Standard User spile
(regular) Sun 07-May-23 07:45:02

Re: DrayTek Vigor 2762 Port Forwarding


[re: deleted] [link to this post]
 
In reply to a post by Michael_Chare:
Maybe, but I only want to be able to access equipment at home myself. So when away I go myhome.noip.net:54321 which is forwarded to 10.1.1.2:80 and I can then see my camera.

Using this technique I am not aware of any unwanted remote access

Me too but instead of port forwarding I run a vpn server (Wireguard) on my network and access my devices via that.

Edited by spile (Sun 07-May-23 07:46:28)

Standard User deleted
(deleted) Sun 07-May-23 09:34:47

Re: DrayTek Vigor 2762 Port Forwarding


[re: spile] [link to this post]
 
In reply to a post by spile:
instead of port forwarding I run a vpn server (Wireguard) on my network and access my devices via that.
That's probably the best way, but even limiting port access to a limited range of IPs has got to be better than leaving the door wide open to all IPs.
Standard User deleted
(deleted) Sun 07-May-23 09:59:15

Re: DrayTek Vigor 2762 Port Forwarding


[re: prlzx] [link to this post]
 
In reply to a post by prlzx:
This reminds me to learn more about how to search Shodan for testing my own firewalling.
Became aware of that site probably 6 months ago when I came across an article about one brand of camera that has over 10 million unpatched vulnerable cameras out there and I believe that website can help hackers find them.



Standard User jchamier
(eat-sleep-adslguide) Sun 07-May-23 10:55:41

Re: DrayTek Vigor 2762 Port Forwarding


[re: Michael_Chare] [link to this post]
 
In reply to a post by Michael_Chare:
Using this technique I am not aware of any unwanted remote access
Pure luck rather than any designed security. Tools such as nmap (and others) can sweep subnets fast looking for open ports.

If your camera has any vulnerabilities (published or not published) then it could be used as an entry point into your home network, "jumping" from that device to others you have powered up in the home, e.g. a NAS, or home computers etc.

It's like leaving a large hole open in the front door with a sign on it saying "only my dog is allowed". It's still a hole!

23 years of broadband connectivity since 1999 trial - Live BQM
Standard User Pheasant
(knowledge is power) Sun 07-May-23 12:27:41

Re: DrayTek Vigor 2762 Port Forwarding


[re: spile] [link to this post]
 
In reply to a post by spile:
In reply to a post by Michael_Chare:
Maybe, but I only want to be able to access equipment at home myself. So when away I go myhome.noip.net:54321 which is forwarded to 10.1.1.2:80 and I can then see my camera.

Using this technique I am not aware of any unwanted remote access

Me too but instead of port forwarding I run a vpn server (Wireguard) on my network and access my devices via that.

I've moved over to ZeroTier for VPN duties. If your router supports it, an absolute breeze to set up. Clients are readily available for most popular computer OSes and phones too.
Standard User prlzx
(experienced) Mon 08-May-23 00:43:16

Re: DrayTek Vigor 2762 Port Forwarding


[re: spile] [link to this post]
 
+1 for Wireguard - I have it on my desktop PC both listening for connections and as a client of other networks, but also listening on an always-on router sat inside my network which I can use remotely from my smartphone, or to wake up my sleeping PC.

I only need to forward 1 UDP port (per Wireguard listener).

Fritzbox also added Wireguard to their routers alongside IPSec, so it has since become technically possible to do without a separate box, but since the second router has its own firewalling and is used for remote office links I have kept those functions separate for now.

Being dual stack the second router has its own IPv6 address so Wireguard there can also be reachable without NAT;



prlzx on Zen: FTTC (VDSL) at ~40Mbps / 10Mbps
with IP4/6 (no v6? - not true Internet)

Edited by prlzx (Mon 08-May-23 00:43:48)
