My 5231R-ZE keeps port forwarding itself?

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,314
Reaction score
274
I see this IP in port forwarding now and then. I delete it but it eventually comes back.
It belongs to my Dahua HDW5231R-ZE.
I have UPNP, P2P (easy4IP), DDNS and PPPOE unchecked in options... How can the camera do this if I turn off the functionality, or am I missing something else in the camera that needs to be disabled?
Why is it doing this? None of my other Dahua 5231RZ cameras do this.

Also I have another IP doing the same thing. It is not associated with one of my cameras and I do not know how to identify what it is. When I try to go to that IP the browser just displays an "Access Error" message.

BI_PortFWD.png


5321Zupnp.JPG 5321Ze4p.JPG 5321Zddns.JPG 5321Zpppoe.JPG
 

Camit

Pulling my weight
Joined
Feb 7, 2017
Messages
412
Reaction score
121
Is UPnP turned off in the router? Make sure. Did you set firewall rules for the cameras?
 
Joined
Apr 26, 2016
Messages
1,046
Reaction score
742
Location
Colorado
Definitely confirm UPNP is disabled on the router. Hopefully you don't have anything that breaks as a result, but that's a huge risk allowing internal devices to open ports for themselves!

Feels to me the Dahua might not be respecting that UPNP setting on the camera, and the router has UPNP enabled atm.
 

Camit

Pulling my weight
Joined
Feb 7, 2017
Messages
412
Reaction score
121
In your camera settings, switch the gateway to 0.0.0.0, also DNS. If it won't let you (some won't), just copy your static LAN IP into the gateway and DNS; then the camera doesn't know where to phone home to. Still make sure the firewall is set up and you're blocking all traffic for ANY cameras. Use a VLAN, etc. wiki
 

Mike A.

Getting comfortable
Joined
May 6, 2017
Messages
950
Reaction score
840
DIE UPnP DIE!

Disable UPnP and WPS in your router's settings.
This. Just because you click a box, doesn't mean that whatever will follow that. Lots of things either intentionally or otherwise ignore various settings. Stop them at the router regardless by disabling it. Also block internet access completely for the cam at the router if you can and set the gateway and DNS on the cam to itself or other nonsense values.

If it's already opened the port then turning UPnP off and in the cam won't fix what's already there. You need to go in on the router and delete the port forward that it created.
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,314
Reaction score
274
OK, I'll be home and able to check out the router tonight. I just assumed if you turn that off in the camera, the camera should no longer do it...That's what I get for assuming. I have 6 Dahua cameras and the newer ZE is the only camera doing this....No idea what the mystery 0.58 IP address doing it even is though! How the heck can I identify what that IP goes to? ( Besides the camera I have a VOIP phone and some wifi connected TVs and another AP.)

Can I log into my DSL router remotely?
 

Mike A.

Getting comfortable
Joined
May 6, 2017
Messages
950
Reaction score
840
OK, I'll be home and able to check out the router tonight. I just assumed if you turn that off in the camera, the camera should no longer do it...That's what I get for assuming. I have 6 Dahua cameras and the newer ZE is the only camera doing this....No idea what the mystery 0.58 IP address doing it even is though! How the heck can I identify what that IP goes to? ( Besides the camera I have a VOIP phone and some wifi connected TVs and another AP.)
On a desktop, open a command window and type:

arp -a [IP address]

That will give you the MAC address. Enter that here (or into whatever other MAC vendor search):

MAC Address Lookup Tool

Or you can try another network scanner like Fing or similar and run that. Sometimes they'll give more manufacturer info. That should narrow things down some.

Or you can just start a continuous ping (ping [IP address] -t) and start unplugging likely things until you see it drop off.

Can I log into my DSL router remotely?
Hopefully not. If so, then turn that off too unless you absolutely need it. In the router setup it will be called "remote administration" or something along those lines.
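
The lookup described in this reply, as an added example that is not part of the original post: it parses Windows `arp -a` output and, for each port forward found on the router, reports the MAC and the vendor prefix to paste into a MAC vendor search. The ARP sample, the forward list and the `KNOWN` inventory are constructed for illustration.

```python
import re

# Constructed sample of Windows `arp -a` output; every address here is made up.
ARP_OUTPUT = """
Interface: 192.168.0.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           a0-b1-c2-00-00-01     dynamic
  192.168.0.58          00-11-22-33-44-55     dynamic
  192.168.0.90          02-aa-bb-cc-dd-ee     dynamic
  192.168.0.108         a0-b1-c2-00-00-6c     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Constructed: forwards as copied from the router's port-forwarding page.
FORWARDS = [("TCP", 8000, "192.168.0.108"), ("TCP", 8001, "192.168.0.58"),
            ("UDP", 8002, "192.168.0.90")]
# Hypothetical inventory of devices already identified.
KNOWN = {"192.168.0.108": "driveway camera"}

ROW = re.compile(r"^[ \t]*(\d+(?:\.\d+){3})[ \t]+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\b",
                 re.I | re.M)

def parse_arp(text):
    """Map IP -> MAC for unicast entries; broadcast/multicast rows are skipped."""
    table = {}
    for ip, mac in ROW.findall(text):
        if int(mac[:2], 16) & 0x01:      # group bit set: not a single device
            continue
        table[ip] = mac.lower().replace("-", ":")
    return table

def audit_forwards(forwards, arp_table, known):
    """Describe the device behind each forward so unknown ones can be traced."""
    findings = []
    for proto, port, ip in forwards:
        mac = arp_table.get(ip)          # None: no ARP entry yet, ping the IP first
        first = int(mac[:2], 16) if mac else 0
        findings.append({
            "forward": f"{proto}/{port} -> {ip}",
            "device": known.get(ip, "UNIDENTIFIED"),
            "mac": mac,
            # First three octets are what a MAC vendor search keys on.
            "oui": mac[:8].upper() if mac else None,
            # Locally administered (randomized) MACs have no vendor to look up.
            "randomized": bool(first & 0x02),
        })
    return findings

if __name__ == "__main__":
    for f in audit_forwards(FORWARDS, parse_arp(ARP_OUTPUT), KNOWN):
        print(f)
```

A forward whose `mac` comes back as `None` points at a host the desktop has not talked to recently; ping it once and re-run `arp -a` before concluding the device is gone.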
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,314
Reaction score
274
I used Fing as suggested above. Nice little phone app.
xxx.0.58 IP turned out to be my little cheap-o (Well, still $50 bucks) closeout Samsung PT camera I recently picked up at Costco.
Handy for around the house, (currently watching an upstairs hallway to figure out which cat is not using the litter box. :facepalm: ) but nothing great...biggest problem is I don't see an option to even turn off Upnp in it yet as it has no web UI, only app controlled. And although it has RTSP streams and BI scan says it detects it, I cannot get it to connect in BI for recording unfortunately.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
10,837
Reaction score
11,224
Location
Evansville, In. USA
I used Fing as suggested above. Nice little phone app.
xxx.0.58 IP turned out to be my little cheap-o (Well, still $50 bucks) closeout Samsung PT camera I recently picked up at Costco.
Handy for around the house, (currently watching an upstairs hallway to figure out which cat is not using the litter box. :facepalm: ) but nothing great...biggest problem is I don't see an option to even turn off Upnp in it yet as it has no web UI, only app controlled. And although it has RTSP streams and BI scan says it detects it, I cannot get it to connect in BI for recording unfortunately.
I'd take that sucker back and replace it with one of these: https://www.amazon.com/Amcrest-HDSeries-Wireless-Surveillance-IPM-721S/dp/B017L1JOX4/ref=sr_1_24?ie=UTF8&qid=1548452559&sr=8-24&keywords=amcrest+ptz
It's @TonyR approved!
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,314
Reaction score
274
Thanks. That kind of looks like my old Foscam...so should work with BI? Wish they had a little optical zoom too.
 

eengineer

n3wb
Joined
Jul 17, 2018
Messages
14
Reaction score
7
Location
Europe
Definitely do not use UPNP... disable it everywhere you can, but most importantly in your egress/internet-facing router. You can get away with ACL UPNP in some cases, but that should be restricted to media-only VLANs (ex. gaming consoles) and together with static ARP and other measures in place....
You guys need to invest in a mini PC like those Qotom units, and put pfSense or OPNsense on it...
 

nbstl68

Getting comfortable
Joined
Dec 15, 2015
Messages
1,314
Reaction score
274
So finally had time to get into the router and disabled UPnP.
Below it, UPnP NAT-T was also enabled. I Googled it but don't quite understand what that is, but when turning off UPnP that disappeared as well.

I went to the port forwarding section and there was one IP set to port forward; a completely different Dahua camera I have and have no recollection of setting up the port forward?
Is it possible for a camera to auto-port-forward itself or am I losing it and just don't remember doing it for some reason?
 

eengineer

n3wb
Joined
Jul 17, 2018
Messages
14
Reaction score
7
Location
Europe
NAT-T is NAT traversal.

UPnP's purpose is blasting holes through firewalls... if you leave it enabled, and especially without ACLs, anything in the network can open anything in your router.

And as a note: multicast UDP can also jump through network hops (check the TTL section here: Multicast over TCP/IP HOWTO: Multicast Explained.). Little known trick! Odds are low that you will find any providers that won't nuke multicast UDP with absurd TTLs.... but not so long ago that used to be a dumpster fire. It remains an issue in consumer/mom and pop networks, though.
 