Problem port forwarding HikVision NVR

cosmo

I am trying to get external access to my HikVision NVR.

My provider is Comcast, which goes to my cable modem, which goes to my router, which goes to (1) A VOIP unit, (2) the NVR and (3) my PC.

I had to set up port forwarding for the VOIP unit to work. That works fine. People can call me.

I set up port forwarding for the NVR but no dice.

Here's the strange bit. I used http://www.yougetsignal.com/tools/open-ports/ and http://www.whatsmyip.org/port-scanner/ to check both my external IP address (which I can ping) and to check the open status of various ports. Both sites say all my ports are closed. Not just the NVR ones (80, 554, 8000 and 8200) but also all the ports used by my VOIP device (which are big ranges BTW, so there's no knowing which are actually listening...)

Further tests:

My NVR is set to a static IP. 192.168.1.122
My router has that IP set aside in its DHCP list and sees it.
I can go to that IP and get into the Hik web access, so I know Port 80 on the unit is listening.

If the VOIP unit wasn't working, I'd be suspicious that the cable modem wasn't bridging the traffic. But it is working.

I have tried disabling UPnP in both the Hik setup and in the router.

I don't have any DDNS set up.
 

cosmo

I should also add:

- IPv6 on my router isn't working - it can't get an address from the cable modem. Not sure if that is required though.
- I do have the correct IP address port forwarded.
- The DMZ is disabled.

It's a Cisco(Netgear) E4200 router. Pretty common.
 

blake

Hik NVRs require 8000 and 8554 to be open.
 

nayr

Your router has a built in VPN Server, configure it instead of forwarding ports.. all operating systems come with built in VPN Clients, even iOS/Android
 

cosmo

Where did you get the information on 8554?

In any event, why wouldn't a port query on any of the other ports respond to opening?

One HikVision NVR manual says 80/554/8000/8200.

The HikVision NVR screen I am logged into right now says 80/554/8000/443.

8200 is supposedly for SDK access. I am not sure that it is required.

80 is HTTP. 554 is RTSP. 8000 is playback and 8200 is remote viewing.

443 is HTTPS.

I am looking for a diagnostic approach. Right now I am at a dead end and don't know where to probe next.
 

cosmo

> Your router has a built in VPN Server, configure it instead of forwarding ports

Ahhh, why tunnel?

I mean, okay, if it's required, then I'll do it. But tunnelling has overheads. A simple port forward should work for starters. Or DDNS, about which I haven't asked yet.

If I can validate my external IP and my router is already successfully port forwarding and I have port forwarded port 80 to a machine on my internal LAN that I can browse to, it should work unless the ISP is blocking it.
 

nayr

to protect your cameras from the internet, they run full blown linux operating systems with no automatic updates.. just putting them right on the internet without some sort of protection is a bad idea.

the overhead is minimal, most people don't have to worry about it, a Raspberry Pi 2 can push aes256 encrypted vpn @ 35Mbps which is far faster than most people's upstream bandwidth and that's a tiny $35 computer.. the throughput overhead is minuscule compared to the feed itself.. if you can't handle the VPN you can't handle the feed.

it also secures all login credentials from being transmitted across the internet in plain text.. and lets you connect internally and externally to the same addresses when you have multiple cameras, makes configuration and access easier.

there are lots of reasons, but the number one is most IP Cameras have backdoor logins that can't be disabled and are not documented. because of OnVif crap

here is a nice article I found today: http://news.softpedia.com/news/remote-code-execution-flaw-found-in-firmware-of-70-different-cctv-dvr-vendors-502096.shtml

simple port forward for starters is dangerous approach, a simple vpn for starters is the smart approach.. ;)

unlike your Xbox/PlayStation, the people who made your IP Camera have no vested interest in keeping hackers out.. break an Xbox/PS and you can ruin their entire business model.. China already spent the money you paid on the camera, they have no interest in you unless you need more.
 

cosmo

Concise. Agreed on all points.

But I'm still having the basic problem of external access to an internal machine. I don't understand why tunnelling would solve that even if it is ultimately the proper way to authenticate and communicate.

(BTW, I develop custom Arduino systems over international GSM connections so I get your point on bandwidth being the bottleneck)
 

nayr

well you would be connecting to your router, authenticating and then having full access to the lan behind it..

depending on your ISP they may not allow you to run services on some of those ports, port 80/25 for example is likely blocked if you're a residential subscriber.. perhaps more.
 

cosmo

Port blocking is suspected but my VOIP, which relies on port forwarding, works. Mind you, it does use ports in the 4000s, 5000s, 12,000s etc. I'm going to try some other apps that rely on other ports to see if they work. Maybe even knock up an app that opens ports I ask for. It's still a mystery.
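
A test tool of the kind mentioned above, added here as an example and not written by any poster in this thread: a listener that records inbound connections on the ports you name, plus a probe that separates "refused" from "filtered". The function names `start_listener` and `probe` are hypothetical; the port numbers are the ones quoted in the thread.

```python
import socket
import sys
import threading
import time

def start_listener(port, hits, host="0.0.0.0"):
    """Listen on a TCP port; append (port, peer_ip) to hits per connection.
    Returns (socket, bound_port). Ports below 1024 (80, 554) need admin rights."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))  # port=0 asks the OS for a free port
    srv.listen(5)
    bound = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listener was closed
                return
            hits.append((bound, peer[0]))
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, bound

def probe(host, port, timeout=2.0):
    """Classify a TCP connect: 'open', 'refused' (host answered, nothing is
    listening) or 'filtered' (no usable answer: firewall, NAT or ISP drop)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeout, unreachable, etc.
        return "filtered"

if __name__ == "__main__":
    # Run on the PC: python porttest.py 8000 8200, with those ports forwarded to it
    hits, seen = [], 0
    for p in [int(a) for a in sys.argv[1:]] or [8000]:
        start_listener(p, hits)
    while True:  # report each new inbound connection; Ctrl+C to stop
        time.sleep(1)
        for port, peer in hits[seen:]:
            print(f"inbound connection on port {port} from {peer}")
            seen += 1
```

If an external port checker reports the port closed and the listener prints nothing, the connection never reached the LAN, which points at the router rule, the modem or the ISP rather than the NVR. Calling `probe("192.168.1.122", 8000)` from the PC checks the NVR side independently of any forwarding.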
 

dre

Please guys, I need your help. OK guys, I am trying to remotely get access to my Hikvision IP cam. I don't want to use the NVR, so I connected it straight to my router with an Ethernet cable and powered the cam separately. I have iVMS-4200 installed on my MacBook Pro; atm I can see the online device through iVMS, but can't get the cam to work. I need help to view it online and configure the cams, and I also want to port forward the settings on my router. Please help, I am not a computer genius but I understand if anyone goes step by step. Thanks guys, your help will be greatly appreciated.
 

rnatalli

There are lots of ways to set up a VPN server. If you have a NAS, it likely has a VPN Server app. Some consumer routers have VPN capability and some of those can use custom firmware like Tomato, DD-WRT, etc. A Raspberry Pi is another option and of course you can install OpenVPN directly on a Windows machine, but it takes some tinkering to set up.
 

drolling

> Your router has a built in VPN Server, configure it instead of forwarding ports.. all operating systems come with built in VPN Clients, even iOS/Android

Doesn't running a VPN make it extremely inconvenient to quickly check on your cameras from your mobile devices? I run VPN for remote access and administration and it seems tedious to enable/disable VPN when I want to quickly check my video streams. I will check to see if my VPN client supports split tunneling, which would allow VPN to continuously run for my internal non-routed IPs.

Curious what others are doing to balance security with convenience.
 

MrRalphMan

> Doesn't running a VPN make it extremely inconvenient to quickly check on your cameras from your mobile devices? I run VPN for remote access and administration and it seems tedious to enable/disable VPN when I want to quickly check my video streams. I will check to see if my VPN client supports split tunneling, which would allow VPN to continuously run for my internal non-routed IPs.
>
> Curious what others are doing to balance security with convenience.

It takes me about 20 seconds to start the VPN up and then check the cameras, so it's not the end of the world. If you want to get fancy, use Tasker (On Android anyway) to auto connect to your VPN when you leave the comfort of your home network. Unless you have a low monthly allowance on your home BB this will work and you'll have access to all your normal services as if you were at home.
 