Networking - Remote Access

This forum has articles regarding decisions and implementations surrounding BI that need to work.
What hardware is needed to run the BI server?
How should the network be set up?
Post Reply
varghesesa
Posts: 61
Joined: Thu Jul 11, 2019 9:52 pm

Networking - Remote Access

Post by varghesesa » Tue Aug 17, 2021 3:10 am

Introduction

Remote access is a key component of BI functionality. Users want to see their cameras and alerts remotely either through a browser or their mobile apps. In order to do so, your home or office network needs to be setup so your mobile apps or browsers can connect to your BI server residing in your home or office.

The choices for doing so seem to be growing. The Network setup section shares the options available so users can decide what works best for them.

The Remote device tests section provides easy tests to confirm what components are working and not working to help troubleshoot. If you need support, knowing the results of your tests is important to diagnose the issue.

Network setup

This article complements the Remote access chapter in the Help file. It's a step by step practical guide on how to setup your network for remote access.

Port forwarding and NGROK (DDNS)

The Networking and Router Configuration section in Help provides a nice overview of Port forwarding and NGROK. Port forwarding was the original way of setting up your network for Remote access. Network saavy folks still use port forwarding, but for many, setting up port forwarding is challenging.

The Remote Access 101 webinar guides you through the process of setting up your network using Port forwarding and NGROK. The webinar begins by explaining the concept of port forwarding and walks you through an example. Troubleshooting your network and port forwarding is beyond BI support. Research the forum/internet and/or contact a local managed IT services company or security company.

The webinar then closes by explaining how to implement NGROK for remote access. NGROK is one of many DDNS solution for remote access. Furthermore, NGROK provides https support for free so not only is it easy to deploy, but also provides strong security/encryption. The webinar complements the NGROK section in the Help files.

I personally started with port forwarding but have since switched to NGROK after purchasing an Orbi mesh router and not wanting to deal with cascading routers. Most users are using NGROK (ddns) these days since it's easier.

The only gotcha is if the Windows server running BI restarts, you have to restart NGROK and re-enter the url in the mobile app(s). The paid version gives you a persistent URL. However, the NGROK section in Help provides detailed instructions on how to start NGROK automatically and get Remote access working again.

Other third party solutions

This section shares other networking solutions for remote access that seems to be catching on with users.
ZeroTier
ZeroTier sounds like a more robust DDNS tunneling solution that also bypasses port forwarding.
ZeroTier comes with a free version. It also provides encryption.
Works with the Starlink network from SpaceX.
See details on YouTube.

Web server settings

Once you have the network setup, you can now setup the BI server. Global settings -> Web server tab
The Help button goes to the Web server topic in Help. This is a good time to review Help to get an overall understanding of the fields in the dialog.

Port forwarding
This section talks about the key fields when you choose to setup remote access via port forwarding.
Web server port: You can leave the default 81 or choose another port based on how you setup port forwarding on your router.
Adaptors: BI listens on all available adaptors so leaving selection as is should be fine. See Help for more info.
WAN: Use the refresh button to populate the WAN address. Check the router connected to the internet to confirm the address is correct.


Port forwarding + SSL(HTTPS)
Many users that have implemented port forwarding also want https / encryption for better security. If you are interested in maintaining your own SSL certificates for encryption, see the SSL and HTTPS section in the BI Help file. STunnel is one solution. Keep in mind, Android recently changed their policy on public certificates.
The Android gotchas article lists examples of fixes to meet these new requirements.


NGROK

Follow steps below to setup BI properly to work with NGROK.
The below instructions provide an https remote connection.

NGROK Server
Start the NGROK server if not done so already. Below is the console window after doing so. I told NGROK to use port 7000.

networking_ngrok console.png
networking_ngrok console.png (34.84 KiB) Viewed 111 times

Web server settings
Since NGROK provides https for free, I took advantage of it. Simply copy the https address into the WAN field.

networking_web server_NGROK.png
networking_web server_NGROK.png (52.28 KiB) Viewed 111 times

Note STunnel/NGROK is selected.
Note Refresh external IP at startup and again every is unchecked.


Mobile app - Server settings

What's great about BI is if your Global settings -> Web server tab settings are set correctly, the Lookup key will correctly populate the server settings in the mobile app!

networking_mobile app settings.png
networking_mobile app settings.png (46.39 KiB) Viewed 110 times

Note https choice for WAN with the ngrok address which corresponds to the https setup in the Web server tab above.
For the LAN, I chose to keep my IP address with http, so the router can access the BI server faster when home.


Remote access wizard

BI comes with a diagnostic tool to determine whether you have successfully setup your network and the BI server for remote access.
Global settings -> Web server tab -> Remote access Wizard.
Start the Wizard and in parallel read the Remote Access Wizard section in Help. The Help documentation explains the checks associated with each page and helps you resolve issues.



