How to browse NO-IP domains with custom ports using OpenWrt Router

Installing and Using OpenWrt
1

I usally get internet plugging a USB 3G Dongle (Huawei E173) into a Router , connected afterwards by a Lan cable to my Windows 7 PC.
I have been using TP-Link TD-W8968N v4 Routers for this purpose (with OEM TP-Link firmware) with good results to view IP Cameras located in a VILLAGE , remotely from a CITY by wan access.

VILLAGE config:

I use to connect 2 IP Cameras to the TD-W8968N router Lan Ports, and once tested software working , I remove the PC and router keeps on sending 24h/7d the video streaming by wan and 3G with little power consumption.
For the LAN config I set fixed IP in camera 1 as 192.168.1.111 and camera 2 as 192.168.1.112
I use a free N0-IP account to remotely access both cameras -> http://pueblecito.ddns.net
I arrange port forwarding in the router to access each camera this way
http://pueblecito.ddns.net:4441 -> to view camera 1 (router forwards 4441 to 192.168.1.111 )
http://pueblecito.ddns.net:4442 -> to view camera 2 (router forwards 4442 to 192.168.1.112 )

CITY config:

Using a second TD-W8968N (also with 3G Usb Dongle plugged) , connected to my Windows 7 PC, I can see the live captured video from village just putting following in Internet Explorer browse zone:
http://pueblecito.ddns.net:4441 -> browse -> user + pw -> live video appears of IPCam1
http://pueblecito.ddns.net:4442 -> browse -> user + pw -> live video appears of IPCam2

Here comes OpenWRT -> I wondered if I could do with a OpenWRT router same as with TP-Link Router.

After Installing perfectly OpenWRT 19.07.3 into a "Comtrend AR-5315u" Router (16mb 64mb 333mhz) , adding 3G Usb packages and testing 3GWan works, I tried to see the cameras from Internet Explorer replacing the TP-Link Router by (OpenWRT Router with 3G USB Dongle plugged).

Here comes the hard problem for me -> although OpenWRT router allows browsing of normal sites as "https://www.ebay.com" , REFUSES "special" previous browsing paths:
http://pueblecito.ddns.net:4441 -> no browse
http://pueblecito.ddns.net:4442 -> no browse

Advanced firewall management is not easy in OpenWRT. Up to what I have understood this peculiar problem could not be solved by port forwarding in luCi.

I imagine this "special" browsing could be done by setting adequate traffic rules, but have not found any example to experiment.

I would highly appreciate some help about how to do this browsing
Cordial regards.

2

This should be relatively straightforward, and you should be able to do it via LuCI if that is most comfortable for you.

Let’s start with the IP address of the WAN on the village router - if it is not a public ip, it will not work. Can you post the first two octets of that IP address (aaa.bbb.ccc.ddd - just the a and b numbers)?

3

Of course , here are the aaa and bbb octets or my currently WAN IP address of my village router :

10.201.ccc.ddd

My 3G / 4G internet provider of this WAN is a reseller of ORANGE main provider in Spain.

I hope it helps.

4

The village router is behind a NAT layer, presumably from the ISP, and so the router does not have a public IP address (the entire 10.0.0.0/8 block is part of the RFC1918 address space). Because of this, port forwarding will not work.

You have a few options, but nothing a simple as port forwarding:

  1. you can ask the ISP if they can issue you a public IP address
  2. you can use a cloud-based camera system where the cameras establish a connection to the cloud service (rather than you trying to establish a connection to the cameras).
  3. you can set up a VPN server on a cloud based hosting service and the configure your village router to be a client to that server. From there, you can connect to the VPN from your other locations and you should be able to route to your network.
5

Thanks, my ISP can't issue me a public IP , but your suggestions 2 and 3 seem more proffesional and secure that my basic way explained -> I will try to find the time to experiment with this 2 suggested options in next months.

Comming back to the explained option I started explaining in this topic:

  • It works if I plug the internet source (USB 3G dongle) into a TP-Link TD-W8968N with original TP-Link firmware and feed the Win7 PC with this router -> Internet Explorer browses the 2 path and I see the village cameras.
  • But if I replace the TD-W8968N Router with original firmware with the "Comtrend AR-5315u" Router with OpenWRT firmware (3G dongle plugged in OpenWRT router now)-> Internet Explorer refuses to browse.
  • Even if I plug directly (no Router at all) the 3G USB dongle into the PC and use a Software that detects the modem (as Mobile Partner) -> -> Internet Explorer browses the 2 path and I see the village cameras.

I am not an expert at all in routers software, but previous options are a way of probe by the trial / fail method that:

  • TP-TD-W8968N Router firmware must have a method to solve the NOT public IP address problem with the WAN IP so that using this router the paths can be browsed.
  • Mobile Partner software must have a way to solve the NOT public IP address problem with the WAN IP so that using directly the 3G dongle the paths can be browsed.
  • Comtrend AR-5315u Router with OpenWRT firmware doesn't come from direct install adapted to solve the NOT public IP address problem with the WAN IP so that using this router the paths can NOT be browsed.

As I said I think the OpenWRT Router I tried to use in the CITY comes with a filtering protection that prevents users to browse rare ports (different from normal http port 80) , as 4441 and 4442 in my explanation.

ALTHOUGH NOT RECOMMENDED for normal Router use (router could be highly exposed to abuse or hacking), I wonder what would happen if ALL firewall filtering options were removed from OpenWRT Router -> ¿would then the router allow my internet explorer browse the rare paths?

