How to enhance the Security CCTV home system for Web access and protect using a firewall.
You could consider this as a continuation of the Weekend Fun Project post. The Weekend Fun Project post describes the hardware (cameras) installation, the software NVR installation for the creation of a Local Network Video Recorder, and SMS configuration for alerting when suspicious activity is detected.
That post, however, overlooks two important topics:
- The configuration required to access the Local NVR from the internet and
- Firewall protection
Typical Network Setup
In a typical configuration, (when I say typical, I mean the budget is not an issue and all required hardware and software can be purchased) the configuration looks like this:
- Right after the ISP router installed at the location, the hardware firewall is installed and configured
- A network switch is installed where all network equipment is connected
- A WiFi router is also used for all WiFi equipment to connect two, including the WiFi cameras
In our case and using the Weekend Fun Project scenario and set up the design looks like this:
- We have the ISP router
- Then the network switch
- The WiFi router connected to the network switch
- The PC/Laptop connected to the network switch. The PC/Laptop however plays a dual role, the firewall, and the NVR roles.
Note: If you have a spare PC you can use, it is advisable to install the NVR software on this machine and use the other PC just for the firewall.
Therefore, we need to rearrange the way our equipment is connected to achieve our goal and establish decent protection. To provide adequate security using a software firewall, our PC/Laptop should have two Ethernet ports. One of the ports will be connected to the ISP router and the other one will be connected to the internal router.
NVR setup verification
If you have configured your system and cameras as described by the Weekend Fun Project, then proceed with the following steps to configure your Firewall and Router to allow access from the internet and be able to access your NVR and check what is going on. You need to configure your ISP firewall to allow access to the NetCam Studio server already installed. Read the Weekend Fun project post for details.
To be able to configure the Firewall and the router you need to see how NetCam is configured and what port is being used. Do the following:
- Open the NetCam Studio X server
- Make sure your cameras are configured and streaming as expected.
- At the bottom of the NetCam Studio X server window, you will find Online @ http://127.0.0.1:8100. Click the URL to open in your default browser.
- Type in the user name and password. The default user name and password is admin/Admin
- Once you log in and verify that the NetCam server is working properly and can be accessed using a browser, change the URL http://127.0.0.1:8100 to point to the one the NVR workstation is using. To find out what the correct IP address is, open a command window and type ipconfig and look for the IPv4 Address. Let’s say it is 192.168.0.10 then the browser URL becomes http://192.168.0.10:8100. Once you log in, you should see the video of your camera.
- If you have another PC connected to your local network, you can use the same URL (http://192.168.0.10:8100) to verify that CCTV system access is allowed.
IP Addressing Notes
Most likely your ISP router comes with a basic firewall enabled and configured. We know that the IP address of the NVR server is 192.168.0.10 and the IP port used is 8100. We need to make sure traffic to that IP address and IP port is allowed through the firewall.
Before we go on with the firewall and router changes, I think a brief discussion on IP routing is in order. IP addresses are divided into 4 categories: Class A, B, and C. and each class has a range of IP addresses that are non-routable. In other words, they are intended for private networks and anybody can use them. These IP addresses per class are the following:
- Class A: 10.0.0.0/8
- Class B: 172.16.0.0/12
- Class C: 192.168.0.0/16
Since these IP addresses are for private use the routers do not route them and that is the reason for the term non-routable IP addresses.
So, how do we access the server behind a firewall that uses a non-routable IP address? The easiest way is to find out the public IP address the ISP Router/Firewall is using and that is easy. You can either login into your ISP Router/Firewall and review the configuration. The public IP address should be under the WAN configuration and it should not be one of the non-routable ones. Let’s assume, for the sake of this post that the public IP address is 220.127.116.11
ISP Firewall configuration
We now have all the required information to configure the ISP Router/Firewall to redirect traffic from the internet to the internal NVR NetCam Studio server:
- NVR Server IP address: 192.168.0.10
- IP Port: 8100
- ISP Router/Firewall public IP address: 18.104.22.168
The ISP Router/Firewall I am using is the IRRIS TG860. Once you log in, you should configure the following two options:
- A virtual server
- A Port trigger
Both options can be found under the Firewall tap.
Virtual Server configuration
- Description: NetCam You can use anything here. I used NetCam to remind me what it is for.
- Inbound Port: from 8111 to 8111. It would be the port used for inbound requests. Actually, it can be anything you like assuming it is not a port used by some other application such 8080
- Format: TCP. It is usually TCP but if for some reason it is not working try both. Both is an option available in the drop-down list.
- Local Port: from 8100 to 8100. This is the port the CanNet Studio server is using and it must be the same as the one the NetCam server is using
Port Trigger configuration
- Description: NetCam. You can use anything here.
- Outbound Port: From 8100 to 8100
- Format: TCP
- Inbound Port: 8111 to 8111
Note1: The Inbound IP port of the Virtual Server must be the same as Inbound Port of the Port trigger
Note2: The Local Port of the Virtual Server must be the same as the one used by the NetCam server and it must be the same for the Port Trigger Outbound Port
That’s all the configuration needed to access remotely your NVR that is behind the ISP Router/Firewall.
Really? But what is the URL I need to access the internal NVR server? It is the ISP router public IP address using the IP PORT the NetCam Studio server is using: http://22.214.171.124:8111
The configuration of a local CCTV system to be accessed remotely is not that complicated. As it was demonstrated above, it is really simple. However, I should point out the above set up is to get you engaged and interested in building your own CCTV system using available equipment and free of the internet applications.
I hope you enjoyed it and you found it interesting. If there is anything unclear, please let me know and I will gladly clarify it.