Another WAN from LAN issue: NAT loopback
-
If you want it to be the same URL inside and outside you will have to:
Make two hostnames inside (pointing one at each camera) and two hostnames outside (both pointing at your outside IP).
Change the camera listening ports so the same port outside goes to the same port inside.
Then http://blah123.no-ip.org:123/ and http://blah456.no-ip.org:456/ (for example) will work from inside or outside.
-
I already had each camera on a different port using the same external no-ip.org address and it works fine outside the network…
So I have logged into my website host and set a subdomain ipcam1 and another called ipcam2.
I forwarded these to my blahblah.no-ip.org address,
so they will always be pointing to my external IP, and changed the camera link on my phone to cam1.mywebhost:1234 and cam2.mywebhost:2345,
so they now work internal and external using the Split DNS as suggested above.....
This is a workaround though, as NAT loopback should work correctly but it doesn't....
-
NAT reflection is an ugly hack. Take comfort in knowing you did it right instead of easy.
-
"This is a workaround tho"
No, your idea that you should send traffic from the LAN side of your firewall to the public side to be forwarded back in with a source IP that came from your LAN side is, as stated, an UGLY hack!!!
This can cause asymmetric routing; it's pretty much a security concern. So your firewall is allowing traffic when it says it came from the internal private network? Did it really, or was the source spoofed?
So your client sends traffic to 1.2.3.4, which is off his network, so he sends to the gateway.. Shouldn't it be concerned that return traffic came from 192.168.1.x ?? When the server at 192.168.1.x sees the inbound traffic that says it came from 192.168.1.y
NAT reflection is a hack that really shouldn't even be there.. Nobody in networking would ever expect that NAT reflection should be a viable option.. Only people not knowing what they are doing would expect such a thing to be a solution.
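The packet path described above, as an added example that is not part of any post in this thread. It is a simplified model: the firewall is treated as a pure address rewriter, and the client, camera and firewall LAN addresses, the client port and the camera port are constructed (1.2.3.4 follows the thread's placeholder).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# Constructed sample values for illustration only.
CLIENT, CAMERA, FW_LAN = "192.168.1.50", "192.168.1.10", "192.168.1.1"
WAN_IP, PORT, CLIENT_PORT = "1.2.3.4", 1234, 40000

def reflect(pkt, snat):
    """Firewall reflection: rewrite dst to the camera (DNAT); with snat=True
    also rewrite src to the firewall's LAN address."""
    return Packet(FW_LAN if snat else pkt.src, pkt.sport, CAMERA, pkt.dport)

def camera_reply(pkt):
    """The camera answers whatever source address it saw."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def client_accepts(sent, reply):
    """A TCP client only accepts a reply that mirrors the tuple it sent."""
    return reply == Packet(sent.dst, sent.dport, sent.src, sent.sport)

def connect(target, mode):
    """mode: 'direct' (split DNS), 'reflect' (DNAT only) or 'reflect+snat'."""
    sent = Packet(CLIENT, CLIENT_PORT, target, PORT)
    seen = sent if mode == "direct" else reflect(sent, mode == "reflect+snat")
    reply = camera_reply(seen)
    # Client and camera share a subnet, so the reply only returns through
    # the firewall when it is addressed to the firewall itself.
    via_fw = reply.dst == FW_LAN
    if via_fw:
        # The firewall's state table undoes both translations.
        reply = Packet(WAN_IP, PORT, CLIENT, sent.sport)
    return {"accepted": client_accepts(sent, reply),
            "reply_via_firewall": via_fw,
            "camera_sees": seen.src}

if __name__ == "__main__":
    for target, mode in [(CAMERA, "direct"), (WAN_IP, "reflect"),
                         (WAN_IP, "reflect+snat")]:
        print(f"{mode:13} {connect(target, mode)}")
```

In the reflect-only case the reply arrives from the camera's address instead of 1.2.3.4, so the client drops it; adding source NAT fixes delivery but the camera then sees every internal client as the firewall.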
-
You know what I recommend?
First - Never expose it directly to the internet - use a VPN.
Second - Address it directly by IP
That's what I do.
Port forwarding to an IP cam from the web is begging for a hack.
-
Just try NAT+proxy, it must do the job
-
https://forum.pfsense.org/index.php?topic=86803.0
-
You know what I recommend?
First - Never expose it directly to the internet - use a VPN.
Second - Address it directly by IP
That's what I do.
Port forwarding to an IP cam from the web is begging for a hack.
As said earlier, my cam is locked down firstly with a decent password; secondly, I only allow my work IP and my mobile phone subnet to access the IP. All other IPs trying to connect to that port are blocked by the firewall, so firstly they would need to hack the firewall before they can get to the cams.
Secondly, I can't have VPN on all the time as I access them from work and from my phone; having the phone on VPN all the time is not practical.
I have a dynamic IP, so using the IP will not work as it changes from time to time
-
Sounds like it's super secure then. Problem solved.
-
"cant have phone on VPN"
Who said it had to be on all the time? It takes seconds to connect to VPN from the phone. As to from work - again, I VPN into my home network from work all the time. Nice thing about OpenVPN is you can bounce off a proxy like many work networks require ;)
-
Oh yeah, I know it's easy to turn off and on, but I have a widget on my home screen, so that means I would have to have it on all the time, otherwise the widgets wouldn't work, but it's not a major problem.
And with my work, no need to bounce via proxy ..