Foscam R2 with Lenovo Smart Tab [SOLVED]
-
Demo Proxy (Showed splash page, connecting to Demo Proxy, 5 seconds later, “Camera Doesn’t Support That”)
Note, i performed the two full times in the capture because i was in the other room the first time so i wanted to be sure to capture the behavior
From Firewall (USG)
https://1drv.ms/u/s!AsWlCkfB-HIupU0PijjS-dPLjdT2?e=9goaH9From Access Point (UAP)
https://1drv.ms/u/s!AsWlCkfB-HIupU45oMRbeFJetz7t?e=5MMG4UI do see the UDP port errors but i will take a closer look at the captures as it looks to have significantly more information than the previous console dumps.
Thanks again
-
So in my analysis (its been a while since my CCNA has expired) comparing Demo Direct to Demo Proxy on the Access Point Capture:
We see the handshake process appears to succeed in both demo proxy and demo direct however we see the previously noted UDP port unreachable error shortly after. The Direct one starts flowing video UDP frames where the proxy appears to get disconnected from the amazon server which appears to be proxying or tunneling everything.
No direct connections anywhere. Very interesting.
-
@skarragallagher said in Foscam R2 with Lenovo Smart Tab:
Yes, that’s what I was starting to think as well. The Demo Direct stream is hosted on an Amazon EC2 server, but not using the IP address or EC2 hostname that you are getting in the capture log. Also, I’m certain that we are not exposing any UDP ports from this demo server, only TCP ports 443 and 554.
So it “feels” like some middleware is connecting to the stream and then re-proxying the stream via UDP to your Alexa tablet. That seems far fetched to me, but would explain what we are seeing.
In that light … as a test, you could try exposing your Monocle Gateway instance publicly over the Internet and then we can see if the tablet can then establish a connection to your gateway instance and access the camera streams. To do this you would need to be able to expose port 443 on your Internet gateway/router and point it internally to the gateway instance. Additionally, you would need to configure the Monocle Gateway with your custom public IP address instead of the auto-detected private/internal IP of the gateway server. Please see: https://monoclecam.com/monocle-gateway/custom-configuration#override-auto-detected-ip-address
On restarting the gateway, it should display a config like this:
------------------------------------------------- MONOCLE RTSP SERVICE - INITIALIZED ------------------------------------------------- FQDN = 46224620-b4e1-424d-abce-1ddb866d01f8.mproxy.io HOST = X.X.X.X (YOUR PUBLIC IP ADDRESS) PORT = 443 -------------------------------------------------And if you attempt to resolve
46224620-b4e1-424d-abce-1ddb866d01f8.mproxy.ioit should resolve (DNS) to your public IP. Please note that it may take an hour or so for the DNS IP change to fully propagate.
As for your offer to send along a Lenovo Smart Tab, I appreciate the offer but would certainly prefer if we can figure this out without all that hassle. So lets hold off on that and see if we can learn a bit more about what’s really going on with this EC2 server and UDP packets.
Thanks, Robert
-
@Monocle
Thanks Robert,
I have a dynamic IP address assigned to my public interface. I use a Dynamic DNS provider. Can I use a namespace instead of the public address since it will change when DHCP refreshes? -
I opened up a port forwarding rule for port 443
Edited the config and adjusted the host with my current public IP****************************************************************** * __ __ ___ _ _ ___ ___ _ ___ * * | \/ |/ _ \| \| |/ _ \ / __| | | __| * * | |\/| | (_) | .` | (_) | (__| |__| _| * * |_| |_|\___/|_|\_|\___/ \___|____|___| * * * ****************************************************************** ------------------------------------------------- MONOCLE RUNTIME ENVIRONMENT ------------------------------------------------- VERSION = 0.0.4-3 OS/ARCH = win32\x64 PROCESS = monocle-gateway (PID=31116) TIMESTAMP = 2020-01-24T18:33:24.579Z ------------------------------------------------- MONOCLE GATEWAY SERVICE (Version: 0.0.4-3) ------------------------------------------------- [Monocle Starting] [Monocle Connecting] [Monocle Started] [RTSP Server Starting] [RTSP Server Listening] 0.0.0.0:8555 (RTSP) [RTSP Server Listening] 0.0.0.0:443 (RTSP-TLS) [RTSP Proxy Started] (PID=34472) [RTSP Server Listening] 0.0.0.0:8554 (PROXY) [RTSP Server Started] [Monocle Connected] [RTSP Server Registered] ------------------------------------------------- MONOCLE RTSP SERVICE - INITIALIZED ------------------------------------------------- FQDN = 46224620-b4e1-424d-abce-1ddb866d01f8.mproxy.io HOST = 108.231.61.93 PORT = 443 -------------------------------------------------DNS is showing correct for internal and external
C:\>nslookup 46224620-b4e1-424d-abce-1ddb866d01f8.mproxy.io Server: ubnt Address: 192.168.1.1 Name: 46224620-b4e1-424d-abce-1ddb866d01f8.mproxy.io Address: 108.231.61.93 C:\>nslookup 46224620-b4e1-424d-abce-1ddb866d01f8.mproxy.io 8.8.8.8 Server: dns.google Address: 8.8.8.8 Non-authoritative answer: Name: 46224620-b4e1-424d-abce-1ddb866d01f8.mproxy.io Address: 108.231.61.93I will wait a couple hours to make sure DNS propagates before testing. I will produce some pcap files as well from the access point
-
Boooom! we have Demo Proxy working
-
WOW. Just WOW. I can’t believe they are proxying the stream like this. This is not the case for any other Alexa devices that we have worked with. This of course adds latency and is potentially very undesirable from a security standpoint as your audio and video data is getting passed through some server. The packets are encrypted, but still.
