Electronics Repair (sci.electronics.repair) Discussion of repairing electronic equipment. Topics include requests for assistance, where to obtain servicing information and parts, techniques for diagnosis and repair, and anecdotes about success, failures and problems.

#1 Posted to sci.electronics.repair
Maybe OT - Home Network issue

Hi

I have a problem accessing a computer that's on my home network from
the outside world and was wondering if anyone here could help.

The setup is as follows:

I have Comcast internet with a cable modem

The cable modem is connected to a Linksys WRT54G wireless/wired router

I have 3 computers attached to the router via CAT5

The computer I'm trying to connect to from the outside world resides
at address 192.168.1.105 as assigned by the router.

The computer at 192.168.1.105 is a surveillance computer with 2
Defender video capture cards installed and working.

The surveillance software uses ports 3100 (HTTP), 1159 (DATA), and
1160 (Command)

In the router setup under gaming and applications / port forwarding, I
forwarded all 3 of the above ports to 192.168.1.105

I obtained my real world IP address through whatismyip.com which
reports the addy as 76.127.144.xxx

If I open IE on a computer connected to the home network and type in
192.168.1.105:3100 I'm able to access and view the connected cameras

However if I'm on a computer that is outside of my home network and I
type in 76.127.144.xxx or 76.127.144.xxx:3100 the page can't be found.

Can anyone help me figure out why I can't access my surveillance
computer from the outside world?

Any help would be most appreciated.

TIA

Bob


#2 Posted to sci.electronics.repair

On Sat, 7 Jan 2012 08:58:53 -0800 (PST), bobvalli wrote:

> Can anyone help me figure out why I can't access my surveillance
> computer from the outside world?


You need to set up port forwarding for ports 3100 (HTTP), 1159 (DATA),
and 1160 (Command) in the Linksys WRT54G. It's under the "Applications
and Gaming" menu:
http://www.youtube.com/watch?v=pKj0KfvIcpg

--
Jeff Liebermann
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

#3 Posted to sci.electronics.repair

On 07/01/2012 16:58, bobvalli wrote:

> If I open IE on a computer connected to the home network and type in
> 192.168.1.105:3100 I'm able to access and view the connected cameras
>
> However if I'm on a computer that is outside of my home network and I
> type in 76.127.144.xxx or 76.127.144.xxx:3100 the page can't be found.


Don't do it that way, you'll soon have hackers swimming around your
network trying one known exploit after another. Your connections will
also drop if the external ISP engages to block or traffic manage these
ports - some do.

If you have a machine permanently running on your network, or you can
make one start remotely, install a VPN endpoint service on it. There are
many to choose from - I use OpenVPN on a linux box.

Then when you are out and about, start the matching VPN client (some
come already built into your OS, or even office router - but sadly not
OpenVPN) and then your packets will route properly into your home network.

It's secure, encrypted communications and in my case with bridging
allows my external device to take on a similar IP address to home.

You can then run IP connections to anything and not worry about port
forwarding this, and setting complicated rules for that.

--
Adrian C

#4 Posted to sci.electronics.repair

On Sat, 07 Jan 2012 18:19:15 +0000, Adrian C wrote:

> On 07/01/2012 16:58, bobvalli wrote:
>
>> If I open IE on a computer connected to the home network and type in
>> 192.168.1.105:3100 I'm able to access and view the connected cameras
>>
>> However if I'm on a computer that is outside of my home network and I
>> type in 76.127.144.xxx or 76.127.144.xxx:3100 the page can't be found.
>
> Don't do it that way, you'll soon have hackers swimming around your
> network trying one known exploit after another.


Ummm... Please explain to me how opening 3 ports to a specific device
(web camera) can open the entire network to hackers. Unless there is
a security problem in the web camera (it does happen), I don't see how
this can be done.

Incidentally, I'm amazed at how many cheap routers hang with this
rather old tester:
http://www.pcflank.com/exploits.htm

> Your connections will
> also drop if the external ISP engages to block or traffic manage these
> ports - some do.


Most block port 25 (SMTP) to discourage spam relays and users running
their own mail servers. There are also a few that block or throttle
BitTorrent and other forms of file sharing. However, that's done by
sniffing the traffic, not by any specific port number. A few block
port 80 (HTTP) for no rational reason. Except for the various
satellite providers, none that I know about block any other incoming
ports.

If you're worried about outside hackers, they're far more likely to
pound on port 8080 (remote admin) on the assumption that most users
don't bother to change the default password on their router.

> If you have a machine permanently running on your network, or you can
> make one start remotely, install a VPN endpoint service on it. There are
> many to choose from - I use OpenVPN on a linux box.


Yep. That's secure. It can also be done on the WRT545G using
alternative firmware (i.e. DD-WRT). The problem is that the WRT54G
lacks sufficient CPU power to run more than one VPN tunnel at a time.
Seems a bit too complicated a solution to secure just a web camera.

Incidentally, both my office and home networks are on static addresses
(also known as the perfect target), and probably have 15 assorted
ports forwarded to various devices on the LAN's. I also run a VPN
between the two networks. It's been roughly like this since about
1995. No problems with hackers, except when I left IPP wide open, and
someone printed a ream of paper on my laser printer. My firewall logs
show plenty of automated scans, probes and attacks, but no successes.
(Hint: I erratically run my own vulnerability tests.)

> Then when you are out and about, start the matching VPN client (some
> come already built into your OS, or even office router - but sadly not
> OpenVPN) and then your packets will route properly into your home network.


Ever measure performance through a VPN tunnel? I don't have the
numbers handy, but as I vaguely recall, there was quite a large
performance hit on thruput in both directions.

> It's secure, encrypted communications and in my case with bridging
> allows my external device to take on a similar IP address to home.


Yep. Small warning about selecting the IP address block for the home
network. You're probably using the default IP address block supplied
with the WRT54G, which is 192.168.1.xxx. If your remote VPN client
just happens to be using the same IP block, there's a very real chance
that the IP addresses delivered from the VPN server IP address pool
will result in a duplicated IP address. It probably won't be the
client that is duplicated, but it may duplicate a printer, NAS box, or
in this case, a web cam. If you're going to play VPN, set your home
network to something other than 192.168.[0-2].xxx. Zero is common on
Netgear, 1 is Linksys, 2 is Belkin. I use 192.168.111.xxx and set up
my customers for other creative numbers.

> You can then run IP connections to anything and not worry about port
> forwarding this, and setting complicated rules for that.


True. You don't need port forwarding with a VPN. However, I think a
VPN is a far more complicated solution than simple port forwarding.

--
Jeff Liebermann
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
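
An added example, not part of any post in this thread: a Python check for the address-block collision described in the post above, using the standard `ipaddress` module. The three vendor defaults and 192.168.111.xxx come from that post; the function names and the host inventory (apart from 192.168.1.105) are constructed for illustration.

```python
import ipaddress

# Default LAN blocks named in the post above (consumer routers ship them as /24).
VENDOR_DEFAULTS = {
    "Netgear": ipaddress.ip_network("192.168.0.0/24"),
    "Linksys": ipaddress.ip_network("192.168.1.0/24"),
    "Belkin": ipaddress.ip_network("192.168.2.0/24"),
}


def collisions(home_lan, remote_lans=()):
    """Names of vendor defaults, plus any given remote LANs, that overlap home_lan."""
    home = ipaddress.ip_network(home_lan, strict=False)
    hits = [name for name, net in VENDOR_DEFAULTS.items() if home.overlaps(net)]
    for remote in remote_lans:
        net = ipaddress.ip_network(remote, strict=False)
        if home.overlaps(net):
            hits.append(str(net))
    return hits


def shadowed_hosts(home_hosts, remote_lan):
    """Home devices whose address is also a valid address on the remote client's LAN."""
    net = ipaddress.ip_network(remote_lan, strict=False)
    return sorted(name for name, addr in home_hosts.items()
                  if ipaddress.ip_address(addr) in net)


def suggest_lan(avoid=()):
    """First 192.168.x.0/24 that overlaps neither a vendor default nor anything in avoid."""
    taken = list(VENDOR_DEFAULTS.values())
    taken += [ipaddress.ip_network(a, strict=False) for a in avoid]
    for third_octet in range(256):
        candidate = ipaddress.ip_network(f"192.168.{third_octet}.0/24")
        if not any(candidate.overlaps(net) for net in taken):
            return candidate
    return None


# Constructed sample inventory: only 192.168.1.105 comes from the thread.
HOME_HOSTS = {"dvr": "192.168.1.105", "printer": "192.168.1.20", "nas": "192.168.1.30"}

if __name__ == "__main__":
    print(collisions("192.168.1.105/24"))               # home LAN left on the Linksys default
    print(collisions("192.168.111.0/24"))               # the block the poster uses
    print(shadowed_hosts(HOME_HOSTS, "192.168.1.0/24"))  # remote site also on the Linksys default
    print(suggest_lan(avoid=["192.168.3.0/24"]))
```

Run it with the home router's LAN block and, where known, the blocks of the networks the VPN client will connect from; any name it returns is a place where a home device's address can be duplicated on the client side.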

#5 Posted to sci.electronics.repair

Thanks for all your help guys. The VPN does seem awfully complicated
considering my quest to accomplish this has taken oh so long. Reading
the last message makes me feel better about leaving a couple ports
open. I did manage to get it to work (a friend of mine was able to
connect and view). Turns out the firewall software on the surveillance
computer needed the ports forwarded also. I'm so psyched about this.
I've been running the security DVR for years but never managed to
figure out how to make the remote view from the outside world work.

Thanks very much again

bob
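
An added example, not part of any post in this thread: a Python helper that separates the layers involved in the fix described above (the surveillance service, the firewall software on the surveillance computer, the router's port forward) by comparing TCP connect results taken on the LAN with results taken from outside. The three ports and the LAN address are those given in the first post; the function names and the sample results are constructed.

```python
import socket

# Ports the surveillance software uses, as listed in the first post.
DVR_PORTS = {3100: "HTTP", 1159: "DATA", 1160: "Command"}


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'no-answer'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered with a reset: nothing is listening there
    except OSError:
        return "no-answer"    # timeout or unreachable: the packet was dropped on the way


def scan(host, ports=DVR_PORTS, prober=probe):
    """Probe every port on host and return {port: result}."""
    return {port: prober(host, port) for port in ports}


def diagnose(lan, wan):
    """Combine a scan run on the LAN with one run from outside into a per-port finding."""
    findings = {}
    for port, inside in lan.items():
        outside = wan.get(port, "no-answer")
        if inside == "refused":
            findings[port] = "service not listening on the DVR"
        elif inside == "no-answer":
            findings[port] = "blocked on the DVR itself (host firewall) or wrong LAN address"
        elif outside == "open":
            findings[port] = "reachable from outside"
        else:
            findings[port] = ("router forward, ISP filter, or host firewall "
                              "limited to the local subnet")
    return findings


# Constructed results: the web port answers on the LAN, nothing answers from outside.
SAMPLE_LAN = {3100: "open", 1159: "open", 1160: "no-answer"}
SAMPLE_WAN = {3100: "no-answer", 1159: "no-answer", 1160: "no-answer"}

if __name__ == "__main__":
    # Real use: lan = scan("192.168.1.105") from a PC on the home network, and
    # wan = scan(<public address>) from a machine outside it. Probing the public
    # address from inside the LAN is unreliable because many routers do not loop
    # it back (no NAT hairpin).
    for port, finding in diagnose(SAMPLE_LAN, SAMPLE_WAN).items():
        print(port, DVR_PORTS[port], finding)
```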



#6 Posted to sci.electronics.repair

On 07/01/2012 20:49, Jeff Liebermann wrote:

> Ummm... Please explain to me how opening 3 ports to a specific device
> (web camera) can open the entire network to hackers. Unless there is
> a security problem in the web camera (it does happen), I don't see how
> this can be done.


Yup, security issues in firmware. It does depend on the hardware, and
frequency that manufacturers apply firmware updates for security issues.
A buffer overrun is a common exploit to crash hardware things, and
inject software that could do some further exploration, find access
passwords or inflict some damage. Laser Printers have been shown to be
particularly vulnerable to exposing sensitive commercial information, but
that's really a risk for the office environment.

> Incidentally, I'm amazed at how many cheap routers hang with this
> rather old tester:
> http://www.pcflank.com/exploits.htm


I have a network here that is exposed to BitTorrent/P2P transfers. After
a session of that, the router is not that stable and needs restarting.
Buffer overrun or over heating suicide? Router firmware is up to date,
caps changed in PSU and the box has a fan (bit weedy though). I
probably need to change the router.

>> Your connections will
>> also drop if the external ISP engages to block or traffic manage these
>> ports - some do.
>
> Most block port 25 (SMTP) to discourage spam relays and users running
> their own mail servers. There are also a few that block or throttle
> BitTorrent and other forms of file sharing. However, that's done by
> sniffing the traffic, not by any specific port number. A few block
> port 80 (HTTP) for no rational reason. Except for the various
> satellite providers, none that I know about block any other incoming
> ports.


They do. I occasionally use Mobile Broadband when I'm about where I find
some ports blocked beyond SMTP. Some UK ISPs (mobile & fixed line)
traffic manage all sorts of ports applying different QoS priorities to
keep some of their users happy. Some even peg down Usenet traffic as it
could be (and is) used for huge binary transfers, to the detriment of
those like me who use text groups.

> If you're worried about outside hackers, they're far more likely to
> pound on port 8080 (remote admin) on the assumption that most users
> don't bother to change the default password on their router.


That is if the router is showing a login page WAN side. I know our ones
don't.


>> If you have a machine permanently running on your network, or you can
>> make one start remotely, install a VPN endpoint service on it. There are
>> many to choose from - I use OpenVPN on a linux box.
>
> Yep. That's secure. It can also be done on the WRT545G using
> alternative firmware (i.e. DD-WRT). The problem is that the WRT54G
> lacks sufficient CPU power to run more than one VPN tunnel at a time.
> Seems a bit too complicated a solution to secure just a web camera.


OK, there are easy VPN solutions. OpenVPN is my choice, a little tricky
to configure but then I'm a bit of an OS configuration geek.

> Incidentally, both my office and home networks are on static addresses
> (also known as the perfect target), and probably have 15 assorted
> ports forwarded to various devices on the LAN's. I also run a VPN
> between the two networks. It's been roughly like this since about
> 1995. No problems with hackers, except when I left IPP wide open, and
> someone printed a ream of paper on my laser printer.


Whoops.

> My firewall logs
> show plenty of automated scans, probes and attacks, but no successes.
> (Hint: I erratically run my own vulnerability tests.)


I test a lot and find scary things I can't wibble about (which is why
I'm down the VPN route).


>> Then when you are out and about, start the matching VPN client (some
>> come already built into your OS, or even office router - but sadly not
>> OpenVPN) and then your packets will route properly into your home network.
>
> Ever measure performance through a VPN tunnel? I don't have the
> numbers handy, but as I vaguely recall, there was quite a large
> performance hit on thruput in both directions.


Yeah, it sucks a bit. But my data (email, RDP) is not that voluminous to
worry about it. Got CCTV DVR stuff here, the pictures are small on the
streaming so again not much bandwidth. It would be bad for something
more realtime, say like Slingbox.

>> It's secure, encrypted communications and in my case with bridging
>> allows my external device to take on a similar IP address to home.
>
> Yep. Small warning about selecting the IP address block for the home
> network. You're probably using the default IP address block supplied
> with the WRT54G, which is 192.168.1.xxx. If your remote VPN client
> just happens to be using the same IP block, there's a very real chance
> that the IP addresses delivered from the VPN server IP address pool
> will result in a duplicated IP address. It probably won't be the
> client that is duplicated, but it may duplicate a printer, NAS box, or
> in this case, a web cam. If you're going to play VPN, set your home
> network to something other than 192.168.[0-2].xxx. Zero is common on
> Netgear, 1 is Linksys, 2 is Belkin. I use 192.168.111.xxx and set up
> my customers for other creative numbers.


Yup. Ours hangs out somewhere in 10.x.x.x land.


>> You can then run IP connections to anything and not worry about port
>> forwarding this, and setting complicated rules for that.
>
> True. You don't need port forwarding with a VPN. However, I think a
> VPN is a far more complicated solution than simple port forwarding.


Depends. Once set up I rarely have to fiddle with it, but then I'm using
bridging which is easy to set up. Everything just works. Another VPN
setup where the internal IP range is not exported requires fiddling with
route tables, and maybe is a little faster but fiddly. The route table
inside my Windows 6.5 mobile phone drove me nuts - don't go anywhere
near Windows mobile products folks if ye are into hacking AND
productivity :-|

--
Adrian C

#7 Posted to sci.electronics.repair

On Sun, 08 Jan 2012 11:07:39 +0000, Adrian C wrote:

> I have a network here that is exposed to BitTorrent/P2P transfers. After
> a session of that, the router is not that stable and needs restarting.
> Buffer overrun or over heating suicide? Router firmware is up to date,
> caps changed in PSU and the box has a fan (bit weedy though). I
> probably need to change the router.


You're opening too many parallel streams at one time. Each stream
requires a buffer in the router. If you limit the number of streams,
the router will be less likely to hang. This is rather old, but quite
informative:
http://www.roumazeilles.net/news/nw/news0068.php

> They do.


Who does? I've chased various accusations of port blocking by ISP's
over the years and found little substance. Instead, when I actually
talk to someone at the ISP with a clue, they mention that they would
shed users by the hundreds if they ever admitted to doing port
blocking. The closest approximation was when Comcast started using
Sandvine technology to throttle BitTorrent users and started a court
battle on what constituted defending their network from abuse.

> I occasionally use Mobile Broadband when I'm about where I find
> some ports blocked beyond SMTP. Some UK ISPs (mobile & fixed line)
> traffic manage all sorts of ports applying different QoS priorities to
> keep some of their users happy. Some even peg down Usenet traffic as it
> could be (and is) used for huge binary transfers, to the detriment of
> those like me who use text groups.


Sigh. I don't know anything about how it's done outside of the US.

Traffic shaping, traffic management, QoS, and other forms of
prioritization are not really port blocking.

Now that you mention it, the local hospital and a few corporate LAN's
that I deal with have various rule sets for blocking traffic. For
example, on the public access part of the hospital network, all UDP
traffic is blocked. Were the OP to set up his web camera on such a
network, it wouldn't work. However, the hospital is not an ISP.

> I test a lot and find scary things I can't wibble about (which is why
> I'm down the VPN route).


I'm lazy and just read the security advisories:
http://secunia.com/community/advisories/
I gotta remember not to read them before going to sleep as it gives me
nightmares. I also have to remember to read them BEFORE I buy the
product.

Here's the damage report for the WRT54G:
http://secunia.com/advisories/product/3523/?task=advisories
Hmmm... SSL key leak. Not good for VPN's, but fixed in 2005.

>> Ever measure performance through a VPN tunnel? I don't have the
>> numbers handy, but as I vaguely recall, there was quite a large
>> performance hit on thruput in both directions.
>
> Yeah, it sucks a bit. But my data (email, RDP) is not that voluminous to
> worry about it. Got CCTV DVR stuff here, the pictures are small on the
> streaming so again not much bandwidth. It would be bad for something
> more realtime, say like Slingbox.


I have my various security cameras set up to belch one frame per
second. I would do it even slower, except that the dim light that
conceived the firmware never considered that a problem. The default
most is for the camera to use every bit of bandwidth it can possibly
hog, ensuring 100% utilization and 100% constipation.

> Yup. Ours hangs out somewhere in 10.x.x.x land.


That works well except that many corporate LAN's use 10.xxx.xxx.xxx
net. I cleverly set up one LAN on 10.10.10.xxx, and soon discovered
that the company had a remote office on the other side of the planet
using the same Class C subnet. IP Management? Surely you jest.
(Note: I've been playing with IPv6. It's so much nicer not to have
to worry much about IP address collisions and NAT complications).

> Depends. Once set up I rarely have to fiddle with it, but then I'm using
> bridging which is easy to set up. Everything just works. Another VPN
> setup where the internal IP range is not exported requires fiddling with
> route tables, and maybe is a little faster but fiddly.


I have static routes set up all over the place in various routers.
Sometimes, it's simply to access a DSL or cable modem on the wrong
side of the router NAT. Some of my ham radio stuff goes to
44.xxx.xxx.xxx but that's uncommon. I have an isolated LAN in the
office (for testing virus infected machines) that requires a static
route to access. Once set up, I rarely have to fiddle with it, until
something else breaks it. That's about 2-3 times per year when I
borrow some new toys or drag in some customer's nightmare.

> The route table
> inside my Windows 6.5 mobile phone drove me nuts - don't go anywhere
> near Windows mobile products folks if ye are into hacking AND
> productivity :-|


Thanks. I have several WM devices and have learned to hate them.
http://802.11junk.com/jeffl/xv6700/XV6700.htm

--
Jeff Liebermann
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558