A Guide to Port Forwarding
It cannot be disputed that since video surveillance moved to a network-based platform, the functionality on offer has gone through something of a sea-change. Even those hawking closed systems which use legacy cabling have to admit that the degree of flexibility on offer from network-based solutions is staggering when compared with what the older technologies could offer. However, despite the growth of advanced solutions, the subject which receives the highest level of calls to technical support departments is a relatively simple one. Here with the help of Adam Radley, Training Manager at Samsung Techwin, Benchmark looks at the issue of port forwarding.
One of the significant advantages of network-based video surveillance is the ability to remotely monitor a site and view live or recorded footage, as well as interacting with all elements of the system and any peripheral devices. The odds are that if you have installed a network-connected video system, you will want to allow authorised users to remotely view and manage it.
The most common reason for establishing a remote connection to a video surveillance system is to allow an end user to view and manage footage via an internet-connected device such as a mobile handheld tablet or smartphone, or a PC at another site. It could also allow a central control room to manage video from remote locations. The connections are achieved through the process of port forwarding.
Ports are virtual connections that allow devices on a WAN (such as the internet) to communicate with devices in a private LAN, even though the latter are behind a router. There are 65,536 ports, which are endpoints for logical connection, allowing connections with specific devices in the security system. Before we look at ports in more detail, let’s start with a very simple look at how port forwarding works.
Routers have two IP addresses. One is an internal private IP address, which typically will fall into one of the common private ranges such as 192.168.0.0–192.168.255.255, 172.16.0.0–172.31.255.255 or 10.0.0.0–10.255.255.255.
As an example, Netgear routers have a default IP address of 192.168.0.1. If using a Netgear router, you might then have an NVR with the IP address 192.168.0.10, and cameras might be 192.168.0.21 through to 192.168.0.24. Such a set-up would create a four-camera system on a private LAN. This is fine if you don’t want to remotely access the system.
If you do want to configure remote access – and you wouldn’t be reading this if you didn’t – the issue is how to connect to the NVR at 192.168.0.10 from an internet location.
Because the device has a private IP address, and is located on a LAN, to make the connection you need a way to pass through the router and identify the correct device on the LAN. Performing this role is where port forwarding comes in!
We’ve already mentioned that each router has two IP addresses, and one is an internal address for private LAN connectivity. The second is an external IP address, and this is used for WAN connectivity. While the router’s internal IP address is set by default at the factory and can be changed by the user, the external IP address is allocated by the ISP. For our example, the external IP address is 126.96.36.199. Therefore, if the user wants to remotely connect to the NVR, they will need to access the router using the 126.96.36.199 address. However, even in our simple example, there are six devices behind that address: the router, the NVR and four cameras. The issue becomes more complex if a site has a larger video surveillance system, and also uses the network for workstations, print servers, telephony systems, etc.
Via the router, ports can be configured to be associated with a specific IP address on the LAN. If, for example, the NVR is allocated port 2001, then any incoming communication to 126.96.36.199:2001 will be sent by the router to 192.168.0.10 on the LAN. This is because the number after the colon represents the port number, and the router retains a list of port numbers and the associated specific LAN IP addresses.
Because of the way that port forwarding works, each individual port can only be used by one device. However, be aware that ports are not just allocated to specific hardware devices. Ports are also used by services. For example, port 25 is used by SMTP, which is outgoing email, and port 110 is used by POP3, which is incoming email. If you attempt to use ports which are already in use, then the communication will fail, and with port issues you don’t get any notification of failure or success!
A support issue?
Port forwarding is not difficult. It’s not an advanced science, it doesn’t require a high degree of IT-based knowledge, and it should be a basic skill possessed by every installer and integrator working with networked devices at any level. Whether installing a complex campus-type solution or fitting a single camera to allow a homeowner to see who is at their front door, port forwarding is something that you should be able to implement without any problems at all.
Whenever Benchmark meets with the technical support teams for manufacturers and suppliers, we always ask what the most common subjects for support requests are. Port forwarding is typically in the top five, and in some cases it is the most common question. It is also a repetitive subject, in that the same people will regularly ask the same questions.
In some cases, technical support people admit they simply talk the caller through the menu settings without explaining what is happening, and why it’s happening. A few even admit that their documentation makes certain assumptions about the knowledge of those reading it. It’s worth noting that the assumption of knowledge often refers to the configuration of the specific product, rather than the task of port forwarding.
Whilst port forwarding is not a difficult task, it is worth highlighting a few issues which can make it complex! The installer or integrator carrying out the process is reliant on a number of third parties to ensure that port forwarding is successful. If the manufacturer supplies accurate and clear information about the specifications and configurations of their product, if the end user supplies the right information about the connectivity configurations and if the infrastructure on site is suitable, then the job shouldn’t present any issues.
Of course, the world doesn’t always quite work that way…
There are three elements in port forwarding. These are the router, the host video device (such as an NVR) and the client device (a remote PC or smartphone, for example). Before a connection can be attempted, the router and host video device need to be configured. Obviously, the potential combinations of video surveillance devices and routers are staggering, which is why every configuration will be different.
There are two steps that can be taken to lessen the impact these numerous variables can have on the set-up process, and both involve the gathering of necessary intelligence. The first step is to have an understanding of what the configurations you are changing actually do, and how they affect the system. This article is aimed at explaining this part of the process. The second step, which is specific to each different installation, involves the gathering of relevant information prior to attempting a configuration.
Effectively, the process of port forwarding involves opening specific ports, which are then mapped to individual IP addresses on the local system. Starting with the NVR, the sheer number of devices available makes a definitive attempt at identifying which menus to use pointless. However, the manufacturer should provide details of the various settings and default configurations for their NVR.
There will be a need to configure a number of ports for video transmission. There will usually be a port for the viewer, and additional ports for data connections. Multiple data ports will be used to allow for two-way data transmission and error checking. Some devices will use an additional port for communications with mobile devices.
Before attempting to configure the NVR, ensure you know how many ports will be used and what defaults are in place. Many NVRs are very sensitive to activity on ports, and even something as simple as using a port which an anti-virus program is ‘listening’ on can cause the process to fail. Also be aware that some ISPs block certain ‘well known’ ports to enforce a layer of security. Well known ports are those typically assigned to specific tasks, and if issues occur it can be prudent to avoid using these.
If you are not sure which ports are already in use (and these might be allocated to software services as well as hardware devices), you may need to change the defaults to a different range of ports, one where there won’t be conflicts with other services.
Once the configuration of the NVR (or other device) is complete, the next task is to replicate the settings at the router and some of the settings at the remote device. To configure the router, you will need three pieces of information: the static internal IP address of the router, plus the user name and the password to access the router’s menus. One issue here can be that some users will not know the IP address of their router. Some will have the default IP address written on the casing, and may even show the default log-in information too.
It is not uncommon for users to give the log-in information for Wi-Fi connectivity rather than for the router itself. It pays to ensure that you have the right information, as the SSID and wireless password won’t enable you to configure the device. If the information cannot be ascertained, you might need to carry out a reset of the router, which can be a problem if the user doesn’t have the full set-up details!
One resource is http://portforward.com. Whilst this web-site is very much aimed at gamers, and does offer ‘quick config’ tools for sale, it also has a substantial database of routers including default IP addresses, log-in details and instructions to configure ports for forwarding. This allows you to check the process prior to arriving on site.
Some proprietary routers from the larger service providers have been designed to thwart attempts at port forwarding. Some use command strings rather than menus. By being pre-warned, you will know what you’ll be facing on site. In some cases, it might be prudent to change the router for a more suitable model!
Menu names can vary wildly. Some routers will have a Port Forwarding/Triggering menu, others put the config menus under Gaming or Services. A little research into the router in use – if it is not supplied by you – will make for a seamless and stress-free time on site!
Often the process is as simple as selecting Port Forwarding, typing in the port you want to open (or a range of ports if multiple ones are required), allocating the IP address of the device, and clicking Finish! Once the process is complete you can use a software tool to check that the ports are open. There are a wide variety of such tools on the internet.
Finally, you will need to configure your remote device to connect with the router’s external IP address and the relevant port number. In our example, this would be http://126.96.36.199:2001, and once connected the user will need to carry out authentication at the NVR, such as entering a password.
One word of warning is that you will not be able to test port forwarding from another device, such as a PC, on the LAN. Many routers do not support NAT loopback (also called hairpinning), and some disable it deliberately as a security feature. A PC on the LAN will be able to connect to the NVR using http://192.168.0.10, but not by using http://126.96.36.199:2001. To test the remote connectivity you must be on another network: a 3G or 4G mobile device, or a PC on a separate internet connection, can be used for this.
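As an added example (not from the article or any manufacturer’s software), the following Python script applies the checks discussed above to a forwarding plan: it flags an external port mapped to two LAN devices, flags well-known ports that an ISP may block, and then tests whether each forwarded port answers on the router’s external address. The plan entries, LAN addresses and ports are constructed sample values based on the article’s example.

```python
"""Sanity-check a port-forwarding plan, then probe the forwarded ports.

Added example, not the article's own code. A plan is a list of
(external_port, lan_ip, lan_port) tuples; all values are constructed.
"""
import socket

WELL_KNOWN_MAX = 1023  # ports 0-1023 are the IANA "well known" range

# Constructed plan: NVR at 192.168.0.10 on external port 2001, plus two
# entries that are deliberately wrong to exercise the checks.
SAMPLE_PLAN = [
    (2001, "192.168.0.10", 80),   # NVR web viewer
    (2002, "192.168.0.10", 554),  # NVR RTSP stream
    (2001, "192.168.0.21", 80),   # camera 1 reusing 2001: a conflict
    (80,   "192.168.0.22", 80),   # camera 2 on a well-known port
]

def validate_plan(plan):
    """Return human-readable problems found in a forwarding plan."""
    problems, seen = [], {}
    for ext_port, lan_ip, lan_port in plan:
        if not 1 <= ext_port <= 65535:
            problems.append(f"external port {ext_port} is out of range")
        if ext_port in seen and seen[ext_port] != (lan_ip, lan_port):
            problems.append(
                f"external port {ext_port} already forwards to {seen[ext_port][0]}")
        seen.setdefault(ext_port, (lan_ip, lan_port))
        if ext_port <= WELL_KNOWN_MAX:
            problems.append(f"external port {ext_port} is a well-known port")
    return problems

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_plan(external_ip, plan, timeout=3.0):
    """Map each external port in the plan to whether it accepts connections."""
    return {ext: port_open(external_ip, ext, timeout) for ext, _, _ in plan}

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_PLAN):
        print("plan problem:", problem)
    # Run this from outside the LAN: from inside, missing NAT loopback
    # makes every port look closed even when forwarding is correct.
    print(check_plan("126.96.36.199", SAMPLE_PLAN[:2]))
```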
One potential problem can arise after port forwarding has been set up. A connection can be working fine for hours, days, weeks or even months, and it suddenly ceases to be functional. Many ISPs do not offer static external IP addresses to users unless they have paid an additional fee. Some providers do not offer static external IP addresses at all! If a user is unsure whether or not they have a static external address, then assume they do not.
Where a static external IP address cannot be implemented, it may be necessary to use a DDNS (dynamic DNS) service. This allows a system to effectively operate as if it has a static IP address. Communications between the router and the DDNS service allow changes to the external IP address to be catered for. There are a number of DDNS providers, and these typically charge a small annual fee for the service, which can be quickly set up on-line.
Ensure that you research the DDNS service providers to ascertain their reliability and redundancy. Some of the low cost services can have delays in updating records, or may experience downtime which can result in a lack of connectivity for your system. Some security manufacturers will offer their own DDNS services, but again ensure they can provide the redundancy necessary for security applications.
Port forwarding is not rocket science. It can be a simple process if installers and integrators take time and care to ensure they are armed with the right information. There will be a reliance upon the surveillance equipment manufacturer to deliver accurate and clear information about the number of ports they require and what the default settings are. The user should also be able to provide information about the router configuration and the type of connection they are using.
Time spent researching the router will pay dividends when in the field. It is also worth keeping records about the various service providers, as some have policies about blocking certain ports. Where an ISP provides a proprietary router which may be difficult to work with, have an established and proven alternative to offer the customer.
With an understanding of what the process entails, how the devices interact and what the potential pitfalls are, port forwarding should become a simple, quick and repeatable task across all of your installations.
Port Forwarding Checklist
When implementing a system which uses port forwarding, often the biggest hurdles come from missing or incorrect information. By ensuring all of the relevant material is accurate and available, the likelihood is that the process will be as simple and straightforward as it should be. The following will need to be obtained:
• Make and model of router
• Internal IP Address of the router
• External IP Address of the router
• Type of External Address Allocation (dynamic or static)
• Username and Password for the router
• IP Address of the video device
• Default Port for video device HTTP
• Default Ports for video device RTSP
• Default Port for video device mobile connection
• List of Ports currently in use on system
• Separate internet connection for testing
• Links for IP and Port checking tools
Well Known Ports
There are 65,536 software ports which are endpoints for logical connections. They allow the identification of certain servers and programs on a network. Some ports in the range of 0-1024 are pre-assigned, and may therefore be in use. These are referred to as ‘well known ports’.
The following are some of the widely used well known ports.
• 20: File Transfer Protocol (FTP) data
• 21: File Transfer Protocol (FTP) control
• 22: Secure Shell (SSH)
• 23: Telnet remote login service
• 25: Simple Mail Transfer Protocol (SMTP)
• 53: Domain Name System (DNS) service
• 80: Hypertext Transfer Protocol (HTTP)
• 110: Post Office Protocol (POP3)
• 119: Network News Transfer Protocol (NNTP)
• 143: Internet Message Access Protocol (IMAP)
• 161: Simple Network Management Protocol (SNMP)
• 194: Internet Relay Chat (IRC)
• 443: HTTP Secure (HTTPS)
• 465: SMTP Secure (SMTPS)