Need to access cameras behind Dahua NVR

haselnut

n3wb
Joined
Aug 15, 2023
Messages
12
Reaction score
1
Location
Estonia
Hi

I have Dahua NVR DHI-NVR4108-8P-4KS2 (firmware V4.001.0000005.1) and 8 Dahua cameras connected to POE ports.
NVR has an ip 192.168.1.108, cameras are on different subnet 10.1.1.X managed by the NVR.

I am trying to control the LED's on my cameras programmatically instead of the cameras own day/night function.
So to be able to make an api request to one of the cameras, I use 192.168.1.108:10080 (or 10081 etc port for other cameras) as an address.

BUT for this to work I first have to open NVR's web interface with a browser, navigate to the Camera section and click IE icon for every camera to activate the port forwarding or whatever going on there. Otherwise I will get "ECONNREFUSED 192.168.1.108:10080".
And unfortunately the ports "deactivate" after a while and I can not make any request to cameras without clicking the IE icons in the web interface.

Does anybody know if there is some solution to keep port forwards to camreas active all times or is it possible to activate port forwarding by some api call?
I did not find anything useful from the offical API doc.

Regards
 

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
494
Reaction score
714
Location
Australia
Set up a static route in your router so that anything on the 10.1.1.x network goes via the 192.168.1.108 address.

You will be able to access all your cameras directly.
 

haselnut

n3wb
Joined
Aug 15, 2023
Messages
12
Reaction score
1
Location
Estonia
I added route on my OpenWrt router but it does not seem to work.

Code:
config route
    option interface 'lan'
    option gateway '192.168.1.108'
    option target '10.1.1.70/24'
Does firewall need configuration also?
 

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
494
Reaction score
714
Location
Australia
I added route on my OpenWrt router but it does not seem to work.

Code:
config route
    option interface 'lan'
    option gateway '192.168.1.108'
    option target '10.1.1.70/24'
Does firewall need configuration also?
Would the target not be 10.1.1.0/24?
 

haselnut

n3wb
Joined
Aug 15, 2023
Messages
12
Reaction score
1
Location
Estonia
Sorry, yes, current target is 10.1.1.0/24. I just tried different solutions and pasted here the wrong version.
On ithe IPC web interface I see my router is the default gateway too.

image.png

Still can't reach 10.1.1.70
Code:
root@OpenWrt:~# ping 10.1.1.70
PING 10.1.1.70 (10.1.1.70): 56 data bytes
^C
--- 10.1.1.70 ping statistics ---
10 packets transmitted, 0 packets received, 100% packet loss

root@OpenWrt:~# traceroute 10.1.1.70
traceroute to 10.1.1.70 (10.1.1.70), 30 hops max, 46 byte packets
1  *  *  *
2  *  *  *
3  *  *  *
 

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
494
Reaction score
714
Location
Australia
Why is the gateway on the camera your router and not the NVR on the 10.1.1x subnet?
The camera doesn't have a route back to your router because it's plugged into the NVR so the gateway needs to match.
 

haselnut

n3wb
Joined
Aug 15, 2023
Messages
12
Reaction score
1
Location
Estonia
It's like this by default. I have not touched these settings. What should the gateway be, how do I know if NVR is 10.1.1.1 or something else?
 

haselnut

n3wb
Joined
Aug 15, 2023
Messages
12
Reaction score
1
Location
Estonia
Well I assume 10.1.1.1 is the NVR as a gateway in 10.1.1.x subnet, it answers to ping.
I changed IPC gateway to 10.1.1.1 but no success.

Code:
root@OpenWrt:~# ping 10.1.1.1
PING 10.1.1.1 (10.1.1.1): 56 data bytes
64 bytes from 10.1.1.1: seq=0 ttl=64 time=4.682 ms

root@OpenWrt:~# ping 10.1.1.70
PING 10.1.1.70 (10.1.1.70): 56 data bytes
^C
--- 10.1.1.70 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
Also found Switch section in NVR web ui. 10.1.1.1 is the gateway.
Screenshot 2023-09-30 at 17.43.21.png
 
Last edited:

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
494
Reaction score
714
Location
Australia
The fact you can ping the Lan side of the NVR and get a reply suggests your static route in your router is working.

