between the 2 network interfaces, iptables does not feature.
Unlike on the cameras, where dropbear (the SSH client) runs all the time, and telnet and SSH are enabled/disabled via iptables settings commands.

zzxxyy · Dec 22, 2015

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

solved. it's my router. It does not allow NAT traffic from WAN

Code:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

But it's weird that when I use my other router(airport extreme) as a subnet gateway it works without opening the firewall for NAT..

alastairstevenson · Dec 22, 2015

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

Well done for figuring it out.
That comes from using something fancy like DDWRT ...

DaveFromPeg · Aug 25, 2016

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

My DS-7108N-SN/P doesn't appear to have an option for enabling telnet
The nvr is using V3.0.17 build 150804

Curious as to what version you are using

alastairstevenson · Aug 25, 2016

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

This method has been superseded somewhat by the introduction of the Virtual Host facility, which implicitly activates the IP_forward setting.
After which the static route and setting the right camera gateway makes it all work.

DaveFromPeg · Aug 25, 2016

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

Thanks for the reply
I would much prefer the virtual host feature but that isn't supported on this 7108, at least with the current firmware. Appears obtaining the latest firmware for most hikvision nvr is a challenge with all the guesswork involved. From what I gather reading posts there is also the concern of having a good working English setup turn into Chinese in a hurry

alastairstevenson · Aug 25, 2016

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

You are absolutely right - Hikvision firmware updates are so much more troublesome and uncertain than they should be.

zzxxyy · Aug 25, 2016

Re: Hikvision POE LAN segment - access to cameras without virtual host or extra wirin

V3.0.10 build 141128

I was using 150804 and no telnet option either. Have to down rev it to older firmware to make it work.

wilkcards · Feb 10, 2017

With the latest firmware go to Network/advanced settings/other/ and check "enable virtual host".
ip of each camera= {nvr-ip}:6500* *=camera channel
ex: 10.0.0.220:65001 (channel 1)
10.0.0.220:65010 (channel 10)

I know it's been mentioned but reading through this it wasn't just written out simple like this...you could also set up port forwarding to hit each camera from WAN if you wanted to

alastairstevenson · Feb 10, 2017

At the time of writing this thread - November 2014 - 'Virtual Host' did not exist in the firmware of the time, and didn't for quite a few revisions.

wilkcards · Feb 10, 2017

alastairstevenson said:
At the time of writing this thread - November 2014 - 'Virtual Host' did not exist in the firmware of the time, and didn't for quite a few revisions.

Yes, I know. I have read the whole thread and this answer really wasn't here. I was thinking someone else searching and reading this thread like I was would be helped by my comment.

alastairstevenson · Feb 11, 2017

Having 'Virtual Host' (or at least the implicit 'IP_forward' facility) opens up lots of possibilities associated with direct access to the cameras, not just via the NAT facility of Virtual Host itself.
eg connecting to the cameras from another NVR, the cameras sending email alerts (decent sized pic attachments), recording or FTPing to a NetHDD destination, sending home automation API commands etc etc
Lots of posts on the topic, quite accessible with the pretty good search facilities that now exist in the new forum software.
Example:
Hikvision DS-7608NI NVR, PTZ control

Search

Hikvision POE LAN segment - access to cameras without virtual host or extra wiring.

alastairstevenson

zzxxyy

n3wb

alastairstevenson

zzxxyy

n3wb

alastairstevenson

DaveFromPeg

n3wb

alastairstevenson

DaveFromPeg

n3wb

alastairstevenson

zzxxyy

n3wb

wilkcards

n3wb

alastairstevenson

wilkcards

n3wb

alastairstevenson