Access Cameras Inside Lan from Phone - Rules ? NAT ? Forward ? Alias?
-
Hello All,
I am sure it has been asked and explained many times. I just cant find my scenario.
I need to be able to access the cameras from Inside the LAN with an Iphone.
I have the ports I need to open according to the camera guy. 554,443,5152
forwarding rules to NVR from outside work.(not my idea, the alarm/camera guy, owner good with it). Can access the cameras from Phone from outside.
Inside LAN we can access the cameras from a hardwire desktop with the camera software.
Inside LAN we cannot access the cameras from a phone connected to LAN Wifi.
I have tried creating NATs, Alias, Forwards, and I cannot get it to work.
So question is... what do i need to create to make this work ?
I have read the documentation over and over. just not working.
Any help is greatly appreciated. -
The solution, as always :
Set up an OpenVPN server on pfSense.
Install the OPenVPN connect app on your phone, and import the OpenVPN access file.
This part is well covered by a couple of thousand video's. Start here : Youtube => Netgate => OpenVPN video's.Before accessing your camera's (from the outside) :
Activate the OpenVPN connection on your phone.
Start your camera app using it's RFC 1918 IP.edit :
Typically, services that need a public access, like mail or web server, need a direct, NAT, connection.
Services that are considered private should be protected : VPN is good way to do that. -
@gertjan said in Access Cameras Inside Lan from Phone - Rules ? NAT ? Forward ? Alias?:
The solution, as always :
Set up an OpenVPN server on pfSense.I totally agree.
Exposing your cams to "Public" only makes "Shodan" happy./Bingo
-
@dmcgurn said in Access Cameras Inside Lan from Phone - Rules ? NAT ? Forward ? Alias?:
Inside LAN we cannot access the cameras from a phone connected to LAN Wifi.
So your wifi is on the same network as this lan computer that can access it, or its another vlan, or its behind a nat via some wifi router on the network?
If your pc is the same network as camera and your using some sort of L2 discovery that would explain why you can access the camera from the PC. If your wifi is on different network than the camera then no discovery would not work. You would need to make sure this other network your wifi is on is allowed to talk to the camera IPs on the ports used, but discovery wouldn't work you would need to directly access the camera or nvr via its IP, etc. Or setup a fqdn on your local network that resolves to that IP. Depending on the discovery method used - it might be possible to setup say avahi to allow for the discovery, and then you would just need to allow the traffic through the firewall.
As others have mentioned already - its a bad idea to expose cameras to the public internet.. Just bad! If you want to view your camera feeds while remote - vpn to your network first.
owner good with it
Most likely because he doesn't know any better ;) If your helping him, you should explain to him why this is bad, and its not a good idea at all.. And there are more secure ways to access the feeds while remote.
You might ask your doctor if its a good idea to eat a carton of ice cream every morning for breakfast. If he doesn't warn you that its a bad idea, and offer better options for breakfast - he isn't doing his job, or he is a horrible doctor ;)
-
Wifi and Lan are same VLAN. Only 1 network going on.
In the midst of setting up OVPN now. Owner will appreciate security as they do not know any better. They have been going on Camera/Security guy suggestion for years.
So from Outside
OVPN to NVRWhat do I need to do for the inside for phone connected to wifi to see NVR?
Rules ? NAT ? Forward? Alias? or should it just work ? -
@dmcgurn said in Access Cameras Inside Lan from Phone - Rules ? NAT ? Forward ? Alias?:
What do I need to do for the inside for phone connected to wifi to see NVR?
Rules ? NAT ? Forward? Alias? or should it just work ?If its on the same network it should just freaking work.. Since the pc does makes no sense another device on same network wouldn't
What would make sense for why wifi not working if same network, is isolation mode setup.. AP or Client isolation are two common terms used.. This normally prevents wifi clients from talking to each other or wired devices.
Or guest wifi network vs normal wifi network as well. But this normally not really an option when just using wifi router as AP which is what should be done when using pfsense.
