How to get Hikvision camera connected to POE ports of Hikvision NVR to access WAN (WWW) ?

[Shyam]

After all that I'm curious what you actually changed to get it working - do tell.

And by the way - presumably you've realised that the NVR PoE channel needs to be in Manual mod, not Plug&Play, so the NVR doesn't change the camera default gateway back to the non-working value.

I followed what @58chev said:

My NVR LAN PORT 192.168.1.15 GW 192.168.1.1
NVR PoE Switch GW 192.168.254.1
Camera address 192.168.254.2 GW 192.168.254.1

The issue was that I wasn't using the NVR PoE IP as the gateway and i thought "The address is not used" was an error!

 

[Shyam]

I'm back and can see your screenshots properly now.

Just for your (and others) information - the 'Test' button next to the IP address setting in the camera web GUI simply checks to see if the value you are trying to put in has already been used by another device, so you can avoid setting up a duplicate address.
So when it says 'The address is not used' that's good.
It means it's not been used somewhere else , and it's OK to set the camera to it.
Hopefully that makes sense.

Thanks this clears things up, I thought "The address is not used" was an error! Does it mean the camera IP is not used?

 

[alastairstevenson]

Does it mean the camera IP is not used?

Yes, when you press that Test button the camera checks that nothing else responds on the proposed address, if there is no response it shows 'The address is not used'.

 

[Shyam]

Yes, when you press that Test button the camera checks that nothing else responds on the proposed address, if there is no response it shows 'The address is not used'.

Thanks!

Whats the point of the static route? Is that only required if I want to access the camera directly? or is it required for the camera to talk to the outside world (i.e send emails)

 

[alastairstevenson]

Whats the point of the static route?

It's to tell your gateway where to send packets destined for the 192.168.254.0 network which is where the NVR PoE-connected cameras are.
If you didn't tell the LAN gateway that the NVR PoE-connected cameras are only accessible via the NVR, it would send the attempted traffic (eg if you try to access the camera directly from the LAN at their actual address, or any other traffic intended for them) out to the internet over the 'default route'.

 

[Shyam]

It's to tell your gateway where to send packets destined for the 192.168.254.0 network which is where the NVR PoE-connected cameras are.
If you didn't tell the LAN gateway that the NVR PoE-connected cameras are only accessible via the NVR, it would send the attempted traffic (eg if you try to access the camera directly from the LAN at their actual address, or any other traffic intended for them) out to the internet over the 'default route'.

Make sense! So in theory I can now access the camera directly using its IP address instead of the virtual host way?

 

[alastairstevenson]

Make sense! So in theory I can now access the camera directly using its IP address instead of the virtual host way?

Yes, and not just access to the HTTP port, full access.

 

[KristopherE]

Hi All,

Sorry to bring up an old thread. I've read through all the advice as well as the link earlier in the thread on what needs to be done and can successfully ping my cameras (192.168.254/0) though the LAN (192.168.1/0) and get to the cameras directly through the web browser but am unable to get email working or test using NTP from the actual camera itself.

My NVR LAN PORT 192.168.1.250 GW 192.168.1.254
NVR PoE Switch GW 192.168.254.1
Camera address 192.168.254.2 GW 192.168.254.1

The Static Route added to the router obviously works one way (to get from my LAN to the camera's using 192.168.254.2), but it appears to not be working the other way. Could it be an issue with the static route, or is there something else obvious that I could be missing?

Regards,

Kristopher

 

[alastairstevenson]

but it appears to not be working the other way

There are other possibilities, such as DNS, or the router not allowing external NAT for addresses not on it's local segment.

Suggestion:
If the camera firmware has a test button for the NTP settings, try that with a domain name such as time.windows.com and also an IP address (ping the name from the PC to find this).
Assuming the DNS setting in the camera is your router (192.168.1.254) try also Google's DNS on 8.8.8.8
And if the camera firmware can have SSH / telnet able to be activated, connect to it and use ping to check out resolution of domain names such as smtp.gmail.com and connectivity to associated IP addresses. The 'psh' shell should still allow ping.

 

[KristopherE]

Thanks alastairstevenson, I tried the test from the cameras to the time server (pool.ntp.org) and also tried the ip address as the time server and still no joy. The DNS setting in the camera was 8.8.8.8, but I've also tried 192.168.1.254. I've managed to ssh to a camera after switching ssh on using the Device Network SDK and can ping internal ip addresses, but not external ip addresses from the camera, so i'm assuming it could be the router which is a pain.

 

[alastairstevenson]

so i'm assuming it could be the router which is a pain

That's certainly a possibility. If so, a bit poor if a static route can be created that works, but only on the local segment, not out through the NAT interface.

