Setting up Remote Viewing Using New Cellular Data ISP
  • Hi. A friend had been using DSL internet service and a Peplink multi-WAN router and remote viewing of SS on his Mac Mini had been working. But the DSL internet was pretty slow and unreliable. He got rid of the DSL service and his new service is from AT&T using an LTE MF279 gateway. He's much happier with the internet connection. Now we're trying to re-establish remote viewing of his SS. We're getting mixed messages from Tech Support about whether port forwarding actually works in the real world using this gateway. If we're unable to get port forwarding working, is it too much threat exposure to set up the Mac Mini running SS as a DMZ Host? This Mac Mini is only used as a SS and home automation server and is not used for any other uses. If we're unable to setup remote access for the Mac Mini, is setting up one outdoor Axis camera as a DMZ Host a reasonable thing to do? From what I've read, it seems DMZ is to be discouraged and is often used only for gaming consoles, as the intrusion risk is limited, etc. I appreciate any feedback.
  • The problem with cellular connections is that typically you are not exposed to the Internet directly, but rather you are behind another layer of NAT at the level of your ISP (effectively like you are behind an additional router that you are not in control of). Because you can't configure this NAT layer, you can't open ports to allow incoming connections from the Internet.

    DMZ just means that all incoming connections from the Internet on any port at aimed at one particular device. As you say, this is generally discouraged as it's a potential security risk, but if you make sure to turn on your Mac's firewall with just the relevant few ports open, then you should be OK. Do you know if you are actually able to do this?
  • Ben is correct about the NAT issues. I too use an AT&T cellular connection at home because I live in a rural area and the speed is fantastic. What I use as a workaround is an app called NGROK for secure http tunneling. It works really well in that you can connect to your cameras remotely and it's free for the most part... if you're willing to deal with dynamic host names.... Shouldn't be an issue if you don't restart your computer often.
  • Hello, Ben, hello, htijerina. Thanks both for the feedback and the introduction to NGROK. Our sole ISP is AT&T cellular (also due to rural setting) and we need to access two web servers on a Mac Mini, one for SS and another for Indigo (home automation software.) htijerina, is your setup similar to this? Does your system work well?

    I'm wondering if you and other visitors here feel that setting up NGROK services is a reasonably secure connection?

    https://ngrok.com/product

    Again, many thanks!
  • I'm only using it to access one server at a time, in this case SS. I think it's pretty secure and if you're really concerned about security go with a paid plan (whitelisting, Encrpyted tunneling etc). If you go with a paid subscription which is relatively cheap I believe you can run more than one tunnel at once which would solve your issues with running 2 web servers at a time.

    As far is it working well, it works really well ALL THE TIME. The only issue I have and I'm 99% sure it's not Ngrok related is that my connection over cellular is choppy. Looks like my cameras are running at 1-5FPS when in reality they are running at 30FPS. Really bugs me and I'm thinking of just going back to running blue iris on a PC (even though I purchased an 8 camera SS license :( ). Blue Iris did an excellent job of detecting your connection type and would lower resolution as need be to make sure you got a nice smooth picture. I'm guessing SS is always displaying Stream 1 which in my case is 2560x1440 at 30fps. That may be a little much even with my 30-50Mbps upload. Could also be the Reolink cameras I use... who knows... I say that because I know these reolinks can be a little finicky with their RTSP streams. Monoclecam (Amazon Alexa Skill) for instance doesn't work with my cameras without setting up a proxy server (LAME).

  • I install cellular connected systems for law enforcement. Here is the best answer: Static IP. Verizon will charge $500 up front for a static. (free for LE agencies) However, AT&T only charges an extra $3 per month for a static address. This is the only way I have found to make it work constantly and reliably for mission critical applications.
  • Thanks again, htijerina, and hello TSI. Appreciate your suggestion about a static IP and while that makes sense– and this friend still has an active DYN.com account, which had worked with his earlier DSL internet service– we’re still stuck at port forwarding.

