Need some help. UPnP vs port forwarding for security camera remote access.

sram ([H]ard|Gawd, joined Jul 30, 2007, 1,699 messages)
Hi, how is it going?
This may seem very basic to some people, but bear with me. In the past, I used to set up port forwarding and DDNS to remotely access my security IP cameras installed at home. It has been some time since I last did it. Now I'm doing a new setup for a new home security system, but there is something that I don't get right. I just discovered that you can use UPnP instead of port forwarding to access your cameras from outside. Some of the new cameras I bought have UPnP enabled by default and this somehow messed me up. As I'm talking, everything is working fine, but something doesn't add up, and let me tell you what it is. I discovered that when UPnP is enabled in the IP camera settings, the UPnP mapping table in my router configuration page is filled automatically (my router is a Netgear R7000) and I see the internal IP address of the camera along with the port number configured for the camera. Now if I enter my DDNS host name followed by that port number, I am forwarded to the camera web page successfully. If I enable UPnP in another camera, the table in my router is filled again and forwarding works successfully. This is what is happening now and all my cameras can be accessed remotely. While UPnP is enabled, I don't seem to be able to set up port forwarding in my router (it says something like "The specified port(s) are being used by other configurations"), even if I want to do it for another device!!!... Is this right or normal?
I wanted to do remote access my old-fashioned way, via the port forwarding page in my router. So I disabled UPnP and went to configure port forwarding, but it didn't work. What should you do anyway? You choose port forwarding > select the service name (HTTP, for example) > enter the server IP address (the camera's internal LAN address) > and then input the external/internal start port, which is the port number configured for the camera in its web page. I did this but it didn't work. My external IP address is synced with my DDNS host name, but when I entered my hostname followed by the port number used by the camera it didn't forward me to the camera page. I don't know why! And why can't I set up port forwarding for a different device (for example my NAS), which obviously uses a different LAN IP address, when UPnP is enabled for some other devices? I'm missing something. Can't UPnP and port forwarding be used simultaneously?

Can I use UPnP for one camera and port forwarding for another ?
 
Any "firewall" that supports UPnP is not a firewall. Devices inside your network should NOT be able to open pinholes into your network. Disable that crap and use manual port forwarding.
Okay, one step in the right direction, I guess. I see your point. I'm exposing my network. I will disable it and see how I can configure port forwarding manually. Thanks.
 
Any "firewall" that supports UPnP is not a firewall. Devices inside your network should NOT be able to open pinholes into your network. Disable that crap and use manual port forwarding.
Second this--UPnP is the biggest security hole ever created. Do your manual setup like you did before. You may not need to enter the port number. I would also try with your direct public IP first and then try the DDNS provider name.
 
How come it is possible that an IP device changes my router configuration by having one of its settings enabled? I don't see how this is possible. If UPnP is this insecure, why let it roam free in our routers? An IP device, once connected, can mess up your router settings! Really weird.

I just tried it: I disabled UPnP and tried to set up port forwarding, but it didn't work. I must be doing something wrong, although it seems really easy. What is up with internal port and external port? Should they always be the same? The internal port is the port set for my device in its configuration page, but how do I select the external port?
 
I think that some of you are being a bit over-critical of UPnP. I agree that it would have no place in a corporate network, but in a home where you have direct control over which devices are on the network, it's a bit different. If you're worried about a particular device causing security issues via UPnP, then why did you bring that device into your home network in the first place? On the flip side, UPnP can allow some very handy features that can potentially increase your security, such as allowing a program or device to randomize the port it uses, automatically changing the port it uses on a regular basis. It's also obviously possible to simply look at the port mappings on your router, and easily identify which ports are being mapped via UPnP, making it trivial to identify devices that might be a problem.

What is up with internal port and external port? Should they always be the same?

No they don't have to be the same. For example, maybe you have two different web servers on your network both using Port 80 on their separate internal IP addresses. You only have one external IP, so you can only map one of those to the external port 80. You could map the other to a different external port.
 
I think that some of you are being a bit over-critical of UPnP. I agree that it would have no place in a corporate network, but in a home where you have direct control over which devices are on the network, it's a bit different.

It most certainly does not belong in any network. A network is a network, and all networks should be secure. This treatment of home vs. business networks is precisely the cause that has led us to inferior networking protocols in home networking that only work on a single network.
 
How come it is possible that an IP device changes my router configuration by having one of its settings enabled? I don't see how this is possible. If UPnP is this insecure, why let it roam free in our routers? An IP device, once connected, can mess up your router settings! Really weird.

I just tried it: I disabled UPnP and tried to set up port forwarding, but it didn't work. I must be doing something wrong, although it seems really easy. What is up with internal port and external port? Should they always be the same? The internal port is the port set for my device in its configuration page, but how do I select the external port?
That's the danger of UPnP--it does allow any device to 'request' ports to be opened, and the router will grant it. It has always been one of those 'isn't this great?' ideas that never for a single second thought about the consequences of someone acting maliciously--personally, I think this mindset is the cause of 90% of security holes out there. :rolleyes:

Something is acting funny, as UPnP shouldn't mess with regular port forwarding or vice versa. But this doesn't surprise me on consumer routers, as they can be quite buggy. I would try a factory reset and set up your manual port forwards without touching UPnP and see if that works. If not, upgrade/downgrade to a different firmware and try again--one of the firmware versions shouldn't have this bug.

Oh, and on internal/external port--this allows you to do things like run more than one FTP server by having multiple external ports, for example, and the same internal port number on different IPs, or vice versa. Generally you don't mess with the ports, but some setups might need it.
 
This treatment of home vs. business networks is precisely the cause that has led us to inferior networking protocols in home networking that only work on a single network.
Yep, the division of computing into 'home' vs. business was one of the turning points in the entire IT sector--inferior quality devices and methodologies invented just for the 'home' market that was perfectly served by the business products and services, but people at home whined about cost. And yet there are now $400 home routers in existence when enterprise routers are less. And crappy nonsense marketing to fool idiot home consumers, such as what is used for Wi-Fi speeds or powerline speeds. And of course, garbage drives designed for 'home' use versus what used to be the norm--24x7 with a proper MTBF spec.

Of course a lot of this is in the past, but it still pisses off my old self. Oh... and get off my lawn!

Bottom line is that if you want something to be secure or 'done right', see what is being done in the enterprise or business and emulate that the best you can. For example, you don't port forward in business--you use an IPsec VPN tunnel to have a device securely tunnel into the network and then connect with a local device like it's local. Or the local device transmits up to 'the cloud', where some sort of secure platform allows one to log in and review whatever it is. This second approach is used by a lot of consumer companies in poor implementations that either lock in a user or potentially expose their data, or both.
 
Okay it is working now with normal port forwarding. Thanks for all the help. No more UPnP, it is disabled.
 
Okay it is working now with normal port forwarding. Thanks for all the help. No more UPnP, it is disabled.
Sweet! Glad we could help. :) And I'm sure you learned something too. :)
 
You still have a security flaw. You have exposed devices that are more at risk of being attacked (usually because of slow/no security updates or patches for their software/firmware). Port forwarding isn't the answer with security cameras, IMHO. The best way to do this is some type of VPN into your network from outside instead of exposing your internal network. Update the router to one that can run a VPN server, if yours cannot. VPN in and access via local IP.
 
You still have a security flaw. You have exposed devices that are more at risk of being attacked (usually because of slow/no security updates or patches for their software/firmware). Port forwarding isn't the answer with security cameras, IMHO. The best way to do this is some type of VPN into your network from outside instead of exposing your internal network. Update the router to one that can run a VPN server, if yours cannot. VPN in and access via local IP.
You are right, I know I'm still exposing my network. Remote access is not mandatory, as the cameras are working fine and their videos are being recorded on my Synology NAS for whatever period I want (I chose one month), and that's all you want from a camera security system, but I wanted a little more and wanted to have an eye on home while away. I thank you for your warning. Let me enjoy my port forwarding skills for the time being! My router supports VPN service and I have an account with ExpressVPN. I guess that will be my next step.

I remember this line from one networking teacher I learned from: "There is no way to access devices behind a NAT firewall in a local LAN from an external device unless or until you open a connection from inside to outside," or something along these lines.
 
You are right, I know I'm still exposing my network. Remote access is not mandatory, as the cameras are working fine and their videos are being recorded on my Synology NAS for whatever period I want (I chose one month), and that's all you want from a camera security system, but I wanted a little more and wanted to have an eye on home while away. I thank you for your warning. Let me enjoy my port forwarding skills for the time being! My router supports VPN service and I have an account with ExpressVPN. I guess that will be my next step.

I remember this line from one networking teacher I learned from: "There is no way to access devices behind a NAT firewall in a local LAN from an external device unless or until you open a connection from inside to outside," or something along these lines.

Ok, now that you've learned the port forwarding part, end it and secure your network, because I just looked up your router (didn't have time before) and it supports VPN through OpenVPN. You don't need to pay anyone (ExpressVPN or the like) for VPN; you have one. So there is zero reason to do port forwarding.

FWIW, all of my devices (iPhones, iPads, et al.) are auto-connected to VPN when they leave the house, regardless of the network they are connected to.
 
Ok, now that you've learned the port forwarding part, end it and secure your network, because I just looked up your router (didn't have time before) and it supports VPN through OpenVPN. You don't need to pay anyone (ExpressVPN or the like) for VPN; you have one. So there is zero reason to do port forwarding.

FWIW, all of my devices (iPhones, iPads, et al.) are auto-connected to VPN when they leave the house, regardless of the network they are connected to.
Oh I see. There is obviously some more learning that I need to do. I'll look into it when I have time. Thanks.
 
Couldn't resist, I'm doing it now although it is 1:30 am where I am. So let me get this straight.

You enable DDNS in your router and then you enable the VPN service in your router. From your router page you can download some Windows VPN configuration files, which I did. You then go and follow this:

https://kb.netgear.com/23854/How-do...on-my-Nighthawk-router-with-my-Windows-client

and install the OpenVPN software on the client and load the config files downloaded earlier. Then what? This client computer (if it exists somewhere else on the internet) will be able to access my LAN securely via a VPN tunnel? What should you do after the OpenVPN software is installed on this client computer? Input my DDNS hostname in a browser window?

A little help from you guys will do. Thanks.
 
Honestly, you want a DEAD simple VPN where you just download apps and connect?
Go get Tailscale:
https://tailscale.com/
It's a stellar service for exactly this use case. You install Tailscale on your Synology, and phone or whatever. Log into it from both devices. Then you can either use the VPN IP address, or set it up to expose your internal network across the VPN. All done. No need to share configs or certs or anything.
 
Couldn't resist, I'm doing it now although it is 1:30 am where I am. So let me get this straight.

You enable DDNS in your router and then you enable the VPN service in your router. From your router page you can download some Windows VPN configuration files, which I did. You then go and follow this:

https://kb.netgear.com/23854/How-do...on-my-Nighthawk-router-with-my-Windows-client

and install the OpenVPN software on the client and load the config files downloaded earlier. Then what? This client computer (if it exists somewhere else on the internet) will be able to access my LAN securely via a VPN tunnel? What should you do after the OpenVPN software is installed on this client computer? Input my DDNS hostname in a browser window?

A little help from you guys will do. Thanks.

Start the VPN, create user name(s) and passwords, and the config files. I use Google Drive or similar to transfer config files. On the client, download the OpenVPN software, upload the config file, insert user/pw. Ensure the server name is either your external IP or your external FQDN that is configured in your DDNS provider.


Honestly, you want a DEAD simple VPN where you just download apps and connect?
Go get Tailscale:
https://tailscale.com/
It's a stellar service for exactly this use case. You install Tailscale on your Synology, and phone or whatever. Log into it from both devices. Then you can either use the VPN IP address, or set it up to expose your internal network across the VPN. All done. No need to share configs or certs or anything.

It is simple. It is also peer to peer, where OpenVPN will give you access to your entire home network as if home. This means things like custom DNS, or any home network device, can be accessed and used remotely.
 
Honestly, you want a DEAD simple VPN where you just download apps and connect?
Go get Tailscale:
https://tailscale.com/
It's a stellar service for exactly this use case. You install Tailscale on your Synology, and phone or whatever. Log into it from both devices. Then you can either use the VPN IP address, or set it up to expose your internal network across the VPN. All done. No need to share configs or certs or anything.
Well, that's cool. Everyone likes easy stuff, but since I started the old way I want to finish it for the sake of learning. I will come back to this later. Thanks.
 
Start the VPN, create user name(s) and passwords, and the config files. I use Google Drive or similar to transfer config files. On the client, download the OpenVPN software, upload the config file, insert user/pw. Ensure the server name is either your external IP or your external FQDN that is configured in your DDNS provider.

It is simple. It is also peer to peer, where OpenVPN will give you access to your entire home network as if home. This means things like custom DNS, or any home network device, can be accessed and used remotely.
I will try it and probably come back with more questions.
 
It is simple. It is also peer to peer, where OpenVPN will give you access to your entire home network as if home. This means things like custom DNS, or any home network device, can be accessed and used remotely.
You can set it up to allow whole network access as well a la traditional VPN if you like. It's basically just wireshark, with a couple extra layers on top to make implementation easy and a smidge more resilient.
 
It is simple. It is also peer to peer, where OpenVPN will give you access to your entire home network as if home. This means things like custom DNS, or any home network device, can be accessed and used remotely.
Incorrect on OpenVPN. OpenVPN gives you access to what you tell it to allow, whether an entire subnet or even a single IP within a subnet.
 
I will try your suggestions in order.

I'm now doing this:
https://kb.netgear.com/23854/How-do...on-my-Nighthawk-router-with-my-Windows-client

to VPN into my internal network remotely. I have some questions.

This is my router page:

[image: screenshot of the router's VPN service page]

and these are the steps for VPN setup:

[image: screenshot of the Netgear OpenVPN client setup steps]

My question is: are the clients referred to in my router page the same computer on which you install the OpenVPN software shown in the steps in the 2nd image? I mean, you install the OpenVPN software on a computer connected to the internet somewhere else in the world, and when you run the OpenVPN software on this computer you can access your internal LAN as if you are sitting at home? And the link is of course secure since it is a VPN?

Is this how it is supposed to be?
 
You need the OpenVPN software on the devices you want to use to connect into your VPN. Once it is installed, the zip file downloaded from your Netgear router page gets extracted to said devices, and that is the configuration info to connect to the VPN.

The 2 options listed there are referred to as:
  • Full Tunnel VPN (Internet and Home) - when you connect to this VPN, ALL traffic will route through it and out to the internet
  • Split Tunnel VPN (home network) - only traffic destined for your internal network (LAN) will go over the VPN; all other traffic will go out directly to the internet.
 
You still have a security flaw. You have exposed devices that are more at risk of being attacked (usually because of slow/no security updates or patches for their software/firmware). Port forwarding isn't the answer with security cameras, IMHO. The best way to do this is some type of VPN into your network from outside instead of exposing your internal network. Update the router to one that can run a VPN server, if yours cannot. VPN in and access via local IP.
This is the best way, but it's a lot more set up than most people are willing to do.
 
You are right, I know I'm still exposing my network. Remote access is not mandatory, as the cameras are working fine and their videos are being recorded on my Synology NAS for whatever period I want (I chose one month), and that's all you want from a camera security system, but I wanted a little more and wanted to have an eye on home while away. I thank you for your warning. Let me enjoy my port forwarding skills for the time being! My router supports VPN service and I have an account with ExpressVPN. I guess that will be my next step.

I remember this line from one networking teacher I learned from: "There is no way to access devices behind a NAT firewall in a local LAN from an external device unless or until you open a connection from inside to outside," or something along these lines.
The VPN he's talking about isn't a service like that (but uses the same transport methodology). The easiest way to explain it is that your router is like the service (server) and your phone/tablet/whatever is the client that connects to your server to create a secure connection to your network. Then whatever you want to do inside your network you can do.

The teacher wasn't entirely wrong, but it's also not as simple as that. An IPsec VPN, for example, doesn't have particular ports that are open that aren't already hardened by the mere fact that there's a lot of authentication to start anything on those ports.
 
Couldn't resist, I'm doing it now although it is 1:30 am where I am. So let me get this straight.

You enable DDNS in your router and then you enable the VPN service in your router. From your router page you can download some Windows VPN configuration files, which I did. You then go and follow this:

https://kb.netgear.com/23854/How-do...on-my-Nighthawk-router-with-my-Windows-client

and install the OpenVPN software on the client and load the config files downloaded earlier. Then what? This client computer (if it exists somewhere else on the internet) will be able to access my LAN securely via a VPN tunnel? What should you do after the OpenVPN software is installed on this client computer? Input my DDNS hostname in a browser window?

A little help from you guys will do. Thanks.
Nice! It's never going to work at 1:30am, so I would say sleep. :D Been there done that, lol.

But you have the concepts pretty nailed down. However, good VPN routers don't need any client software aside from what is industry standard and built into devices. I don't know if OpenVPN has got to that point. Otherwise, yes, you need to install a client and then make sure you input the right things in the right fields for the connection to come up. Then you basically just use the device as you would when locally connected. :)
 
Honestly, you want a DEAD simple VPN where you just download apps and connect?
Go get Tailscale:
https://tailscale.com/
It's a stellar service for exactly this use case. You install Tailscale on your Synology, and phone or whatever. Log into it from both devices. Then you can either use the VPN IP address, or set it up to expose your internal network across the VPN. All done. No need to share configs or certs or anything.
Pretty neat. But I'd be worried about when they get hacked and then hackers have access to everything.
 
You need the OpenVPN software on the devices you want to use to connect into your VPN. Once it is installed, the zip file downloaded from your Netgear router page gets extracted to said devices, and that is the configuration info to connect to the VPN.

The 2 options listed there are referred to as:
  • Full Tunnel VPN (Internet and Home) - when you connect to this VPN, ALL traffic will route through it and out to the internet
  • Split Tunnel VPN (home network) - only traffic destined for your internal network (LAN) will go over the VPN; all other traffic will go out directly to the internet.
Good to know that's what these mean--stupid that they label them this way. I always go for a full tunnel so there's nothing that can get in the middle. Plus, if your internet access is faster at home than wherever you're at, RDP into a computer on your local network and browsing will be significantly faster.
 
Oh Samir you posted new stuff. I was busy lately, but I'll do this VPN thingie for sure when I'm free and not at 1 am. Thanks for everything.
 
Just thought of something. There is this camera app I'm using on my iPhone to view the camera feeds while I'm away. I can access them internally and externally using DDNS and port forwarding. So if I VPN into my LAN using my iPhone instead of using a Windows client PC, the iPhone will access the cameras as if it is a local device in my LAN, right?

Right now I just open the app and see all cameras. With VPN there will be one more step: I have to run the VPN software, access my LAN securely, and then open the camera app and see the cameras as if I'm at home. This is how it is, I think.
 
Just thought of something. There is this camera app I'm using on my iPhone to view the camera feeds while I'm away. I can access them internally and externally using DDNS and port forwarding. So if I VPN into my LAN using my iPhone instead of using a Windows client PC, the iPhone will access the cameras as if it is a local device in my LAN, right?

Right now I just open the app and see all cameras. With VPN there will be one more step: I have to run the VPN software, access my LAN securely, and then open the camera app and see the cameras as if I'm at home. This is how it is, I think.
Yep, you nailed it. Basically, the only extra step is connecting to the VPN--then it's just like your phone was at home, so even apps that wouldn't work when you're away from home will--and that's the real advantage, as you can make things that were never meant to be remotely accessible, remotely accessible.
 
Voila. I have done it!!! Using my iPhone! Because it is an iPhone (much easier on Android), it was driving me nuts to transfer the configuration files to the OpenVPN Connect app on my iPhone. There are four files that the app needs to see (two certificate files, a key file, and the OVPN file). There was a way to do it using iTunes, but not anymore. You have to use iCloud or something similar. I used Dropbox. I uploaded all files to my Dropbox account and opened Dropbox on my iPhone. You need to open the OVPN file using the OpenVPN Connect app, but even then it won't work. It will not see the other 3 files. You have to consolidate them all into one file! A little coding syntax was required.
https://www.gaelanlloyd.com/blog/how-to-import-an-openvpn-profile-on-ios-without-itunes/

And it still gave me trouble. I went through this:
https://serverfault.com/questions/649421/openvpn-connect-for-ios-cant-parse-my-ovpn-file
https://forums.openvpn.net/viewtopic.php?t=33558

to fix it. IT WORKED in the end. Stupid OpenVPN Connect app, as you can't use it to navigate to the directory containing all the files. I relied on my data package to get an internet connection on my phone, fired up the VPN, and surprisingly enough I'm in as if I'm local to the LAN. The camera app also worked. Neat. It should be much easier to do using Windows now that I have done it with my iPhone.

Thanks to all.
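The consolidation step described in this post, as an added example that is not code from the thread, from Netgear or from OpenVPN: a small Python script that replaces the `ca`, `cert`, `key` and `tls-auth`/`tls-crypt` file directives of an .ovpn profile with inline `<ca>`...`</ca>`-style blocks, so the result is the single file that the iOS OpenVPN Connect app can import. The sample profile, file names and certificate contents are constructed placeholders; the script refuses to embed anything that is not PEM-style text, since that is the kind of mistake that surfaces later as a "can't parse" error in the app.

```python
"""Merge the separate ca/cert/key files of an OpenVPN client profile into
one inline .ovpn file.

Added example, not code from the thread, from Netgear or from OpenVPN.
It assumes the profile uses the standard 'ca', 'cert', 'key', 'tls-auth'
and 'tls-crypt' directives that name files next to the .ovpn.
"""
import sys
from pathlib import Path
from typing import Callable

# Directives whose argument is a file that can be embedded as <tag>...</tag>.
FILE_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt")


def inline_profile(profile_text: str, read_file: Callable[[str], str]) -> str:
    """Return the profile with every file directive replaced by an inline block.

    read_file(name) returns the text of the referenced file; it is a callback
    so the function can be exercised without touching the filesystem.
    """
    out = []
    # Normalize Windows line endings so the output is uniform.
    for raw in profile_text.replace("\r\n", "\n").split("\n"):
        parts = raw.split()
        if not parts or parts[0] not in FILE_DIRECTIVES or len(parts) < 2:
            out.append(raw)
            continue
        directive, filename = parts[0], parts[1]
        content = read_file(filename).replace("\r\n", "\n").strip()
        # Every file OpenVPN inlines is PEM-style text; anything else (a
        # binary blob, an empty or truncated file) means the wrong file was
        # picked up and the app would fail to parse the profile later.
        if not content.startswith("-----BEGIN") or not content.endswith("-----"):
            raise ValueError(f"{filename}: not a PEM-style file, refusing to inline")
        # 'tls-auth ta.key 1' carries a key direction; once the key is inline
        # that argument has to move to its own 'key-direction' line.
        if directive == "tls-auth" and len(parts) >= 3:
            out.append(f"key-direction {parts[2]}")
        out.append(f"<{directive}>")
        out.append(content)
        out.append(f"</{directive}>")
    text = "\n".join(out)
    return text if text.endswith("\n") else text + "\n"


def inline_profile_file(ovpn_path: Path) -> Path:
    """Inline a profile on disk, resolving file names relative to the .ovpn,
    and write the result next to it as <name>-inline.ovpn."""
    src = ovpn_path.read_text()
    merged = inline_profile(src, lambda name: (ovpn_path.parent / name).read_text())
    dest = ovpn_path.with_name(ovpn_path.stem + "-inline.ovpn")
    dest.write_text(merged)
    return dest


# Constructed sample profile and files, shaped like a router's client bundle
# (Windows line endings included, as such downloads often have).
SAMPLE_PROFILE = (
    "client\r\n"
    "dev tun\r\n"
    "remote vpn.example.invalid 1194 udp\r\n"
    "ca ca.crt\r\n"
    "cert client.crt\r\n"
    "key client.key\r\n"
    "tls-auth ta.key 1\r\n"
)
SAMPLE_FILES = {
    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIBcaSAMPLE\n-----END CERTIFICATE-----\n",
    "client.crt": "-----BEGIN CERTIFICATE-----\nMIIBclientSAMPLE\n-----END CERTIFICATE-----\n",
    "client.key": "-----BEGIN PRIVATE KEY-----\nMIIEkeySAMPLE\n-----END PRIVATE KEY-----\n",
    "ta.key": "-----BEGIN OpenVPN Static key V1-----\n0123abcd\n-----END OpenVPN Static key V1-----\n",
}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(f"wrote {inline_profile_file(Path(sys.argv[1]))}")
    else:
        print(inline_profile(SAMPLE_PROFILE, SAMPLE_FILES.__getitem__))
```

Run it with the path to the downloaded client .ovpn to get a single-file profile beside it, or with no arguments to see the constructed sample converted.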
 
Congrats! Getting your first vpn tunnel working is definitely something to celebrate! :) I still remember my first ipsec tunnel and when I got it working I felt like I had done some sort of magic, haha.

Glad you were able to get that OpenVPN mess sorted--those of us that use an enterprise or SMB VPN router can just use the built-in clients and it's easier, but probably the same hassle if using certificates.

The great thing is that you see the power of doing it. And the cool thing is, you can even set up Windows to do it too, so that you have options. And if you have a Windows client, you can even RDP into your own desktop without worrying about security and access your files or whatever you may need from away. Neat, isn't it?
 
Not only neat but very powerful. Who needs TeamViewer now? In fact, what is TeamViewer?? HAHA :D

I did it for windows as well. Had some problems with TLS versions not matching:
https://www.google.com/search?q=openvpn+windows+10+tls+error+unsupported+protocol&client=firefox-b-d&sxsrf=AJOqlzVfoRNFwuxh24NyUq2QypQls7z2Eg:1675109555172&ei=syTYY-ySCtqQ9u8PoM-emAs&ved=0ahUKEwisuPuvjfD8AhVaiP0HHaCnB7MQ4dUDCA4&uact=5&oq=openvpn+windows+10+tls+error+unsupported+protocol&gs_lcp=Cgxnd3Mtd2l6LXNlcnAQAzIFCAAQogQ6CAgAEIYDELADSgQIQRgBSgQIRhgAUOobWIghYPIpaAFwAHgAgAHXAogBsAeSAQUyLTEuMpgBAKABAcgBA8ABAQ&sclient=gws-wiz-serp

But I solved it. Now I can access my home network from my laptop connected to my mobile phone hotspot. Again, thanks to all of you.
Nice! Welcome to business style remote access. :)

When you want to upgrade to business-class remote access, all you have to do is change your router, use your existing one as an access point, and then just use native clients on all your devices, since everything supports IPsec VPN. :)
 
Good to know that's what these mean--stupid that they label them this way. I always go for a full tunnel so there's nothing that can get in the middle. Plus, if your internet access is faster at home than wherever you're at, RDP into a computer on your local network and browsing will be significantly faster.
It won't be faster than going from your main device, because you are limited by the connection from your device to your VPN anyway, and that speed, and the VPN adds overhead which can slow things down as well if the router is not powerful.
 
It won't be faster than going from your main device, because you are limited by the connection from your device to your VPN anyway, and that speed, and the VPN adds overhead which can slow things down as well if the router is not powerful.
This is true if you're using the tunnel as your Internet, but if you're RDPing into a machine, then it will be faster if the connection on the other end is faster, since the tunnel will only carry RDP data and not the full payload.
 