That was just an idea based in the trial / error question for my peculiar problem, but never a final solution ovbiously -> my browsing refuse situation probes that OpenWRT firmware comes more secure for the PC , and with it internet traffic when browsing is less exposed

6

Check the WAN address that is issued when you use the original TP-Link firmware. Maybe something is different with respect to how the drivers are configuring the 3G dongle (perhaps the 3G dongle is actually the source of the NAT that I mentioned previously and the original TP-Link firmware disables that?? just speculation)

Or perhaps if you take the MAC address from the TP-Link router and clone it in the Comtrend one, maybe it would give you a public IP address (if the ISP was issuing you a public IP on the TP-Link).

Was there a particular reason you switched away from the TP-Link router? Although it doesn't appear to be supported by OpenWrt, if it was a working solution, maybe it makes sense to go back to it.

7
  • Was there a particular reason you switched away from the TP-Link router? Although it doesn't appear to be supported by OpenWrt, if it was a working solution, maybe it makes sense to go back to it.

I am still using only the TP-Link router in the VILLAGE.

The access to the cameras from the CITY can be done ovbiously by my 2nd TP-Link mentioned, but ALSO from other_CITY/other_router or even a mobile phone (as the WAN IP of the village cameras Router is got from the NO-IP domain by browsing from every place in the world with intenet access).

My main particular reason for trying to use a OpenWRT router for that purpose was to learn OpenWRT and explore afterwards the OpenWRT capabilites that go large beyond TP-Link mentioned router.

For example TD-W8968N Router can get the internet from a 3G USB dongle , but NOT from an Android phone by USB tethering with a USB data cable -> you have to go to a much more expensive TP-Link Router (as TP-Link Archer VR900 AC1900) to achieve Interner this way.

BUT with the wonderful OpenWRT firmware, an unexpensive Comtrend AR-5315u router YES can EASILY get internet from an Android phone by USB tethering with a USB data cable.

I read OpenWRT allows user scripting methods for user to program custom tasks -> one of the good info I get from my NO-IP account control panel is that my village WAN IP rarely changes more than 2 times per day:

  • So using an OpenWRT router for the VILLAGE job of the cameras and programming an adequate script into it, the script could check every minute current WAN IP to send me an eMail to my google account every time WAN IP change is detected
  • When in the CITY I would want to see the village cameras I could check the last eMail received with last wan ip (lets say 10.201.22.34) and browse for the cameras this way:
    http://10.201.22.34:4441 -> browse camera 1
    http://10.201.22.34:4442 -> browse camera 2
  • Putting this wan into the browser is what in reality NO-IP domain does, so this rudimentary technique WOULD AVOID even the necessity of NO-IP account (All this is just theory and would become very uncomfortable if the internet provider of the village changed the WAN IP 60 or more times per day as eMail account would become invaded).

Previous ideas can in theory be possible with the OpenWRT router, but NOT with the TD-W8968N routers as they do not allow programming this kind of user scripts.

I thought that if I was able to customize 2 OpenWRT routers to do in the CITY and in the VILLAGE what current TP-Link router do to view the IP cameras , I could go beyond afterwards trying to get from the OpenWRT "special" capabilities that previously mentioned that TP-Link routers don't allow.

I thought replacing first the TP-Link router in the CITY would be easier than replacing the TP-Link router in the VILLAGE by their equivalent OpenWRT routers -> for this:

  • In the CITY OpenWRT router I would only have to get internet from the 3G USB dongle (achieved) and browse the cameras in the PC (NOT achived YET).

  • In the VILLAGE OpenWRT router I would have to install ddns to NO-IP , and do port forwarding to the 2 LAN cameras -> thought harder to do and not even tried (NOT even tried YET).

  • In

8

Good news. SOLVED.
Or better said "almost" SOLVED.

I have finally succeeded to see from the CITY (with OpenWRT router) the IP Cameras placed in the VILLAGE (still with original TP-Link TD-W8968 router).

As I explained I get the internet in the CITY and in the VILLAGE by 3G USB way.

  • TP-Link TP-Link TD-W8968 router in the VILLAGE gets the internet by a USB 3G Dongle
  • Comtrend OpenWRT Router with OpenWRT 19.07.3 in the CITY gets the internet by a USB 3G Dongle , but also (TODAY's text) by an USB Cable from Android phone by theteriing -> for this purpose I created in OpenWRT luCi a special interface that I called TWAN (from Thetering WAN).

To finally see the cameras I had to do the following just from luCi in 2 basic steps:

Step1 : luCi -> Network -> Firewall -> Zones, row (LAN -> WAN) -> Button "Edit"

(sorry not allowed this image as only 1 allowed for novices)

Step2 : In the new window "Firewall -> Zone Settings" -> Label "Covered Networks" ensure "TWAN" is checked to appear

STEP_2
STEP_21024×900 99.9 KB

Finally after pressing the Button "Save & Apply" -> I got into Internet Explorer and SUCCEDED watching cameras this way:
http://10.201.22.34:4441 -> browse camera 1 -> success
http://10.201.22.34:4442 -> browse camera 2 -> success

I posted another WAN here for security reasons, but using the true WAN got from my NO-IP control panel of the VILLAGE router -> finally browsing WORKS.

I said "almost SOLVED" because if instead of using the real WAN , I use the NO-IP domain , browsing is STILL refused
http://pueblecito.ddns.net:4441 -> no browse
http://pueblecito.ddns.net:4442 -> no browse

But I don't need 100% success and the WAN address method works , so enough for me for the CITY.

This means that now I finally can start the second hard job of trying to replace in the VILLAGE the second original TP-Link Router by the second Comtrend AR-5315u OpenWRT -> as already mentioned -> will need PORT FORWARDING and getting and installing the packages of DDNS to NO-IP.