Note: NW no longer recommends the use of port forwarding, except in certain specific scenarios where it may be required and where other security mitigation measures are in place.
One of the many benefits of IP cameras is their ability to act independently of a PC. Being a standalone device you simply plug it into a broadband enabled router or switch and with a bit of work you can access your camera's video footage and administrator pages from anywhere in the world. It is not uncommon for people to use cameras to keep an eye on their home, elderly relatives, driveways or even pets and they can do so from work, from holiday or even from another country, but external access made available through port forwarding is also necessary at larger scales.
Here at Network Webcams Tech HQ we find that most people run into a basic snag which prevents them from being able to access their camera over the Internet - by default, if you try and gain access to your home network from anywhere on the internet you will find that the firewall in your router will block that incoming access. This is great for your everyday security but not so great when you want to view your camera. 'Port-Forwarding' is rarely, if ever, enabled by default.
In this article I will explain just what that means and point out the things to consider when setting up your IP camera for remote Internet access.
Setting up remote camera access
There are 3 main areas you have to consider when setting up external access to your camera:
- Local Area Network (LAN)
- Firewall / Router
- Wide Area Network (WAN)
A graphical representation of basic port forwarding
I will look at these in order. In the Local Area Network section I will discuss how to set up the camera in preparation for external access. In the Firewall section I will look at configuring your router to allow incoming traffic from the Internet and finally in the Wide Area Network section I discuss how you access your camera from another computer on the Internet.
Local Area Network (LAN)
The Local Area Network is basically the structure of the computer equipment you have at home. This could include one or more computers/laptops, a router which is plugged into the phone line and of course your network camera. On the Local Area Network side of things we need to set up the camera in preparation for external access. Let's take a look at the following items which need to be considered when preparing your camera:
- Set up your camera with a static local IP address
- Input the correct subnet mask and default gateway addresses
- Set up your DNS server addresses
- Configure the port number(s)
1. Static IP
If you allow the network to automatically allocate an IP address to the camera each time you turn it on then chances are the address could change in the future. You really want to 'fix' the IP address in the camera so that it never changes because when you configure the router you will point to the camera's IP address. If this keeps changing then the rules in the router will break and not function. Remember that local IP addresses have to be unique for every device or you may find devices will clash and fail to communicate. You will be able to set a 'static' IP address in your camera. Some cameras will use the word 'static' while other cameras will say something like 'use this IP address'. Consult you camera's manual for the correct configuration.
Note that in some routers it is possible to assign port forwarding against the camera's MAC address. This is useful if you want to keep your camera on a DHCP address and not 'fix' the IP.
2. Subnet Mask / Default Gateway
The subnet mask will almost always be 255.255.255.0 (the default for what's known as a 'Class C' network). This gives the average home user 254 useful addresses to allocate to their home network, which is more than enough (unless you're running a supercomputer made up of 253 Raspberry Pi!).
The Default Gateway (sometimes called Default Router) is nothing more than the local IP address of your router - i.e the last 'hop' before the data leaves your network and travels outwards to the Internet.
Make sure both of these are entered into the camera when you are entering the static IP address. If you miss this step your data will have nowhere to go.
3. DNS Server Addresses
There will normally be 2 of these in your camera (but not always). DNS servers take the names we give websites and translate them to their source IP addresses. It means we don't have to remember lots of complicated numbers and can visit websites and networks by name instead of number. For example the URL http://www.google.co.uk translates to it's original IP: 126.96.36.199. Without DNS translation you will find that your camera will be unable to FTP or email out correctly as it won't be able to translate the domain names to their destination IP addresses.
Your DNS server addresses come from your ISP and should be detailed on the letter you received when you first connected to the service. If you don't know what they are then you can input your router's local IP address in the DNS server 1 (or Primary DNS server) position and the router will do it automatically for you. Google, kindly operate both a primary and a secondary DNS server for public use. the addresses are 188.8.131.52 and 184.108.40.206 respectively.
4. Configure the port number
Typically when one computer communicates with another computer over a network the information is carried using a specific port number. Many ports have specific uses such as email or FTP and a full list of common ports is available on the Internet. It's not so important to know the full list though, you'll be glad to hear...
You will find that the majority of network devices which are accessible using an Internet browser will be set as standard to port 80, including IP cameras and routers etc. This is due to the standard port for HTTP, or information being displayed through an browser, being port 80.
