Lesst 0 Posted November 7, 2010 I have been fooling with IP cameras for a few years now. I have very little network training, and have learned by watching, and asking here, along with lots of web reading as I set up various cameras/DVR/NVR's. I have tried to create a standard IP and camera port numbering system that I use on every install to keep things organized. I always require that my systems include my router/switch wiring, that I manage, and just make a single connection to their home or business network. One mentor said to start your Ports after 10000, so here is what I have been doing. Camera 1, has an IP of 192.168.0.111, and Port:11111, cam 2 is 192.168.0.112 port:11112, and so on. FYI, I prefer to hit 11111 rather than 10101 and have to jump from 1's to ZEROS across the laptop keyboard that doesn't have a numeric keypad layout. Is there any flawed logic here or a better way that you think I should consider? Any other network set up ideas / tricks? Change IP Blocks or Subnet?? Share this post Link to post Share on other sites
thewireguys 3 Posted November 7, 2010 So you use routers to plug into your customers networks? Why? Also only change ports if you have to. What do you use to document all the IP and password info from your install? Share this post Link to post Share on other sites
rory 0 Posted November 7, 2010 So you use routers to plug into your customers networks? Why? I think he means their routers or if they dont have one he puts one in place. Share this post Link to post Share on other sites
Lesst 0 Posted November 8, 2010 Yes I replace the client's router with mine (Gigabit Wireless N). I'll use a Gigabit switch with POE too, sometimes if I have IP cameras needing that. If the client needs multiple wired connections, I set them up a switch separately from my camera switch and just feed the 'one line' from the router to the "house" switch My Network 101 lesson, I only need to open 1 port and just assign distinct IP's for each IP device. Les Share this post Link to post Share on other sites
Soundy 1 Posted November 8, 2010 Thewireguys is right, in most cases there's no need to change port numbers on cameras. Some cameras use multiple ports, which could only add to the confusion, and with some the port will vary depending on the protocol used. For a switch, take a look at the likes of the Cisco/Linksys SFE1000P - eight 10/100 PoE ports and two gigabit ports. No cameras currently available use gigabit (at least none that I'm aware of), so you can usually save some money by NOT getting an all-gigabit switch (this one retails for around $300 here); the two GbE ports are perfect for connecting your DVR/NVR and adding a NAS, or uplinking to the rest of a GbE network. If you have more cameras than that, the SFE2000P is a 24+2 version of the same concept. Share this post Link to post Share on other sites
cglaeser 0 Posted November 8, 2010 For a switch, take a look at the likes of the Cisco/Linksys SFE1000P According to the specs, it's also fan-less, which is high on my list of priorities. 1U fans are annoying, and I try to avoid them when possible. Best, Christopher Share this post Link to post Share on other sites
Lesst 0 Posted February 1, 2011 I do need to assign each camera its own port number after all. Since I use IP cameras, each one needs its own distinct Port # so it can be logged onto directly from the outside Internet. I use a DDNS (Dynamic Domain Name Server) to make each job easier to find. So to go to the DVR at a site I'll use http://www.whateverdynamicname.com. To login into camera # 2 at that site I go to http://www.whateverdynamicname.com:11112. I wanted to reply so that others reading will know why different ports may be necessary Good Luck Les Share this post Link to post Share on other sites
thewireguys 3 Posted February 1, 2011 I do need to assign each camera its own port number after all. Since I use IP cameras, each one needs its own distinct Port # so it can be logged onto directly from the outside Internet. I use a DDNS (Dynamic Domain Name Server) to make each job easier to find. So to go to the DVR at a site I'll use http://www.whateverdynamicname.com. To login into camera # 2 at that site I go to http://www.whateverdynamicname.com:11112. I wanted to reply so that others reading will know why different ports may be necessaryGood Luck Les Yes this makes sense if your logging into the cameras directly but if your using VMS this is not needed. Also if you have a computer on site you can log into the computer then log into the cameras from that machine. Opening up ports to each camera is an unnecessary security risk. Share this post Link to post Share on other sites
cglaeser 0 Posted February 1, 2011 Opening up ports to each camera is an unnecessary security risk. What are the odds that cameras have back doors by design or otherwise? Fairly high, I would guess. Best, Christopher Share this post Link to post Share on other sites
Soundy 1 Posted February 1, 2011 Opening up ports to each camera is an unnecessary security risk. What are the odds that cameras have back doors by design or otherwise? Fairly high, I would guess. Best, Christopher Worst case, someone could view and maybe mess with the camera settings... won't give them access to anything else on your network. Share this post Link to post Share on other sites
