
NAT and Port Forwarding Part 3

This will be the third and final installment of the NAT and Port Forwarding series. It is my hope that these articles will help you gain an overview of networking that allows you to walk into any situation and be able to figure out what the problem is quickly, and know what to do to fix it. Networking is not really difficult when you know some ‘basics’, or rules that must be followed every time. Once you have those tools at your disposal, identifying and fixing issues becomes a LOT easier. In the last article we learned how to discover Double NAT and Triple NAT by using the ‘tracert’ command. We have discovered that we are passing through three routers on our way to the Internet. So now, we need to map our way from the Internet back to our device using Port Forwarding rules to guide our incoming signal.
First rule of multiple routers – Every router MUST have a unique Network ID. The network ID is usually the first three octets in your IP Address, depending on the Subnet Mask. Let’s assume that we have just a ‘standard’ setup on each router, where the subnet mask is 255.255.255.0. That mask means the first three octets in the IP address of everything connected to that router must match. Only the last number must be unique. So if your router’s Internal Address is 192.168.1.1, everything on the router must be addressed 192.168.1.xxx (where xxx = 001 through 255).
The next router in line MUST have a different Network ID. It can be as simple as changing one number in the third octet = 192.168.2.xxx, or it can be completely different = 10.10.10.xxx. The rule is merely that they must be different. So if you run a ‘tracert’ (trace route) command and see replies from our routers, and any of them show the same network ID, then we have to change one of them to a unique ID.
The reason for this is, using as example 192.168.1.1 on the first router, if your next router also has 192.168.1.1 as an address, that is called an IP Address Conflict. With 192.168.1.xxx as your IP range, you are limited by that network ID to 254 other devices that your computer can talk to. One of those other 254 devices needs to be a Gateway (router) so you can see other address ranges (like Internet Addresses). That is called NAT (Network Address Translation), and since your router is doing that NAT, it allows you to see through to the next router and everything connected to it. That gives you 254 more devices with the same addresses as the ones on the first router, hence the Network IP Address Conflict. Think of the Highlander series where Duncan MacLeod says “There can be only one!”
Routers always have a ‘LAN Setup’ where you set the Internal Address of the router – that address determines the Network ID of the LAN.
Here is an example of two routers in line behind a modem/router with a camera attached to the last router.
[Image: tripleNAT]
Notice that each router has a unique Network ID =
Modem LAN   = 192.168.1.1
Router 1 LAN = 192.168.2.1
Router 2 LAN = 192.168.3.1
IP Camera is on the third router with an IP address of 192.168.3.2 and uses 3 ports = 3301, 3302, 3303.

To Port Forward your connection to the camera =
First make sure you set each router with a WAN (Internet IP or External IP) that works on the next router’s LAN (Internal Range).
Set the address as ‘Static’ so it never changes. Look closely at the image above – see Router 2.
Router 2’s LAN (Internal IP) is set to 192.168.3.xxx and the camera is attached to that side of the router with a 192.168.3.xxx address.
Router 2’s WAN (External IP) is set to 192.168.2.2 and is attached to Router 1’s LAN.
Router 1’s LAN is set to 192.168.2.xxx so Router 2 can connect to its LAN.
Router 1’s WAN is set to 192.168.1.2 so it will connect to the Modem/Router’s LAN.
The Modem/Router’s LAN is set to 192.168.1.xxx
The Modem/Router’s WAN is the Internet Address you will use to connect to the camera.
When all three routers are set up correctly with unique subnet IDs, a PC connected to the same router as the camera will be able to connect to router 2, router 1, and the Modem/router using the LAN address of each device. (Example = open a browser and input 192.168.2.1 = Router 1 should respond with a logon prompt. Enter 192.168.1.1 and the Modem/Router should respond)
When you can connect to every device in line, and get past them to the Internet – you are ready to Port Forward them back to your camera.
Port Forwarding works from the Internet inward to your camera. That is why it is called ‘Forwarding’, it forwards your ‘call’ from the Internet to device to device until it gets to your camera.
To Port Forward the camera in the example above – log on to the Modem/Router first, using 192.168.1.1 (the Modem’s LAN address).
Find the Port Forwarding section of the Modem/Router. (It may be hiding under ‘Security’, ‘Advanced Settings’, ‘Firewall’, ‘Virtual Servers’, ‘Applications and Gaming’, ‘Pinholes’ or other sections.)
In the Modem/Router = forward the ports 3301, 3302, 3303 to 192.168.1.2 (the WAN Address of Router 1). Save your settings.
Log on to Router 1 using 192.168.2.1 (Router 1’s LAN address). Forward the same 3 ports to 192.168.2.2 (the WAN Address of Router 2). Save your settings.
Log on to Router 2 using 192.168.3.1 (Router 2’s LAN address)
Forward the same 3 ports to 192.168.3.2 (The camera’s IP address on router 2) Save your settings.
You can see here that the Port Forwarding must be done in ‘Daisy Chain’ fashion from router to router to router, and finally to the camera.
When you have successfully set up Port Forwarding through all three routers – open a web browser and go to www.canyouseeme.org. This website will show you your Internet Address – this is the address you will use from off site to connect to the camera; your Port Forwarding will guide your query through the routers and connect you to the camera. This web site also has a very handy ‘Port Checker’ tool. Put in the port number you want to check and click ‘Test’. If you have forwarded correctly, the test will succeed.
Note: the test on this site only works for TCP ports. If your camera uses UDP ports, the tool will return a ‘Fail’. If you get a ‘Fail’ on TCP port checking, you will need to double check all your forwarding rules in each router. If all settings look correct – reboot the routers and test again with the port check tool. Routers usually need to ‘reset’ when opening ports, and most inexpensive routers present the message ‘The router needs to restart’ or similar, and then do a ‘soft’ reboot that fails to accomplish the task.
Also, when checking the ports, make sure your camera is powered up and running and connected to the network so the test can ‘resolve’ or it will fail every time.
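The three rules above (unique Network IDs, each WAN address inside the upstream LAN, ports forwarded hop by hop) can be checked on paper before touching any router. The script below is an added example, not part of the original article; the addresses and ports are the article's, while the dictionary layout and the check_chain function are hypothetical.

```python
import ipaddress

# Constructed from the article's example addresses; the dict layout is hypothetical.
PORTS = (3301, 3302, 3303)
CAMERA = "192.168.3.2"
CHAIN = [  # ordered from the Internet inward
    {"name": "Modem/Router", "lan": "192.168.1.1/24", "wan": None,
     "forwards": {p: "192.168.1.2" for p in PORTS}},
    {"name": "Router 1", "lan": "192.168.2.1/24", "wan": "192.168.1.2",
     "forwards": {p: "192.168.2.2" for p in PORTS}},
    {"name": "Router 2", "lan": "192.168.3.1/24", "wan": "192.168.2.2",
     "forwards": {p: CAMERA for p in PORTS}},
]


def check_chain(chain, device_ip, ports):
    """Return a list of problems; an empty list means every rule holds."""
    problems = []
    lans = [ipaddress.ip_interface(r["lan"]) for r in chain]
    # Rule 1: every router's LAN must have a unique, non-overlapping Network ID.
    for i, a in enumerate(lans):
        for j in range(i + 1, len(lans)):
            if a.network.overlaps(lans[j].network):
                problems.append(f"{chain[i]['name']} and {chain[j]['name']} "
                                f"overlap: {a.network} / {lans[j].network}")
    # Rule 2: each sub-router's static WAN must fall inside the upstream
    # router's LAN, and must not reuse the upstream router's own address.
    for up, up_lan, down in zip(chain, lans, chain[1:]):
        wan = ipaddress.ip_address(down["wan"])
        if wan not in up_lan.network or wan == up_lan.ip:
            problems.append(f"{down['name']} WAN {wan} does not fit "
                            f"{up['name']} LAN {up_lan.network}")
    # The end device must sit on the innermost router's LAN.
    if ipaddress.ip_address(device_ip) not in lans[-1].network:
        problems.append(f"device {device_ip} is not on {lans[-1].network}")
    # Rule 3: each port is forwarded hop by hop to the next router's WAN,
    # and by the last router to the device itself.
    for i, router in enumerate(chain):
        target = chain[i + 1]["wan"] if i + 1 < len(chain) else device_ip
        for port in ports:
            actual = router["forwards"].get(port)
            if actual != target:
                problems.append(f"{router['name']}: port {port} goes to "
                                f"{actual}, expected {target}")
    return problems


if __name__ == "__main__":
    for line in check_chain(CHAIN, CAMERA, PORTS) or ["chain is consistent"]:
        print(line)
```

Changing Router 1's LAN to 192.168.1.1/24 in CHAIN reproduces the conflict described under the first rule: the script reports the overlap with the Modem/Router and that Router 2's WAN no longer fits its upstream LAN.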

To sum up what you did here =
You found three routers daisy chained between you and the Internet by using the ‘tracert’ command.
You identified a private IP range (Network ID) on each router’s LAN that is unique to each router.
You set a static address on the WAN of each sub-router that works in the LAN of the router it is attached to.
You forwarded the required ports from the Modem/Router to the second router, from there to the third router, and from there to your camera.
Then you tested connectivity by going to www.canyouseeme.org and checking your ports.
Those five things are all you need to do to ensure off site connection to your device.
Now that you are a virtual ‘Networking Dynamo’, go out there and give it a go! If you run into trouble, never fear, you have the best technical support available anywhere ready to help you out.
Happy Networking!