Best Practice For Remote Viewing Of 3 Hikvision NVRs Behind Firewall

Greetings. I recently picked up a customer who has 3 Hikvision 7716 NVRs and he wants to be able to view all 3 on his phone.

** Info on setup **

The 7716s each have their own POE switch (16 port) that the cams are plugged into. These are effectively 3 separate networks from the main net that the NVRs are plugged into.

The first thing that seems obvious is to change the ports on 2 of the NVRs so that there are 3 different HTTP / RTSP ports, and set up 3 forwards under NAT in the firewall.

Seems a bit greasy, plus I don't have access to the firewall config, and will have to work with their Network admin to get anything done in the firewall.

It would be nice if the NVRs had an "uplink" port so that multiple units could easily see each other and be viewed from a single address as one.

Another option would be a cloud P2P service, but I'm not sure if the 7716s support that.

So, any thoughts / suggestions?

Thanks much


First off, you don't have to change the ports on the NVRs.

Since they each have their own IP address, you just have to set three separate outside ports to point to the internal 8000's.

So: (public IP) 000.000.000.000:8000 > 192.168.1.200:8000

000.000.000.000:8001 > 192.168.1.201:8000

000.000.000.000:8002 > 192.168.1.202:8000

> It would be nice if the NVRs had an "uplink" port so that multiple units could easily see each other...

Aren't they all connected to the same 'main' network?

I normally, in this instance, configure the units with unique ports. If you use the Hikvision DDNS service, it will send the unique port number for setup in the iVMS-4200 and iVMS-4500 applications.

Some firewalls/routers do not direct different port numbers (for instance 8001 from WAN to 8000 LAN IP ?.?.?.?). Maybe yours does. If you do this, though, you would need to set up the NAT information in the Hikvision units so it sends this information to the DDNS (if you use this).

> Some firewalls/routers do not direct different port numbers (for instance 8001 from WAN to 8000 LAN IP ?.?.?.?). Maybe yours does.

WRONG...

All firewalls that support NAT have port forwarding as a feature.

Some routers call this port mapping, where different outside ports go to the same inside ports. For example, outside ports 8000, 8001, 8002 map to port 80 on each NVR internally. Makes internal use of the NVRs easier.

Some routers definitely do NOT have this function, and require you to map 8000 = 8000, 8001 = 8001, etc...

I personally prefer port mapping vs. traditional port forwarding.

Due to undisclosed 2's absolute declaration of

> All firewalls that support NAT have port forwarding as a feature.

your job should be easy. A single counter-example will suffice.

On the other hand, I haven't seen one that doesn't allow internal and external ports, and this instructional article showing the most common routers doesn't help your case.

Well, again, I don't have access to the firewall, so I don't know what features it does or does not have.

Firewall features aside: whether it's mapped, or forwarded, you are only talking about port 8000. What about the RTSP port?

I guess what I was hoping from the community was something I was missing. Perhaps a feature in the firmware that allowed them to see each other BEHIND the firewall, so that I only had to see one. A "master", if you will.
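
The forwarding plan discussed above, extended to cover the RTSP question, as an added example that is not part of the thread: it gives each NVR/service pair its own external port, checks for collisions, and renders the result as Linux iptables DNAT rules. The iptables firewall, the `eth0` WAN interface, RTSP on internal port 554, the external RTSP ports and the allowed source range are assumptions; only the LAN addresses and the 8000-series ports come from the posts.

```python
import ipaddress

# Constructed inventory: LAN addresses come from the thread; the RTSP
# port (554) and all external port numbers are assumptions.
NVRS = ["192.168.1.200", "192.168.1.201", "192.168.1.202"]
SERVICES = {"server": (8000, 8000), "rtsp": (554, 5540)}  # name: (internal, first external)


def build_plan(nvrs, services):
    """Give every NVR/service pair its own external port."""
    plan = []
    for name, (internal, first_external) in services.items():
        for offset, ip in enumerate(nvrs):
            plan.append({"service": name, "ext": first_external + offset,
                         "ip": ip, "int": internal})
    return plan


def validate(plan):
    """Return a list of problems; an empty list means the plan is usable."""
    problems, seen = [], {}
    for row in plan:
        if not 1 <= row["ext"] <= 65535:
            problems.append(f"external port {row['ext']} out of range")
        if not ipaddress.ip_address(row["ip"]).is_private:
            problems.append(f"{row['ip']} is not a private LAN address")
        target = (row["ip"], row["int"])
        if row["ext"] in seen and seen[row["ext"]] != target:
            problems.append(f"external port {row['ext']} maps to two targets")
        seen[row["ext"]] = target
    return problems


def iptables_rules(plan, wan_if="eth0", allowed_src=None):
    """Render DNAT rules; allowed_src limits who may use the forward."""
    src = f"-s {allowed_src} " if allowed_src else ""
    return [
        f"iptables -t nat -A PREROUTING -i {wan_if} {src}-p tcp "
        f"--dport {r['ext']} -j DNAT --to-destination {r['ip']}:{r['int']}"
        for r in plan
    ]


if __name__ == "__main__":
    plan = build_plan(NVRS, SERVICES)
    assert not validate(plan)
    print("\n".join(iptables_rules(plan, allowed_src="203.0.113.0/24")))
```

A firewall with a default-drop FORWARD policy also needs matching accept rules for the translated destinations.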

Why can't they see each other behind the firewall already?

They are multi-homed and each have one interface on a shared LAN, no?

Because they are on 3 SEPARATE LANs (the 16 POE ports on the back of each NVR).

IF I could disable DHCP on 2 of the NVRs I could, in theory, link them on the same net segment. But I don't see any way to control the IP scheme that the POE ports use...?

> Because they are on 3 SEPARATE LANs (the 16 POE ports on the back of each NVR).

I understand that, but they also have a LAN port, shown below. This is a DIFFERENT LAN from the 16 POE and if the three NVRs are connected to the same switch and are set up on this same IP segment then they can see each other.

In short, your NVR should have TWO networks, one (16 ports) for the cameras (private) and one for the clients (LAN) (1 port).

Right. Well, TECHNICALLY they can see each other, but the HIKVISION software doesn't allow for it.

So, YES, I can PING each NVR from a device on the LAN, but simply connecting to ONE of the NVRs via the IVMS doesn't allow me to see the other ones.

I have to tunnel through the firewall to each NVR separately to see the respective cameras.

I've attached a quickie diagram of the setup with a "proposed" additional switch. What I'm thinking is if I use the 4 port switch to connect to a single port on each of the NVRs, and can set up the IP of the cameras to avoid conflicts, I should then be able to add a MILESTONE VMS server that can see ALL the cameras.

Is there any reason THAT won't work?

THANKS!

Well, like you say, the challenge is going to be avoiding IP conflicts on the camera networks. Have you tried using SADP (from a PC) to change the network or the IP of the cameras? I don't have my Hik NVR running right now, but I remember SADP was key.

If you can't disable DHCP, see if you can change the network segment of each NVR to a different subnet. Then you could triple home the workstation.

Also, which system will 'own' the cameras, i.e. are you just using Milestone to view the streams, not to control or configure? If so, some Hik NVRs and DVRs will stream their cameras from the NVR, which can be added to Milestone. Ethan made a video for doing it with HD Analog cameras, maybe it would work for your NVR... Milestone Super Low Cost HD Solution

WOW... Ethan's video hit on a very attractive solution! If the 7716s will connect the same way the ones in the video did then most of my problem is solved.

To answer your question. Yes, the MILESTONE is just for compliance with a requirement for an offsite viewer. The HIK's would "own" the cameras.

In looking at the latest IVMS software I see that there IS an option for setting the IP address for the POE ports. I never noticed that before so I'm thinking it's new to the latest version...? It may not even do what I *think* it does LOL!

Well, I guess I have some testing / fiddling to do. Thanks for the pointers!