    Here’s an update. Our internet service is coming from an AT&T MF279 gateway. The AT&T documentation specifically states that port forwarding is supported. I followed the instructions to forward a port to a specific IP address on the LAN, where we have a Mac Mini running SS on an IP with a DHCP reservation. We were not successful in viewing SS from a remote WAN connection.

    An additional complication is double NAT. It seems the MF279 gateway cannot be set in bridge mode. So the gateway is handing out IP addresses to his (heavily configured, pre-existing) Peplink router which is also managing LAN IP addresses. This Peplink has the same port forwarded to the Mac Mini (and this had been working flawlessly with his earlier DSL service.) Other than the ways double NAT could be affecting our remote viewing, it has not been an apparent problem as every single internet service is working much better by LTE than his earlier DSL service ever did.

    Out of curiosity I brought one of my Canary video surveillance cameras over to his house, and it seemed to work well.

    Any other feedback for me? I would like to confirm correct network setup first before exploring NGROK, etc. Thanks!
  • Still working on this, in case this could be helpful to others, I'll share our progress.

    I imagine Double NAT is interfering with our port forward testing. The ISP (AT&T) gateway is already a router. I thought about attaching a five port gigabit network switch to the AT&T gateway, sending one ethernet cable to the current Peplink router. This way, everything in the house should work well, as it does now. Then connect the Mac Mini running SecuritySpy and two cameras by ethernet to this gigabit switch- so that they're in front of the second router. Then do a port forwarding test. If it works, I'm not sure, this setup might or might not be agreeable to live with.

    But first I'm focused on dialing in motion detection sensitivity, trigger time, and masking. I've been very pleased with how well SecuritySpy's email relay service has been working. As things are right now we can log in to the Mac Mini running SecuritySpy by Teamviewer if we want to see all cameras live. The motion detection based emails will provide notification. We're also experimenting with saving select camera's video files to Dropbox, instantly and conveniently viewable from anywhere.

    I will followup again with further developments.
  • There seem to be two different things being discussed above:

    1. Being given a private/local IP address by your ISP rather than a public one (see Carrier-grade NAT). This is common for 4G/LTE connections. One solution for this is to use a VPN that provides you with a public IP address (e.g. Static VPN IP). Another solution is ngrok, which is designed specifically for this purpose.

    2. Having two routers on your own local network, each with NAT enabled. The best solution for this is to eliminate one of the routers, or put one of them in bridge mode. Otherwise, for any device behind both routers, the first router needs to be configured to forward incoming connections to the second router, which needs to be configured to forward incoming connections to the device (note: the first router cannot see the device directly, so you can't just add a rule here to forward connections directly to the device).

    As noted above, AT&T do seem to have an option to give you a public IP address. See this page: AT&T Custom IP Addressing Solutions. In case the page moves, here is the relevant text:

    Private IP addresses: This is the default IP addressing solution on the AT&T data network. If you choose this option, your mobile devices will be dynamically assigned a private IP address for use with your private network.

    Public IP addresses: Public IP addresses can be dynamically assigned from a designated range of addresses for a specific business. Choosing a block of public IP addresses allows you to reinforce corporate security by adding a fixed block of wireless device IP addresses to your firewall. By using public IP addresses, your traffic can be routed via the Internet.

    Static IP addresses: Business-critical applications that require a fixed IP address can take advantage of AT&T static IP addresses. With static IP addresses, a business can designate a range of public IP addresses to be assigned to their mobile users. Each time a mobile user signs on to the wireless data network, the network assigns the same IP address to the device from the designated range.


    This information is about business connections, but hopefully they also provide these option for personal accounts.

    So I think, with AT&T, the best option would be to contact them and get a public IP (either static or dynamic - it doesn't matter), then make sure you don't have double-NAT within your own network. Then everything should work.
  • Thank you, Ben, for taking time to contribute again to the thread, especially considering how far afield we are from conventional SecuritySpy support. I appreciate and have noted the clarifications and suggestions you made. For independent reasons, this project is on a brief hiatus but when we return and move forward with next steps, I will followup again briefly to outline our advances. Cheers and thank you, everyone.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!