Can Monocle gateway work from a 2nd house with appropriate firewall port(s) opened? [ANSWERED]



  • Background: I have cameras on my primary house and on a small vacation house. I have Monocle Gateway installed and running at my primary house. Rather than using local IP addresses for the rtsp feeds, I use a dyndns.org URL and I’ve opened the rtsp ports on my firewall. This lets Monocle gateway access both the rtsp feeds of cameras within the house (the router handles this just fine) and the vacation house (across the internet using the opened firewall ports). When using my Echo Spot, Show, & Show 5 within my primary house, all is great.

    I just brought an Echo Show 5 to my vacation house and tried to view the cameras. This time, it doesn’t work at all, presumably because the mproxy.io URL (e.g. c5b4w3q2-bv4f-4sdf9-dsf-28a852ecae54.mproxy.io) is returning a local IP (e.g. 192.168.1.6) on my primary home network which cannot be accessed from the vacation home.

    Is it possible to have Monocle Gateway specify a URL for an external IP address, such as another dyndns.org address, so that I could open yet another firewall port to allow the Echo Show 5 in one house to access the Monocle Gateway running in a second house?

    I do appreciate that Monocle Gateway has been designed to restrict access to only the internal/local network, which is the best default from a security perspective. However, can it be optionally configured to handle my use case, with an Echo Show 5 trying to access Monocle Gateway in another house?

    As a possible alternative, I don’t have a computer running 24x7 at my vacation house, though I could if necessary buy a Raspberry Pi. However, the issue is then I’d be trying to run two instances of Monocle Gateway, both connecting to the same account. Would that work, if it’s not possible to connect to the one Monocle Gateway in the other house?



  • There is a really effective way around this. Consider creating a VPN between the two homes. That way Alexa will think she is dealing with a single contiguous network and your voice commands will work.



  • That is a great idea, but would require me to buy a newer/better/more stable router at the vacation house which would be more expensive than a Raspberry Pi :=) I’d also need to change from using 192.168.1.x at both houses.

    In thinking through the complications of my idea, if the mproxy.io URL (today pointing to the local IP address) could be created as a CNAME DNS record to something I control (e.g. through dyndns.org or something similar), would the SSL connection still work from an Echo? If it does, great. If not, then my suggestion is much harder and perhaps not practical since the whole reason we need the gateway for the Echo Show 5 is because Amazon requires the SSL connection.



  • @carteriii

    Yes it can be made to work with some specialized configuration.

    In time we certainly plan on supporting multiple instances of Monocle Gateway running at separate locations to handle your exact use case. At least it’s in the roadmap … However … at the present time support for multiple gateways is not available. If more than one gateway is detected on your account, the last one connected wins and all requests are sent to it. (As a side note, multiple gateways are supported today to handle failover conditions at a single location.)

    I think you have the following options:

    Option 1: VPN Tunnel
    As @vmsman suggested, you can certainly run a VPN tunnel between your two local networks. Clearly this has the advantage of keeping things more secure and limiting the number of open ports you expose over the Internet. This is probably the best option – but is perhaps a bit more complex.

    Option 2: 2 Separate Monocle Accounts and 2 Separate Gateways
    This is probably the least attractive option, but you could create two separate Monocle accounts and configure each of your cameras under each account, then have a Monocle Gateway running at each location, each using a discrete account (token). This of course requires duplication of all configuration, which could get annoying. You would also have to use separate Amazon/Alexa accounts for each location to link to the separate Monocle accounts, so this really makes this solution ugly.

    Option 3: Expose Monocle Gateway over the Internet
    You could expose port 443 on your router to the Internet and point it internally to your single Monocle Gateway instance. Second, you would have to configure Monocle Gateway via a properties file to override the default detected IP address with the public IP address assigned by your ISP. See the configuration details here: https://monoclecam.com/monocle-gateway/custom-configuration

    Is it possible to have Monocle Gateway specify a URL for an external IP address, such as another dyndns.org address, so that I could open yet another firewall port to allow the Echo Show 5 in one house to access the Monocle Gateway running in a second house?

    Yes, in theory it should be possible to use a Dynamic DNS provider; however, it would also require you to obtain your own SSL certificate for your custom DNS hostname and to configure Monocle Gateway to use custom certificates. If this is a path that you would like to pursue, please let me know. We may have to make some changes to the Monocle Gateway to allow overriding the certificates.

    NOTE:
    When attempting to stream over the Internet, if you have any cameras using the @proxy tag, those may have to use @proxy-tcp instead to avoid UDP streaming and force them to use TCP streaming.

    Thanks, Robert



  • @carteriii

    Your cname suggestion is interesting. Basically when you ask Alexa for a camera stream, we provide her with the unique mproxy.io DNS hostname to resolve to your local Monocle Gateway instance (when the camera is tagged with either @proxy, @proxy-tcp, or @tunnel). So you would need the DNS to resolve to your local gateway instance in each location. If the IP address of the gateway were the same (fixed, static) in each location, then maybe you don’t need a cname at all? If the IP addresses were different, you would need each local network to resolve the DNS record to the correct IP for the local gateway instance. Well … you could even pull this off today if your router allows you to override a DNS entry. I know I can do this on my PFSense router. I can put in DNS override hosts and dictate what it will resolve to on each network.

    There is one caveat. The Monocle API server handles multiple gateway instances connected to your account with failover behavior, where one instance gets promoted and all others get demoted until needed. I think we could easily add some new configuration to allow for multiple concurrent gateway instances if this is something you want to pursue and help test out.


    ON SECOND THOUGHT

    On second thought … the DNS overrides and independent gateway instances still would not allow you to access the IP cameras behind each private network from the other. So I think the single gateway solution is still the best option. (#3 above)

    Thanks, Robert



  • @carteriii said in Can Monocle gateway work from a 2nd house with appropriate firewall port(s) opened?:

    In thinking through the complications of my idea, if the mproxy.io URL (today pointing to the local IP address) could be created as a CNAME DNS record to something I control (e.g. through dyndns.org or something similar), would the SSL connection still work from an Echo? If it does, great. If not, then my suggestion is much harder and perhaps not practical since the whole reason we need the gateway for the Echo Show 5 is because Amazon requires the SSL connection.

    I don’t think a CNAME will work unless the SSL certificate included it when it was generated as a secondary name.

    However, if you wanted to use your own SSL certificate, we could add provisions for you to simply use your own public DNS record and SSL certificates completely bypassing the *.mproxy.io domain. This might be useful if you are hosting the Monocle Gateway publicly on port 443 to point to your Dynamic DNS hostname to dynamically handle public IP address changes from your ISP. Otherwise, any public IP address change from your ISP would result in needing to manually re-configure the Monocle Gateway.
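The two failure modes discussed in this thread (the mproxy.io name resolving to a LAN-only address, and a CNAME to a name the certificate does not cover) can be checked with a small diagnostic. The script below is an added example, not Monocle’s code; the hostname, the 192.168.1.6 address and the SAN list are constructed sample values, and `live_check` only works with network access to a real gateway.

```python
import ipaddress
import socket
import ssl

# Constructed sample values (the thread's example hostname and LAN address).
SAMPLE_HOSTNAME = "c5b4w3q2-bv4f-4sdf9-dsf-28a852ecae54.mproxy.io"
SAMPLE_LOCAL_IP = "192.168.1.6"
SAMPLE_SANS = ["*.mproxy.io", "mproxy.io"]   # constructed SAN list, not the real certificate

def is_lan_only(ip):
    """True for private, link-local or loopback addresses: reachable only from that LAN."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_link_local or addr.is_loopback

def san_matches(hostname, sans):
    """RFC 6125-style check: exact SAN match, or a single leading wildcard label
    that covers exactly one label of the requested hostname."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                       # e.g. ".mproxy.io"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
    return False

def diagnose(hostname, resolved_ip, sans):
    """Why an Echo outside the gateway's LAN can or cannot use this stream URL."""
    if not san_matches(hostname, sans):
        return "tls-name-mismatch"   # client validates the name it asked for against the cert
    if is_lan_only(resolved_ip):
        return "lan-only-address"    # fine at home, unreachable from the other house
    return "reachable"

def live_check(hostname, port=443, timeout=5.0):
    """Resolve, handshake with hostname verification, and classify; None if offline."""
    try:
        ip = socket.gethostbyname(hostname)
        ctx = ssl.create_default_context()
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                sans = [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
        return diagnose(hostname, ip, sans)
    except ssl.SSLCertVerificationError:
        return "tls-name-mismatch"
    except (OSError, ssl.SSLError):
        return None
```

Run `live_check` from the vacation house network against the mproxy.io name to see whether the stream URL fails on the address or on the certificate name.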

