Can Monocle gateway work from a 2nd house with appropriate firewall port(s) opened? [ANSWERED]
-
Your
cname
suggestion is interesting. Basically when you ask Alexa for a camera stream, we provide her with the unique mproxy.io DNS hostname to resolve to your local Monocle Gateway instance (when the camera is tagged with either@proxy
,@proxy-tcp
, or@tunnel
). So you would need the DNS to resolve to your local gateway instance in each location. If the IP address of the gateway were the same (fixed, static) in each location, then maybe you don’t need acname
at all? If the IP addresses were different, you would need each local network to resolve the DNS record to the correct IP for the local gateway instance. Well … you could even pull this off today if your router allows you to override a DNS entry. I know I can do this on my PFSense router. I can put in DNS override hosts and dictate what it will resolve to on each network.There is one caveat. The Monocle API server handles multiple gateway instances connected to your account with failover behavior where one instance gets promoted and all other get demoted until needed. I think we could easily add some new configuration to allow for multiple concurrent gateway instances if this is something you want to pursue and help test out.
ON SECOND THOUGHT
On second thought … the DNS overrides and independent gateway instances still would not allow you to access the IP cameras behind each private network from the other. So I think the single gateway solution is still the best option. (#3 above)
Thanks, Robert
-
@carteriii said in Can Monocle gateway work from a 2nd house with appropriate firewall port(s) opened?:
In thinking through the complications of my idea, if the myproxy.io URL (today to the local IP address) could be created as a cname dns record to something I control (e.g. through dyndns.org or something similar), would the SSL connection still work from an Echo? If it does, great. If not, then my suggestion is much harder and perhaps not practical since the whole reason we need gateway for the Echo Show 5 is because Amazon requires the SSL connection.
I don’t think a
CNAME
will work unless the SSL certificate included it when it was generated as a secondary name.However, if you wanted to use your own SSL certificate, we could add provisions for you to simply use your own public DNS record and SSL certificates completely bypassing the
*.mproxy.io
domain. This might be useful if you are hosting the Monocle Gateway publicly on port 443 to point to your Dynamic DNS hostname to dynamically handle public IP address changes from your ISP. Otherwise, any public IP address change from your ISP would result in needing to manually re-configure the Monocle Gateway. -
I’m not sure if any changes have been made to Monocle since the previous post, but I did have this working a short while back. My setup is 3 properties all using the same Amazon account, with various Amazon tech and cameras at each. A unique RTSP port is configured on each camera and ALL routers forwarding ALL these ports internally and dynamic DNS being used to accommodate any changes in external ip. This allows me to move cameras between properties without changing any configuration. However I was able to ask Alexa to show me a Hikvision feed on an Echo Show 10 at each location regardless of where the source camera was. I have since implemented the gateway on a RasberryPi at one property to allow tech such as a FireTV 4K Cube to work. With this setup I can still view all cameras from this device, but I suspect now not from Amazon devices in the other properties. I’ve not yet had cause to try it, but came across this post thinking I might need to forward 443 in some way or setup some sort of static routing or use a VPN, but the later requires equipment at each property that I don’t have, in fact there is nothing except routers at the remote properties, so I was hoping some sort of routing and port forwarding could be used. However the point to note is that full flexibility was possible when not using the gateway.
-
On thought is that perhaps I could setup two different feeds in monocle for each camera, one using the gateway and one not. Then in properties that don’t have the gateway, only use Amazon tech that does not require it, and only ask them to display the non-gateway feeds.
-
@VBasys said in Can Monocle gateway work from a 2nd house with appropriate firewall port(s) opened? [ANSWERED]:
On thought is that perhaps I could setup two different feeds in monocle for each camera, one using the gateway and one not. Then in properties that don’t have the gateway, only use Amazon tech that does not require it, and only ask them to display the non-gateway feeds.
Yes, this should work fine. Except you would only be able to access the cameras behind the Monocle Gateway at that location unless you either exposed port 443 to the Internet or had a VPN connection between the properties. If you expose port 443, then you would also need to make some tweaks to the Monocle Gateway properties file to use your public IP address or a public DNS.
Another option would be to setup your Monocle Gateway on a public server such as Linode/Amazon EC2 and have each of the camera’s publicly accessible to this gateway.
