Lorex NVR Rule
-
I have a Lorex NVR which only works if I create a rule to allow 10.69.0.135 (NVR IP) on any port and any destination. When I go to the Lorex site, they say it only requires 80, 443, 123, 35000, 35001. When I create the alias for those ports, no traffic flows.
When I view the System logs under firewall I see a ton of ports open by what looks to be Amazon IP addresses (whois lookup). Anyone have any experience with allowing only specific ports and IPs to the NVR, or do I just need to allow everything to the one NVR IP address?
Picture attached for examples.
-
@technolust
Seems like you can register (your box) at lorexddns.net, and even change to 8080.
https://help.lorextechnology.com/link/portal/57356/57366/Article/1356/Port-Forwarding-Port-80-blocked-by-ISP
For example, if your DDNS was firstname.lastname.lorexddns.net and you changed your port to 8080, your new DDNS would be firstname.lastname.lorexddns.net:8080.
That lorexddns.net seems to have something to do with Google. Could even be running at AWS.
whois lorexddns.net
Domain Name: LOREXDDNS.NET
Registry Domain ID: 1340028436_DOMAIN_NET-VRSN
Registrar WHOIS Server: whois.google.com
Registrar URL: http://domains.google.com
Updated Date: 2021-11-24T05:04:28Z
Creation Date: 2007-11-23T20:40:49Z
Registry Expiry Date: 2022-11-23T20:40:49Z
Registrar: Google LLC
Registrar IANA ID: 895
Registrar Abuse Contact Email: registrar-abuse@google.com
Did you set that ddns stuff up ??
Do you need it, in order to access the NVR from Inet ?
Describe what you wish/want, a bit more ...
-
@bingo600 Thanks for the response! Man, everything and everyone seems to be in bed with Google and Amazon these days... Either way I will try to set up the Lorex with their DDNS. Just frustrating when I don't want to open all ports to Amazon let alone Google...
> Did you set that ddns stuff up ??
I did not set this up, before I installed the pfsense firewall it worked fine. However, that was using a Netgear R9000 for firewall and gateway....
> Do you need it, in order to access the NVR from Inet ?
Yes, I'm not able to access the NVR from the app on my phone.
-
Hey @Technolust and @Andersen,
I've dabbled in the intriguing realm of Lorex NVR configurations before, and I totally get the frustration when things don't align as they should. Your quest to streamline the NVR access is commendable, and I might have a few thoughts to help you in this conundrum.
The Lorex site's recommended port settings are indeed a good starting point, but sometimes these devices can be a bit temperamental. You've already tried creating an alias for the ports without success, which is puzzling.
Considering the swarm of Amazon IP addresses in your firewall logs, it's possible that the NVR might be utilizing additional ports dynamically, especially if it's connecting to cloud-based services like AWS. Instead of locking down specific ports, you might want to consider a more permissive approach.
One idea is to set up a rule to allow traffic from your NVR's IP address on all ports but restrict the destination to your local network only. This way, you maintain some control while still accommodating potential dynamic port usage.
Additionally, your mention of lorexddns.net is interesting. Registering your box there and experimenting with port 8080 could yield positive results, especially if it has ties to Google or AWS, as you hinted. It might be worth exploring further.
-
@alexmay we certainly appreciate your thoughts and insight on this for sure! What I ended up doing because of the sheer capitulation from port mappings… I created an Alias for the NVR and Doorbell (Lorex Devices) and allowed all ports to those two devices only. As much as I loathe AWS and Google, the dynamic source port mappings far exceed my capacity to continue allow/deny round robin port maps.
Maybe I could try allowing ports 5088, 5070, 8080 from the source to those ios but I’m not 100% confident on my ability to get this rule correct on the LAN side…
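
Added example, not part of the thread and not Lorex or Netgate code: rather than guessing ports, the firewall log itself can be summarised to show which destination ports the NVR is being blocked on, which is what a narrower alias would be built from. It assumes pfSense's raw filterlog CSV layout for IPv4 TCP/UDP; the function names are hypothetical, and the log lines, destination addresses and port 8800 are constructed.

```python
from collections import defaultdict

NVR_IP = "10.69.0.135"                       # NVR address given in the thread
VENDOR_PORTS = {80, 443, 123, 35000, 35001}  # ports the first post quotes from Lorex

# Constructed sample lines in pfSense's raw filterlog CSV layout (IPv4 TCP/UDP).
# Destinations are documentation addresses and port 8800 is made up for the demo.
SAMPLE_LOG = """\
Jan 10 09:00:01 fw filterlog[123]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1001,0,DF,6,tcp,60,10.69.0.135,203.0.113.10,40001,35000,0,S
Jan 10 09:00:02 fw filterlog[123]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1002,0,DF,6,tcp,60,10.69.0.135,203.0.113.11,40002,35000,0,S
Jan 10 09:00:03 fw filterlog[123]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1003,0,none,17,udp,76,10.69.0.135,198.51.100.7,40003,123,56
Jan 10 09:00:04 fw filterlog[123]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1004,0,DF,6,tcp,60,10.69.0.135,203.0.113.10,40004,8800,0,S
Jan 10 09:00:05 fw filterlog[123]: 7,,,1700000001,igb1,match,pass,in,4,0x0,,64,1005,0,DF,6,tcp,60,10.69.0.135,203.0.113.10,40005,443,0,S
Jan 10 09:00:06 fw filterlog[123]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1006,0,DF,6,tcp,60,10.69.0.50,203.0.113.10,40006,443,0,S
Jan 10 09:00:07 fw filterlog[123]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1007,0,DF,6,tcp,60,10.69.0.135,203.0.113.12,40007,8800,0,S
"""

def blocked_flows(log_text, src_ip=NVR_IP):
    """Yield (proto, dst_ip, dst_port) for blocked IPv4 TCP/UDP packets from src_ip."""
    for line in log_text.splitlines():
        _, found, payload = line.partition("filterlog")
        fields = payload.split(": ", 1)[-1].split(",")
        if not found or len(fields) < 22 or fields[8] != "4":
            continue  # not a filterlog line, too short (e.g. ICMP), or not IPv4
        action, proto, src, dst, dport = fields[6], fields[16], fields[18], fields[19], fields[21]
        # fields[20] is the source port: ephemeral, so a rule should not match on it.
        if action == "block" and proto in ("tcp", "udp") and src == src_ip and dport.isdigit():
            yield proto, dst, int(dport)

def summarise(log_text, src_ip=NVR_IP):
    """Return [(proto, dst_port, hits, distinct_dsts, on_vendor_list)], busiest first."""
    hits, dsts = defaultdict(int), defaultdict(set)
    for proto, dst, dport in blocked_flows(log_text, src_ip):
        hits[proto, dport] += 1
        dsts[proto, dport].add(dst)
    rows = [(p, port, n, len(dsts[p, port]), port in VENDOR_PORTS) for (p, port), n in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print(row)
```

Rows whose last field is False are destination ports the device uses that are not on the published list; a row with many hits on a listed port suggests the rule is not matching that port as a destination.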