Port Forwarding not working Sky Q Router

b1nuzz

Here’s a thought that may or may not be related.
My CCTV NVR which I am trying to connect to is connected to a WiFi bridge. As are all the cameras and a few other hardwired devices.
None of them show up in the ‘attached devices’ list on the router.
Does it have to ‘see’ the device to open the port?

mickevh

No, it doesn't. Devices are not "attached" to routers in any meaningful way - it is an entirely "stateless" (a term that has specific meaning in data networking) paradigm. Routers don't need to "know" about devices up/downstream of them, it's all about the addresses on the packets...

A router processes network traffic packet by packet, it will simply examine any incoming (or outgoing) packet, determine which port it need to egress through to get to it's destination, then examine things like any Access Control Lists (ACL) and things like firewall rules to determine whether the packet is allowed to proceed.

It's a bit like to posties working in a sorting office, they don't need to have any knowledge of the goegraphy of the world, they just need to read the addresses on the mail and chuck it in the correct bin to move it towards it's destination.

There are (of course) a few caveats and exceptions:  For example uPNP includes a mechanism that allowed clients on the LAN side of you firewall to dynamically request ports to be open, but this wouldn't work "the other way around" - clients on the "outside" of the firewall cannot get ports opened.

Also, it's possibly a device connects inbound on one port, then the target device established a "new" connection "in the other direction" using different ports - which succeeds because SOHO routers have a particularly lapse default state of "allow everything outbound."

If I were testing such things, I'd want to attach an ethernet switch upstream of you router's WAN port, connect a laptop and use that to perform testing. Often you can telnet to the target on the requisite port and see what the response it, though whether that works depends somewhat on the port and protocol.

I would then disable all the rules and introduce them one by one testing each one as we go until we get the functionality required.

Better kit might also allow the ability to "log" rule usage so that you can examine the system logs to determine whether a rule being triggered or not.

maf1970

Default outgoing on the firewall only allows up to port 1024.
Try adding a rule for CCTV8000 to the outgoing rules.

b1nuzz

Tried this. It made no difference sadly.
Still no further forward.

maf1970

OK, Lets go back and start with basics.
Can you provide a diagram of your local network and ip addresses.
What is your make and model of CCTV system?

b1nuzz

Thanks. I have attached a network drawing. I appreciate it isn't 'proper' but should make sense.
Everything after the wireless bridge doesn't report an IP address on the router, so I only know what the IP addresses are of the CCTV kit as those are all static.

The CCTV NVR is a HIKVISION DS-7604NI-K1/4P.

Thanks again,

ChuckMountain

Ok so a little bit more complication than previously described.

Does the scan report port closed, open or no reply? Normally for it to be open something had to respond, you might well be getting a timeout because your router isn't routing for some reason across the wireless bridge.

Is there any chance of temporarily connecting a cable from router to NVR?

maf1970

What are the makes and models of the wireless bridge and poe switch ?
Could you indicate where all the kit is in your house ??
Do you know how the devices are getting their addresses ? from DHCP ? Static ?

Following ChuckMountain's suggestion, can you get a network cable from the router to the POE switch ??

b1nuzz

Thanks both.

Yes, I can temporarily get a wired connection to the NVR and cameras.

Devices are being given addresses by DCHP from the router, for everything apart from the NVR, NAS and cameras where I have assigned the IP address.

Router and NAS is in hallway, and the bridge, NVR etc is in the office upstairs.

Ports are reporting back as ‘closed’.

I’ll get the wires connection tomorrow and see if anything changes.

Thanks

b1nuzz

Done this today and it hasn't made any difference.
Still no external access.
I'm very confused and short of ideas.