As for why the camera doesn't respond there might be a setting in either the camera or possibly the NVR which is blocking it.

Set the dns on the camera to match the gateway.
 

haselnut

n3wb
Joined
Aug 15, 2023
Messages
12
Reaction score
1
Location
Estonia
I did set IPC DNS to match the gateway 10.1.1.1 - still can't ping 10.1.1.70
Screenshot 2023-10-01 at 11.51.06.png
I also tried to set DNS on NVR to 192.168.1.1 (default was 8.8.8.8) it did nothing,
Here are other settings on NVR:
Screenshot 2023-10-01 at 11.55.23.png Screenshot 2023-10-01 at 11.55.29.png Screenshot 2023-10-01 at 11.55.44.png Screenshot 2023-10-01 at 11.56.05.png
And on the IPC:
Screenshot 2023-10-01 at 11.56.20.png Screenshot 2023-10-01 at 11.56.32.png
 

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
494
Reaction score
714
Location
Australia
Do you have other cameras on the 10.1.1.0 network?
Can you ping any of them?

Edit: so you have any firewall settings enabled in the cameras?

My camera has a firewall tab under system->safety
One of the options is ping prohibited.
 

haselnut

n3wb
Joined
Aug 15, 2023
Messages
12
Reaction score
1
Location
Estonia
I have 8 cameras total on the 10.1.1.0 network and I can't ping nor access with a browser any of them.
I have firewall disabled on all IPCs by default on all options: Network access, PING Prohibited, Prevent Semijoin
Screenshot 2023-10-01 at 13.22.22.png Screenshot 2023-10-01 at 13.22.27.png Screenshot 2023-10-01 at 13.22.32.png

On IPC I also tried to enable SSH, Private Protocol Authentication to Compatible, enable LLDP but it didn't have any effect.
Screenshot 2023-10-01 at 13.24.46.png

I managed to log into NVR by ssh and got this:
Code:
#diagnose 6

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
But I can't get into shell to do anything else but execute default diagnose commands
Code:
#shell
Domain Accounts:
Domain Accounts  not avaliable
 

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
494
Reaction score
714
Location
Australia
Everything looks to be ok.
If you can get to 10.1.1.1 you should be able to get to any other address on that subnet.
 

haselnut

n3wb
Joined
Aug 15, 2023
Messages
12
Reaction score
1
Location
Estonia
Unfortunately can not reach any other ip than the gateway itself on the 10.1.1.x

Code:
root@OpenWrt:~# nmap -sn 10.1.1.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2023-10-01 17:08 EEST
Nmap scan report for 10.1.1.1
Host is up (0.0069s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 4.26 seconds
Thank you for all the effort so far, really appreciate it.

If there are any ideas what else to try I'm still here looking for a solution.
 
Last edited:

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
494
Reaction score
714
Location
Australia
What's the routing table look like from your router?
Specifically what does the static route look like?
 

bigredfish

Known around here
Joined
Sep 5, 2016
Messages
16,511
Reaction score
46,010
Location
Floriduh
This is by design on Dahua PoE NVRs. You're not going to 'fix" it by playing with routing.

The Internal switch sets up a network of 10.1.1.x for the cameras and cannot be accessed without going through the NVR and the IE icons.
It also adds a layer of security for this same reason.

If you dont want to do that, you can simply plug your NVR (using the LAN port) and cameras into an external switch and put them all on the same network as your router is providing now. 192.168.1.X. You dont HAVE to use the internal switch and associated PoE ports.
 

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
494
Reaction score
714
Location
Australia
Im not a network pro but this may help in your use case if your NVR supports it.
View attachment 173746

The way i understand it, enabling bridge mode on the NVR amounts to the same as doing this...
If you dont want to do that, you can simply plug your NVR (using the LAN port) and cameras into an external switch and put them all on the same network as your router is providing now. 192.168.1.X. You dont HAVE to use the internal switch and associated PoE ports.
Except you're using the switch built into the NVR rather than an external one.
 
Top