Device Network SDK

If ever you need to do that again, the Batch Configuration Tool should be able to enable SSH. Download | Tools - Hikvision

 

[KristopherE]

thanks for all your help Alistair, it is much appreciated

 

[KristopherE]

Sorry to beat a dead horse - I'm ok with networking, but not the greatest and was wondering if you could tell from the below if it is the router causing my issues (before I look at forking out money on a new router)? I've connected a laptop to the NVR POE Switch and set the same IP Range. I've then tried tracert which times out after getting to 192.168.1.254, and netstat -rn shows the following, which means nothing to me, but might to others?

192.168.254.16 being the laptop, DNS was also set to 8.8.8.8

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.254.1 192.168.254.16 291
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.254.0 255.255.255.0 On-link 192.168.254.16 291
192.168.254.16 255.255.255.255 On-link 192.168.254.16 291
192.168.254.255 255.255.255.255 On-link 192.168.254.16 291
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.254.16 291
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.254.16 291
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.254.1 Default
===========================================================================

 

[alastairstevenson]

I've then tried tracert which times out after getting to 192.168.1.254,

On the assumption that the target was out on the internet - that does suggest that the router is not creating a NAT association with the source on the 192.168.254.0 network and the target out on the internet.
Which is consistent with what you are seeing on the PoE-connected cameras.
Does the router support have an ability to answer a question that will be beyond the 1st-level tech support? It may be worth trying.

 

[KristopherE]

Thanks again. I've logged a support call with Netcomm, will see what happens

 

[MrFlood]

Any clue on how to get this working on a PFSense Firewall?

NVR Model# DS-7608NI-Q2 / 8P

NVR LAN IP#192.168.1.75
NVR PoE IP# 192.168.254.1


In PFSense I have done the following:

• Created a new gateway for the NVR 192.168.1.75
• Created a static Route between the PoE network 192.168.254.1 & NVR PoE IP#192.168.1.75

I can ping the NVR and Camera's, however the Camera's still don't have internet access. I know I'm missing something silly, but dont know what. Any help would be appropriated.

 

[alastairstevenson]

My guess, if the cameras were added under Plug&Play, is that the NVR set the camera default gateway to the NVR LAN interface IP address. It should be set to 192.168.254.1
You'll need to change the PoE channel mode to manual to stop the NVR changing the camera gateway back.

 

[MrFlood]

My guess, if the cameras were added under Plug&Play, is that the NVR set the camera default gateway to the NVR LAN interface IP address. It should be set to 192.168.254.1
You'll need to change the PoE channel mode to manual to stop the NVR changing the camera gateway back.

Thanks, the Camera's are set to plug and play, but I manually edited the Gateway to 192.168.254.1.

I ended up getting it working. Here are the complete steps for those wanting to use PFSense in the future.


NVR LAN IP#192.168.1.75
NVR PoE IP# 192.168.254.1
NVR Camera IP's# 192.168.254.3-6

On Cameras

• Manually Update the Gateway on each Camera to the NVR PoE IP (192.168.254.1)

On PFSense Router

• Create a new gateway for the NVR 192.168.1.75 (System/Routing/Gateways)
  • Interface LAN
  • Gateway IP = NVR LAN IP (192.168.1.75)
• Create a static Route between the NVR LAN & NVR PoE (System/Routing/Static Routes)
  • Destination Network = PoE IP Range (192.168.254.0/24)
  • Gateway - Point to Gateway Created in step Above (192.168.1.75)
• Adjust Outband NAT Settings (Firewall/NAT/Outbound)
  • Interface = WAN
  • Source = Network, Enter IP Range of NVR PoE (192.168.254.0/24)
• Create Firewall Rule to allow Outbound traffic (Firewall/Rules/LAN)
  • Clone "Default allow LAN to any Rule"
  • Source = Network & IP of PoE (192.168.254.1/24)

Hoping this helps someone in the future.

 

[alastairstevenson]

I ended up getting it working.

What internet resources do the cameras need to be able to access?
Most folk on here want to block access as opposed to allow it.

It sounds like you're familiar enough with PFSense to know that it's NTP and DNS services work pretty well, and help to make it practical to block the internet for devices that might access destinations you'd rather they didn't.

 

[MrFlood]

What internet resources do the cameras need to be able to access?
Most folk on here want to block access as opposed to allow it.

It sounds like you're familiar enough with PFSense to know that it's NTP and DNS services work pretty well, and help to make it practical to block the internet for devices that might access destinations you'd rather they didn't.

To be honest, I am not a PFSense pro. Got help from someone with much more experience.

In my case, i am not concerned about access. My Cameras do not cover any sensitive or indoor area's. Based on this conifig, the camera's are also not reachable outside of my LAN. (Which I can only access external via VPN)

Any reason I should be concerned about the setup?