Hikvision 2CD3145 - Remote configuration impossible

[sebastien]

Hi,

recently I installed 3 Hikvision DS-2CD3145 on a site (indonesia) using a 4G router.
I discovered the ISP operator (XL 4G aviata) is using NAT on his network.
I open port on router, make translation using port to access to the cams. But it did not work properly.

So I decided to use HIK Connect to manage the cams. At this point, I'm able to see the video stream, to know which firmware and if the cam are online, but I can't make a remote configuration... I tried with iVMS 4200 (last version) and Hik Connect (Android version), anyway I have video stream but no access to the remote configuration. I'm going crazy... Do you have any idea about the problem (uPNP, DHCP, and ports are configurated on Cam)

Many thanks for any help
BR
Sebastien

 

[Phil]

I think you will need to set up port forwarding for full remote access to the cameras' configuration areas.

 

[sebastien]

I agree, and that was done.
The router uses the same port as defined on the IP Cam.
For eg, I used 9081 for the HTTP port and 9091 for the service port (defined like that in the CAM and in the Router, not touch the RTSP port).
It works fine on local network; I mean when you are on the router network (connect by wifi on the router).

 

[Magic919]

I suspect you’ll be restricted in terms of ports if the ISP is performing NAT.

 

[Digilec]

As Magic919 suggests, when the ISP is performing NAT you are unable to setup any port forwarding rules as their equipment upstream will be blocking inbound traffic. This is common with satellite broadband systems unless a pro or business package has been selected.

 

[sebastien]

ok thank you, this explain why I can't manage remotely configure the IP Cam. But do you know why the videostream is available ?

 

[Magic919]

I think you’ve just been lucky with that port number.

If you want to do better checks then I’d suggest running Wireshark and making a capture on the PC running iVMS. Perhaps NMAP to scan the remote end. Standard network testing tools.

 

[Digilec]

I’ve not had much experience with Hik-Connect but im pretty sure no port forwarding is required as the cameras/recorders use outbound ports to connect to hikvision servers which then, I believe forward the stream to client devices and likely initiate a p2p connection.

 

[Magic919]

Yes, seeing the video over Hik-Connect makes sense. I’ve also never used it.

Reverse SSH tunnel from the remote end would be my solution. Then tunnel via that to configure.

 

[sebastien]

Hello,

sorry for delay, but I did a lot of tests to see how it works and what's wrong.
Now, after few tests:
- XL axiata (4G ISP) filters all ports except: 21, 53, 554, 1723, 8080 (see with NMAP, and scan with the different IPs of my cams)
- With this IPS, my router gives me another IP than HIK-Connect gives me for each cams (remember my Cams are connected to this router and a NAT is done for each each cameras). The router give me his IP via No-IP. I catch IP of cameras via Hik-Connect
- To make a remote control of a camera, Hik Vision use only the Server Port defines in the camera settings (8000 by default), despite you use Hik Connect. I catched the TCP trame with wireshark. Because my ISP filter the port, and make a NAT, I can't reach the camera to remote control them
- For the video stream, Hik Vision uses UDP trames, and it seams the ISP does not filter them. So I can get Video stream from the cameras (see with wireshark)

So, the conclusion is the camera has to initiate communication (like Hik connect did) or I have to use a tunnel (VPN).
But I didn't find a way on the Hik vision camera to setup a VPN ? Do you know how to do it ?

Thank
BR

 

[Magic919]

I wouldn’t expect the camera to do it. Just stick a Raspberry Pi or similar on the remote network and tunnel via that.

 

[sebastien]

Ok, thank. Do you know a good VPN provider which do not filter the tcp port ?

 

[Phil]

Hi Sebastien,

It is NOT a VPN provider that you need.
VPN providers are typically used to surf the web anonymously, or access services in other countries (by appearing to be within that country).
Services such as these.

You need to set up and configure a private VPN into that site.
The camera alone will not allow you to do this.
There are many modern routers which will allow you to set up VPN access.
You would need to check whether the 4G router that you have at site will permit this.
Or, as @Magic919 suggested add a device to the network that will allow you to setup a VPN, such as a Raspberry Pi.

VPNs are not trivial to setup, they are quite technically complex.
More info with an example of how to configure a VPN with Synology hardware can be found in this post:
HikConnect - In a nutshell how does it work.

 

[sebastien]

Hi Phil,

not sure to understand.

Let me sum up my situation. All my cameras are connected to a router (D link DWR 953). The router used a 4G connection provided by an ISP who makes port filtering (XL axiata).

My router, based on the emacs of each cameras, gives an private IP to each cams. I also add rules for a virtual server (NAT) which gives for a couple (Public IP: Port) the internal point to access (Private IP: Port).
For instance, the rules are for the cam #1:
For the server port of the cam ==> Public IP:9090 to Internal IP:8000
For the http server port of the cam ==> Public IP:9091 to internal IP:80

So, on my internal network (under the router 192.168.x.x) you can access to each camera by default port (8000, 80, and so...) using the internal IP. The router will make the translation based on Public IP: Port to Private IP: port for external access.

Normally, for instance, I can access to a camera using Public IP:Http port defined for cam #1, the router will translate the request on the public ip adresse to the private ip and port (see attached).

But in my case, the ISP makes port filtering. So I can't use this method.
So I think making my own VPN will not solve my problem (if I understand).
But, maybe, connecting my router to a external VPN access point (which should let me access to some open ports) should resolve my problem no ?

 

[Magic919]

I don’t think you are really understanding this.