Solved

Viewing a security DVR from outside the LAN

Posted on 2008-10-31
12
2,566 Views
Last Modified: 2012-05-05
One of my clients has just installed a security system with four cameras feeding into a Honeywell HRDP DVR.  The DVR connectes by Ethernet to a port on the office switch (a NetGear FSM726).  The switch, in turn, is connected to a Netopia 3347NWG DSL modem with DSL service through AT&T.

We can see the video feed from the other computers on the LAN by putting in the DVR's LAN IP in a web browser.  My issue is that I need to be able to have the video feed available to be monitored from an employee from their home (in case there is an alert or alarm at night on over the weekend).  I am not 100% sure how to go about this.

If I log into the Netopia, I see the Local WAN IP address and the remore gateway address.  I can also see the primary and secondary DNS addresses.  When I go over to IP Passthrough section of the Netopia setup, it is disabled, but I also do not see the DVR's IP address or name in the list of devices.
0
Comment
Question by:JoeBryce
  • 5
  • 4
  • 2
  • +1
12 Comments
 
LVL 32

Expert Comment

by:harbor235
ID: 22856789


Typically your edge device (netopia) is doing NAT, so you must do port forwarding to the webserver builtin on the DVR on port 443
most times. SSL or port 443 uses encryption which is good for remote access, you don't want someone else using your DVR.

harbor235 ;}
0
 

Author Comment

by:JoeBryce
ID: 22857121
So does that mean to access the DVR from outside the office LAN we simply use the IP of the edge device plus the port (xxx.xxx.xxx.xxx:443) or do I have to do IP passthrough on the Netopia?  When I log in to the Netopia router in my list of devices to do a passthrough, I don't see the DVR.
0
 
LVL 32

Expert Comment

by:harbor235
ID: 22857389


If you have overload nat setup then yes, you may have to setup the port forward to the inside though

on Cisco I would overload nat setup and I would add a translation to the inside ip, like this

static (inside,outside) tcp interface 443 10.1.2.3 netmask 255.255.255.255

inerface = outside interface
443 = https
 10.1.2.3 = inside IP

You may be doing this via gui

harbor235 ;}
0
 
LVL 9

Expert Comment

by:Press2Esc
ID: 22857585
JB, no problem, I've config'd a few of these bad boyz...
Q: Did at&t provide the acct a single or multiple (/29) IP?
Q: Is there an add'l router, firewall or switch attached to the netopia?
     Depending on your response to above Q's,Ii would likely recommend ip passthrough mode.  This would essentially place the CCTV/DVR system in the DMZ.
P2E
0
 

Author Comment

by:JoeBryce
ID: 22857615
Press2:

I am not sure about the number of IPs provided by AT&T.  I will have to check on that.

The Netopia is connected on one end to the Internet via the DSL enabled phone line.  The other end of the Netopia connection is into the #1 port on a NetGear FSM726 switch.  The rest of my network (computers, printers, and DVR) attach to the FSM726 via the various other ports on the 726.
0
 
LVL 9

Expert Comment

by:Press2Esc
ID: 22866842
How is the DVR WAN IP configured - with DHCP, a public IP, or private IP? If you are using a public IP - what is assoiated netmask?
At the Netopias LAN Discovery (ExpertModem > Troubleshoot > SystemStatus) or ARP section, does the router see the DVR attached?
This info will determine the best configuration to acceess the DVR via the net
P2E
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 

Author Comment

by:JoeBryce
ID: 22867435
When the DVR was set up, it was given a static IP on the LAN - 192.168.1.xxx with a subnet of 255.255.255.0.  I do not know if there was a WAN option or not.

On LAN Discovery, the router does see the DVR on the correct LAN IP address, and it shows up correctly in the ARP table as well.

When looking at the WAN setup in the Netopia, it has a local address and a peer address, shows that NAT is on and that WAN users are unlimited.
0
 
LVL 9

Expert Comment

by:Press2Esc
ID: 22868428
in order that you consistantly access the dvr via the internet - get/use a single static IP.  with at&t dsl, there is likely no add'l fee.
once you obtain a public statip ip address & the dvr is configure properly, the following steps will get the system online...
under ExpertMode, click "IP Maps > Configure > Advanced > IP Maps > Add @ Internal Address - enter 192.168.x.x & under External Address - enter your static ip > Submit > click Alert (!) > Save & Restart.
P2E
0
 

Author Comment

by:JoeBryce
ID: 22876534
One last (hopefully) dumb question.

I talked to AT&T and I actual;ly have 8 static IPS on this account.  xxx.xxx.xxx.16 through xxx.xxx.xxx.23 with .18 through .22 available for use.  I understand from your post above that I need to go in and map the DVR's internal IP to one of my 5 available external static IPs.  Is there a need to set a port, or include a port in the IP address when accessing from the outside, or will hitting strictly on that static IP be enough?
0
 
LVL 9

Accepted Solution

by:
Press2Esc earned 250 total points
ID: 22880488
Due to the design limitations, you can NOT configure ports on the netopia using mulitple static IPs (MSIPs).  While configuring mulitple statics are more complicated, the config is primarily the same.  

At the Netopia menus, under ExpertMode, click > Configure > Advanced > IP Maps: Add 192.168.1.200 for Internal Address & x.x.x.18 for the External Address > Submit...
For purposes of clarity, I would recommend configuring the DHCP Server (Advanced > DHCP Server) on the Netopia with a start to stop addresses of 192.168.1.50. to 192.168.1.75, respectively.
Finally, set the stateful inspection params for your MSIPs.... click Security > Stateful Inspection > Exposed Addresses > Add: enter Start / End address to x.x.x.18 to x.x.x.22, respectively.  Click Submit > Alert (!) > Save & Restart.

On your DVR, configure the wan side ip to 192.168.1.200 witha netmask of 255.255.255.0 & 192.168.1.254 (gateway) address.
your cctv should be viewable via x.x.x.18...
P2E
0
 

Author Closing Comment

by:JoeBryce
ID: 31512136
Thanks so much.  It is up and running on the outside IP.
0
 

Expert Comment

by:kimjae04
ID: 24698121
Hello

I know this sound dumb but I been trying to configure my AT T DSL Router (Netopia 3000) with my CCTV Unit

Here are my setting Please Help

I have 5 static IP

DHCP Server Address: xxx.xxx.xxx.192 to xxx.xxx.xxx.197

I can access my router thought this IP address xxx.xxx.xxx.198

 I setup Pinholes as follows:
TCP
External Port start: 80
External Port End: 80
xxx.xxx.xxx.196
Internal Port 80

I also setup IP Maps

Internal IP Address: xxx.xxx.xxx.196
External IP Address xxx.xxx.xxx.196


DVR Static IP is as follows

Ip Address: xxx.xxx.xxx.196
Sub Net Mask is: 255.255.255.248
Gateway is xxx.xxx.xxx.198


Please Help. Thank you very Much
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now