8 Replies Latest reply on Jan 9, 2013 9:19 AM by PhilM

    Access security cameras


      Hello, and Happy New Year.


      I have a SG560 Ver. 4.0.7


      We had a break-in recently, and are going to install some security cameras. I don't have the details on the hardware from the security firm just yet.


      I understand that I will need to open a (some) ports on the UTM.


      I assume that since I have a dynamic IP address, that I will need to sort that out with dyndns.org, or something similar.


      Are there papers/instructions here that will help me with this? I don't really have a clue on where to start.




        • 1. Re: Access security cameras



          You're on the right track with regards to sorting yourself out with a dynamic DNS provider. If you go to Network Setup -> DNS -> Dynamic DNS you can see which providers are supported.


          Next I would recommend that you check with the supplier/vendor of the cameras to see which ports are required in order to access them.


          The main logistical hurdle you will need to consider is that if your ISP connection is of the dynamic IP variety you will only have a single public/external IP address to play with. This means that you may have to get a little creative should you need to be able to provide access to more than one camera. When bringing connections in through the firewall from the Internet, you need to use Network Address Translation (NAT) to make the camera(s) visible to the outside world. At an IP address-level this is normally a one-to-one relationship - so with only one public IP address to play with, that limits this relationship to a single camera. For example:-


          Public IP (on port 80) maps to Internal IP (on port 80).


          To do this you create a port forwarding entry (in the NAT -> Port Forwarding section of the GUI). There's a very handy check-box setting in this screen which automatically creates a corresponding packet filter rule to allow the Firewall to pass the traffic.


          If you need to access more than one camera, and there isn't any kind of central host you can connect to (from which you can then gain access to each camera), I can think of two options.


          The first is to access each camera via a different port number. You don't have to change the configuration of the cameras themselves, but when creating the port forwarding entries you can pick a different source port which is unique enough to allow you to access each camera via the same public IP address (which, in your case, would be accessed using the dynamic DNS host name):-


          Port B (on port 80) maps to (also on port 80)

          Port B (on port 81) maps to (on port 80)

          Port B (on port 82) maps to (on port 80)

          and so on...


          So if the cameras are accessed using a web browser you can use something like the following to access each one:-





          and so on...


          However, option B may be easier. Create a VPN to the SG device and your client machine will then have an internal IP address. You can then access the cameras in just the same way as you would if you were sitting in the same location.


          I hope that helps.



          • 2. Re: Access security cameras

            Thank you very much for taking the time to put all that down Phil.


            It sure gives me an idea on what I need to be looking at. I did hear back from him with a bit more information. The hardware should be here next week, so I can have some manuals to read.


            I believe the 8 cameras will connect to a central device, that I will access from the outside world.


            The ports that need to be open are TCP 37777 and UDP 37778, as well as 80.




            • 3. Re: Access security cameras

              In which case, you should be able to achieve what you need without too much trouble. This is how I'd do it.


              Step 1 - Sort out dynamic DNS.


              When this is working...


              Step 2 - Go to the Definitions -> Service Groups screen and create a service group. Call it something useful (camera-ports, for example), select the HTTP checkbox (that will handle port 80) and enter 37777 and 37778 in the "Other TCP Ports" and "Other UDP ports" respectively.


              Step 2a (optional) - If you want to restrict inbound access you may also wish to create IP address definitions and (if you have more than one) create an address group which will then be used to control the source of the connection. Do this in the Definitions -> Addresses screen.


              Step 3 - Go to the NAT -> Port Forwarding screen and create a new port forwarding entry, specifying:-


              • Name - Give it a name
              • Enable - ticked
              • Incoming Interface - Any
              • Source Address - Any (or select your address group entry from step 2a)
              • Destination Address - Port B
              • Click on the "Show Definitions" button next to Protocol/Ports and that section of the screen will update to provide you with access to your pre-configured list, including the service name created in step 2. Select it.
              • To Destination Address - enter the IP address of the central control device for your cameras.
              • Click the "Advanced" button and this will reveal a new checkbox near the top of the screen "Create Packet Filter Rule". With this visible, select the checkbox.


              Click "Finish".


              This should create the port forwarding element and the associated packet filtering rule. You should then be able to access the central device via the dynamic DNS hostname and, fingers crossed, you should be good to go!



              • 4. Re: Access security cameras

                Hi Phil.


                I think I'm really close. My dyndns appears to work. I checked it with nslookup as per some instructions I found on the web.


                I've got one question about your instructions though.


                The Destination Address - Port B is my internet connection. Is that what I'm looking for here?


                I can't really check from the office, as the box that sits at wants to install ActiveX, and I don't think Safari on the iPhone will handle that request.


                Thank you so much for the help!




                • 5. Re: Access security cameras
                  The Destination Address - Port B is my internet connection. Is that what I'm looking for here?


                  Yes, that's right. If you had been issued with multiple static addresses from your ISP then you would also select which of the addresses you wanted the connection to terminate on. But in this case, with only a single, dynamic, address all you need to do is to specify "Port B" as the termination point. The "To Destination Address" settings then provide you with the means of translating/re-directing the connection from the Internet-side of the SG to the destination host on your 192.168.99.x network.


                  You are also correct about your other assumption, Safari won't be able to handle the ActiveX request - that's an Internet Explorer-only service as far as I am aware, and if it requires ActiveX it means you will only be able to use this browser to access the service.



                  • 6. Re: Access security cameras

                    Thank you so much for all your help Phil. I can now view the PVR that sits in our office. No cameras installed yet, but soon.


                    What a ride that was. I was trying to sort this out during working hours, with the alarm guy here, as well as getting some security cables glued down to desks.


                    At one point I had the SG management console answering the door. I figured that maybe if I shut down its access, then 80 would default to the PVR.


                    Well....I shut myself out completely. I started looking for another method to get to it, and then had the bright idea that I could just reset it, and restore from the backup I'd made.


                    I now know that the default setting for these is to erase the backups too! Thanks programmers....NOT


                    When this product went EOL, I figured I had best buy another, or spend years trying to learn a new one. Luckily I plugged my SG560U in, and it 'mostly' worked.


                    Still having issues with the Guest Wireless, but I'm taking a break, and doing some work. I had a couple of backups done to another location, but it was on a computer that was stolen, and on the desktop, and wasn't being backed up.


                    I've changed the backup/erase settings on both boxes, and have backups to a location that is backed up.


                    Again Phil, thanks!


                    • 7. Re: Access security cameras

                      I've got a follow-up. I think I know what to do, but wanted to check first, to avoid any disasters.


                      I can no longer access the web menu on our wireless hub. I'm being directed to the PVR.


                      I think I need to change the port on the PVR to something other than 80, say 88, and reconfigure my packet filter to match. I would then go to camera-xxx.dyndns.org:88


                      Does that sound about right?




                      • 8. Re: Access security cameras

                        Yes, either that or change the port number to access your wireless hub.


                        Essentially it is as I described in my first response (when dealing with a single public address, how do I access multiple services running on the same port number?).


                        It may be worthwhile taking a look at the wireless hub. Many devices not only provide you with a web-based management mechanism, but also allow you to change the port number it runs on.


                        At the end of the day you can either change the port number that service uses (and keep the like-for-like port number relationship in your NAT policy) or you can do what you are suggesting and "present" the service externally on a different port number and then change the port number in the NAT policy back to port 80.
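
Added example (not part of the thread and not SG firmware code): a small Python check over a port forwarding table modelled on the setup discussed above. It flags two services presented on the same external port of the single public address, and lists forwards left open to any source instead of an address group as in step 2a. The rule names, the address group name, the 192.168.99.x host addresses and the assumption that the wireless hub is also published on port 80 are constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Forward(NamedTuple):
    name: str
    proto: str            # "tcp" or "udp"
    ext_port: int         # port presented on the public interface (Port B)
    to_addr: str          # internal host the connection is translated to
    to_port: int          # port on the internal host
    source: str = "any"   # "any" or the name of an address group (step 2a)


def port_collisions(rules):
    """Return {(proto, ext_port): [rule names]} where one external port
    is claimed by forwards to more than one internal target."""
    seen = defaultdict(list)
    for r in rules:
        seen[(r.proto, r.ext_port)].append(r)
    return {key: [r.name for r in group] for key, group in seen.items()
            if len({(r.to_addr, r.to_port) for r in group}) > 1}


def open_to_any(rules):
    """Names of forwards that accept connections from any source address."""
    return sorted(r.name for r in rules if r.source.lower() == "any")


# Constructed sample: hub and PVR both presented on TCP 80, all sources allowed.
BEFORE = [
    Forward("hub-web", "tcp", 80, "192.168.99.2", 80),
    Forward("pvr-web", "tcp", 80, "192.168.99.50", 80),
    Forward("pvr-tcp", "tcp", 37777, "192.168.99.50", 37777),
    Forward("pvr-udp", "udp", 37778, "192.168.99.50", 37778),
]

# Constructed sample: PVR presented externally on 88 and mapped back to 80,
# with PVR access limited to a hypothetical "remote-viewers" address group.
AFTER = [
    Forward("hub-web", "tcp", 80, "192.168.99.2", 80),
    Forward("pvr-web", "tcp", 88, "192.168.99.50", 80, "remote-viewers"),
    Forward("pvr-tcp", "tcp", 37777, "192.168.99.50", 37777, "remote-viewers"),
    Forward("pvr-udp", "udp", 37778, "192.168.99.50", 37778, "remote-viewers"),
]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, "collisions:", port_collisions(table))
        print(label, "open to any source:", open_to_any(table))
```
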