Netgate Discussion Forum

    Lorex NVR Ports Not Opening

Category: Firewalling | 14 Posts, 3 Posters, 2.6k Views
Technolust @viragomann (last edited by Technolust)

@viragomann If I want the source device to get to the outside world, don't I need this opened on the destination? At least that's how I was understanding it, because on the source I allowed all ports, thinking the source device can see all ports but outside coming in would only see the ports I allow in the destination.

viragomann @Technolust

@technolust
Yes, but the logs you've posted above don't show any block of the destination port range 40000 - 40100.
You can see only entries with 40058 as source port, not as destination. So you cannot say that it would be blocked.

Technolust @viragomann

@viragomann Ok, I'm confused now. What should it look like?

Allow ports 10000 & 15301 on the destination and remove 40000:40100?

johnpoz, LAYER 8 Global Moderator, @Technolust

@technolust what ports do you need to get to? Those are destination ports. Source ports are normally some random high port that the client uses to make the connection to the destination ports. You almost never have anything in there other than any. Very few applications or services use a defined source port for making a connection.

Your log shows trying to go to ports 10000 and 15301. Are those the only 2 you would need? Then those would be the destination ports you allow, with source port being any.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

Technolust @johnpoz

@johnpoz I made the change so that source ports are any now, but I have the hosts specified.

[screenshot: 3ae9c3b4-fa4b-4cd5-9c9a-c2e5287f5225-image.png]

I have changed the ports to only the destination ports I found in the logs.

[screenshot: 44f7804d-5dae-4500-bce7-dcbdbb7760a0-image.png]

I feel like every time I add a port to the list a different port is being used. I just don't want to do any on the source and destination, but I might just have to for the specified IP addresses.

johnpoz, LAYER 8 Global Moderator, @Technolust (last edited by johnpoz)

@technolust what ports does the thing require? It should be listed on the website.. 52819 seems like an odd port..

That 8800 port seems like a more normal port something would use outbound... You sure you were not looking at source ports in the firewall log..

What I would do is allow it all ports outbound. Log this rule.. And then if you want to lock it down to those ports after it's been working for a while.. You will have a list of ports it uses.

You're not wanting any inbound unsolicited traffic? I would contact the maker of the thing to get a clear and concise list of what is needed inbound (if anything) and what ports it uses to talk to the internet too.. These ports would all be destination ports. Then set up the rules correctly for how you want them.

Technolust @Technolust

@technolust I was thinking the exact same thing. I removed the last three. The only ones on their site are 80, 443, 123, 554, 35000, 35001, and 5050. I did those and no luck. I'm going to go back to allowing all but only the specific IP addresses. It worked but I don't feel comfortable.

Technolust @johnpoz (last edited by Technolust)

@johnpoz Now I have it on any IP for destination and any port. Source IP is the NVR only, but now it's working.

[screenshot: a40aeda3-9893-4bbe-a735-511d87603173-image.png]

johnpoz, LAYER 8 Global Moderator, @Technolust (last edited by johnpoz)

@technolust I never understand, so you trust it enough to use it on your network. But you think what, it's going to be sending your video to china or something? It could do that on 1 port.. You're just making your life harder trying to lock it down to specific ports if you ask me.

Do you have your normal network locked down to specific only ports outbound, so you need to allow for these odd ports?

Locking down outbound ports is almost always an exercise in futility.. Let's say something is compromised - is the compromise guy that wrote the code just an idiot? Why would he not just use say 443? Thus hiding his traffic in with all the other normal internet traffic, etc.

Sure locking down outbound ports might stop some badly written whatever - but it's too late already to be honest because the thing is already on your network, or infected whatever on your network already, etc.

If anything I would be worried about it talking to other stuff on the network, because if it was compromised - at least it can't compromise any of my other stuff.. To the internet - have at it.. Unless you were just going to block all of its internet, specific ports seems like added busy work for no real bang in anything extra.

Better option would be to just log, and look now and then for -- hey WTF is that, that is odd.. And then if odd enough look into what it is.. This is for sure less problematic in stuff not working, etc.

Technolust @johnpoz (last edited by Technolust)

@johnpoz Well that is good to know that I'm not the only one who is like, this is a SH*T ton of work. Partly because I want to learn (be better) at firewall administration. I was trying to pull off the zero trust, but you're right, an attacker is going to come in any path they can take. I use a different brand at work and don't have time to do just that, so I figured I would learn building one at home.

Right now, I allow ports to specific devices. This is the only one that has given me such a huge headache. XBox was a bit hairy but I figured that one out. Has been a good learning experience.

Right now I allow all traffic to all devices internally. I'm going to take heed to your warning about that, but how do I go about locking internal traffic down? As of now, I'm going to just manage the logs; it's far easier.

johnpoz, LAYER 8 Global Moderator, @Technolust

@technolust This is what normally happens in the enterprise.. When we take over a customer, they normally have no clue as to what ports are used by what.

So we log all the traffic for a while. Then go through the ports, and say: is this something we want to allow?

Always better when bringing up something new to log and figure out what it uses before locking it down. Unless the maker/owner can provide a concise list of all ports and/or IPs it needs to talk to. The problem with many of these sorts of devices, and especially games, is they throw out a list of ports, but don't clarify if inbound or outbound, etc.

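The approach johnpoz describes in this post and earlier in the thread (log everything the device does outbound for a while, then read the destination ports out of the log, remembering that the source port is just a random high port the client picked) is easy to get wrong by hand, which is how 40058 got mistaken for a blocked destination port above. The script below is an added example, not code from the thread or from Netgate: it parses pfSense filterlog lines for one internal host and tallies which protocol/destination-port pairs it actually tried to reach, while separately collecting the source ports so you can see they are ephemeral. The log lines are constructed, the NVR address 192.168.1.50 is hypothetical, and the field layout is my reading of the pfSense filterlog CSV format (rule number, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then IPv4- or IPv6-specific fields, then source, destination, and for tcp/udp the source and destination ports); compare it against one line of your own log before trusting the column positions.

```python
"""Tally what one internal host actually talks to, from pfSense filterlog lines.

Added example, not from the thread. SAMPLE_LOG is constructed; the filterlog
column layout below is an assumption about the pfSense CSV format.
"""
import re
from collections import Counter

# Constructed sample: a hypothetical NVR at 192.168.1.50 going outbound, plus one
# unrelated host, shaped like pfSense syslog filterlog lines.
SAMPLE_LOG = """\
Mar  1 10:00:01 pfSense filterlog[55321]: 100,,,1770000001,igb1,match,pass,out,4,0x0,,64,4821,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,40058,10000,0,S,1234567890,,65535,,mss;nop;wscale
Mar  1 10:00:03 pfSense filterlog[55321]: 100,,,1770000001,igb1,match,pass,out,4,0x0,,64,4822,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,40061,15301,0,S,1234567891,,65535,,mss;nop;wscale
Mar  1 10:00:05 pfSense filterlog[55321]: 100,,,1770000001,igb1,match,pass,out,4,0x0,,64,4823,0,none,17,udp,76,192.168.1.50,203.0.113.20,40063,123,56
Mar  1 10:01:10 pfSense filterlog[55321]: 100,,,1770000001,igb1,match,pass,out,4,0x0,,64,4824,0,DF,6,tcp,60,192.168.1.50,203.0.113.10,40070,10000,0,S,1234567892,,65535,,mss;nop;wscale
Mar  1 10:02:00 pfSense filterlog[55321]: 12,,,1000000103,igb1,match,block,out,4,0x0,,64,4825,0,DF,6,tcp,60,192.168.1.50,198.51.100.5,40075,443,0,S,1234567893,,65535,,mss;nop;wscale
Mar  1 10:02:30 pfSense filterlog[55321]: 100,,,1770000001,igb1,match,pass,out,4,0x0,,64,9001,0,DF,6,tcp,60,192.168.1.77,203.0.113.10,51000,8800,0,S,1234567894,,65535,,mss;nop;wscale
"""

FILTERLOG_RE = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")


def parse_filterlog_line(line):
    """Return a dict for a tcp/udp filterlog line, or None for anything else."""
    m = FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 9:
        return None
    action, direction, ipver = f[6], f[7], f[8]
    if ipver == "4":
        # IPv4 block: tos, ecn, ttl, id, offset, flags, proto-id, proto-text, length
        proto, src, dst, rest = f[16], f[18], f[19], f[20:]
    elif ipver == "6":
        # IPv6 block: class, flow-label, hop-limit, proto-text, proto-id, length
        proto, src, dst, rest = f[12], f[15], f[16], f[17:]
    else:
        return None
    if proto not in ("tcp", "udp") or len(rest) < 2:
        return None  # icmp and friends carry no port pair
    return {"action": action, "direction": direction, "proto": proto,
            "src": src, "dst": dst, "sport": int(rest[0]), "dport": int(rest[1])}


def summarize_host(lines, host):
    """Count (proto, destination port) pairs the host tried outbound; collect its source ports."""
    dest_ports, source_ports = Counter(), set()
    for line in lines:
        rec = parse_filterlog_line(line)
        if rec and rec["src"] == host and rec["direction"] == "out":
            dest_ports[(rec["proto"], rec["dport"])] += 1   # passed or blocked, we want to know it tried
            source_ports.add(rec["sport"])
    return dest_ports, source_ports


def port_role(lines, host, port):
    """Whether `port` appeared for `host` as source, destination, both, or not at all."""
    dest_ports, source_ports = summarize_host(lines, host)
    as_dst = any(p == port for _, p in dest_ports)
    as_src = port in source_ports
    return {(True, True): "both", (True, False): "destination",
            (False, True): "source", (False, False): "absent"}[(as_dst, as_src)]


def allow_list(lines, host):
    """Destination ports a pass rule for this host would need, as 'proto/port' strings."""
    dest_ports, _ = summarize_host(lines, host)
    return sorted(f"{proto}/{port}" for proto, port in dest_ports)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    nvr = "192.168.1.50"
    dest, src = summarize_host(lines, nvr)
    print(f"{nvr} destination ports:", dict(dest))
    print(f"{nvr} distinct source ports ({len(src)}):", sorted(src))
    for p in (40058, 10000):
        print(f"port {p} seen as: {port_role(lines, nvr, p)}")
    print("candidate allow list:", allow_list(lines, nvr))
```

Run against the constructed sample, the NVR's destination ports are tcp/10000, tcp/15301, tcp/443 and udp/123, while 40058 shows up only as a source port, so a rule allowing destination 40000:40100 would never have matched anything. Feeding it your own exported log (one filterlog line per element of `lines`) over a week of the "allow all, log it" rule johnpoz suggests gives the list to lock down to; the blocked-but-attempted entries stay in the tally on purpose, since those are exactly the ports you still have to decide about.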
Technolust @johnpoz

@johnpoz Exactly what I have been experiencing! Thank you so much for the help/information/confidence; I've been struggling and thinking how horrible I am at this. There is a lot to learn, and building this pfSense out has been fun and eye opening. The community here certainly is one of the best!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.