Changed ISP and routers, can't access SecuritySpy web server
  • I'm stumped on this… I've opened up the port (I think), but there's no external access from the Internet back to the server. I've tried both the app and web browser viewcam.me and direct IP addresses — so seems to be issue in the router — or possibly ISP blocking it? I've been trying over cellular (i.e. not on my local network).

    The router is a Fritz!Box 7590. I've gone into Permit Access > New Sharing > Port sharing, set Application=Other, Protocol=TCP, Port to device = 8001 through 8001, Port requested externally = 8001.

    On this screen and the main screen, the Fritz!Box is saying the IPv4 external address is different than whatismyip reports — I don't understand why or if that's relevant. But that address doesn't work either.
  • What external IP address is being reported by the Fritz!Box? If this is a local IP address (commonly 10.x.x.x or 172.16.x.x 192.168.x.x), then you are in a "double NAT" situation, with two routers between the Mac and the Internet, which is why this isn't working.

    So, what is the Fritz!Box plugged into? Is it another router?

    If this is what is happening, please see our advice about double-NAT via this FAQ: I'm unable to access my system remotely - how can I troubleshoot this?
  • The Fritz!Box is reporting 100.67.97.xxx — so not a local network, but iplocation.net does say Carrier-Grade NAT RFC6598. whatismyip.com reports 151.210.164.xxx The Fritz!Box does support mesh Wi-Fi (I’m not using an extender) and is set to Master. The Fritz!Box is plugged into the ISPs cable modem (also replaced when I switched), which I don’t think I have access to.
  • This all indicates that your new ISP employs Carrier-Grade NAT, which unfortunately means that it's not possible to receive incoming connections into your network from the Internet. The solution is to use a tunneling service such as ngrok, which is described in our blog post Remote Access via Mobile/Cellular/Satellite Internet.
  • OK thanks for your help, hadn't encountered CGNAT before; and have confirmed 2degrees is using that. My ISP offers static IPs at NZD10/month, so much the same price as ngrok. Interesting that both my heat pump and alarm system can still be accessed remotely — maybe a future built-in capability for SecuritySpy?
  • I would say that purchasing a static IP would be the best way to go here.

    There are basically two ways to implement remote access:

    1. Port forwarding, so you are connecting into your own network directly to your own device. This requires an incoming connection to your network, so requires that your router have a public IP address.

    2. The device makes an outgoing connection to an intermediary server, and when you want to access it, you are connecting to that intermediary server.

    Option 2 only requires outgoing connections from your network, so is unaffected by things like CGNAT, and it also requires less setup (i.e. no port forwarding). The problem is that it needs server infrastructure to run. So, it's easy for a company to implement option 2 for applications like alarm systems, where the bandwidth is very low, but CCTV involves video streaming, so can be very high bandwidth. This is why these types of services for CCTV either have usage caps and/or paid monthly subscriptions.

    So with SecuritySpy we have chosen option 1. This means we don't have to maintain server infrastructure to provide this functionality, so it means there are no usage caps or monthly fees. It is also more secure for the user - their data never passes through our servers: the remote access connection is directly to their own server. The downside is that on the rare occasion like this, things like CGNAT can prevent this from working.
  • Just stumbled across this and I had a similar problem with access plex when I went to Aussie broad band and I asked them to disable CGNAT I think it was called for me and then it all worked fine for me so could be worth asking your ISP if they can turn it off as Aussie BB can you just have to give them a valid reason why you want to opt out of it.
  • That's a great tip @8urt0 thanks for sharing.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!