Remote device tests

You can now test whether your network is setup correctly by using the UI3 browser and the Mobile apps.

Test 1: Localhost

This test is good because it takes the network out of the equation.
Open a browser window on your BI server.
Go to your BI web server. localhost:<port number>
Does the login page pop up?

networking_login.png
networking_login.png (109.19 KiB) Viewed 1175 times

When you login is the interface responsive? Do the camera streams appear smooth and healthy?
If not, either the BI web server is not running well or your camera streams are not setup correctly.

Camera streams
Confirm streams are smooth and healthy in the console. Garbage in = Garbage out.
If not, see Camera Stream Gotchas article.
If the cameras do not connect, i.e. no video, see No Signal Error article.
Check your anti-virus and firewall settings. See Windows Tuning article.

Web server
The Remote Access Wizard will help you determine whether your web server is running ok.

Windows Firewall & Anti-virus
Sophos is an example of anti-virus software that held the video stream for something like 30s before releasing the data to UI3.
See Windows tuning article on how to setup proper exemptions.

Test 2: LAN & UI3

After test 1, this test helps determine if your LAN network is setup correctly.
From a device on the LAN (laptop or mobile phone), connect to UI3 using the web browser.

Network configuration
Does the login page appear? If not, your network is not setup correctly.
You need to determine why your remote device on the LAN cannot talk to the BI server. You will need to check your Router(s) settings and any equipment that has to do with the routing.

Login
Login to UI3 if the login page appears.
If you cannot login see login gotchas.

Network latency
Is UI3 responsive? Are the video streams smooth and current?
Run through the Windows Tuning article just to make sure Windows is not in conflict with BI. Pay attention to Anti-virus and Firewall sections.
This is frequently the biggest cause of poor performance or poor remote access.

UI3 provides the ability to alter video streams to lower the network bandwidth to meet the constraints of your network!

Endpoint
BI also provides the ability to examine the endpoint device. In UI3, you can right click on Stats for Nerds and observe the stats on the endpoint.
Latency = Network delay + Player delay
If either delay is above 1000ms it could indicate an issue.

High network delay normally indicates a network problem but could also happen if the BI server is overwhelmed and unable to encode the stream properly.

High player delay means there is something wrong with the computer running UI3 (too slow, bad video driver, etc).

If there is 5-11 seconds of video delay that cannot be attributed to the delays in Stats for nerds, then I would suspect internet security software is intercepting the video stream and trying to scan it for viruses for a while before releasing it.

Test 3: WAN (internet) & UI3

Turn off Wifi on your mobile phone, i.e. connect to your cellular network.
Can the mobile browser on your phone still connect to the login page?
If not, your router or network is not setup so devices on the internet can communicate with your BI web server.
Revisit Network Setup above.

Test 4: WAN (internet) & mobile apps

Confirm Mobile App Server settings.
Login to the web interface from the phone while on your cellular network.
  • You can be confident your network is setup correctly.
  • Your web server is configured properly to work with your mobile app.
  • You know the LAN/WAN addresses needed to connect to the server are correct.
  • You confirmed a Username / Password by logging into the web interface.
If you have a mobile app, connecting the app to your server should be easy. You now have all the critical pieces of information needed to connect your mobile app. The Mobile Devices article walks you through setting up your phone.


Network hardware tests

This section explains how to determine whether your networking equipment and cables are functioning.

The easiest way to confirm the network is working is by seeing if the cameras connect with another 3rd party application.
Details on using VLC here.

If another 3rd party player cannot access the camera
  • either the network is not setup correctly
  • the camera/device does not allow 3rd party access
  • there is hardware failure with the network and/or the camera


Below are examples of network failures from past customers that led to resolution.

Network hardware
Many customers have a hard time believing their networking hardware is bad or incorrectly configured. Below are a list of issues to provide clues on how to investigate your network.
  • Router: If some cameras work and others do not work, switch the router ports at the router of the non-working cameras with working cameras. Rule out the router has gone bad.

    I had a user with 5 cameras, most of which were high resolution (4 MP+). The issue was the router which was eventually replaced. The problem was not obvious. 4 of the cameras worked for the most part (but they too would lose signal on occasion). The 8 MP camera (PoE) was the most problematic. Even more strange the lower resolution wireless cameras worked better than the 8 MP camera. The user had no issues after replacing his router. Troubleshooting network issues is beyond BI support.
    No, only one camera was initially causing trouble. I have 4 reolink and the amcrest. Interestingly, the wireless reolink worked great. The poe 810A was the most problematic,..and I think also the highest resolution. Hence, perhaps some timeouts or something with my old / bad modem. No problems since I replace the modem.
  • Cables: If you have a camera that you know works well, replace a problem camera with the good camera temporarily. If the good camera also stops working, then you know that particular cable has a problem.