rory 0 Posted February 1, 2011 Opening up ports to each camera is an unnecessary security risk. What are the odds that cameras have back doors by design or otherwise? Fairly high, I would guess. Best, Christopher Windows by default is a security risk. If they can gain access to an IP camera .. they can certainly gain access to the NVR (unless its setup properly) Share this post Link to post Share on other sites
hardwired 0 Posted February 1, 2011 Opening up ports to each camera is an unnecessary security risk. What are the odds that cameras have back doors by design or otherwise? Fairly high, I would guess. Best, Christopher Worst case, someone could view and maybe mess with the camera settings... won't give them access to anything else on your network. There are exploits out that let someone do a remote NMAP scan of a local network through a HP printer... And HP probably has better written code than a lot of IP camera manufacturers out there. I'm for opening as few holes as necessary to the WAN, and using VPN applications wherever possible. Share this post Link to post Share on other sites
Soundy 1 Posted February 2, 2011 I do need to assign each camera its own port number after all. Since I use IP cameras, each one needs its own distinct Port # so it can be logged onto directly from the outside Internet. Actually only necessary if the router doesn't properly support port forwarding. One that does will allow you to forward one outside port to a different inside port - for example, assuming the cameras use port 80 internally, you could have the router forward port 11111 on the WAN to port 80 at 192.168.0.111; port 11112 on the WAN to port 80 at 192.168.0.112, and so on. Another reason to NOT change the ports: courtesy to the next guy who comes along and has to service the things. I recently ran into a site where the installer had assigned odd ports to the IQEye cameras, and for whatever reason, the camera utility (iqfinder) wouldn't actually display the port number, and wouldn't let me change the settings ... since I didn't know the port he had used, I had to use the hard button to do a factor reset on the camera, so I could then access it on the default port (80). Share this post Link to post Share on other sites
Lesst 0 Posted February 2, 2011 I'm glad I brought this up again, great comments guys. I've have been working with video cameras since 1970, but I'm still way to green in the networking department. My current job is in a homeowners association, with cameras and non Windows DVR's at front and back gates with router on DSL, and in the clubhouse on a separate IP from the office network. How is this vulnerable? Also, I cannot VNC into a computer on the local network to 'address' the cameras. So I don't see a way to do this any other way, or don't understand enough if alluded to in above comments. I think I understand Soundy's comment to have all cameras on port 80, and internal IP's :111 :112 ….. but how could I get to each camera separately from outside the local network without being able to address each camera {port} directly? I use all Avermedia DVR's that has a CMS (VMS) but it doesn't connect to any controls of the Axis cameras that I use. Thanks for your additional comments and insights. Share this post Link to post Share on other sites
thewireguys 3 Posted February 2, 2011 I'm glad I brought this up again, great comments guys. I've have been working with video cameras since 1970, but I'm still way to green in the networking department. My current job is in a homeowners association, with cameras and non Windows DVR's at front and back gates with router on DSL, and in the clubhouse on a separate IP from the office network. How is this vulnerable? Also, I cannot VNC into a computer on the local network to 'address' the cameras. So I don't see a way to do this any other way, or don't understand enough if alluded to in above comments. I think I understand Soundy's comment to have all cameras on port 80, and internal IP's :111 :112 ….. but how could I get to each camera separately from outside the local network without being able to address each camera {port} directly? I use all Avermedia DVR's that has a CMS (VMS) but it doesn't connect to any controls of the Axis cameras that I use. Thanks for your additional comments and insights. If your using Aver for your VMS why do you need to access the cameras directly? Share this post Link to post Share on other sites
Lesst 0 Posted February 2, 2011 I need to log into cameras so I can "Play" or make any adjustments. I'm using some of these cameras be able to read License Plates, and I have been changing the lighting and shutter speeds to see different results. They seem to do a good job at this. I'd rather play with the settings at home during the night rather than sit in a small cold empty room with an equipment rack, not much fun playing there I can understand the logic better now, that you (industry standard good practice) would prefer to set up like Soundy suggested (?) so you can only login on local network. Referring to local connection I do set up a wireless network and name the SSID the local police name to confound, confuse, and hopefully deter too if someone is sniffing. Share this post Link to post Share on other sites
