Remote Access - Beginners Guide to the Interweb...

HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm


Post by HeneryH »

Gathered up my notes in case it might help someone understand things like port forwarding.

IP Addresses
Your home is connected to the internet through your ISP and you most likely have one router/modem that is the interface between the internet (world wide) and intranet (your home). Understanding the difference between your net (LAN) and the Internet (WAN) is the first hurdle.

Technically every device in your home could have its own world wide available IP address but for a number of reasons that just isn't practical. Your router/modem is the ONLY device that ends up getting assigned a publicly visible IP address on the WAN. The router assigns private reusable addresses on its LAN side. The router funnels all outgoing connections through its one single address. No problems there. But inbound requests are the challenge.

Google "what is my ip address" to see what your single address currently is. Remember that all outbound connections are channeled through your single IP on your router.

All of your internal devices get private addresses that are reused by everyone. They are usually of the form 192.168.x.y or maybe 10.10.x.y but you need to understand that my 192.168.1.12 is not the same as your 192.168.1.12 and our internal addressing is only valid on our own networks.

Easy way to tell if someone understands this: Ask them their IP address and if they tell you 192.168.x.y or 10.10.a.b then they don't understand yet.

Ports and Protocols
The way computers talk to each other is by first identifying the IP address of the computer that is accepting connections, then secondarily identifying the sub-address (ports) within that computer that will be accepting connections, then thirdly agreeing on what protocol they expect to chat with.

The analogy here is calling a big company on the phone with departments using extensions. This isn't as common as it once was, but call Comcast's main phone number (IP address) then dial extension 204 (department or person) then start chatting in a language you both understand. If you call AT&T by mistake, you have the wrong IP address. If you call the wrong department (port) they won't understand. Also if you don't talk the same language (protocol) they won't understand.

For ease of use, there have been some standards that have been agreed to that the port should usually be equal to the protocol. Port 80 = web. Port 443 = secure web. Port 25 = email. etc etc etc. Ports below approximately 1024 are reserved while above that can be relatively safely reused. Of interest is that some folks think that they can 'fool' scammers by running their services on non-standard ports (i.e. running web on port 81 instead of 80) but that is a foolish idea because scammers can scan all ports in milliseconds, so running web on a non-standard port will stop no one.

Modern apps now usually make assumptions about the ports that people want to use. When you use a browser it assumes you want to connect to 80 or 443 depending on whether the URL begins with http:// or https:// . FYI if you want to connect to web on a non-standard port you use the format http://domain.com:yy where yy is the non-standard port.

How web connections usually work...
Connect to the web server at CNN by going to the web URL http://www.cnn.com. Your computer looks up the IP address of "www.cnn.com" and, since we prefaced the URL with http://, we assume we are going to use port 80. The data center at CNN is accepting incoming connections on their main firewalls on port 80 and serving up a nice pretty web page in the agreed upon protocol.

Connecting from the Internet to your Home devices...
Now let's think about your home rather than CNN... First, what domain name or IP address shall we use???? And what is your IP address???

This is always the first battle and is usually answered by using a Dynamic DNS service and a domain name assigned by that service. I think BI has some service for this but frankly I never used it and am not sure. You don't need a DDNS but you'd always need to know your current IP address.

However you get the valid IP address of your home router, we then move to the second challenge... All incoming connections from the internet will hit your router/modem which by default... doesn't know what the heck to do with the incoming request. Your router gets a web request and barfs without setup steps.

Port Forwarding
To make progress you will need to be able to log into your router/modem and have access to its configuration pages.

What we need to do is set up some rules on your router to instruct the router what to do with incoming connection requests. This is the port forwarding rule. They will look something like this
Basic data -
  • Incoming port connection request to port X, should get forwarded to LAN computer A on port Y.
There are some additional custom settings you can make to make it more complex but this is the basic rule.

Saving quickly now but I will update this paragraph.

Security
In general, exposing devices to the internet exposes them to the jungle of world wide scammers. Some devices are notoriously less secure and have long histories of being hacked by vulnerabilities. IP cameras are one of those notoriously insecure devices.

Your router/modem is your safety device between you and all of the skanks on the internet!!! (I changed my crude reference to something more tame :) )

NEVER set up your router to allow connection requests from the internet to be forwarded to your cameras or any other device that you don't have complete confidence in.

Some devices ARE more secure and can be set up to securely allow internet connection requests.

VPN - Virtual Private Networks are very secure and once a VPN connection is made, make it seem like you are actually home when you are away. You virtually tunnel through the VPN server and you are like home away from home. The only problem is that they are more advanced to set up and use on a day to day basis.

Controlled and Limited Web Port Forwarding - If you trust your BI machine to be secure, you can expose just incoming web connection requests to the internet. You do this by going into your router and configuring a rule to say that any incoming connection request to your home on port 80 (or 81) shall be forwarded to your BI computer on the same port 80 (or 81).

There are lots of alternatives in this area but you will NEED to grasp these basics first.
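
Added example, not part of HeneryH's post: a small audit of port forwarding rules in the "WAN port X to LAN computer A on port Y" form described above. It flags rules that forward internet traffic to a camera or an unknown device, whatever port number is used. The inventory, addresses and rules are constructed sample data, and `ForwardRule`, `is_lan_address` and `audit` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges: reusable LAN addresses, never valid on the WAN side.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class ForwardRule:
    wan_port: int   # port X on the router's public address
    lan_ip: str     # LAN computer A
    lan_port: int   # port Y on that computer

def is_lan_address(addr: str) -> bool:
    """True if addr is a private LAN address (192.168.x.y, 10.x.y.z, ...)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit(rules, inventory):
    """Return (rule, reason) for every rule that should be reviewed."""
    findings, used_wan_ports = [], set()
    for rule in rules:
        if rule.wan_port in used_wan_ports:
            findings.append((rule, "WAN port already forwarded by an earlier rule"))
            continue
        used_wan_ports.add(rule.wan_port)
        if not is_lan_address(rule.lan_ip):
            findings.append((rule, "target is not a private LAN address"))
            continue
        name, trusted = inventory.get(rule.lan_ip, ("unknown device", False))
        if not trusted:
            findings.append((rule, f"exposes {name} to the internet"))
    return findings

# Constructed inventory: LAN address -> (device, trusted to face the internet?)
INVENTORY = {"192.168.1.10": ("Blue Iris PC", True),
             "192.168.1.64": ("IP camera", False)}

# Constructed rules; the camera sits behind a non-standard WAN port on purpose.
RULES = [ForwardRule(81, "192.168.1.10", 81),
         ForwardRule(8080, "192.168.1.64", 80),
         ForwardRule(8443, "203.0.113.7", 443),
         ForwardRule(81, "192.168.1.64", 80)]

if __name__ == "__main__":
    for rule, reason in audit(RULES, INVENTORY):
        print(f"WAN {rule.wan_port} -> {rule.lan_ip}:{rule.lan_port}: {reason}")
```

The camera rule is reported even though it uses WAN port 8080, since the check looks at which device receives the traffic and ignores how unusual the port number is.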
Housewolf
Posts: 6
Joined: Fri Jul 31, 2020 3:49 pm

Re: Remote Access - Beginners Guide to the Interweb...

Post by Housewolf »

THANK YOU HeneryH!

Looking forward to the sequels.
Intel Core i5-3470 CPU @ 3.20GHz 6.0 GB RAM 64 bit Win 7 Pro ** Reolink RLC 520, Reolink E1 Pro, Axis 221 cameras **
Blue Iris 5.4.7.11 (6/11/2021) x64 *** Location: Space Coast, Florida, USA :mrgreen:
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: Remote Access - Beginners Guide to the Interweb...

Post by HeneryH »

I was thinking that a discussion of the security ramifications / difficulty of implementation for
  • Port forwarding to cameras
  • Port forwarding to BI
  • Reverse Proxy
  • VPN
Might be a good topic.
Matts1984
Posts: 496
Joined: Fri Apr 10, 2020 1:12 pm
Location: Maryland, USA

Re: Remote Access - Beginners Guide to the Interweb...

Post by Matts1984 »

I think that would be a really good discussion. Quantifying difficulty of implementation might be tough but I think you're the man for the job *nudge**nudge* ;) ;)

I'm using the Reverse Proxy method to BI, which if I showed you how easy it was, you'd probably be surprised but so much of it depends on the type/quality of the systems in between.
Blue Iris 5.8.8.x | Server 2022 VM | Xeon X5650 @ 2.67GHz - 12 Cores | 12GB RAM | 7TB RAID | Sophos UTM WAF | 4x SV3C 5MP Bullet A | 1x SV3C 5MP PTZ HX | 1x SV3C 5MP Bullet HX | 1x SV3C 5MP Dome HX | 2x Amcrest 5MP Bullet
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: Remote Access - Beginners Guide to the Interweb...

Post by HeneryH »

I use reverse proxy as well. But easy to you and me may not be easy to everyone.

I had a separate thread dedicated to the pros/cons of Reverse Proxy and how to set it up. One could literally copy/paste the steps from the instructions.

You basically create a Linux Virtual Machine and fire up Nginx with a specific configuration file. This gets you the security of Linux with free Let's Encrypt SSL certificates.
kayfersmum
Posts: 58
Joined: Tue Jun 18, 2019 10:09 am
Location: Surrey, UK

Re: Remote Access - Beginners Guide to the Interweb...

Post by kayfersmum »

Thank you HeneryH for taking the time to write this. It is very much appreciated 🙏
spacerust
Posts: 3
Joined: Mon Oct 18, 2021 11:52 pm

Re: Remote Access - Beginners Guide to the Interweb...

Post by spacerust »

As of 10/18/2021 I got a rented Comcast modem.

All was working fine on my Blue Iris. Remote from the Android App, etc. I have No-IP. Now that I switched to a rented Comcast modem, I can't access my Blue Iris using my cellular data. (from outside my network). Do I need to set something on the Comcast modem? I have the latest Comcast modem.

Thanks
Matts1984
Posts: 496
Joined: Fri Apr 10, 2020 1:12 pm
Location: Maryland, USA

Re: Remote Access - Beginners Guide to the Interweb...

Post by Matts1984 »

It sounds like you were using port forwarding. If so, you'd need to configure that again... which might be fun, if I recall, Comcast has a limited functionality interface. Not that it's impossible, but it might be tricky.

Basically No-IP is publishing a DNS entry to get traffic to your router outside interface. You need to configure the router to allow and map that traffic to your BI server. In doing so, make sure you are implementing appropriate security measures to your accepted risk level.
spacerust
Posts: 3
Joined: Mon Oct 18, 2021 11:52 pm

Re: Remote Access - Beginners Guide to the Interweb...

Post by spacerust »

Oh yea this modem does do port forwarding. It was pretty easy in their newest modem. Normally dealing with rented Comcast stuff is a pain and does not work. I am using ports 80 and 81. So I did two port forwards on the Comcast modem. Presto! Works again! Thanks for the response.