I would advise that you alter the default port number in the camera to something which is not being used in the list of common ports. We do this for a number of reasons. Like local IP addresses, port numbers have to be unique. If you have your camera on port 80 and your router on port 80 you will only be able to access one of these devices from the Internet using this method. It is also to promote security to your network. It will keep the camera safer if someone was to attempt to maliciously enter your network, as it won't be available on the standard port and they will move on to the next router after finding nothing. Don't worry though, even if someone did find a camera on your network it will be password protected and almost impossible to access without the password, provided you don't use the default password and do keep the firmware up to date.
Important - when changing to a custom port number the URL for your camera will change both internally and externally. For example if we changed our camera on http://192.168.0.90 from port 80 to port 4440 we would have to use http://192.168.0.90 to connect to the camera, specifying the port number explicitly at the end of the IP address. This is the same for accessing the camera externally.
The firewall in your router does a great job of blocking unwanted traffic to your network. A good analogy is to think of it as a reception desk in a hotel. To gain entry to your room you must first speak to reception who will check you in and give you a key. If you attempt to enter a room unauthorised you will be stopped and ejected from the building (unless you sneak in through the backdoor, or dressed as a maid, but that's a whole other blog post ;-) ).
What we ultimately want is to allow access to your camera from anywhere on the internet but stop all other unsolicted attempts to access your network. We do this by adding a firewall rule to your router.
Now we're afraid there just isn't enough room on this blog entry to provide port-forwarding instructions for every make and model of router but the general principle is the same for all. That principle is:
For any WAN user accessing your camera port >> allow access and forward them to the camera's local IP address
You will be able to find instructions for your specific make and model of router from PortForward.com:
And you can see full instructions for a Netgear DG834 router below as an example:
Wide Area Network (WAN)
The Wide Area Network (WAN) is essentially the Internet. When it comes to accessing your camera from the Internet you need to know what your external IP address will be. This will be your unique address for your network which you can use from anywhere on the Internet and it is known as your 'public IP address'.
You can find out what your public IP address is by asking your ISP as they allocate you one when you sign up for your Internet service, or each time you connect. You can also find out for yourself by visiting the following website: www.mycamip.com. The site will show you the public IP from the network you view the site from.
Dynamic IP vs Static IP
Unfortunately most home domestic broadband accounts will have a dynamic public IP. This means that your address will change periodically which could prove problematic when trying to access your network from the internet.
There are two ways to get around this problem:
- Static IP
- Dynamic DNS
1. Static IP
The ideal scenario is that you receive a static IP address from your ISP. They can normally do this pretty easily but there will probably be a small charge for the service. This would mean that your public IP address would never change, so you should have no trouble connecting to your network externally.
2. Dynamic DNS
This provides you with a means to give your public IP address a meaningful name while in the background it will automatically track any changes to your public IP address.
A wide range of routers will support this function and offer connections with leading dynamic DNS services on the Internet such as DynDNS or No-IP. These services are normally free to use.
Alternatively, some IP camera manufacturers build their own dynamic DNS services into their devices and can be activated as part of the initial set-up procedure of the camera.
Accessing your camera
Once you know your public IP address then accessing your camera should be easy from here on. Simply type in your address from anywhere on the Internet, remembering to specify the port number if it's anything other than 80, and you should have access to your camera! An example would look something like: 'http://mycamera.viewnetcam.com:4440' which would be a Panasonic IP camera configured for access on Port 4440 and set up using Panasonic's dynamic DNS service 'Viewnetcam.com'.
One last thing to note. When accessing your camera using your public IP address you may run into a small problem known as NAT Loopback. What this generally means is that if you try to access your camera using your public IP address from the same network the camera is plugged into then you will find that you may not be able to connect. This is fairly normal and it's quite common for your router to block this kind of traffic.
The only real way to remedy this is to have a router which supports a NAT Loopback function, such as a Draytec Vigor 2600, so the first thing to do is check for that. If it doesn't then you will have to use your local IP address to access your camera from the local network and use your public IP address to access your camera from anywhere else on the Internet.
And that forms the basics of port forwarding. Nowadays, with on-the-go access a standard demand, port forwarding is more relevant than ever - we all have mobile phones and tablets - and more and more of our devices have remote access features built in. Port forwarding needs will diminish over the coming years as more and more manufacturers embrace https tunnelling (a whole other topic!) which eliminates the need for port forwarding.
One final thing. With hacks on the rise and the prevalence of cameras which are less than mature in their software development, we would recommend thinking carefully before opening ports and allowing remote access. Consider whether it's really necessary for your needs and also consider whether you need access from one or a few locations (and can perhaps allow access only from a limited set of IP addresses).
As usual, if you have any questions please leave your comments below.
[Note: this post was updated October 2017]