
Port forwarding question

Posted: Sat Nov 04, 2006 12:44 am
by pete
I'm having problems accessing zm from the public side. zm is installed on machine 192.168.1.x. It is connected to an internal router that has a WAN side of 10.10.10.x. 10.10.10.x is connected to a DSL router on the 10.10.10.x network. The internal router has firewalling and a port forward set up to the HTTP port (both TCP and UDP) on the 192.168.1.x machine. The DSL router has no firewalling and no port forwarding. Is this the right approach or am I on the wrong track?

Posted: Sat Nov 04, 2006 12:57 am
by cordel
Is 10.10.10.x your public IP???
If not then it is using NAT.
Now on your router you have in 10.10.10.x and out 192.168.1.x.
Is that set up as another NAT? 1st potential problem.
If you can turn off NAT on the router (otherwise this will not work), did you set up your routes?
One subnet has no knowledge of the other unless you set it in the route table.

You might try searching another forum that deals more on routers and routing tables.

Regards,
Corey

Posted: Sat Nov 04, 2006 3:04 pm
by pete
10.10.10.x is the LAN side of the public DSL router (vendor supplied) and the WAN side of the internal network router. I have a public IP address on the WAN side of the DSL router and that is what I'm trying to access from the outside. The DSL router does the NAT while the firewall and port forwarding is done on the internal router WAN interface. I guess one of the things I'm asking is, if I have two routers set up like this, do I need to do the port forwarding on both or just one? I did try setting up a port forward on the DSL router to the internal router and that didn't work either.

Posted: Sat Nov 04, 2006 3:43 pm
by jameswilson
You will need to forward from your external IP through to your internal router, then forward through that to your zm box. But a lot of ISPs block port 80, so try another port.

Posted: Sat Nov 04, 2006 4:33 pm
by pete
Thanks. That is kind of what I thought and is how I set it up originally. I'll give it a try again. I am using another port besides 80 for HTTP.

Posted: Sat Nov 04, 2006 6:46 pm
by jameswilson
OK

Posted: Sat Nov 04, 2006 7:01 pm
by cordel
You can't really have two NATs like that. One NAT doesn't normally know how to deal with the next, and port forwarding will not work in that setup.

You will need to drop your router out of the middle, or if it's possible reconfigure the dsl router for transparent bridging so your router gets the public IP.

Posted: Sat Nov 04, 2006 7:59 pm
by pete

Posted: Sat Nov 04, 2006 8:31 pm
by cordel
Okay, that's fine and dandy, but (much easier now that we have a common diagram to reference) if R1 is configured to NAT (by which the original packet is encapsulated with a new address to or from the R1 LAN port), and R2 is trying to do the same thing, it may not work (not necessarily meaning that it will not work; it can, but it depends on the equipment at R2). Some cheaper equipment doesn't handle this too well.

I have seen it work (Linksys seems to do well with this), but I have seen it fail as well.
It will depend on R2 being able to handle it.

I'm sure you know that R1 has to be forwarded to (192.168.1.2)<-R2 ->10.10.10.x
then R2-> forwarded to your machine ->(192.168.1.5)

Now if that doesn't work and you can disable NAT in R2 (you can leave DHCP turned on and still have a different subnet),
you can add a route in R1 10.10.10.0 -> 192.168.1.2
and a route in R2 192.168.1.0 -> 10.10.10.1

This would allow R1 to handle the NAT and port forwarding.
R1 forwards port 80 to 192.168.1.5

Regards,
Corey

Posted: Sun Nov 05, 2006 1:01 am
by jameswilson
Well there you go, I didn't know that. Learnt something else. So NAT is a once-only thing?

Posted: Sun Nov 05, 2006 4:30 pm
by pete
Still doesn't work. I think the routing is OK since I can browse and do other things out of this connection. I'm using an ultra cheap Airlink+ router on the inside of the network so that could be an issue. I think I will take the zm machine out from behind that unit, put a firewall on the zm machine, and try it right behind the DSL router with a port forward.

This is the way I do my ZoneMinder thru a firewall

Posted: Sun Nov 05, 2006 11:05 pm
by pcalleros
First I have subscribed to NO-IP.com so that I always have a DNS name and where the outside IP doesn't matter.

Typically all firewalls NAT (network address translation) one external internet IP to an entire internal subnet or just a few IPs. You can do this manually or by using the built in firewall DHCP server. I personally only use about 5 DHCP addresses and statically assign all of the rest of the devices in my subnet. So as an example you can:

Create a small subnet internally like 192.168.246.240/28 255.255.255.240

Your internal side of the router would have a gateway and DNS address of :

192.168.246.241 255.255.255.240

Your network devices would have IPs of:

192.168.246.242 to 192.168.246.254 (9 devices)

You could statically assign these or use DHCP.

I have configured my firewall to let UDP/TCP port 8XXXX in and out.

I have left my ZM's Web interface at port 80.

I have set my firewall to UDP/TCP port forward from source IP/Port of 80 to port 8XXXX outside. It doesn't matter what my outside IP is as I am using DNS. I also do another port forward outside in the internet at the NO-IP site by port forwarding port 80 to port 8XXXX. This way all I am concerned with is the DNS name and directory. IE to get to my ZM from the Internet I use:

HTTP://XXX.GOTO.ORG/ZM

The path looks like this:

ZM Server IP: 192.168.XXX.XXX port 80 ====>
Firewall internally open and port forwarding IP and port above to:
TCP/UDP port 8XXX ======>
Firewall external interface only allows an IN/OUT UDP/TCP port of 8XXX

Dynamic DNS gets IP and assigns it a DNS name.

I take another DNS name from the same service and port forward it the above DNS name IE:

XXX.GOTO-1.ORG port 80 === XXX.GOTO-2.ORG port 8XXX

Two sections of my firewall are involved.

Section one is for the port forwarding
Section two is for the externally allowed access.

I think Linksys or generic routers tend to all be the same.

Typically DSL or Broadband modems are the same. They usually have one ethernet interface internally. This ethernet interface would go to the WAN interface on your firewall router. The WAN interface would use NAT internally to the rest of the network. Another way to pass the ZM traffic is to create a "pinhole" thru your firewall. This pinhole would say to allow all incoming traffic on port 80 to your ZM server IP and port. I don't think though this is really safe. Yet another way is to create a DMZ. This is a separate network between your firewall and your internal network. Each side of the network can access the DMZ but the DMZ protects you from the outside of the network and vice versa.

Hope this helps some.
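The two setups argued over in this thread (cordel's double-NAT versus routed inner router, and pcalleros's single firewall that only opens the translated port) can be walked through with a small model of how an inbound packet crosses each hop. This is an added example, not code from the thread or from ZoneMinder. Every address and port in it is an assumption chosen to match the posts (203.0.113.10 stands in for the public IP of the DSL router R1, 10.10.10.2 for the WAN side of the internal router R2, 192.168.1.5 for the zm host, 8080 as the non-80 outside port), the rule that a NAT router drops unsolicited inbound traffic not addressed to its own WAN IP is a simplification of typical consumer gear, and the reply path is not modelled.

```python
# Added example (not from the thread or ZoneMinder): trace one inbound
# packet through the two-router ZoneMinder topology discussed above.
# Addresses, ports and the NAT drop rule are constructed assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Router:
    name: str
    wan_ip: str
    lan_net: str                          # e.g. "192.168.1.0/24"
    nat: bool = True                      # NAT box: drops unsolicited inbound not for itself
    allow_in: Optional[Set[int]] = None   # WAN ports accepted inbound (None = no filter)
    forwards: Dict[int, Endpoint] = field(default_factory=dict)  # wan port -> (ip, port)
    routes: Dict[str, str] = field(default_factory=dict)         # prefix -> next-hop ip


def trace(dst: Endpoint, hops: List[Router], host: str) -> Tuple[bool, List[str]]:
    """Walk one inbound packet for dst through hops (outermost first, in path
    order). Returns (reached_host, per-hop log)."""
    log: List[str] = []
    ip, port = dst
    for r in hops:
        if ip == r.wan_ip:                         # addressed to this router's WAN side
            if r.allow_in is not None and port not in r.allow_in:
                log.append(f"{r.name}: inbound port {port} filtered -> drop")
                return False, log
            if port not in r.forwards:
                log.append(f"{r.name}: no forward for port {port} -> drop")
                return False, log
            new_ip, new_port = r.forwards[port]
            log.append(f"{r.name}: DNAT {ip}:{port} -> {new_ip}:{new_port}")
            ip, port = new_ip, new_port
        elif r.nat:                                # NAT box, packet is not for it
            log.append(f"{r.name}: NAT router, unsolicited packet for {ip} -> drop")
            return False, log
        if ip_address(ip) in ip_network(r.lan_net):  # destination is directly attached
            if ip == host:
                log.append(f"{r.name}: {ip}:{port} is on my LAN -> delivered")
                return True, log
            log.append(f"{r.name}: {ip} is on my LAN -> pass to that device")
            continue
        nh = next((r.routes[p] for p in r.routes if ip_address(ip) in ip_network(p)), None)
        if nh is None:
            log.append(f"{r.name}: no route to {ip} -> drop")
            return False, log
        log.append(f"{r.name}: route {ip} via {nh}")
    log.append(f"no hop owns {host} -> drop")
    return False, log


PUBLIC_IP = "203.0.113.10"     # assumed public address on R1's WAN
R2_WAN, ZM_HOST = "10.10.10.2", "192.168.1.5"
EXT_PORT, ZM_PORT = 8080, 80   # non-80 outside (ISPs block 80), zm's own port inside


def r1(**kw) -> Router:
    return Router("R1 (DSL)", PUBLIC_IP, "10.10.10.0/24", **kw)


def r2(**kw) -> Router:
    return Router("R2 (internal)", R2_WAN, "192.168.1.0/24", **kw)


def forward_on_r1_only() -> Tuple[bool, List[str]]:
    """R1 forwards to R2, but R2 has no matching forward of its own."""
    hops = [r1(forwards={EXT_PORT: (R2_WAN, EXT_PORT)}), r2()]
    return trace((PUBLIC_IP, EXT_PORT), hops, ZM_HOST)


def forward_on_both_hops() -> Tuple[bool, List[str]]:
    """A forward on each NAT hop, chained R1 -> R2 -> zm."""
    hops = [r1(forwards={EXT_PORT: (R2_WAN, EXT_PORT)}),
            r2(forwards={EXT_PORT: (ZM_HOST, ZM_PORT)})]
    return trace((PUBLIC_IP, EXT_PORT), hops, ZM_HOST)


def routed_inner_router(r2_nat: bool) -> Tuple[bool, List[str]]:
    """R1 does all NAT and forwarding and routes 192.168.1.0/24 via R2;
    this only works once R2 stops NATing."""
    hops = [r1(forwards={EXT_PORT: (ZM_HOST, ZM_PORT)},
               routes={"192.168.1.0/24": R2_WAN}),
            r2(nat=r2_nat)]
    return trace((PUBLIC_IP, EXT_PORT), hops, ZM_HOST)


def single_router_filtered(wan_port: int) -> Tuple[bool, List[str]]:
    """One firewall on a /28 LAN: only the translated port is open inbound
    and is forwarded to zm's port 80."""
    zm = "192.168.246.242"
    fw = Router("firewall", PUBLIC_IP, "192.168.246.240/28",
                allow_in={EXT_PORT}, forwards={EXT_PORT: (zm, ZM_PORT)})
    return trace((PUBLIC_IP, wan_port), [fw], zm)


if __name__ == "__main__":
    scenarios = [("R1 forward only", forward_on_r1_only()),
                 ("forward on both hops", forward_on_both_hops()),
                 ("routed, R2 still NATs", routed_inner_router(True)),
                 ("routed, R2 NAT off", routed_inner_router(False)),
                 ("single router, port 80", single_router_filtered(80)),
                 ("single router, port 8080", single_router_filtered(EXT_PORT))]
    for label, (ok, log) in scenarios:
        print(f"== {label}: {'reached zm' if ok else 'dropped'}")
        for line in log:
            print("   ", line)
```

Running it prints the per-hop decisions for each scenario: the packet dies at R2 when only R1 forwards, reaches zm when both hops forward, reaches zm via the routed path only when R2 is no longer NATing, and on the single firewall only the translated port gets through. The allow-list on the single firewall is the difference between pcalleros's filtered setup and an open pinhole on port 80.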