Setting up Remote Viewing Using New Cellular Data ISP
Hi. A friend had been using DSL internet service and a Peplink multi-WAN router and remote viewing of SS on his Mac Mini had been working. But the DSL internet was pretty slow and unreliable. He got rid of the DSL service and his new service is from AT&T using an LTE MF279 gateway. He's much happier with the internet connection. Now we're trying to re-establish remote viewing of his SS. We're getting mixed messages from Tech Support about whether port forwarding actually works in the real world using this gateway. If we're unable to get port forwarding working, is it too much threat exposure to set up the Mac Mini running SS as a DMZ Host? This Mac Mini is only used as a SS and home automation server and is not used for any other uses. If we're unable to setup remote access for the Mac Mini, is setting up one outdoor Axis camera as a DMZ Host a reasonable thing to do? From what I've read, it seems DMZ is to be discouraged and is often used only for gaming consoles, as the intrusion risk is limited, etc. I appreciate any feedback.
Comments
DMZ just means that all incoming connections from the Internet on any port at aimed at one particular device. As you say, this is generally discouraged as it's a potential security risk, but if you make sure to turn on your Mac's firewall with just the relevant few ports open, then you should be OK. Do you know if you are actually able to do this?
I'm wondering if you and other visitors here feel that setting up NGROK services is a reasonably secure connection?
https://ngrok.com/product
Again, many thanks!
As far is it working well, it works really well ALL THE TIME. The only issue I have and I'm 99% sure it's not Ngrok related is that my connection over cellular is choppy. Looks like my cameras are running at 1-5FPS when in reality they are running at 30FPS. Really bugs me and I'm thinking of just going back to running blue iris on a PC (even though I purchased an 8 camera SS license
Here’s an update. Our internet service is coming from an AT&T MF279 gateway. The AT&T documentation specifically states that port forwarding is supported. I followed the instructions to forward a port to a specific IP address on the LAN, where we have a Mac Mini running SS on an IP with a DHCP reservation. We were not successful in viewing SS from a remote WAN connection.
An additional complication is double NAT. It seems the MF279 gateway cannot be set in bridge mode. So the gateway is handing out IP addresses to his (heavily configured, pre-existing) Peplink router which is also managing LAN IP addresses. This Peplink has the same port forwarded to the Mac Mini (and this had been working flawlessly with his earlier DSL service.) Other than the ways double NAT could be affecting our remote viewing, it has not been an apparent problem as every single internet service is working much better by LTE than his earlier DSL service ever did.
Out of curiosity I brought one of my Canary video surveillance cameras over to his house, and it seemed to work well.
Any other feedback for me? I would like to confirm correct network setup first before exploring NGROK, etc. Thanks!
I imagine Double NAT is interfering with our port forward testing. The ISP (AT&T) gateway is already a router. I thought about attaching a five port gigabit network switch to the AT&T gateway, sending one ethernet cable to the current Peplink router. This way, everything in the house should work well, as it does now. Then connect the Mac Mini running SecuritySpy and two cameras by ethernet to this gigabit switch- so that they're in front of the second router. Then do a port forwarding test. If it works, I'm not sure, this setup might or might not be agreeable to live with.
But first I'm focused on dialing in motion detection sensitivity, trigger time, and masking. I've been very pleased with how well SecuritySpy's email relay service has been working. As things are right now we can log in to the Mac Mini running SecuritySpy by Teamviewer if we want to see all cameras live. The motion detection based emails will provide notification. We're also experimenting with saving select camera's video files to Dropbox, instantly and conveniently viewable from anywhere.
I will followup again with further developments.
1. Being given a private/local IP address by your ISP rather than a public one (see Carrier-grade NAT). This is common for 4G/LTE connections. One solution for this is to use a VPN that provides you with a public IP address (e.g. Static VPN IP). Another solution is ngrok, which is designed specifically for this purpose.
2. Having two routers on your own local network, each with NAT enabled. The best solution for this is to eliminate one of the routers, or put one of them in bridge mode. Otherwise, for any device behind both routers, the first router needs to be configured to forward incoming connections to the second router, which needs to be configured to forward incoming connections to the device (note: the first router cannot see the device directly, so you can't just add a rule here to forward connections directly to the device).
As noted above, AT&T do seem to have an option to give you a public IP address. See this page: AT&T Custom IP Addressing Solutions. In case the page moves, here is the relevant text:
Private IP addresses: This is the default IP addressing solution on the AT&T data network. If you choose this option, your mobile devices will be dynamically assigned a private IP address for use with your private network.
Public IP addresses: Public IP addresses can be dynamically assigned from a designated range of addresses for a specific business. Choosing a block of public IP addresses allows you to reinforce corporate security by adding a fixed block of wireless device IP addresses to your firewall. By using public IP addresses, your traffic can be routed via the Internet.
Static IP addresses: Business-critical applications that require a fixed IP address can take advantage of AT&T static IP addresses. With static IP addresses, a business can designate a range of public IP addresses to be assigned to their mobile users. Each time a mobile user signs on to the wireless data network, the network assigns the same IP address to the device from the designated range.
This information is about business connections, but hopefully they also provide these option for personal accounts.
So I think, with AT&T, the best option would be to contact them and get a public IP (either static or dynamic - it doesn't matter), then make sure you don't have double-NAT within your own network. Then everything should work.