UPnP and Blue Iris
Posted: Sat Feb 15, 2020 2:08 am
by Thixotropic
I used the Remote Access Wizard to set up the webserver built in to BI. I'm using a Nighthawk X4S AC2600 Smart WiFi Router, Model R7800.
As part of the process I set the port from '81' (the default) to '500', so I access my BI server remotely with something like 75.75.75.75:500 (obviously not my real IP)
Everything works fine, but as part of the process the wizard used UPnP to set one of the params, and it succeeded because UPnP is turned on in the router by default. So far so good, but....
I see lots of posts all over the web warning that UPnP is a potentially serious hazard, and from what little I've read that seems absolutely correct. Based on that, I'm thinking I should turn UPnP off in the router. I found the setup page where you can do this in the router, a single checkbox.
My question is, will turning UPnP off now (after everything is set up) cause an issue with BI? It seems like it shouldn't but I thought I'd ask here and see what people say.
I've heard that it could cause issues with Skype (which I use) and with torrenting (which I don't).
In addition to any possible side effects with BI (??), what other kinds of issues or problems might I see if I turned off UPnP now?
Re: UPnP and Blue Iris
Posted: Sat Feb 15, 2020 9:42 am
by TimG
Hi,
As I understand it, UPnP is only used during initial setup, so turning it off shouldn't cause any problems if it's already working. I have it turned off, but then I'm using OpenVPN on the router, so I simply don't need it.
My first internet computer was a massively expanded Amiga A1200, so I got used to setting things up manually.
Re: UPnP and Blue Iris
Posted: Sat Feb 15, 2020 3:36 pm
by HeneryH
uPnP is talked about negatively because 99% of the population doesn't understand it and it can be used maliciously by bad actors.
You sound like you know enough about router rules and networking to protect yourself.
I have a small marina with about 12 boat slips. I logged into my router one day and found port forwarding rules set up for some Chinese cheapo camera that one of my clients installed on his boat. That one cheapo Chinese camera introduced a stealth (had I not noticed it) tunnel into my network.
Re: UPnP and Blue Iris
Posted: Sat Feb 15, 2020 5:16 pm
by Thixotropic
HeneryH wrote: ↑Sat Feb 15, 2020 3:36 pm
You sound like you know enough about router rules and networking to protect yourself.
Thank you, but I don't really understand it except at a basic level.
I went in to turn it off and noticed it had a bunch of entries, but I don't know if they were there by default or from something else adding them. After turning it off they all disappeared.
I turned it back on as a test and the list was as follows (there were fewer than before, about half as many, but I think they were all going to the same IP):
Active  Protocol  Int. Port  Ext. Port  IP Address
YES     TCP       9010       34940      192.168.1.10
YES     TCP       9020       36255      192.168.1.10
YES     UDP       9030       34114      192.168.1.10
YES     UDP       9031       36008      192.168.1.10
YES     UDP       9032       33283      192.168.1.10
YES     UDP       9033       35870      192.168.1.10
192.168.1.10 is the static IP that's assigned to the RCA video doorbell; I don't know if that indicates a problem with it trying to phone home or if it did that during setup, or what. I turned uPnP off now and it'll stay that way unless I find a problem.
I also checked to see that no ports were being forwarded, and the only entry I saw was for FTP.
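Added example (not part of any post in this thread, and not Blue Iris or Netgear code): a Python script that parses a UPnP mapping table pasted from the router page, like the one quoted above, and lists active mappings that are not on a list of forwards set up deliberately. The table rows are the ones from the post; the BI host address 192.168.1.20 and the names `INTENDED`, `parse_upnp_table` and `unexpected_mappings` are assumptions.

```python
import ipaddress
from collections import defaultdict

# Rows copied from the router's UPnP table quoted in the post above.
UPNP_TABLE = """\
Active Protocol Int. Port Ext. Port IP Address
YES TCP 9010 34940 192.168.1.10
YES TCP 9020 36255 192.168.1.10
YES UDP 9030 34114 192.168.1.10
YES UDP 9031 36008 192.168.1.10
YES UDP 9032 33283 192.168.1.10
YES UDP 9033 35870 192.168.1.10
"""

# Assumption: forwards set up on purpose, as (protocol, external port, internal IP).
# Port 500 is from the thread; 192.168.1.20 is a hypothetical address for the BI PC.
INTENDED = {("TCP", 500, "192.168.1.20")}

def parse_upnp_table(text):
    """Return one dict per data row; header, blank and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].upper() not in ("YES", "NO"):
            continue
        active, proto, int_port, ext_port, ip = parts
        try:
            rows.append({
                "active": active.upper() == "YES",
                "proto": proto.upper(),
                "int_port": int(int_port),
                "ext_port": int(ext_port),
                "ip": str(ipaddress.ip_address(ip)),
            })
        except ValueError:
            continue  # non-numeric port or invalid IP address
    return rows

def unexpected_mappings(rows, intended):
    """Group active mappings that are not in `intended` by internal host."""
    by_host = defaultdict(list)
    for r in rows:
        if r["active"] and (r["proto"], r["ext_port"], r["ip"]) not in intended:
            by_host[r["ip"]].append((r["proto"], r["ext_port"], r["int_port"]))
    return dict(by_host)

if __name__ == "__main__":
    for host, maps in unexpected_mappings(parse_upnp_table(UPNP_TABLE), INTENDED).items():
        print(f"{host}: {len(maps)} active mapping(s) not on the intended list: {maps}")
```

Run against this table, every mapping is grouped under 192.168.1.10, the doorbell's address, which is the host to look at before deciding whether UPnP stays off.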
Re: UPnP and Blue Iris
Posted: Sat Feb 15, 2020 11:40 pm
by HeneryH
The video doorbell must have a web service offering and to get that service to work the doorbell had to punch a hole through your router. It basically set up a port-forwarding without you knowing about it.
Re: UPnP and Blue Iris
Posted: Sun Feb 16, 2020 12:15 am
by Thixotropic
HeneryH wrote: ↑Sat Feb 15, 2020 11:40 pm
The video doorbell must have a web service offering and to get that service to work the doorbell had to punch a hole through your router. It basically set up a port-forwarding without you knowing about it.
That's probably it.
It seems to work fine with uPnP turned off, but I'll know for sure in a day or two. It'll either keep working and sending alerts or not. Maybe it's time to dump it and just use a dedicated BI cam to sense people approaching and send an alert.
I'm still looking for a good PoE doorbell cam. There are a few out there that look like possibles but the last one I tried wasn't real PoE and required some silly adapter to work. But like I say, maybe it's time to just use a regular cam to alert me to people and packages.
Re: UPnP and Blue Iris
Posted: Sun Feb 16, 2020 5:30 pm
by Thixotropic
Okay, so I'm not sure what's going on, but here's what's going on..lol
I turned off uPnP and it seems to have cleared any uPnP forwarding that was active, meaning that BI is no longer reachable from the outside world.
I turned it back on and stepped through the wizard and got it working again. Turned off uPnP and yes, it appears to wipe out the port that was forwarded.
So I guess it's time to manually add a PF rule and go from there.
Re: UPnP and Blue Iris
Posted: Mon Feb 17, 2020 5:41 pm
by Thixotropic
I got this figured out, no thanks to the incompetent clowns at Netgear 'support'. I swear, the people at Netgear support couldn't pour milk out of a boot with the instructions written on the heel.
Anyway, here's the setup to enter in the Port Forwarding screen. Select "Add custom service", and in the next screen select "TCP" from the Protocol dropdown.
Service Name: put whatever you want here
External Ports: put the port number to be forwarded and visible to the outside world
Internal Ports: put the port number to be forwarded and visible to the host PC that BI is running on
Internal IP address: put the IP address that the BI box is connected to on your LAN.
After saving, you can check to see if the port is visible on the internet by going to
https://www.canyouseeme.org and entering the port number (in this case, '500').
If it's visible, you'll see a message stating the following:
"Success: I can see your service on 169.55.13.238 on port (500)
Your ISP is not blocking port 500"