 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Access IP in Lan outside usual range

Thu Oct 06, 2022 9:54 pm

I have a small remote network using a RB960PGS as core router. There are several wireless clients and a bunch of IP cameras and remote solar system monitors on its LAN side.

Recently, one of the TYCON TPDIN remote voltmeters (original version) I use to monitor legacy solar systems that don't have their own remote monitoring became inaccessible.

Using the various tools in the 960, I found that the static IP for the TPDIN has lost the first digit of the first octet of its IP address. Instead of 192.168.0.243, it is now 92.168.0.243.

My question is: is there any way to access this "new" address remotely since it falls outside of the 192.168.0.x range I am using? It doesn't ping.

If I reboot the router and then check the log, I can see the router find the incorrect address during the reboot. It also shows up in Tools>>IP scan.

The network is 400 miles away and whatever I try must NOT break things with the 960.

I have a Raspberry Pi inside the network with VNC access for working on this.

Weird thing. Thanks for any help you might offer.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access IP in Lan outside usual range

Thu Oct 06, 2022 10:00 pm

Add a "secondary" IP address on that LAN interface / Bridge?
To my knowledge you can have multiple IPs.
So put 92.168.0.254/24 as an additional IP on the Mikrotik/Bridge side?
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Thu Oct 06, 2022 10:23 pm

Thanks for the response.

I had given some thought to something like this but need to be sure that whatever I do doesn't kill the rest of the network in the process. So, here I am asking for advice.

Let's see if anyone else agrees with you.
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access IP in Lan outside usual range

Thu Oct 06, 2022 10:31 pm

Following advice by @jvanhambelgium should not break anything ...

Unless some addresses from the "fake" subnet are vital to operation of your remote site (e.g. your "home" IP address falls into that range and you're trying to do the remote management from home) in which case things will fail (connections will get routed to LAN instead of WAN).
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Thu Oct 06, 2022 10:55 pm

Okay, it's gratifying to have this level of expertise.

I believe you are proposing that I add another entry to my IP>>Address category which currently looks like this (minus the #2 entry for the WAN side for security):

+++++++++++++++++++++++++++++++++++++
[admin@MikroTik] /ip address> print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf
address=192.168.0.1/24 network=192.168.0.0 interface=ether2
actual-interface=bridge1

1 address=192.168.1.1/24 network=192.168.1.0 interface=ether1
actual-interface=ether1
++++++++++++++++++++++++++++++++++++++

(The 192.168.1.1 entry allows access to the devices on the WAN that comprise my backhaul)

If I'm understanding this correctly, I need an additional entry like so:

++++++++++++++++++++++++++++++++
3 address=92.168.0.254/24 network=92.168.0.0 interface=ether2
actual-interface=bridge1
++++++++++++++++++++++++++++++++

Or does this belong in a different category?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access IP in Lan outside usual range

Thu Oct 06, 2022 11:11 pm

Should be OK to my knowledge. That additional IP would go under the same as the existing 192.168.0.1 interface indeed.
I've just tried it on my RB3011-LAN on the LAN/Bridge side, I've added an IP to my bridge.


[jvanham@GATEWAY] /ip/address> print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=172.29.45.254/24 network=172.29.45.0 interface=Bridge actual-interface=Bridge
5 address=72.29.45.254/24 network=72.29.45.0 interface=Bridge actual-interface=Bridge

[jvanham@GATEWAY] /ip/address> /tool/ping 72.29.45.254
SEQ HOST SIZE TTL TIME STATUS
0 72.29.45.254 56 64 348us
1 72.29.45.254 56 64 307us
2 72.29.45.254 56 64 289us
sent=3 received=3 packet-loss=0% min-rtt=289us avg-rtt=314us max-rtt=348us

[user@GATEWAY] /ip/address> /tool/ping 172.29.45.254
SEQ HOST SIZE TTL TIME STATUS
0 172.29.45.254 56 64 324us
1 172.29.45.254 56 64 300us
2 172.29.45.254 56 64 310us
sent=3 received=3 packet-loss=0% min-rtt=300us avg-rtt=311us max-rtt=324us
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access IP in Lan outside usual range

Thu Oct 06, 2022 11:15 pm

The question then is: what are you going to do next...
You might have to make sure the prefix 92.168.0.x/24 gets into your global routing? Because you want to establish a connection to this device to adapt its config?
Can you do this through "telnet" or "ssh", so from the Mikrotik, or do you need specific client software to do this?
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 12:00 am

Thanks to all of you - it worked!

All I needed to do was add this entry to IP>>Addresses:

3 address=92.168.0.254/24 network=92.168.0.0 interface=bridge1
actual-interface=bridge1

I have a spare TPDIN I had brought back from the remote site to upgrade firmware here with me, so to try things locally, I set it to 92.168.0.243, then added the above to the mAP I am using here. And was successfully able to access the TPDIN.

After proving that it didn't take out anything (especially WAN access to the router), I plugged that rule into the remote 960. Was then able to reconfigure the remote TPDIN.

Now, I need to figure out what happened as this is not the first time. The very same thing occurred in August to a solar charge controller - the 192.168.0.x entries for IP, Gateway, and DNS 1 and 2 were all truncated to 92.168.0.x. I fixed that by connecting to the CC locally with a USB to RS-232 cable which does not care about IP's.

Having this happen multiple times is weird. I will readily admit I didn't have password protection on the TPDIN and didn't disallow network setting changes on the charge controller. I have done that now.

The changes that were made are so consistent they almost seem automated...if someone found their way in to those devices and wanted to mess with me, I would have thought they would do something more drastic. Just changing the IP would have been enough. Why change the Gateway and DNS address as well?

One thing in common between the two devices - they are all running very basic Web servers to display settings and use SoC devices like the Microchip PIC18F97J60:

https://www.microchip.com/en-us/product/PIC18F97J60

Have any of you heard of any exploits going on for that subset of hardware?
 
Buckeye
Forum Veteran
Posts: 890
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 12:12 am

Edit: After posting this, I saw that the problem was solved in the meantime... so you can ignore this.

If you are worried about breaking stuff on the RB960PGS and you have a Raspberry Pi in the LAN with the TYCON TPDIN, I would focus on the Raspberry Pi.

The spec sheets for the TYCON TPDIN only talk about Web and SNMP, no ssh or even telnet, adding a secondary address to the RB960PGS is going to be of limited value. Is this the device you are talking about? Edit: The first time I tried to download the userguide I got a dns failure, but after I downloaded the spec sheet, and after I posted this the first time, I was able to download the user guide and it does claim to support telnet.

If the Raspberry Pi has a static ip address, adding a secondary address should be straightforward. On the other hand, if the Raspberry Pi is getting its ip address via dhcp, then it will be more involved. A quick google search for "add secondary ip address linux on interface with dhcp client" found this serverfault post: "Set up two IPs (one using DHCP and other static) over the same Interface".

I am not sure how you determined the TYCON TPDIN had ip address 92.168.0.243. Dropping a leading decimal digit for the dotted decimal ip representation doesn't have a nice binary explanation, i.e. it wasn't a bit flip. How is the TYCON TPDIN obtaining its address? Is it a dhcp client, or is it statically set? If it is a dhcp client, and the lease time is relatively short, then can you verify that the dhcp server is giving it the correct ip address?

Do you know what the mac address of the TYCON TPDIN is?
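
The bit-flip argument from this post, checked in code as an added example (not part of the original thread). The inventory, the scan result and the MAC suffixes are constructed; only the 192.168.0.x range, the 192.168.0.243 / 92.168.0.243 pair and the 00:04:A3 OUI come from the thread.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")  # LAN range used in the thread

# Constructed inventory: MAC -> statically configured address.
# 00:04:A3 is the Microchip OUI quoted in the thread; the suffixes are made up.
EXPECTED = {
    "00:04:A3:00:00:01": "192.168.0.243",
    "00:04:A3:00:00:02": "192.168.0.50",
    "00:04:A3:00:00:03": "192.168.0.60",
}

# Constructed scan result: (MAC, address currently seen for that MAC).
OBSERVED = [
    ("00:04:A3:00:00:01", "92.168.0.243"),   # the case from the thread
    ("00:04:A3:00:00:02", "192.168.0.50"),   # healthy device
    ("00:04:A3:00:00:03", "192.168.0.61"),   # differs in exactly one bit
    ("00:04:A3:00:00:09", "192.168.0.77"),   # MAC missing from the inventory
]


def bit_distance(a, b):
    """Count the bits that differ between two IPv4 addresses."""
    xor = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return bin(xor).count("1")


def classify(expected, observed):
    """Name the kind of change that turns `expected` into `observed`."""
    if expected == observed:
        return "unchanged"
    if bit_distance(expected, observed) == 1:
        return "single-bit-flip"
    # Text-level damage: the stored string lost characters from its front,
    # which points at the configuration text rather than at memory bits.
    if any(expected[n:] == observed for n in range(1, len(expected))):
        return "leading-digits-dropped"
    return "other-change"


def audit(expected=EXPECTED, observed=OBSERVED, lan=LAN):
    """Return (mac, expected, observed, verdict, on_lan) for every anomaly."""
    findings = []
    for mac, seen in observed:
        on_lan = ipaddress.ip_address(seen) in lan
        want = expected.get(mac.upper())
        if want is None:
            findings.append((mac, None, seen, "unknown-device", on_lan))
            continue
        verdict = classify(want, seen)
        if verdict != "unchanged":
            findings.append((mac, want, seen, verdict, on_lan))
    return findings


if __name__ == "__main__":
    for row in audit():
        print(row)
```

192 and 92 differ in four bits, so the change is classified as dropped leading text rather than a bit flip; the same holds for the 172.29.45.254 / 72.29.45.254 pair used in the test earlier in the thread.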
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 12:34 am

Yep, it's fixed, but I wouldn't mind chasing some reasons WHY it happened if it's OK with you.

The IP, Gateway, and DNS 1 and 2 addresses were all set manually in the Network page of the TPDIN Web interface years ago and haven't been touched since then.
The link you found for it is the current Rev. 3 version - I have several of the "legacy" versions:

https://tsi.tyconsystems.com/doc/SpecSh ... _Sheet.pdf

I determined the "changed" address by using WebFig and Tools>>IP Scan and looking in the system log after a reboot of the 960. Since this happened once before, I kinda knew what I might be looking for which helped.

I have had problems in the past due to incorrectly coded telemetry Web pages that didn't deal properly with signed/unsigned ints before - similar to your "bit-flip" issue. But it doesn't seem to apply here. Dropping the leading digit after all this time on two disparate devices is very strange.

Excellent info on adding a secondary IP to the rPI. Similar to multihoming, which I haven't used for years. I'll keep this info handy. It is useful beyond words to have a device like the Pi within the remote LAN that I can VNC into to fix stuff. "Just like being there", as they say.

I do know the MAC address. An OUI lookup yields:

00:04:A3 Microchip Technology Inc.
 
Buckeye
Forum Veteran
Posts: 890
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 12:51 am

VanceG wrote:
> Having this happen multiple times is weird. I will readily admit I didn't have password protection on the TPDIN and didn't disallow network setting changes on the charge controller. I have done that now.

Hopefully you are not port forwarding to devices in the "inside" that are not security hardened. I would not consider many "SCADA" devices to be security hard in general. That's why they are often on a highly protected dedicated network with a gatekeeper (firewall/gateway) to prevent unauthorized access.

Are you using vpn (or even something like zerotier on the Raspberry Pi) to provide remote access? Here's an example on Tom Lawrence's youtube channel where he is using a "portable raspberry pi 4" that he can use with a client for remote access to their network (for security scans). He's using Kali, but you can load Zerotier on Raspberry Pi OS (aka Raspbian) as well. If you do a google search for raspberry pi zerotier you will find many tutorials. How To Access a Raspberry Pi Running Kali Linux Anywhere with ZeroTier
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 3:12 am

I am guilty of a few remaining port forwards that are leftovers from when I set things up in 2008 and was using consumer satellite Internet (Starband) as a backhaul. It was so slow that PF's were the only mechanism that allowed remote access that didn't time out.

Things are different now and with some computing power on the inside that can be used as a gateway, I have eliminated most of them. I will be inspired now to get rid of all PF's.

I hadn't heard of ZeroTier. I am currently using RealVNC to get inside to do network chores as it *seems* to be pretty secure. I'll start researching ZT. Do you have an opinion on one vs. the other?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 8:34 am

VanceG wrote:
> I hadn't heard of ZeroTier. I am currently using RealVNC to get inside to do network chores as it *seems* to be pretty secure. I'll start researching ZT. Do you have an opinion on one vs. the other?

ZT is pretty neat. Look at it like "a / your own switch in the cloud". No "centralised" thing (e.g. star topology where you create VPNs, or full-mesh thing).
You can run your own ZT "node" on your (VM) infra if desired.
Basically you "plug" (virtually) all your ZT endpoints on "your own cloud switch" wherever they are in the world. Like this you could create some sort of "(management) LAN" for you to access globally.
All communications are encrypted of course.
Then make some IP plan to go along with it and you are set with your own "network".
 
Buckeye
Forum Veteran
Posts: 890
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 11:50 am

I wouldn't use any VNC or RDP directly exposed to the internet myself. Perhaps RealVNC is safe, I just don't know, as I always use a VPN or zerotier for remote access. Primarily I use RDP over VPN to do work related stuff from home.

The "problem" with zerotier is it is easy for someone to create unauthorized remote access with it, since it is the thing that "opens" the connection to the outside. If you watched the Tom Lawrence video, you can see that he didn't open up the firewall or forward any ports to allow remote access. Same problem with any of the remote access tools like teamviewer, or many IoT devices that "phone home". The point is, like discovery protocols, they can be very useful to a network admin, but equally useful to a malware infected pc. Standard stateful firewall rules blocking new connections from the outside do not protect against rogue devices establishing connections to outside and then allowing remote access back in. That's the primary reason for putting IoT devices on their own vlan, at least it helps contain any remote access into the "inner walls".

Convenience and security have different goals, and they usually don't mix well. And remember that software vendors sell based on user convenience and features, and security is usually an afterthought, and is seen as an annoyance by many users. If you enforce MFA you will know that users don't consider it a useful feature, they just see it as something that wastes their time. Same with choosing good passwords, and not reusing them at multiple sites. And retrofitting security after the design is complete usually takes the back seat until it is too late.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 11:58 am

Buckeye wrote:
> The "problem" with zerotier is it is easy for someone to create unauthorized remote access with it, since it is the thing that "opens" the connection to the outside. If you watched the Tom Lawrence video, you can see that he didn't open up the firewall or forward any ports to allow remote access.

How would that be easy? I have a ZT network created, I need to manually ALLOW you to join that network through the admin interface on my.zerotier.com
Sure if you create a "public" network all you need is the network-ID to join and you are connected.
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 7:20 pm

I'll need to read up some on the things you are bringing up. Especially my use of VNC.

While I completely understand that it is not a panacea, I have things that I need to administer inside the network all using non-standard ports, which helps some with the script kiddies. This includes RealVNC Server and all 'Tik equipment.

I think I can eliminate all PF's, but I haven't yet figured a way for this one:

I have several IP cameras that serve up still images on demand simultaneously to a single Web page. The cgi-bin command used to get the image from the cam is restricted to the user "viewer" that has no privileges except to view. This all works fine, except that anyone can find the IP addresses of the cameras with a few clicks in their browser.

I have found several examples of using VPN's to access one camera at a time, but none (so far, still looking) for simultaneous multiple cams.

Any thoughts?
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 8:25 pm

VanceG wrote:
> I have found several examples of using VPN's to access one camera at a time, but none (so far, still looking) for simultaneous multiple cams.
> Any thoughts?

Well ... are these cameras located on different sites? Or multiple cameras on 1 location? Or a combination?
Do you have a consistent IP-numbering scheme or have you "overlap" complicating things when deploying VPN?
Apart from that I don't see the problem, you could have a VPN from X locations connecting to 1 Mikrotik centrally and from there you can access everything.
Much more detail is needed to assist you on such topology/design.
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 8:58 pm

Okay. Bear with my ignorance on the details.

All cameras are on the same non-routable subnet. All have unique non-std. IP ports.

The images need to be displayed on a public-facing Web page on an external website.

I would prefer to run the VPN stuff on the rPi inside the network if possible.

Cameras>>------(internal network)------->>VPN hardware/software>>------(WAN)------>>Web page

Probably still leaving out something you need to know. I claim no expertise here. My only experience with VPN's was setting up a server on the remote 'Tik for admin purposes.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 9:54 pm

So these cameras effectively serve a screenshot by making a request to the camera itself, OR do these devices perform some FTP "upload" every X time for a still picture?
Can you talk about the "entrypoint" in terms of Internet? You speak about an "external website" (do you host that yourself, is this "Internet" available on that same location?)
An RPi could easily be used as a VPN-gateway indeed.

These integrations can become quite complex and without visual representation it's always a bit guessing.

For security I would make sure that if this webserver is compromised that there is no entrypoint further into the infrastructure. That could be accomplished by pushing screenshots/stills OUT onto some shared space where the webserver can pick them up, without the possibility to enter in the opposite direction. ("diode", sort of 1-way)
 
mkx
Forum Guru
Posts: 11452
Joined: Thu Mar 03, 2016 10:23 pm

Re: Access IP in Lan outside usual range

Fri Oct 07, 2022 10:09 pm

If you're going to run rPi in the cam LAN, then you can run a decent reverse proxy on it as well (e.g. haproxy) ... which will hide individual web cams behind distinct path parts of URL ...
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Sat Oct 08, 2022 12:43 am

jvanhambelgium wrote:
> So these cameras effectively serve a screenshot by making a request to the camera itself, OR do these devices perform some FTP "upload" every X time for a still picture?
> Can you talk about the "entrypoint" in terms of Internet? You speak about an "external website" (do you host that yourself, is this "Internet" available on that same location?)
> An RPi could easily be used as a VPN-gateway indeed.
>
> These integrations can become quite complex and without visual representation it's always a bit guessing.
>
> For security I would make sure that if this webserver is compromised that there is no entrypoint further into the infrastructure. That could be accomplished by pushing screenshots/stills OUT onto some shared space where the webserver can pick them up, without the possibility to enter in the opposite direction. ("diode", sort of 1-way)


Now there's something I forgot about - FTP the images periodically to a directory on the web server where the page lives. I help admin that so I have the creds. It's a homeowner's association site of which I am a member.

Let me poke the camera UI and see if I can twist its arm into doing this. I can live with the "near-real time" periodic image update. If I need real-time and/or live video, I can get that by VNC'ing into the rPi.

To answer your other question, the way I am getting images now is:

xx.xx.xx.xx:40003/cgi-bin/viewer/video.jpg?resolution=320x240&quality=4

and variations thereof. I know this is a horrible way to do things which is why I am diligently trying to change it.

Excellent info.
 
Buckeye
Forum Veteran
Posts: 890
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Access IP in Lan outside usual range

Sat Oct 08, 2022 1:20 am

jvanhambelgium wrote:
> How would that be easy? I have a ZT network created, I need to manually ALLOW you to join that network through the admin interface on my.zerotier.com
> Sure if you create a "public" network all you need is the network-ID to join and you are connected.

Think about the trojan horse. I was saying that if a rogue device is connected to your "trusted" network, it can act as a proxy for access to the "trusted network" without any changes to most firewalls.

I was not claiming that someone could connect to your zerotier device without being allowed, just that they could connect to their zerotier device connected to the inside of your network. Those are two very different things.

Did you ever wonder why some IoT devices scan the network they are connected to?
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Sat Oct 08, 2022 2:33 am

Okay, periodically uploading the images to a directory on the web server then displaying them in a Web page works. No trace of where they actually came from (that I could find, anyway).

Yay.

Except now I have another issue - the image is not updating in the page that grabs it after the initial load due to GoDaddy's crappy caching policies:

"Caching Level

By default our Website Firewall will cache certain pages of your site to improve the speed and the experience for your users. You can disable caching here if for some reason you do not want that to happen. It is not recommended, since it can slow down the user experience. If you need certain pages not to be cached, you can add them on the Non-Cache URLs.

NOTE: The following file extensions are cached regardless of the caching level:
js, css, png, jpg, swf, jpeg, svg, gif, ico, txt, mp4, mp3, pdf, woff, ttf, thumb.. "

Dang. Even the "Non-Cache URL's" cache control doesn't work. Lots of online griping about GD in this regard.

Will need to research how to force the page to insist on a new image every reload. The usual stuff in the page code:

<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />

isn't working.

The images are coming in periodically as they are supposed to. I can see that in gFTP. And they overwrite themselves with the same name which is handy.

I guess I can change the overall cache interval in GD to the lowest setting and see how that goes.

Dang, again. This would be a great solution only if...
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access IP in Lan outside usual range

Sat Oct 08, 2022 9:02 am

Buckeye wrote:
> jvanhambelgium wrote:
> > How would that be easy? I have a ZT network created, I need to manually ALLOW you to join that network through the admin interface on my.zerotier.com
> > Sure if you create a "public" network all you need is the network-ID to join and you are connected.
>
> Think about the trojan horse. I was saying that if a rogue device is connected to your "trusted" network, it can act as a proxy for access to the "trusted network" without any changes to most firewalls.
> I was not claiming that someone could connect to your zerotier device without being allowed, just that they could connect to their zerotier device connected to the inside of your network. Those are two very different things.
> Did you ever wonder why some IoT devices scan the network they are connected to?

I see, it's indeed always dangerous to call something "trusted" as time goes on ... it might (have been)/be "trusted" at one point but what about tomorrow ;-)
Further "client isolation" could really help. Something like PVLAN (private-vlan) or some solutions where you can really narrow down at the endpoint/port what can talk to what.
 
jvanhambelgium
Forum Veteran
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Access IP in Lan outside usual range

Sat Oct 08, 2022 9:12 am

VanceG wrote:
> Dang. Even the "Non-Cache URL's" cache control doesn't work. Lots of online griping about GD in this regard.
> Will need to research how to force the page to insist on a new image every reload. The usual stuff in the page code:
> Dang, again. This would be a great solution only if...

Like mentioned, these sorts of integrations can become pretty complex/ugly as more components are introduced.
So GoDaddy hosts the webpage/cgi logic of this setup?
Already good to read the still pictures are ending up on a space where they are accessible for the webservice, but now you are bound by the limitations/settings of GoDaddy ;-)

NOTE: The following file extensions are cached regardless of the caching level:
js, css, png, jpg, swf, jpeg, svg, gif, ico, txt, mp4, mp3, pdf, woff, ttf, thumb.. "
 
VanceG
Member Candidate
Topic Author
Posts: 124
Joined: Mon Mar 19, 2012 3:25 am

Re: Access IP in Lan outside usual range

Sun Oct 09, 2022 12:20 am

mkx wrote:
> If you're going to run rPi in the cam LAN, then you can run a decent reverse proxy on it as well (e.g. haproxy) ... which will hide individual web cams behind distinct path parts of URL ...

I did a little research into this and am intrigued. And also confused by the plethora of stuff out there on the subject.

I am already running NGINX on the rPi inside the network serving up some PHP for remote solar system monitoring. NGINX seems to have a reverse-proxy capability as well. But all the examples I could find are of folks using it to proxy HTTP camera streams to HTTPS. I only need to run the "get a single image" command like so:

xx.xx.xx.xx:40003/cgi-bin/viewer/video.jpg?resolution=320x240&quality=4

with the target being an img_src of a frame in a Web page:


<td width="320" height="240" bordercolor="#FFFFFF" bordercolorlight="#FFFFFF"
bordercolordark="#FFFFFF"><img
src="http://xx.xx.xx.xx:40004/cgi-bin/viewer ... ;quality=4"
border="3" width="320" height="240"></td>

What I am trying to do is keep folks from seeing the IP's of the cameras and the public facing IP of the network. Since GoDaddy won't cooperate on caching, I will need to run an external web server I think. Where all those IP's will be exposed in the camera page.

I can install vsftpd on the Pi and have the cams FTP images to it as I tried with GD. That will mask the cams, but the URL for the camera page will still have the WAN IP exposed.
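
mkx's reverse-proxy suggestion applied to the single-image request quoted in this post, as an added Python sketch that is not code from the thread (haproxy, or the NGINX already on the Pi, would do the same job in configuration). The camera LAN addresses, the `/cam/N.jpg` public paths, the size limit and the listening port are assumptions; the snapshot path and the ports 40003/40004 are the ones shown above.

```python
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit
from urllib.request import urlopen

# The one request the page needs from each camera (taken from the thread).
SNAPSHOT = "/cgi-bin/viewer/video.jpg?resolution=320x240&quality=4"

# Public path -> internal camera. Addresses are constructed placeholders.
CAMERAS = {
    "/cam/1.jpg": "192.168.0.101:40003",
    "/cam/2.jpg": "192.168.0.102:40004",
}

MAX_BYTES = 2 * 1024 * 1024  # assumed upper bound for one 320x240 still


def resolve(request_target):
    """Map a public request to the fixed internal snapshot URL, or None.

    Only exact paths from CAMERAS are accepted, and the client's own query
    string is dropped, so nothing but the snapshot command reaches a camera.
    """
    upstream = CAMERAS.get(urlsplit(request_target).path)
    if upstream is None:
        return None
    return f"http://{upstream}{SNAPSHOT}"


class SnapshotProxy(BaseHTTPRequestHandler):
    """Serves GET /cam/N.jpg; every other path is a 404, other methods 501."""

    def do_GET(self):
        target = resolve(self.path)
        if target is None:
            self.send_error(404)
            return
        try:
            # Assumption: the camera answers this request without extra headers.
            with urlopen(target, timeout=5) as upstream:
                body = upstream.read(MAX_BYTES + 1)
        except OSError:
            self.send_error(502)  # camera unreachable, refused or timed out
            return
        if len(body) > MAX_BYTES:
            self.send_error(502)
            return
        self.send_response(200)
        self.send_header("Content-Type", "image/jpeg")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Cache-Control", "no-store")
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Listen on loopback; whatever publishes this port decides who reaches it.
    ThreadingHTTPServer(("127.0.0.1", 8080), SnapshotProxy).serve_forever()
```

With this in front, the page's `img` tags reference `/cam/1.jpg` and `/cam/2.jpg` on one host and port, and the per-camera addresses and ports no longer appear in the page source.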
