Need some help. UPnP vs port forwarding for security camera remote access.

Honestly, you want a DEAD simple VPN where you just download apps and connect?
Go get Tailscale:
https://tailscale.com/
It's a stellar service for exactly this use case. You install Tailscale on your Synology, and phone or whatever. Log into it from both devices. Then you can either use the VPN IP address, or set it up to expose your internal network across the VPN. All done. No need to share configs or certs or anything.
I tried this as well and it worked, but you have to have it installed on all your devices and get them into your node by running the app and logging in. Good, but the old-fashioned traditional way is better.

To VPN into your LAN: Your home router is pre-configured. From the device you are using while away, you run the client software and this device instantly becomes another device in your LAN. What do I carry with me all the time? My phone is always with me, and I take my laptop with me when I travel for more control/options, and they both have the client software installed and configured so it is like I'm always home. I'm the one who initiates the connection, and nothing needs to be done at home. I can even ping my kid's Nintendo Switch if it is connected to WiFi. Whereas with Tailscale, you need to make sure every device you want to access has Tailscale software installed and logged in.
 
Nice! Welcome to business style remote access. :)

When you want to upgrade to business class remote access, all you have to do is change your router, use your existing one as an access point and then just use native clients on all your devices since everything supports ipsec vpn. :)
Can you please expand on this a little more??? What business router do you recommend? And why should I keep my current router? And what would be the advantages?
 
Whereas with Tailscale, you need to make sure every device you want to access has Tailscale software installed and logged in.
uhhh no. I have the app installed on my phone, and then I have it on my server at home. I can access everything at home just like a "normal" VPN. It's just wireguard with ez mode auth pinned on top, and a lot of quality of life features.
 
uhhh no. I have the app installed on my phone, and then I have it on my server at home. I can access everything at home just like a "normal" VPN. It's just wireguard with ez mode auth pinned on top, and a lot of quality of life features.
I don't have a server set up at home. It is just a workgroup network. So when you say everything, you mean things which don't have the app installed and added to your node? From what I saw, you have to add each device in the admin page on the website. You know better I guess. I'll have to play with it a little more later.
 
Definitely never use UPNP. It is a security risk disaster. If your router supports it you should disable it ASAP.

Port forwarding is OK - but better to port-forward to a reverse-proxy server in your network than directly to the NVR. Something like Traefik or HAProxy. Lots of examples of how to do this out there. Google and YouTube are your friends!

Lastly, for something even better than just a raw port forward, take a look at Cloudflare Tunnels. They are a free service that gives you VPN-like capabilities to pull traffic into your network. It hides your true IP address, provides reasonable DDoS protection, and a number of other advantages over port forwarding. For example, if you are using something like 5G Home service and your ISP is hiding your router behind a CG-NAT you can't do port-forwarding. But Cloudflare's tunnel service still works.
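
To make the "never use UPnP" point concrete, here is an added example (my code, not something posted in this thread) that walks a router's UPnP IGD port-mapping table the same way any unauthenticated process on the LAN can. `parse_mapping()` and `audit()` run offline on the constructed responses embedded below; `fetch_mappings()` will query a real router if you pass the WANIPConnection control URL, which is an assumption you supply (it comes from the device description XML that SSDP discovery points at). The list of "sensitive" ports is my own choice, not anything from the thread.

```python
"""Enumerate a router's UPnP IGD port mappings (added example, not thread code).

Any host on the LAN can call GetGenericPortMappingEntry (and AddPortMapping)
on the WANIPConnection service with no authentication.  This script lists
what is currently exposed; run it after disabling UPnP to confirm the table
is empty.  The sample responses below are constructed, not captured.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
# Assumption: internal ports worth naming when a camera/NVR LAN leaks them.
SENSITIVE_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP admin UI", 443: "HTTPS admin UI",
                   445: "SMB", 554: "RTSP", 3389: "RDP", 5900: "VNC"}


def build_request(index):
    """SOAP body for GetGenericPortMappingEntry; index walks the mapping table."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    ).encode()


def parse_mapping(xml_bytes):
    """One mapping dict from a GetGenericPortMappingEntry response, or None when
    the router answers with a SOAP Fault (error 713 = index past end of table)."""
    root = ET.fromstring(xml_bytes)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        return None

    def field(tag):
        el = root.find(f".//{tag}")          # response fields carry no namespace
        return (el.text or "").strip() if el is not None else ""

    return {
        "ext_port": int(field("NewExternalPort")),
        "proto": field("NewProtocol"),
        "int_ip": field("NewInternalClient"),
        "int_port": int(field("NewInternalPort")),
        "desc": field("NewPortMappingDescription"),
        "enabled": field("NewEnabled") == "1",
        "lease": int(field("NewLeaseDuration") or 0),   # 0 = permanent
    }


def audit(mappings):
    """One finding per enabled mapping; every one is Internet exposure, and the
    service is named when the internal port is a well-known admin/camera port."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue
        svc = SENSITIVE_PORTS.get(m["int_port"])
        tag = f"{svc} exposed" if svc else "exposed"
        lease = "permanent" if m["lease"] == 0 else f"{m['lease']}s lease"
        findings.append(f"{tag}: WAN {m['proto']}/{m['ext_port']} -> "
                        f"{m['int_ip']}:{m['int_port']} ({m['desc'] or 'no description'}, {lease})")
    return findings


def fetch_mappings(control_url, timeout=3.0):
    """Live walk of the mapping table over plain HTTP SOAP (needs the LAN)."""
    out, idx = [], 0
    while True:
        req = urllib.request.Request(
            control_url, data=build_request(idx), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read()
        except urllib.error.HTTPError as err:
            body = err.read()            # SOAP faults arrive as HTTP 500 + XML body
        m = parse_mapping(body)
        if m is None:
            return out
        out.append(m)
        idx += 1


# Constructed responses standing in for a router (not captured from a real one).
SAMPLE_ENTRY = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">
<NewRemoteHost></NewRemoteHost><NewExternalPort>554</NewExternalPort>
<NewProtocol>TCP</NewProtocol><NewInternalPort>554</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>NVR</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>""".encode()

SAMPLE_END = f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>
</UPnPError></detail></s:Fault></s:Body></s:Envelope>""".encode()

if __name__ == "__main__":
    if len(sys.argv) > 1:                # e.g. http://192.168.1.1:5000/ctl/IPConn (assumed)
        mappings = fetch_mappings(sys.argv[1])
    else:
        mappings = [m for m in (parse_mapping(SAMPLE_ENTRY), parse_mapping(SAMPLE_END)) if m]
    for line in audit(mappings) or ["no enabled mappings"]:
        print(line)
```

On a router with UPnP off, the first call should come back as a 713 fault and the table is empty; `upnpc -l` from miniupnpc does the same walk if you would rather not script it. Anything the audit does list was opened by something on the LAN, not by you, which is the whole argument for turning UPnP off.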
 
Can you please expand on this a little more??? What business router do you recommend? And why should I keep my current router? And what would be the advantages?
So generally OpenVPN needs a specific client installed on a device. This is usually fine for devices which have a client version available. But when using a router that does IPsec tunnels, you can use the built-in IPsec clients on most devices and not have to install anything. Plus, because these types of routers are built for VPN, they tend to be much faster.

The world of SMB and enterprise routers is vast and more complicated than the consumer realm because of some of the licensing and model differences. Personally, I like WatchGuard and Fortigate because of their simplicity, although what may be simple for me may be tough for someone else, so other brands such as Juniper or Cisco may be someone else's cup of tea. Bottom line is that this class of products more or less does the same thing in terms of IPsec VPN tunnels as that's a standard feature. And they can be found much cheaper than used consumer products, which have inferior protections in comparison.

You would want to keep your existing router to use as an access point for wifi since most good business/enterprise routers don't have built-in wifi.

If you want to play around with the idea of using a business router, something like the WatchGuard M200 is a steal and really gets your feet wet since, even though EOL, it is completely functional in terms of IPsec capability and has really good documentation:
https://www.ebay.com/itm/1955571179...8ukwXcEOTBDieF/vYs+HIPDcE5|tkp:Bk9SR969rZLCYQ

I also forgot that Sophos allows you to run their firewall for the home for free, and it should have IPsec capability:
https://www.sophos.com/en-us/free-tools/sophos-xg-firewall-home-edition

The advantages are that this type of setup has been pretty much industry standard for decades now and comes with a vast amount of experience of dealing with threats and security, so if you're using AES-256 and group 14 with a key life of an hour or less, you're pretty much unhackable from a brute force attempt, even with the quantum hacking equipment in China and Russia. The other advantages are ease of setup (once you get the hang of it) and performance, as you can't have 'slow' in the enterprise or people won't use it.
 
Definitely never use UPNP. It is a security risk disaster. If your router supports it you should disable it ASAP.

Port forwarding is OK - but better to port-forward to a reverse-proxy server in your network than directly to the NVR. Something like Traefik or HAProxy. Lots of examples of how to do this out there. Google and YouTube are your friends!

Lastly, for something even better than just a raw port forward, take a look at Cloudflare Tunnels. They are a free service that gives you VPN-like capabilities to pull traffic into your network. It hides your true IP address, provides reasonable DDoS protection, and a number of other advantages over port forwarding. For example, if you are using something like 5G Home service and your ISP is hiding your router behind a CG-NAT you can't do port-forwarding. But Cloudflare's tunnel service still works.
Is their tunnel service paid or is it 'free' and you are the one being sold?
 
Is their tunnel service paid or is it 'free' and you are the one being sold?

Unknown, really. You have to sign up with a CC, or used to. Service is based on usage bandwidth, number of users, and features. It's free up to 50 users. CF did this so devops could take place.

I'm well under 50 users, my bandwidth has never exceeded their quota etc. Of note, there are restrictions on use; one big one is you can't use a tunnel for a Plex server, or anything similar.
 
... one big one is you can't use a tunnel for a Plex server, or anything similar.
But of course I do and they have yet to comment to me about it. Likely because it is used very lightly and, overall, I am still more than 10x below their overall usage limit. If you were more aggressive about it they would likely assert their TOS and bill you and/or kick you off.

Like almost all TOS issues - their real interest is to prevent actual abuse. As long as you are reasonable about how you use it they will likely be reasonable about how they enforce it. Don't forget that almost every US-based "consumer" ISP plan (including Comcast, Verizon and AT&T) still has a clause in their TOS that you can't host any "servers" using their connection. Just imagine if that was enforced!
 
So generally OpenVPN needs a specific client installed on a device. This is usually fine for devices which have a client version available. But when using a router that does IPsec tunnels, you can use the built-in IPsec clients on most devices and not have to install anything. Plus, because these types of routers are built for VPN, they tend to be much faster.

The world of SMB and enterprise routers is vast and more complicated than the consumer realm because of some of the licensing and model differences. Personally, I like WatchGuard and Fortigate because of their simplicity, although what may be simple for me may be tough for someone else, so other brands such as Juniper or Cisco may be someone else's cup of tea. Bottom line is that this class of products more or less does the same thing in terms of IPsec VPN tunnels as that's a standard feature. And they can be found much cheaper than used consumer products, which have inferior protections in comparison.

You would want to keep your existing router to use as an access point for wifi since most good business/enterprise routers don't have built-in wifi.

If you want to play around with the idea of using a business router, something like the WatchGuard M200 is a steal and really gets your feet wet since, even though EOL, it is completely functional in terms of IPsec capability and has really good documentation:
https://www.ebay.com/itm/195557117945?hash=item2d881ccff9:g:HcUAAOSw8gpjwfqL&amdata=enc:AQAHAAAA4ETBuaicANRWYYLABvkxqWW935ahh1OP9PvzQ3hmquT+68+rNgnPtxuti1tYFuLrmww3Zeh6EAAS4yY9diqHdmulxt9ST4ivpKrfGptNrvxoyReYPwwYPvs6Fk2D1NN/fBoTTgGFLojtzQkxCVRQa5Raup6exhSi5ZeupbIwoQgujX+PN++pHBcqA31oVbzyrEB2dSV7txu0/FITmhGV1KtH0aALEqDtvZiz1nm0uSgMXe4FtrhmTjhw69ZM0KhcVnYmEoxzNQTx81kXLl8ukwXcEOTBDieF/vYs+HIPDcE5|tkp:Bk9SR969rZLCYQ

I also forgot that Sophos allows you to run their firewall for the home for free, and it should have IPsec capability:
https://www.sophos.com/en-us/free-tools/sophos-xg-firewall-home-edition

The advantages are that this type of setup has been pretty much industry standard for decades now and comes with a vast amount of experience of dealing with threats and security, so if you're using AES-256 and group 14 with a key life of an hour or less, you're pretty much unhackable from a brute force attempt, even with the quantum hacking equipment in China and Russia. The other advantages are ease of setup (once you get the hang of it) and performance, as you can't have 'slow' in the enterprise or people won't use it.
1- When you say "they tend to be faster", what will be faster for my use case? Remote access will be faster? It will be smoother?
2- I have many other access points connected to my main router, so even if I don't keep the router I can still have WiFi.
3- With my knowledge of consumer standard routers, will I be able to configure the business router right away? Or do they look different? The first thing I will try to set up if I get a new router is internet access, so will that be straightforward, as in selecting your connection type and inputting your username and password? This is an example.
4- Is there a way to navigate the web interface of a similar router before actually buying one? A simulated one, that is. Maybe load something into a VM I guess.
5- The idea of using an older PC as a dedicated router/firewall is nice.

Anyways, this will be a good project for the summer break.
 
This is true if you're using the tunnel as your Internet, but if you're RDPing into a machine, then it will be faster if the connection on the other end is faster, since the tunnel will only have RDP data and not the full payload.
It still has to transfer the additional "RDP" data as well as often flashing ads or videos and browser performance on top of that, so now you get VPN overhead, RDP lag... I RDP from home to work systems; I have a 1Gb fiber link and VPN into a client site, and RDP to a system, and browser performance on static sites, sure, good, but as soon as there is anything else you get some lag... and these are VMs running on a multi-million dollar VxRail cluster with all the hardware in the world behind them.
 
1- When you say "they tend to be faster", what will be faster for my use case? Remote access will be faster? It will be smoother?
2- I have many other access points connected to my main router, so even if I don't keep the router I can still have WiFi.
3- With my knowledge of consumer standard routers, will I be able to configure the business router right away? Or do they look different? The first thing I will try to set up if I get a new router is internet access, so will that be straightforward, as in selecting your connection type and inputting your username and password? This is an example.
4- Is there a way to navigate the web interface of a similar router before actually buying one? A simulated one, that is. Maybe load something into a VM I guess.
5- The idea of using an older PC as a dedicated router/firewall is nice.

Anyways, this will be a good project for the summer break.
So I guess I already answered my own questions except for the first one. Remote access will be faster??? I need to test again, but I noticed it is slow even though my home internet is fast (500/200) and the external client is using 4g data with a very good connection/signal. How can I speed it up?

Thanks.
 
So I tried to copy a file from my NAS to the remote client while VPNing into my LAN, and I got like 1 MB/s file transfer speed. When I connect locally I get like 5 MB/s. When I ping devices I get like 100 ms ping time. Do I look normal? How can I improve remote access speed?

Thanks.
 
My home internet connection is 500/200.


But I used my phone data connection for the client which is 90/8. Depends on the signal.
 
So I tried to copy a file from my NAS to the remote client while VPNing into my LAN, and I got like 1 MB/s file transfer speed. When I connect locally I get like 5 MB/s. When I ping devices I get like 100 ms ping time. Do I look normal? How can I improve remote access speed?
 

Okay. Thank you. I know it would be slower but didn't know it would be by this much. So, there isn't much you can do for file transfer while using a VPN, but how about remote desktop?
 
Okay. Thank you. I know it would be slower but didn't know it would be by this much. So, there isn't much you can do for file transfer while using a VPN, but how about remote desktop?
How is the remote desktop behaving? Mobile connections are pretty bad when it comes to latency and overall data quality. Not sure you can do anything about it other than trying other remote programs and/or lowering settings.
 
How is the remote desktop behaving? Mobile connections are pretty bad when it comes to latency and overall data quality. Not sure you can do anything about it other than trying other remote programs and/or lowering settings.
You may be right. The mobile connection is the reason because of the higher latency but I don't have any other wired connection to test with while at home. I will need to wait until I get somewhere with a good internet connection and try to remote into my LAN from there. Thanks.
 
Hmmm. I'm away from home at my hometown spending some time with the family. I tried it again with my mobile phone connection. It is bad. It gets unresponsive very often. My NAS shared drive is even hard to browse sometimes. Just to browse it, no file copy! I will try to connect tomorrow again with a wired fiber connection and see if it makes a difference.

It is still good though for viewing cameras. This at least works.
 
I just tried it with a proper connection. It is remarkably faster, both remote desktop and file copy. You feel more like at home, and this is over WiFi using my laptop. Maybe a machine connected directly via wire will be even better. Thanks to all.
 
Unknown, really. You have to sign up with a CC, or used to. Service is based on usage bandwidth, number of users, and features. It's free up to 50 users. CF did this so devops could take place.

I'm well under 50 users, my bandwidth has never exceeded their quota etc. Of note, there are restrictions on use; one big one is you can't use a tunnel for a Plex server, or anything similar.
I'd read the TOS very carefully when handing over a CC number like this. There's always a catch of some sort, either now or in the future.
 
1- When you say "they tend to be faster", what will be faster for my use case? Remote access will be faster? It will be smoother?
2- I have many other access points connected to my main router, so even if I don't keep the router I can still have WiFi.
3- With my knowledge of consumer standard routers, will I be able to configure the business router right away? Or do they look different? The first thing I will try to set up if I get a new router is internet access, so will that be straightforward, as in selecting your connection type and inputting your username and password? This is an example.
4- Is there a way to navigate the web interface of a similar router before actually buying one? A simulated one, that is. Maybe load something into a VM I guess.
5- The idea of using an older PC as a dedicated router/firewall is nice.

Anyways, this will be a good project for the summer break.
  1. It might not make a difference in your use case if the cameras are not using much bandwidth, but generally yes for everything--faster and smoother.
  2. Solid.
  3. Yes and no. You have to learn how the particular enterprise product does what you want. I.e., you have to read the manual. Then it's pretty simple because you know the concept and you just have to find out the specific implementation.
  4. Hmmm... best way I've found is reading the manual. Yes, loading something like Sophos into a VM is a good way to try.
  5. Yes it is--it's amazing what old hardware can do very well.
 
Online emulators exist!

https://community.cisco.com/t5/onli.../bd-p/911-discussions-online-device-emulators

That's nice.
Edit: I noticed UPnP is enabled by default in some VPN routers!
https://emulator.tp-link.com/Emulator 605v2/index.html
This is definitely a good way to get your feet wet with how different the interfaces will be. However, both of these are more small business than enterprise, and there's another level of learning in between these and enterprise IME. (I cut my teeth with IPsec on the Cisco RV016 back in the day.)
 
It still has to transfer the additional "RDP" data as well as often flashing ads or videos and browser performance on top of that, so now you get VPN overhead, RDP lag... I RDP from home to work systems; I have a 1Gb fiber link and VPN into a client site, and RDP to a system, and browser performance on static sites, sure, good, but as soon as there is anything else you get some lag... and these are VMs running on a multi-million dollar VxRail cluster with all the hardware in the world behind them.
It depends on what you're using on the client side. I'm using Windows thin clients, so the RDP destination can handle video natively faster than the thin client can, so it still is faster sending it across. However, if you've got the same hardware on both ends, then yes, with video the RDP will be laggy in comparison. However, I have found IME that with security camera footage, viewing over RDP vs streaming the data to the client is actually faster.
 
So I guess I already answered my own questions except for the first one. Remote access will be faster??? I need to test again, but I noticed it is slow even though my home internet is fast (500/200) and the external client is using 4g data with a very good connection/signal. How can I speed it up?

Thanks.
It can if the bottleneck is in the client/server. If it's just bandwidth or latency limitations, it won't do much to help that, but it will definitely feel better since it's better designed to deal with issues like that.
 
So I tried to copy a file from my NAS to the remote client while VPNing into my LAN, and I got like 1 MB/s file transfer speed. When I connect locally I get like 5 MB/s. When I ping devices I get like 100 ms ping time. Do I look normal? How can I improve remote access speed?

Thanks.
If you're at 1 MB/s that's nearly 10 Mb/s of bandwidth, which is pretty good. When at home you're getting ~50 Mb/s of bandwidth. Those are pretty good to me but might not be optimal if you have more than 50 Mb/s of bandwidth available.
 
Okay. Thank you. I know it would be slower but didn't know it would be by this much. So, there isn't much you can do for file transfer while using a VPN, but how about remote desktop?
It's all about the SMB protocol; once you get away from that, you can get closer to what the link is capable of. Bear in mind, though, that the VPN implementation also affects transfers, even when not SMB.
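
The two replies above (the "1 MB/s is nearly 10 Mb/s" arithmetic and the "it's all about SMB" point) are easier to see with numbers, so here is an added worked example, my own code rather than anything posted in the thread. It models a request/response file protocol that can only keep a bounded amount of data outstanding per round trip, which is what makes a copy over a 100 ms 4G path crawl even though neither the 200 Mb/s home upload nor the 90 Mb/s phone download is saturated. The link rates and the 100 ms ping are the ones reported in this thread; the in-flight sizes (64 KiB and 1 MiB), the 20 ms "wired" RTT and the 60-byte tunnel overhead are assumptions I chose for illustration.

```python
"""Why a NAS -> phone copy over the VPN runs at ~1 MB/s on a 500/200 home link.

Added example, not from the thread.  Chatty protocols such as SMB let only a
limited amount of data be unacknowledged per round trip, so throughput is
capped by bytes_in_flight / RTT long before the link rate matters.  Thread
numbers: 200 Mb/s home upload, 90 Mb/s phone download, 100 ms ping.
Assumptions: the in-flight sizes, the 20 ms wired RTT, 60 B tunnel overhead.
"""
MBIT = 1_000_000
KIB = 1024


def mbit_per_s(bytes_per_s):
    """Bytes/s -> Mb/s; the thread's 1 MB/s is 8 Mb/s and 5 MB/s is 40 Mb/s."""
    return bytes_per_s * 8 / MBIT


def wire_efficiency(mtu=1500, tunnel_overhead=60):
    """Share of each packet left for payload after tunnel encapsulation.
    ~60 B covers an outer IPv4+UDP header plus WireGuard's header and tag;
    IPsec ESP in tunnel mode is in the same range (assumption)."""
    return (mtu - tunnel_overhead) / mtu


def latency_bound(bytes_in_flight, rtt_s):
    """Bytes/s when at most bytes_in_flight may be unacknowledged per RTT."""
    return bytes_in_flight / rtt_s


def expected_throughput(path_bits_per_s, rtt_s, bytes_in_flight,
                        mtu=1500, tunnel_overhead=60):
    """Bytes/s: the slower of the path (after tunnel overhead) and the latency cap."""
    path_bytes = path_bits_per_s / 8 * wire_efficiency(mtu, tunnel_overhead)
    return min(path_bytes, latency_bound(bytes_in_flight, rtt_s))


def compare_scenarios():
    """MB/s for the thread's remote copy under different RTTs and in-flight sizes."""
    path = min(200 * MBIT, 90 * MBIT)      # NAS upload vs phone download: 90 Mb/s is the limit
    rtt_4g, rtt_wired = 0.100, 0.020        # 100 ms reported over 4G; 20 ms assumed for fiber
    return {
        "4g, 64 KiB in flight": expected_throughput(path, rtt_4g, 64 * KIB) / 1e6,
        "4g, 1 MiB in flight": expected_throughput(path, rtt_4g, 1024 * KIB) / 1e6,
        "wired, 64 KiB in flight": expected_throughput(path, rtt_wired, 64 * KIB) / 1e6,
    }


if __name__ == "__main__":
    # Expect roughly 0.66, 10.5 and 3.3 MB/s: the 4G/64 KiB case is the ~1 MB/s
    # in the thread, and only more data in flight (or a lower RTT) moves it.
    for name, mbs in compare_scenarios().items():
        print(f"{name:28s} {mbs:6.2f} MB/s  ({mbit_per_s(mbs * 1e6):5.1f} Mb/s)")
```

The takeaway matches the thread's own findings: on the 4G path the copy is latency-bound, so a faster home link changes nothing, while a wired connection with lower RTT or a protocol that keeps more data in flight (larger SMB credits/window, or a bulk tool like rsync or SFTP instead of a mapped drive) closes most of the gap.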
 
I just tried it with a proper connection. It is remarkably faster, both remote desktop and file copy. You feel more like at home, and this is over WiFi using my laptop. Maybe a machine connected directly via wire will be even better. Thanks to all.
Yep, the closer you're getting to a 'wired' connection like your LAN, the closer it will be to the same experience of being at home. But once you're dealing with a wired connection at a fixed base (like your family's place), then you can move to a router-to-router tunnel (IPsec or otherwise) and then you are literally joining the LANs over the Internet. Back in the day this was considered a 'wide area network' and used stuff like private circuits and frame relay to make that wide part work, but today we can tunnel it over the Internet. This is actually what I work with and prefer, since each device on each LAN can see the other without any knowledge of what's in between. Early on I used this to have employees use the 'scan to FTP' option on our multifunction machines to scan their shift paperwork directly to our file server as their shift was completing. We still collected the paperwork like normal, but it gave us a digital way to quickly check daily paperwork in near-time from anywhere.

There's a lot of neat stuff you can do. I will sometimes print love letters to my wife on the printer at home when I'm away for so long, lol.
 