BR1 Mini and Hikvision ip cam remote access

Hi,

I own 4 BR1 Minis that I am using with portable security devices. I want to access a Hikvision IP cam from my phone, and our technician and I can't find a way to do it. We are connected to Rogers.

Any idea how we can do this ?

Thanks

Most cellular network operators provide connectivity over carrier grade NAT. This means that the IP address that gets allocated to the cellular WAN of the BR1 is actually a private address that is not directly accessible over the internet.

Outbound traffic from devices on the LAN of the BR1 works fine because the traffic goes over the private address space and breaks out to the internet via the operator's NAT gateway/router. However, when you try to access the BR1 using any identified public IP address, that inbound traffic will get blocked by the operator.

The most common way to get remote access is to host a VPN server in the cloud on a public IP and connect your BR1 Minis to that. You can then connect your phone via VPN to the same VPN server and access the LAN devices on the remote BR1s.

Alternatively you can look for a cellular service that offers public IP addressing (normally more expensive than the usual dynamic private addressing). When each BR1 Mini has a static public IP you will be able to port forward inbound traffic from that IP to LAN side devices.

I always host a cloud based VPN server for this kind of requirement (I use a combination of Peplink's FusionHub and other 3rd party VPN servers), because I hate the extra cost of fixed public IPs and the inherent risks of having cellular devices directly accessible over the internet.

2 Likes
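The carrier-grade NAT check described in the post above, as an added example that is not part of the original thread: it classifies the IPv4 address shown on a router's cellular WAN and, optionally, compares it with the address an outside service sees. The function name, status labels and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# RFC 6598 shared address space, reserved for carrier-grade NAT
CGNAT_NET = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, also commonly handed out on cellular WANs
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify_wan(wan_ip, observed_ip=None):
    """Classify the cellular WAN address of a router (hypothetical helper).

    wan_ip      -- address shown on the WAN interface
    observed_ip -- address an external service sees for outbound traffic
    """
    wan = ipaddress.ip_address(wan_ip)
    if wan.version != 4:
        return "not-ipv4"
    if wan in CGNAT_NET:
        return "cgnat"        # inbound connections stop at the operator's NAT
    if any(wan in net for net in RFC1918_NETS):
        return "private"      # same outcome: not reachable from the internet
    if wan.is_loopback or wan.is_link_local or wan.is_multicast or wan.is_unspecified:
        return "unusable"
    if observed_ip is not None and ipaddress.ip_address(observed_ip) != wan:
        return "translated"   # public-looking address, but NAT sits in the path
    return "public"

# What each status means for the options discussed in this thread
ADVICE = {
    "cgnat": "no inbound access; build an outbound VPN to a hub with a public IP or DDNS",
    "private": "no inbound access; build an outbound VPN to a hub with a public IP or DDNS",
    "translated": "inbound port forwards will not arrive; use an outbound VPN",
    "public": "directly reachable; anything forwarded is exposed to the internet",
    "unusable": "WAN has no routable address; check the cellular connection and APN",
    "not-ipv4": "IPv6 address; this check covers IPv4 only",
}

if __name__ == "__main__":
    # Constructed samples: (WAN address on the router, address seen externally)
    samples = [
        ("100.72.14.9", "198.51.100.4"),
        ("10.33.2.7", "198.51.100.4"),
        ("203.0.113.20", "203.0.113.20"),
    ]
    for wan, seen in samples:
        status = classify_wan(wan, seen)
        print(f"{wan:15} {status:10} {ADVICE[status]}")
```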

I’ll give you a slightly different “take” on what @MartinLangmaid said, above. We have two installations where HikVision equipment is in use. We don’t have a lot of trust in this gear due largely to the ownership of the company. We’d never consider opening a port to it, for example. We’ve constructed a PepVPN between the router behind which the Hikvision stuff is located. The other end-point is another Peplink router (obviously). The 2nd Peplink router is located behind a NON-mobile ISP and we use a free DDNS service so the first Peplink device can always find the 2nd and establish the VPN. Then, the users log into the 2nd Peplink router via L2TP. No monthly fees – just two relatively inexpensive Peplink routers.

In one of the cases I mentioned, there are actually Hikvision NVRs behind both LAN segments – behind both Peplink routers. When the Peplink VPN is formed the routes are updated so a user who “L2TPs in” can view cams at both locations simultaneously.

I think @MartinLangmaid’s solution is more thoughtful, sophisticated and elegant. Ours is for “dummies” – but it works nicely and there are no “cloud costs.” :sunglasses:

3 Likes

Think I’m the dummy for not suggesting a remote management device :wink: @Rick-DC's method above makes a lot of sense. The only caveat is that if you are streaming video from the remote cameras, make sure that whatever connection the management device is connected to (that you are doing a client VPN to from your mobile phones) has enough upload bandwidth to support the required number of simultaneous video streams.

1 Like

Hi Martin,
Thank you for your help, but Rogers gave me a static IP after I explained to them what I wanted to do. Now what do I need to do to be able to see my camera remotely?
The router already changed the IP and APN by itself.

Please let me know what would be the next steps

Thanks

Pierre Paris,Cadd
Industrial Drafter
SmartPOLE Division


Good stuff. You need to open some ports…

1 Like

Hi Pierre,

We are a Rogers Elite Partner so might be able to offer some insight. When you said the APN changed by itself, that’s not typical as generally even SIMs with Static IP will use the ltedata.apn which assigns a dynamic IP. You generally have to change the APN manually to ltestaticip.apn which then changes the IP to the static one. Is that the APN that the device is using?

If it is using the right APN you might want to call Rogers support to ensure the port you are using for the cameras isn’t blocked, as we have Static IP on some of our SIMs and even with Static IP Rogers seems to block lots of ports which really removes the benefit of the Static IP! For example UDP port 500 is always blocked on our SIMs even with Static IP, so I’d check with them to be safe.

1 Like

Sorry for this long message, but my knowledge on this is pretty limited. I was wondering if anything has changed regarding the recommended methods described here to remotely access a Hikvision NVR via a Max BR1 Mini? Our group was about to go spend $500 for the static IP from Verizon with port forwarding, but then saw this thread. This is just for a single remote installation but it would be accessed from multiple remote sites. We do not currently have a cloud VPN, so if we went with the VPN method I think we would have to purchase it using AWS or another provider. I also saw something in another thread that firmware 8.0 (beta) has an OpenVPN option, so not sure if that changes things. I am not very familiar with using L2TP and we only have the one Max BR1 Mini, but can any router be configured for access via L2TP and would it require a router at each user access location? Thanks

We still do it the way I posted – above. We get behind the firewall (Balance, BR1 – makes no difference) via PepVPN and/or L2TP. A static address is not needed – unless you are behind a carrier-grade NAT. Example: If you refer to Verizon 4G, you may well need a static address; if Verizon FIOS, probably not.

L2TP: Setting this up is a two-part procedure. First you define the users you wish to allow to connect in the router (again – makes no difference as to which Peplink/Pepwave device you are using – all do it and do it well.) Then, you configure your clients, one by one, to connect to the router via that protocol.

When firmware is released for production that supports OpenVPN that will be an option as well – and likely a good one. Regardless, you should not have to purchase a 3rd party VPN solution. That’s what you bought a first-quality router for! :grinning:

2 Likes

The connection to the Max BR1 Mini is over cellular using Verizon 4G LTE.

OK. You are almost certainly behind their NAT. Check out @MartinLangmaid’s discussion, above. Solid advice. You can also create an outbound PepVPN connection from the BR1/Verizon installation to another Peplink router and connect as I’ve described to the 2nd router – assuming you have a static address or DDNS (the latter involves no cost.)

2 Likes

Wouldn’t I need a 2nd router at each location where users wanted to access the Outbound PepVPN connection from the BR1/Verizon cellular installation? If so, that would not be a good option for our group, since we need access from multiple locations. @MartinLangmaid’s suggestion would still be viable, but again we then need to purchase and set up a cloud VPN.

So I think the static IP with port forwarding is probably the simplest solution even though there may be some security risks. Note Verizon is running low on IPv4 addresses and asked if the device could use an IPv6 address, but I understand we need an IPv4.

To build on Rick’s architecture: You can install a FusionHub Solo (free) on a cloud server (there are lots of offers out here - $5/month will get you there) and then set up a PepVPN connection between the FusionHub and your on-site router. That way you get the fixed-ip access (to the FusionHub instance) you (may) want. Then (with judicious use of port forwarding and/or mapping) all your users can access your camera through the FusionHub IP address.

The main cost is the added complexity of two routers (Fusionhub + the on-site router) + $5/month for the virtual instance + whatever arm&leg Verizon charges for your bandwidth.

See the thread FusionHub and Cloud Platform integration (AWS, Azure, Google Cloud) for example set-ups.

3 Likes

I would like to give the FusionHub (solo) and PepVPN configuration a try since it is more secure. Since the BR1-Mini is remotely accessed via Verizon 4G LTE, do I need the static-ip or do I need a DDNS solution or neither?

I see Fusionhub is supported on Amazon Web Services, Google Cloud Engine, Microsoft Azure and Vultr. So if I went with AWS, I think it requires AWS EC2. This appears to have a free 12-month trial. So would that be the way to go?

Is the OpenVPN option with firmware 8 a better choice? Does it eliminate the need for Fusionhub and the whole cloud server?

This is all new territory for me, but hopefully I can set this up by following the available directions. -thx

1 Like