Soundy 1 Posted February 2, 2011 I think I understand Soundy's comment to have all cameras on port 80, and internal IP's :111 :112 ….. but how could I get to each camera separately from outside the local network without being able to address each camera {port} directly? Again, the port forwarding on your router SHOULD allow you to designate different WAN and LAN ports for forwarding - ie. instead of setting port 11111 on the WAN to forward straight to port 11111 on the camera's LAN address, you tell it to forward 11111 on the wan to port 80 on the LAN address. Basically what the router is doing then, is instead of http://address.com:11111 ---> router ---> 192.168.0.111:11111 ...it's doing... http://address.com:11111 ---> router - \ \ --> 192.168.0.111:80 What routers are you using? Share this post Link to post Share on other sites
Lesst 0 Posted February 2, 2011 Using Trendnet TEW-6xxx class routers. Current job TEW-652BRP (Version v2.0R) Share this post Link to post Share on other sites
Soundy 1 Posted February 2, 2011 Okay, so in the router settings, if you go to Access -> Virtual Server (assuming the manual I found is the right one), when you set up a port forward... there are options for "Public Port", "Private Port" and "LAN Server". So for each camera, you'd enter the desired port as the "Public Port" (eg. 11111), and 80 for the "Private Port", and of course, the camera IP under "LAN Server" (192.168.0.111). That's with the camera left at the default of port 80. BTW, the 632/652 models SHOULD support DD-WRT, which is an advanced third-party firmware with a lot of additional options, including VPN server support. Share this post Link to post Share on other sites
hardwired 0 Posted February 2, 2011 DD-WRT, which is an advanced third-party firmware with a lot of additional options, including VPN server support. DD-WRT really works well, I use it with the Windows VPN client and Dynamic DNS resolver (I use DynDNS), to dial into my home network. Using a VPN tunnel would allow you to leave the camera port settings unchanged and not forwarded to the WAN, which would probably make things easier (and safer from various forms of outside attacks). Share this post Link to post Share on other sites
mike_va 0 Posted February 6, 2011 This was really confusing to me at first. Here's what I read to do somewhere and this seems to work. Although it seems that perhaps I did not need to change the camera port number on the camera? Anyway this works and I can use dyndns and these port names to access my cameras one at a time when a away from the house. The example below is a linksys router (all ports temporarily disabled) and Axis P3344. Hope this helps someone. To get Vitamin D to see the camera then I use 192.168.1.57:10057/ Share this post Link to post Share on other sites
Soundy 1 Posted February 7, 2011 Mike, I don't have a 54G handy to check (all of mine have been flashed to DD-WRT), but if memory serves, you can use the "Single Port Forward" page to forward a different outside port, to port 80 at the given IP on the LAN, which allows you to keep the standard port 80 on the camera. Simplifies things a bit because you don't have to change all the camera settings, and the NVR settings with it. Share this post Link to post Share on other sites
mike_va 0 Posted February 8, 2011 Mike, I don't have a 54G handy to check (all of mine have been flashed to DD-WRT), but if memory serves, you can use the "Single Port Forward" page to forward a different outside port, to port 80 at the given IP on the LAN, which allows you to keep the standard port 80 on the camera. Simplifies things a bit because you don't have to change all the camera settings, and the NVR settings with it. Thanks Matt, very cool, was not sure how to use that but it's gradually starting to make sense. Share this post Link to post Share on other sites
Soundy 1 Posted February 8, 2011 That's the one... so for the camera displayed, you'd set external port to 10057, internal port to 80, and IP to 192.168.1.57 ... and under Application you could put the name or location of the camera, just to keep things organized. It seems like a little thing, but not needing to keep track of changing ports on cameras really does make life easier... even moreso, as I say, if you're doing a customer's setup, where there's a chance someone else might have to deal with your setup some day. Share this post Link to post Share on other sites
cglaeser 0 Posted July 3, 2011 Actually only necessary if the router doesn't properly support port forwarding. One that does will allow you to forward one outside port to a different inside port - for example, assuming the cameras use port 80 internally, you could have the router forward port 11111 on the WAN to port 80 at 192.168.0.111; port 11112 on the WAN to port 80 at 192.168.0.112, and so on. What are examples of routers that support this feature? Is this commonly supported? I don't think this is supported on the Netgear FVS328 and other Netgear routers. Best, Christopher Share this post Link to post Share on other sites