Is it working now for your real Foscam camera stream? Make sure to use
@tunneland the camera has “Foscam” listed as the manufacturer in the Monocle web portal.I have a dynamic IP address assigned to my public interface. I use a Dynamic DNS provider. Can I use a namespace instead of the public address since it will change when DHCP refreshes?
Not without some changes – but it should be possible. The Alexa system will only connect to DNS hostnames with valid SSL certificates. Do you want to setup a real SSL certificate for your domain? Apart from acquiring the SSL certificate, we would also need to provide some configuration method to allow your to include your own certificate and private key to the Monocle gateway on startup.
Thanks, Robert
-
Very interesting indeed and ironically different than any other alexa device is even more boggling.
thank you for working with me on this, i really appreciate it.
I think a simpler solution would be to configure my IP with a static. I think direction i would go with this. I keep getting these nagging monthly mails to update my DNS record etc… so it would do away with that.
I expect more of these devices like this to come out though. Would be nice to see continued development on this. At least we have a workaround at this point.
-
Yes btw the foscam works!!!
-
Glad to hear the Foscam is working.
If we are going to leave port 443 open to the Internet it would be prudent for us to add some form of authentication to the monocle service to prevent unauthorized access. The current exposure is pretty limited but security by obscurity is really not a good solution. At the moment any consumer would need to know the unique STREAM ID and SESSION ID to be able to get access to any camera streams but a proper authentication mechanism would be better.
Thanks, Robert
-
Yes i agree. I will work on adding the Static IP address to my internet plan. I am assuming that auth would be handled on the gateway which would mean the a new version would need to be developed by you?
If i can assist in any way by testing or whatever you need, i happy to do so. I really appreciate the help in getting this to work.
Many Thanks!
Ryan -
Yes we will need to add support for this in the software … let me look into this next week and maybe we can get a copy out to test with .
Thanks, Robert
-
Thanks, i have most of cameras working now. My doorbird is not working and then a few combined views from BlueIris but i haven’t spent time investigating.
I created a couple other support threads in the lenovo forums
https://forums.lenovo.com/t5/Lenovo-Smart-Tablets-with-Amazon/Lenovo-smart-tab-m10-Camera-Streaming/m-p/4633642/highlight/falseWe will see if the can escalate this and resolve this as well although we have a workaround.
No rush, but once you have a version you would like to test let me know here and i will give it a go.
-
Just a small update … we have added support for a configuration property to automatically detect your public IP address instead of you having to manually define it.
Please see: https://forum.monoclecam.com/topic/485/access-cameras-from-2nd-site-solved/10Plan on looking into the authentication improvement this week.
Thanks, Robert
-
Thank you for tagging me here. I implemented this and it seems to be working with that new function.
Looking forward to testing whenever you are ready. Thanks for following up
-
Im not seeing a way to get the log file. I saw the article on this but the logfile is not created
-
Well … its should be creating a log file (
monocle-gateway.log) adjacent to (in the same folder as) themonocle-gateway.exewhen running on a Windows machine. That is if you are running it as a service. If you are just launching the executable directly, then there is no log file but the same contents should be printed on screen while the executable is running in a command shell.Thanks, Robert
-
-
Well, that is confusing :-)
I wonder if it’s getting written to a working directory instead. Can you do a search for “monocle-gateway.log” and see if its getting written somewhere else?
It’s possible it’s not getting written anywhere, but that is a function of the “nssm.exe” utility that turns this monocle-gatesway.exe into a service.PS, working on gateway authentication and security today.
Thanks, Robert
-
I will do a search, i was thinking it was being written somewhere else.