Gotchas

The gotchas section is about learnings from past tickets.

Gotcha 1: Mobile apps no longer connect

Issue: The mobile app or web browser can no longer connect to the BI server.
You may have not done anything. Maybe router restarted? Maybe your ISP provider rotated your WAN address?
Easy to confirm. Email your support info to yourself. Click on the WAN URL. Does the web login page pop up?
If not, something has changed. The Remote Access Wizard will also tell you if there is an issue.

This gotcha ONLY applies to port forwarding setups.
port forwarding.png
port forwarding.png (49.91 KiB) Viewed 1147 times

The above diagram was used in the Remote Access Webinar to explain port forwarding. If the above is confusing, first review the webinar which is based on the Remote Access section of the BI Help file. The Help file with the webinar is a good start to understanding Remote Access.

Based on diagram, the ISP provider originally assigned 97.56.23.168 as your WAN address. Based on diagram, the router assigned the BI Server 192.168.1.7 as the LAN address.


After the router restart:
  • ISP could have assigned a new WAN address. 97.56.23.168 -> 97.56.28.15
    Consequence: Mobile devices will no longer be able to connect to the BI server from the WAN.
    Fix: Logout of BI Mobile App -> Edit (server) -> Lookup key (iOS) / Get IPS button (Android). You should observe the WAN address update.

    This will only work if Global settings -> Web server tab -> Refresh external IP at startup... is checked.
    refresh external IP.png
    refresh external IP.png (13 KiB) Viewed 1147 times

    For Commercial accounts where the ISP provides permanent IP Addresses, this feature can be unchecked. Commercial accounts are usually guaranteed the same WAN address
    For residential accounts, WAN addresses are usually NOT guaranteed. The Refresh external IP... feature comes in handy to get the mobile apps reconnected.
  • Router could have assigned BI a new IP address. 192.168.1.7 -> 192.168.1.15.
    Consequence: The router's port forwarding is broken.
    Fix: Update the router's port forwarding to the new IP address. Also change the router setting to provide a Static IP Address to the BI server so it never changes again to prevent future issues.

Gotcha 2: Android & STunnel

Issue: I can connect to my server using UI3 on the mobile web browser. However, my mobile app will not connect.

Android / Google came out with tighter certificate restrictions recently. You need to make some changes to your Stunnel config file. The Android Gotcha article documents how other customers resolved issue.

Gotcha 3: Ad blockers

Ad-blockers work by blocking IP addresses they suspect are connecting to serve ads.
Ad-blockers have confused valid BI connections from a web browser or mobile app as ad servers, thus disrupting connections.

Users, for example, would never get the login page.

networking_ad blocker.png
networking_ad blocker.png (34.36 KiB) Viewed 556 times
Thanks, I figured it out. My host based adblocker, for some reason, started blocking the connection. Whitelisted the blueiris IP and all is well.
The ad-blocker (Adguard) on an Android device caused the mobile app to crash. Error message was lost connection to service 2.

Gotcha 4: Multiple Ethernet Adapters

Many users setup their BI servers to have multiple ethernet adapters. A common setup is to use the ethernet adapter exclusively to talk to cameras. Users want to keep their cameras completely off the internet for security reasons. However, they use the WIFI adapter to setup remote access, i.e. to view cameras from the mobile app or remote browser.

In general, BI will listen on all adapters.
Global settings -> Web server tab

networking_ethernet adaptors.png
networking_ethernet adaptors.png (20.39 KiB) Viewed 374 times

Service
However, if you are running BI as a service, on occasion Windows can start services before the ethernet adapters are set. Delay the start of the BI service. Select Delayed Start from Windows Services for the BI service. This way Windows has time to set the adapters before starting the BI service.

networking_delay start.png
networking_delay start.png (1.36 KiB) Viewed 374 times

Even with the delayed start, on occasion the adaptor will not be ready. With 5.5.0.14, the software will now retry the web server connection each 4 seconds after an initial failure until it is successful.

Bind exclusively is not normally needed since the web server will listen by default on all available adapters.


Next steps

We are not networking experts. Nor do we know your ISP provider or their policies.
Basic troubleshooting is to turn features off and reduce complexity (STunnel, VPN etc) and observe whether functionality returns.
Speak with your local experts at Managed IT firms or Video Surveillance firms if your setup is not working.
The forum may be a good place to pose your question. blueirissoftware.com/forum




If you used port forwarding to setup your network, you can go to the Mobile devices article to complete the app setup. If using NGROK, STunnel or other techniques, continue with below steps.
Post Reply