Network Firewall Rules for Dahua Remote Access

davidbann

Nov 8, 2025
Hi all,

I am busy securing my camera network. I have put my NVR, cameras, VTO and VTH on their own VLAN without internet access.

I have managed to get them all working on the local network, but now I want to get the DMSS app to work remotely so that I can view the cameras remotely, and so that the VTO can ring my mobile when someone's at the gate.

Please let me know what firewall rules I need to create to allow this.

The only thing I have done is create a rule to allow outbound NTP (UDP port 123).

Here are some outgoing connections being blocked - I'm not sure if I should just open each of these ports, or if I need to be more careful which I open?
Destination
www.easy4ipcloud.com UDP 8800
devaccess.easy4ipcloud.com TCP 443, 8683, 9898, 10000, 10080, 28080, 33702, 48800
47.254.176.103 TCP 15301
148.153.240.150 UDP 8800
47.253.194.71 TCP 443
47.253.198.49 TCP 12337

Thanks
David
 
Ok I've been monitoring the logs and there are so many ports that are being blocked, and of course when I try to access from outside the network, then it blocks my mobile as well. What is the best approach to this? I'm running a Unifi setup. I could use WiFiman to create a VPN connection from my mobile to the UCG-Ultra so that I can view video feed, if that is the better approach. Just adds an extra step when I want to view the feed... But either way I need to be able to get calls from the gate station when someone rings the intercom, even if I am not on the VPN.
 
Try just allowing easy4ipcloud.com and push.messagepush.org

May also need to allow the discovery server, mine uses 165.154.178.105

I’m not a network guy but that’s what I see in my firewall logs
 
When setting up network firewall rules for Dahua remote access, it’s essential to configure permissions that allow secure communication between the Dahua device and external clients.
 
For anyone stumbling on this in the future, this is what I ended up doing in order to have remote mobile access to my camera feeds, as well as the gate station for incoming calls.
  • I put all my cameras, the gate station and monitor on a separate VLAN without internet access (I'll call it the Security VLAN).
  • I isolated the Security VLAN from other VLANs.
  • I created a firewall rule on the Security VLAN to allow outgoing NTP access (UDP port 123) so that all cameras can poll the time server.
  • To create the P2P link to the mobile app, I created a Wi-Fi on the Security VLAN, and connected my mobile phone to it (you must have the mobile on the same network as the monitor to connect them).
  • I temporarily enabled outgoing internet access from the Security VLAN, and followed the P2P link steps on the monitor, connecting the phone to the monitor.
  • I disabled internet access on the Security VLAN.
  • I created a device-level firewall rule to allow the monitor and the gate station outbound internet access.
  • I removed the Wi-Fi SSID linked to the Security VLAN - I don't have any Wi-Fi cameras, so it is not needed other than to pair the mobile app.
  • To avoid port forwarding, I put my NVR on the main VLAN with internet access.
With the above, I am able to receive incoming calls from the gate station on my mobile, answer calls, see the video feed and open the gate, and view all camera feeds, all from outside my network.
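
The rule set described in the post above, modelled as a first-match evaluator so that the effect of rule order can be checked. This is an added example, not code from the thread or from UniFi. The subnet, the device addresses, the assumption that other VLANs use RFC 1918 ranges and the first-match ordering are all assumptions; 47.253.194.71 TCP 443 is one of the blocked destinations listed in the first post.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders: the thread gives no subnets or device addresses.
SECURITY_VLAN = ip_network("192.168.50.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLOUD_DEVICES = {ip_address("192.168.50.10"),   # monitor (VTH), assumed address
                 ip_address("192.168.50.11")}   # gate station (VTO), assumed address

def to_other_vlan(src, dst, proto, port):
    # Assumption: every other local VLAN lives in RFC 1918 space.
    return dst not in SECURITY_VLAN and any(dst in net for net in RFC1918)

def is_ntp(src, dst, proto, port):
    return proto == "udp" and port == 123

def from_cloud_device(src, dst, proto, port):
    return src in CLOUD_DEVICES

# Ordered rules for traffic routed out of the Security VLAN.
RULES = [
    ("isolate-vlans", to_other_vlan, "drop"),
    ("allow-ntp", is_ntp, "allow"),
    ("device-internet", from_cloud_device, "allow"),
]

def evaluate(src, dst, proto, port, rules=RULES):
    """Return (action, rule name) for one routed flow; the first match decides."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in SECURITY_VLAN:
        raise ValueError("only flows leaving the Security VLAN are modelled")
    for name, matches, action in rules:
        if matches(src, dst, proto, port):
            return action, name
    return "drop", "default-no-internet"

# Same rules with the device-level allow moved to the top: the gate station
# can then reach hosts on other VLANs, which defeats the isolation rule.
MISORDERED = [RULES[2], RULES[0], RULES[1]]

if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("192.168.50.20", "47.253.194.71", "tcp", 443),  # camera to cloud
        ("192.168.50.11", "47.253.194.71", "tcp", 443),  # gate station to cloud
        ("192.168.50.20", "203.0.113.5", "udp", 123),    # camera to NTP
        ("192.168.50.11", "192.168.1.25", "tcp", 80),    # gate station to main VLAN
    ]
    for flow in flows:
        print(flow, evaluate(*flow), "misordered:", evaluate(*flow, rules=MISORDERED))
```

With the device-level allow scoped below the isolation rule, the monitor and gate station reach the internet but not the other VLANs; in the misordered list the last flow is allowed.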
 