Okay, I had set up another ZM server and was able to access the cam over the internet using the external IP address with the local ZoneMinder turned off. This is ideal for me, but I was just wondering what the difference was between the ffmpeg and remote option, as remote worked and ffmpeg did not.
I now class this as resolved anyway, and thanks for all your help. It was just having a problem as it was on the same network, unable to loopback, but now as I have installed another ZM server on another network, it does work.
felixr, I thank you for your last reply and all the effort you have gone to to give me that information on how to access from within the local intranet.
Many thanks
Jon
Cams in different networks
Re: Cams in different networks
Zmjm15 wrote: I now class this as resolved anyway and thanks for all your help. It was just having a problem as it was on the same network unable to loopback, but now as I have installed another ZM server on another network, it does work.
It probably won't work from the same network using the outside IP unless your router has NAT loopback. In that case, it should work as the router understands what you are trying to do.
Re: Cams in different networks
I see,
Thanks for that,
One other pretty unrelated question,
If someone's router does not have port forwarding, is there any other way to forward ports?
Or even if it does have a port forwarding option, but it only specifies the ports to forward but not the IP address, what can I do for this?
Many thanks
Re: Cams in different networks
Zmjm15 wrote: If someone's router does not have port forwarding, is there any other way to forward ports?
Or even if it does have a port forwarding option, but it only specifies the ports to forward but not the IP address, what can I do for this?
Get another router?
I'm not quite sure what this means at the networking level. There are a number of ways to do NAT and an associated PAT, but generally (especially for home systems) all relate to having an address space internally that is larger than your external address space. So something has to change one IP address outside into many inside, and somehow be able to keep track of that.
The only other technique I can think of that might answer your question is VPN -- extend the internal address space over an encrypted link to a remote system. That is not a port forwarding per se (especially if it originates in the router), but is even a more sophisticated option, so if you don't have port forwarding you probably don't have VPN support in the router.
- knight-of-ni
- Posts: 2406
- Joined: Thu Oct 18, 2007 1:55 pm
- Location: Shiloh, IL
Re: Cams in different networks
I'm not sure why you want to expose your camera to the Internet. Cameras can have security vulnerabilities just like anything else. I've got an Apexis camera (foscam firmware), that will return the camera configuration, including the camera's admin login credentials, when using a URL described in the API documentation. oops. Better keep that one behind a firewall.
Providing the make and model of your routing device would be most helpful in determining whether or not it supports NAT reflection.
If you are into open source, I can't recommend anything better than pfSense. It does everything, even the stuff you didn't think of, but will think of in the future. If only it would make my coffee in the morning.
Also, something else to try is called split DNS.
What you do is register a DNS name (dynamic or otherwise) if you have not done so already. As you probably know, this will allow all devices external to your network to access the device in question by dns name. Now, for local devices, add an A record to your local DNS server (probably running on your firewall) that remaps that same name to a local IP.
This is how I've got my home server set up so I can access my zoneminder server externally or internally using the exact same dns name. This should work for any network device.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
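The split DNS setup described in the post above, as an added example that is not part of the original thread: it parses LAN-resolver overrides and flags any name that still resolves outside the internal networks, which would again depend on NAT loopback. The Unbound-style `local-data` syntax, the hostnames, the addresses and the function names are all assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample of LAN-resolver overrides in Unbound's local-data syntax.
# Hostnames and addresses are placeholders, not values from the thread.
SAMPLE_CONF = """
server:
    local-data: "zm.example.org. IN A 192.168.1.10"
    local-data: "cam.example.org. IN A 203.0.113.7"
    local-data: "nvr.example.org. 3600 IN A 10.8.0.5"
"""

# Name, optional TTL, optional class, then an A record and its address.
LOCAL_A = re.compile(r'local-data:\s*"(\S+?)\.?\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)"')


def parse_overrides(conf):
    """Return {hostname: IPv4Address} for every local-data A record."""
    return {m.group(1).lower(): ipaddress.ip_address(m.group(2))
            for m in LOCAL_A.finditer(conf)}


def audit_split_dns(conf, internal_nets):
    """Classify each override by where it sends clients on the local network.

    'internal': the name maps to a LAN/VPN address, so local clients reach
                the host directly and NAT loopback is not needed.
    'external': the override points outside the listed networks, so local
                clients would still be sent to the router's WAN side.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    return {name: "internal" if any(addr in net for net in nets) else "external"
            for name, addr in parse_overrides(conf).items()}


if __name__ == "__main__":
    # Assumed address plan: a home LAN plus a VPN subnet.
    plan = ["192.168.1.0/24", "10.8.0.0/24"]
    for host, verdict in audit_split_dns(SAMPLE_CONF, plan).items():
        print(f"{host:20} {verdict}")
```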
Re: Cams in different networks
Okay so,
I think I need to learn more about network security when it comes to using cams with zm
I was thinking of just changing the default pw and port on the cam and that should be good enough!?
Also I would like to implement a vpn at some level but am confused on where to start.
So at my friend's house he just has a cam connected to a router and at my house I have an Ubuntu server running OpenVPN. How would I get the cam's feed to be vpned to zoneminder?
Also, pfSense looks good, does it make setting up vpns easier?
Thanks guys
- knight-of-ni
- Posts: 2406
- Joined: Thu Oct 18, 2007 1:55 pm
- Location: Shiloh, IL
Re: Cams in different networks
Zmjm15 wrote: I was thinking of just changing the default pw and port on the cam and that should be good enough!?
Changing the default port & password is a good first step, but technically, no that is not good enough. A port scanner will pick up the device no matter what port you are using.
There is a Russian website out there (forget the site) which displays nothing but compromised security cameras. There are thousands of them.
Many cameras, at their core, run a Linux kernel. That means they are susceptible to Linux specific vulnerabilities. Did you hear of the Linux Bash bug called Shellshock? While the Linux environment quickly patched that issue, there are many devices out there running firmware with this bug, which will never be fixed. These devices, including some cameras, will always be vulnerable, and what sucks is you may never know it.
Anyhow, if you do not have a specific reason to expose your camera to the Internet, or any device for that matter, don't ever do it. It is just not safe. Even if the device in question does not have any known vulnerabilities, today, it might in the future.
I know it probably sounds like I'm trying to scare you. However, I'm really just trying to help you make an educated decision is all. Maybe this camera is not all that important, and you feel the risk of exposing it is acceptable.
Zmjm15 wrote: Also I would like to implement a vpn at some level but am confused on where to start.
Yes, pfsense supports multiple flavors of vpn. It uses openswan for vpn access from (mobile) clients, and you can also create a permanent ipsec tunnel between two devices. See the documentation on the pfsense site.
Zmjm15 wrote: So at my friend's house he just has a cam connected to a router and at my house I have an Ubuntu server running OpenVPN. How would I get the cam's feed to be vpned to zoneminder?
Wait, is that what this whole thread has always been about? You are trying to record your friend's camera? Your friend knows about this, right?
You can certainly set up a vpn tunnel between your two networks (just follow the instructions for the vpn product you choose to use). However, having the camera at one house and the recording device at the other is not ideal. It will constantly use up your friend's upload bandwidth, which on an asynchronous home broadband connection is a precious commodity.
A better solution, in terms of bandwidth efficiency, would be to put the server at your friend's house. You can still set up a vpn for security, and you will still be able to watch the camera whenever you want. The difference is that you will only be consuming your friend's upload bandwidth while you are watching the camera through your browser instead of constantly streaming 24/7.
Visit my blog for ZoneMinder related projects using the Raspberry Pi, Orange Pi, Odroid, and the ESP8266
All of these can be found at https://zoneminder.blogspot.com/
Re: Cams in different networks
Thanks for your reply,
Haha, yes, he does know about it. He asked me to put it in there, and as I had a spare server lying around I just threw it in, installed and ran off. Now, remotely administering it, I am looking at other ways to secure it etc.
So for the upload issue, I'm guessing if the router supports it, I can put a rule in (QoS or something?) to say the cam's data is the most important and this will stop any slowness?
So say the cam didn't have the Linux bugs you mentioned, how else would an attacker get into it? Bruteforcing? If I have a stupidly complicated password would that secure it? Can someone DoS it to get into it or anything?
Also,
As you were saying the upload bandwidth was going to be an issue on an ADSL connection, do you know how much upload bandwidth your average IP cam would use just for 1? For example, a 1mp cam using 720p ~ 20fps, what would you say you would be uploading per second?
Many thanks
Your input is appreciated.
Re: Cams in different networks
Zmjm15 wrote: So for the upload issue, I'm guessing if the router supports it, I can put a rule in (QoS or something?) to say the cam's data is the most important and this will stop any slowness?
It depends entirely on your provider (and if you have the same one), but I would not assume just because you are physically close that you can communicate without delay. It is possible you are routed directly from your nearest switch; it is possible your data flows through Cleveland before coming back to your neighbor. QoS generally does no harm in the internet, but also frequently does no good; it might prioritize flow through your router, but is not all that likely to be honored end to end.
If you both have very fast networks this might work, but in general video is not well supported by home networks in the UP direction (from your neighbor). Someone with (making up numbers) 20 megabits of download might have only 1 megabit of upload capacity. On purpose -- they don't want you being a server.
But -- it might work. If I were setting up something like this (server in one place, client/camera in another) I would probably want to build a VPN between them, as almost certainly the reciprocal access is going to be needed, e.g. to look at the saved data on your server from their house. This (effectively) keeps all the traffic inside, and keeps you from having to expose camera or servers on the internet.
But seriously, and I hope you take this as constructive -- what you are doing is not exactly the type of thing someone should do as a first network project. While I love to encourage DIYers, once you start opening up stuff to the outside world, you are in dangerous territory, and you really want to consider someone local to help, who can see ALL of what you are doing and make sure there are no gaping holes. Home networks tend to stay safe just because by default stuff outside doesn't come in unless pulled in (e.g. by a web browser). Once you start poking holes, it becomes a LOT harder to make sure the holes are well protected.
Re: Cams in different networks
Thank you for all your input on this, you've all answered my questions with more than I expected.
I will be sure to donate very soon!
Many thanks
jon