Remote View works on private networks, fails from internet
  • First, let me apologize for the length of this, but it was necessary to fully describe the situation.

    The other night I moved my installation of Security Spy (4.2.3) to a new Mac. Everything works fine, except for Remote View. If I'm on the local network there is no problem, whether I use the app on my iPhone or iPad, or a browser. However, if I'm on the internet it fails. If I test against the original server there is no problem whatsoever. This is the same using either HTTP or HTTPS.

    I've narrowed down some of the issue. The following has been tested with two different iPhones over LTE and wifi, and an iPad using a personal hotspot on an iPhone and wifi.

    Originally, UPnP was enabled, but the problem server does not actually configure it to allow a connection, so I am not able to reach the server at all. I disabled UPnP on my routers and in Security Spy and set up Port Forwarding. This allows me to reach the server from the internet, but I run into a stranger issue. Security Spy will complete the TCP handshake when I'm on the local network, but not when I'm on the internet.

    The setup:

    The new system is an iMac. The ISP router connects to an Eero. The internal network of the ISP router is 192.168.1.0/24. The internal of the Eero is 192.168.7.0/24. Both the new system and the old system (Mac Mini) are on the internal Eero network.

    The new system was originally set up with a bonded connection of two ethernet NICs. To eliminate this as an issue I removed the bond and disabled one of the interfaces so that it was a single NIC.

    The firewall is not enabled on either system.

    If I connect from either the 192.168.7.0 network or the 192.168.1.0 network I am successful. If I connect from the internet I am not.

    I've taken packet captures on the new and old systems:

    If I'm attempting to connect to the new system from the internet (either through the app or from a browser) I see the SYN, but there is no SYN ACK response. Before I removed the bond, I considered that the SYN ACK might be going out on a different interface than the SYN came in on, but no matter where I take the packet capture I see no SYN ACK. As I stated above, I pared it down to one NIC just in case.

    There appears to be virtually no difference in the SYN packets received from the local network vs the internet (other than the source and the MSS). I thought about a malformed packet, but the failure is not malformed.

    Links to packet captures showing the TCP handshake:

    Good server - iPhone over LTE:

    http://bit.ly/2rLdKGd

    Problem server - iPhone over LTE:

    http://bit.ly/2rKACph

    Problem server - iPhone over wifi:

    http://bit.ly/2nkeg8D
  • I'm a bit confused by some of this information. You write: "I disabled UPnP on my routers and in Security Spy and set up Port Forwarding. This allows me to reach the server from the internet" but then you write "Security Spy will complete the TCP handshake when I'm on the local network, but not when I'm on the internet." - could you explain this apparent contradiction?

    If your router is operating on subnet 192.168.1 but your Eero WiFi system is operating on subnet 192.168.7, then the Eero system is acting as a router itself, in addition to your ISP router. This double-router configuration is undesirable, as it will make setting up port forwarding difficult.

    There are two solutions to this: 1. set your Eero system to bridge mode and leave it connected to your ISP router. Or 2: if you have a separate router and modem from your ISP (rather than a combined router-modem device in one box), disconnect your ISP router, and connect the Eero system directly to the modem. In both these scenarios, you achieve one single LAN operating over one subnet, which is ideally what you want.

    Alternatively, if you want to keep your ISP router, then you should connect the Mac running SecuritySpy by wired ethernet directly to the ISP router, rather than to the Eero system.

    The main thing is to make sure that there is only one router between the Mac running SecuritySpy and the Internet, not two.

    Finally, it's not clear from your info whether UPnP was working before with your old Mac. If it was, then it should work with your new Mac, but you may have to restart your router(s) so that it (they) clear their NAT tables and can accept new UPnP commands for the ports in question.
  • ********
    "I'm a bit confused by some of this information. You write: "I disabled UPnP on my routers and in Security Spy and set up Port Forwarding. This allows me to reach the server from the internet" but then you write "Security Spy will complete the TCP handshake when I'm on the local network, but not when I'm on the internet." - could you explain this apparent contradiction?"
    ********

    What I mean is that UPnP was not setting up a way to reach the new server. Neither router gives me any insight into UPnP, so I removed it from the equation. I set up the port forwarding so that I could ensure I could reach the server (as evidenced by the SYN packet reaching the server), but the server is not responding to the SYN for the TCP handshake.

    Here's the basic topology - both Macs are behind the Eero.

    ISP Router ----Eero----Mac 1
                     |------ Mac 2

    Port Forwarding has been set up on the ISP router to forward the incoming TCP traffic on port 8082 to the Eero on port 8082, and the Eero is set up to forward the incoming TCP traffic on port 8082 to the new Mac. I've tried different ports (like 8001, 8080), as well as using HTTPS and HTTP.
    ********
    "If your router is operating on subnet 192.168.1 but your Eero WiFi system is operating on subnet 192.168.7, then the Eero system is acting as a router itself, in addition to your ISP router. This double-router configuration is undesirable, as it will make setting up port forwarding difficult."
    ********

    Yes, this is correct. The port forwarding is just a second hop, and the forwarding is working correctly for both Macs. I can see the incoming packets coming in to either one, it's just that the new one won't respond. I moved the new Mac to the ISP private side, but the results were the same (see packet capture linked below).

    UPnP was working fine for the old Mac. When I set up the new Mac it was not working (but only for the new Mac). I checked the firewall on the ISP router and found that it was dropping the packets destined for the new Mac, but letting the packets for the new Mac through. Once I configured port forwarding, no packets were dropped and I can see the SYN packets making it to the new Mac. I can make the old Mac work with either UPnP or with port forwarding.

    The ISP router, the Eeros, and both Macs have been rebooted multiple times with no change.

    New Mac on ISP private side (before Eero):

    http://bit.ly/2EjKUiF
  • Is the new Mac running standard macOS, or is it running macOS Server? If the latter, there are additional firewall controls that may have to be configured to allow incoming connections. If the packets are actually reaching the Mac, but it's not responding, then a firewall is the most likely explanation. I presume you've double-checked all the ports, so that SecuritySpy is listening on the correct port that is being forwarded through your routers?
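The two capture observations in this thread (a SYN arriving at the host with no SYN-ACK, and the question of whether anything is actually listening on the forwarded port) can be separated mechanically. The following is an added example, not code from the thread or from SecuritySpy: it parses `tcpdump -n` style lines (the sample capture is constructed; the addresses, ports and the `192.168.7.20` server address are assumptions) and labels each client flow. The distinction it draws is the one a defender wants here: a closed port with no firewall answers a SYN with RST, so pure silence after repeated SYNs points at a host firewall dropping the packet rather than at a wrong port.

```python
"""Classify TCP handshake outcomes from tcpdump-style capture text (added example)."""
import re
from collections import defaultdict
from typing import Dict, Tuple

# Matches lines such as:
#   12:00:01.000 IP 203.0.113.5.51000 > 192.168.7.20.8082: Flags [S], seq 1, win 65535, length 0
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+Flags\s+\[(?P<flags>[^\]]*)\]"
)

# Constructed sample: a LAN client completing the handshake on 8082, an internet
# client whose three SYNs on 8082 get no reply, and a client hitting 8080 that gets RST.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 192.168.7.30.50001 > 192.168.7.20.8082: Flags [S], seq 100, win 65535, length 0
12:00:01.001 IP 192.168.7.20.8082 > 192.168.7.30.50001: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:01.002 IP 192.168.7.30.50001 > 192.168.7.20.8082: Flags [.], ack 501, win 4096, length 0
12:00:05.000 IP 203.0.113.5.51000 > 192.168.7.20.8082: Flags [S], seq 200, win 65535, length 0
12:00:06.000 IP 203.0.113.5.51000 > 192.168.7.20.8082: Flags [S], seq 200, win 65535, length 0
12:00:08.000 IP 203.0.113.5.51000 > 192.168.7.20.8082: Flags [S], seq 200, win 65535, length 0
12:00:10.000 IP 198.51.100.9.40000 > 192.168.7.20.8080: Flags [S], seq 300, win 65535, length 0
12:00:10.001 IP 192.168.7.20.8080 > 198.51.100.9.40000: Flags [R.], seq 0, ack 301, win 0, length 0
"""

Flow = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)


def parse_flows(capture: str, server_port: int) -> Dict[Flow, dict]:
    """Group packets by client<->server flow and count the handshake steps seen on each."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "rst": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-IP lines or anything tcpdump prints that we do not model
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        flags = m["flags"]
        if dport == server_port:  # client -> server direction
            flow = (src, sport, dst, dport)
            if "S" in flags and "." not in flags:
                flows[flow]["syn"] += 1  # retransmitted SYNs land on the same flow key
            elif "." in flags and "S" not in flags:
                flows[flow]["ack"] += 1
        elif sport == server_port:  # server -> client direction
            flow = (dst, dport, src, sport)
            if "S" in flags and "." in flags:
                flows[flow]["synack"] += 1
            elif "R" in flags:
                flows[flow]["rst"] += 1
    return dict(flows)


def classify(flows: Dict[Flow, dict]) -> Dict[Flow, str]:
    """Label each flow with its handshake outcome and the most likely cause."""
    verdicts = {}
    for flow, seen in flows.items():
        if seen["synack"] and seen["ack"]:
            verdicts[flow] = "established"
        elif seen["synack"]:
            verdicts[flow] = "synack-sent-no-ack: reply is not reaching the client (route/NAT on the return path)"
        elif seen["rst"]:
            verdicts[flow] = "rst: SYN reached the host but nothing is listening on that port"
        elif seen["syn"]:
            verdicts[flow] = "syn-only: host received the SYN and stayed silent (host firewall drop)"
        else:
            verdicts[flow] = "no-syn: only server-side packets seen for this flow"
    return verdicts


def diagnose(capture: str, server_port: int) -> Dict[str, str]:
    """Convenience wrapper: verdict per client 'ip:port' for one server port."""
    return {
        f"{c_ip}:{c_port}": verdict
        for (c_ip, c_port, _s_ip, _s_port), verdict in classify(parse_flows(capture, server_port)).items()
    }


if __name__ == "__main__":
    for port in (8082, 8080):
        for client, verdict in diagnose(SAMPLE_CAPTURE, port).items():
            print(f"port {port} client {client}: {verdict}")
```

To feed it a real capture, run `tcpdump -n -i <interface> tcp port 8082` on the server and pipe the text in; if the forwarded SYN never appears at all, the problem is upstream (router forwarding), and only the `syn-only` verdict points at the host itself.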
  • That was it! Both Macs are running macOS Server. I checked and the new Mac was set up to accept connections only on private networks. I suspect I changed that at install time. I entered an exception for the appropriate port and I could immediately reach it and view the cameras.

    I won’t be able to check the other Mac until later, but based on this I’m sure I’ll find that it’s configured to accept the connections.

    Thanks!
  • Great to hear it's now working! macOS Server has many more firewall options than standard macOS so it can sometimes be a bit tricky to configure correctly when you have incoming connections from various legitimate sources but still want good protection by the firewall from nefarious connection attempts.