Maybe OT - Home Network issue

Hi

I have a problem accessing a computer that's on my home network from the outside world and was wondering if anyone here could help.

The setup is as follows:

I have Comcast internet with a cable modem

The cable modem is connected to a Linksys WRT54G wireless/wired router

I have 3 computers attached to the router via CAT5

The computer I'm trying to connect to from the outside world resides at address 192.168.1.105 as assigned by the router.

The computer at 192.168.1.105 is a surveillance computer with 2 Defender video capture cards installed and working.

The surveillance software uses ports 3100 (HTTP), 1159 (DATA), and 1160 (Command)

In the router setup under gaming and applications / port forwarding, I forwarded all 3 of the above ports to 192.168.1.105

I obtained my real world IP address through whatismyip.com which reports the addy as 76.127.144.xxx

If I open IE on a computer connected to the home network and type in

192.168.1.105:3100 I'm able to access and view the connected cameras

However if I'm on a computer that is outside of my home network and I type in 76.127.144.xxx or 76.127.144.xxx:3100 the page can't be found.

Can anyone help me figure out why I can't access my surveillance computer from the outside world?

Any help would be most appreciated.

TIA

Bob


You need to setup port forwarding for ports 3100 (HTTP), 1159 (DATA), and 1160 (Command) in the Linksys WRT54G. It's under "Applications and Gaming" menu:

--
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Don't do it that way, you'll soon have hackers swimming around your network trying one known exploit after another. Your connections will also drop if the external ISP engages to block or traffic manage these ports - some do.

If you have a machine permanently running on your network, or you can make one start remotely, install a VPN endpoint service on it. There are many to choose from - I use OpenVPN on a linux box.

Then when you are out and about, start the matching VPN client (some come already built into your OS, or even office router - but sadly not OpenVPN) and then your packets will route properly into your home network.

It's secure, encrypted communications and in my case with bridging allows my external device to take on a similar IP address to home.

You can then run IP connections to anything and not worry about port forwarding this, and setting complicated rules for that.

--
Adrian C

Ummm... Please explain to me how opening 3 ports to a specific device (web camera) can open the entire network to hackers. Unless there is a security problem in the web camera (it does happen), I don't see how this can be done.

Incidentally, I'm amazed at how many cheap routers hang with this rather old tester:

Most block port 25 (SMTP) to discourage spam relays and users running their own mail servers. There are also a few that block or throttle BitTorrent and other forms of file sharing. However, that's done by sniffing the traffic, not by any specific port number. A few block port 80 (HTTP) for no rational reason. Except for the various satellite providers, none that I know about block any other incoming ports.

If you're worried about outside hackers, they're far more likely to pound on port 8080 (remote admin) on the assumption that most users don't bother to change the default password on their router.

Yep. That's secure. It can also be done on the WRT54G using alternative firmware (i.e. DD-WRT). The problem is that the WRT54G lacks sufficient CPU power to run more than one VPN tunnel at a time. Seems a bit too complicated a solution to secure just a web camera.

Incidentally, both my office and home networks are on static addresses (also known as the perfect target), and probably have 15 assorted ports forwarded to various devices on the LAN's. I also run a VPN between the two networks. It's been roughly like this since about 1995. No problems with hackers, except when I left IPP wide open, and someone printed a ream of paper on my laser printer. My firewall logs show plenty of automated scans, probes and attacks, but no successes. (Hint: I erratically run my own vulnerability tests.)

Ever measure performance through a VPN tunnel? I don't have the numbers handy, but as I vaguely recall, there was quite a large performance hit on thruput in both directions.

Yep. Small warning about selecting the IP address block for the home network. You're probably using the default IP address block supplied with the WRT54G, which is 192.168.1.xxx. If your remote VPN client just happens to be using the same IP block, there is a very real chance that the IP addresses delivered from the VPN server IP address pool will result in a duplicated IP address. It probably won't be the client that is duplicated, but it may duplicate a printer, NAS box, or in this case, a web cam. If you're going to play VPN, set your home network to something other than 192.168.[0-2].xxx. Zero is common on Netgear, 1 is Linksys, 2 is Belkin. I use 192.168.111.xxx and setup my customers for other creative numbers.

True. You don't need port forwarding with a VPN. However, I think a VPN is a far more complicated solution than simple port forwarding.

--
Jeff Liebermann
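The address-collision warning above is easy to check mechanically before standing up a VPN. The following is an added example, not code from anyone in this thread: it takes the home LAN block, the block the remote client happens to sit on, and the home devices you care about (the camera at 192.168.1.105 from the original post), reports which home hosts would be shadowed by an overlapping remote network, and picks a /24 that avoids the vendor defaults named above (192.168.0/1/2.x). The device names and the choice of 192.168.0.0/16 as the search space are assumptions made for the example.

```python
import ipaddress

# Vendor default LAN blocks named in the thread: Netgear, Linksys, Belkin.
COMMON_DEFAULTS = [
    ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24")
]


def check_vpn_addressing(home_lan, remote_lan, home_devices):
    """Report whether a remote VPN client on remote_lan would collide with home_lan.

    home_devices: dict of name -> IPv4 address string for hosts that must stay
    reachable over the tunnel (printer, NAS, camera ...).
    """
    home = ipaddress.ip_network(home_lan, strict=False)
    remote = ipaddress.ip_network(remote_lan, strict=False)
    report = {
        "overlap": home.overlaps(remote),
        "home_is_vendor_default": home in COMMON_DEFAULTS,
        "shadowed": [],
    }
    if report["overlap"]:
        # Any home host whose address also lives inside the remote block is
        # unreachable from the client: the client routes it locally instead of
        # down the tunnel, and may even find a live duplicate next to it.
        report["shadowed"] = [
            name for name, addr in home_devices.items()
            if ipaddress.ip_address(addr) in remote
        ]
    return report


def pick_private_block(avoid=()):
    """Return the first /24 inside 192.168.0.0/16 that is neither a vendor
    default nor overlapping any block in `avoid` (e.g. networks you roam onto)."""
    avoid_nets = [ipaddress.ip_network(a, strict=False) for a in avoid]
    for candidate in ipaddress.ip_network("192.168.0.0/16").subnets(new_prefix=24):
        if candidate in COMMON_DEFAULTS:
            continue
        if any(candidate.overlaps(a) for a in avoid_nets):
            continue
        return candidate
    return None


if __name__ == "__main__":
    # Constructed scenario: a Linksys default LAN at home, and the remote client
    # is sitting on another Linksys default LAN (coffee shop, friend's house).
    devices = {"camera": "192.168.1.105", "printer": "192.168.1.20"}
    print(check_vpn_addressing("192.168.1.0/24", "192.168.1.0/24", devices))
    print("suggested home block:", pick_private_block(avoid=["10.0.0.0/8"]))
```

Running it with both ends on 192.168.1.0/24 flags the overlap and lists both devices as shadowed; moving the home LAN to something like 192.168.111.0/24 clears the report.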

k.

Thanks for all your help guys. The VPN does seem awfully complicated considering my quest to accomplish this has taken oh so long. Reading the last message makes me feel better about leaving a couple ports open. I did manage to get it to work (a friend of mine was able to connect and view). Turns out the firewall software on the surveillance computer needed the ports forwarded also. I'm so psyched about this. I've been running the security DVR for years but never managed to figure out how to make the remote view from the outside world work.

Thanks very much again

bob

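The resolution above (router forward was fine, the host firewall on the DVR machine was the blocker) is the classic two-layer failure in port forwarding. The script below is an added example, not code from anyone in this thread: it probes the three DVR ports (3100, 1159, 1160 from the original post) with a plain TCP connect, once against the LAN address from inside and once against the WAN address from a host outside the network, and turns the two result sets into a per-port verdict that separates "service not listening / host firewall" from "router forward or ISP filter". The host addresses are passed on the command line; the verdict wording is the example's own.

```python
import socket
import sys

# Ports the surveillance software uses, as listed in the original post.
CAMERA_PORTS = {"HTTP": 3100, "DATA": 1159, "Command": 1160}


def tcp_port_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, no route
        return False


def probe(host, ports=CAMERA_PORTS, timeout=2.0):
    """Probe every named port on host; returns dict name -> bool."""
    return {name: tcp_port_open(host, port, timeout) for name, port in ports.items()}


def diagnose(lan_results, wan_results):
    """Combine an inside probe (LAN address) and an outside probe (WAN address).

    - open on both: the forward works end to end
    - open on LAN only: service is fine; look at the router forward, the
      host firewall's scope (some only allow the local subnet), or ISP filtering
    - closed on LAN: the service is not listening or the host firewall blocks it,
      so the router forward cannot be judged yet
    """
    verdicts = {}
    for name, lan_ok in lan_results.items():
        wan_ok = wan_results.get(name, False)
        if lan_ok and wan_ok:
            verdicts[name] = "reachable from outside"
        elif lan_ok:
            verdicts[name] = "LAN only: check router forward, host firewall scope, ISP filtering"
        else:
            verdicts[name] = "not listening on LAN: check service and host firewall first"
    return verdicts


if __name__ == "__main__":
    # Usage: python probe_dvr.py <lan-address> <wan-address>
    # Run the WAN half from a host outside the network: many consumer routers
    # do not hairpin, so probing your own WAN address from inside fails even
    # when the forward is correct.
    if len(sys.argv) != 3:
        sys.exit("usage: probe_dvr.py LAN_ADDR WAN_ADDR")
    lan = probe(sys.argv[1])
    wan = probe(sys.argv[2])
    for name, verdict in diagnose(lan, wan).items():
        print(f"{name:8} port {CAMERA_PORTS[name]:5}  LAN={lan[name]!s:5} WAN={wan[name]!s:5}  {verdict}")
```

In the original post's situation the inside probe from another LAN host succeeded while the outside probe failed, which the verdict table maps to "LAN only"; a host firewall that admits only the local subnet produces exactly that pattern, so it is worth checking before assuming the router or the ISP is at fault.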

Yup, security issues in firmware. It does depend on the hardware, and frequency that manufacturers apply firmware updates for security issues. A buffer overrun is a common exploit to crash hardware things, and inject software that could do some further exploration, find access passwords or inflict some damage. Laser Printers have been shown to be particularly vulnerable to exposing sensitive commercial information, but that's really a risk for the office environment.

I have a network here that is exposed to BitTorrent/P2P transfers. After a session of that, the router is not that stable and needs restarting. Buffer overrun or overheating suicide? Router firmware is up to date, caps changed in PSU and the box has a fan (bit weedy though). I probably need to change the router.

They do. I occasionally use Mobile Broadband when I'm about where I find some ports blocked beyond SMTP. Some UK ISPs (mobile & fixed line) traffic manage all sorts of ports applying different QoS priorities to keep some of their users happy. Some even peg down Usenet traffic as it could be (and is) used for huge binary transfers, to the detriment of those like me who use text groups.

That is if the router is showing a login page WAN side. I know our ones don't :)

OK, there are easy VPN solutions. OpenVPN is my choice, a little tricky to configure but then I'm a bit of an OS configuration geek.

Whoops.

My firewall logs

I test a lot and find scary things I can't wibble about (which is why I'm down the VPN route).

Yeah, it sucks a bit. But my data (email, RDP) is not that voluminous to worry about it. Got CCTV DVR stuff here, the pictures are small on the streaming so again not much bandwidth. It would be bad for something more realtime, say like Slingbox.

Yup. Ours hangs out somewhere in 10.x.x.x land.

Depends. Once setup I rarely have to fiddle with it, but then I'm using bridging which is easy to setup. Everything just works. Another VPN setup where the internal IP range is not exported requires fiddling with route tables, and maybe is a little faster but fiddly. The route table inside my Windows 6.5 mobile phone drove me nuts - don't go anywhere near Windows mobile products folks if ye are into hacking AND productivity :-|

--
Adrian C

You're opening too many parallel streams at one time. Each stream requires a buffer in the router. If you limit the number of streams, the router will be less likely to hang. This is rather old, but quite informative:

Who does? I've chased various accusations of port blocking by ISP's over the years and found little substance. Instead, when I actually talk to someone at the ISP with a clue, they mention that they would shed users by the hundreds if they ever admitted to doing port blocking. The closest approximation was when Comcast started using Sandvine technology to throttle BitTorrent users and started a court battle on what constituted defending their network from abuse.

Sigh. I don't know anything about how it's done outside of the US.

Traffic shaping, traffic management, QoS, and other forms of prioritization are not really port blocking.

Now that you mention it, the local hospital and a few corporate LAN's that I deal with have various rule sets for blocking traffic. For example, on the public access part of the hospital network, all UDP traffic is blocked. Were the OP to setup his web camera on such a network, it wouldn't work. However, the hospital is not an ISP.

I'm lazy and just read the security advisories:

I gotta remember not to read them before going to sleep as it gives me nightmares. I also have to remember to read them BEFORE I buy the product.

Here's the damage report for the WRT54G:

Hmmm... SSL key leak. Not good for VPN's, but fixed in 2005.

I have my various security cameras setup to belch one frame per second. I would do it even slower, except that the dim light that conceived the firmware never considered that a problem. The default mode is for the camera to use every bit of bandwidth it can possibly hog, ensuring 100% utilization and 100% constipation.

That works well except that many corporate LAN's use 10.xxx.xxx.xxx net. I cleverly setup one LAN on 10.10.10.xxx, and soon discovered that the company had a remote office on the other side of the planet using the same Class C subnet. IP Management? Surely you jest. (Note: I've been playing with IPv6. It's so much nicer not to have to worry much about IP address collisions and NAT complications).

I have static routes setup all over the place in various routers. Sometimes, it's simply to access a DSL or cable modem on the wrong side of the router NAT. Some of my ham radio stuff goes to 44.xxx.xxx.xxx but that's uncommon. I have an isolated LAN in the office (for testing virus infected machines) that requires a static route to access. Once setup, I rarely have to fiddle with it, until something else breaks it. That's about 2-3 times per year when I borrow some new toys or drag in some customers nightmare.

Thanks. I have several WM devices and have learned to hate them.

--
Jeff Liebermann