If you are deeply interested in finding a solution, in the new year we could experiment with trying to create some concept of multi-location awareness that supported multiple running gateway instances. Or perhaps some inter-gateway bridging/proxy where gateway instances could proxy the camera connection to other gateway instances.
Thanks, Robert
-
@Monocle Many thanks for the response Robert I will certainly have a play with exposing 443 and tweaking the Monocle Gateway properties file to use my public public DNS. I was hoping something exactly like this might be possible. I did think of running the gateway on Amazon EC2 to have each of the camera’s publicly accessible, but got bogged down with all the various features and costings, so thought I would try the port 443 tweak first. However I’ve been looking for an excuse to get into AWS for a while, so may well give that a go later. Amazon do seem to offer a basic signup with various features permanently free and others free for the first year if under certain usage limits, but I couldn’t quite work out if running monocle would be free, cheap or expensive. I am hoping free because I assume there is only a small amount of traffic through the gateway at the start of each request with nothing through the gateway there after. I did wonder if this might even allow yourself to develop some sort of globally shared gateway with little to no running costs but I’m guessing you would have already done that if possible. Anyway I’ll have a play with 443 and report back in due course.
-
I agree on trying to test it out locally before moving to the cloud (if possible).
You could certainly use the Amazon AWS EC2 instances eligible for the free tier (1 year). The Monocle Gateway does not need much in terms of processing power or memory. The network usage would mostly be limited to the active streams when you are viewing them via Alexa. If you decide to go the AWS route, after your free period expires you can use the option to pay for a reserved instance and pay for it all up front (1yr or 3 yr) to save a significant amount over the on-demand instance pricing.
https://aws.amazon.com/ec2/pricing/reserved-instances/pricing/
For example a T3-micro instance can cost as little as $103 for 3 years. A T3-nano is only $51 for three years. I suspect the nano instance would be sufficient but you may just have to try it out to see. The newer T4G series instances are even cheaper.
Thanks, Robert
-
Hi Robert, after much experimentation I am pleased to report that tweaking port 443 actually seems to be working perfectly.
With only a single gateway instance running at one property, I am able to display streams from any Hikvision cameras on any of my Amazon devices, regardless of where the cameras or Amazon devices are located.
As we had hoped, all one needs to do is set the rtsp.register.host entry in the monocle.properties file to ones external IP address and setup a port forward on your router of 443 to the device you are running the gateway on.
Initially I made the mistake of providing a dynamic domain name instead of my external ip, run the gateway and found my local amazon devices worked, and saw (what I thought) was the correct address being resolved in the various debug/traces, which tricked me into thinking it had been accepted. However after travelling around I still found that none of the remote amazon devices worked with gateway streams. So I then played around in the dark a bit and opened a few extra ports that I could see being used, which of course had no effect, but by further studying the traces I gained a better understanding of what was going on and realised I was rather stupidly providing my own dynamic domain as the IP address for the proxy dynamic domain, and the reason why everything still worked locally and looked good in the traces was simply because my domain was being ignored and the last valid setting was still being used. So I then thought well that rtsp.register.fqdn seems appropriately named, maybe that’s exactly what I’m looking for, so I set it to my dynamic domain, but the gateway wouldn’t even initialise properly. So eventually I just used my external IP address for the host value, and everything suddenly worked like a dream.
Of course I will have to keep updating that address as and when my ISP assigns me a different one, but to be honest that’s not very often, and I can always get a fixed IP again (had one for years but dumped it a while back) or I could write a little script to run in the background to update the properties file and restart the gateway as and when necessary. However I wonder if this might not be a very useful gateway feature, and I’m even still thinking the fqdn setting is exactly this, after all it seems to replace the unique.mproxy.io domain which resolves to the same address, but like I said I couldn’t get this to work at all. So if the fdqn setting is indeed for for something else, then perhaps in the future, you could allow us to specify our own dynamic domain for the gateway to use, or at least have the gateway monitor it and update the host value as and when the domains ip changes.
One really useful trick to note, it was a pain to keep travelling between remote properties to test every little change out, until I realised all I needed to do was create a few routines in Alexa to display the various cameras on the various remote devices, then sit back and watch the gateway trace as each routine was run. On that point someone here asked if they could get a stream up on a device without asking Alexa to do it, well you can to a point, by creating routines to mimic what you would say to each device, then running them manually via the app (If I find that post I’ll pop a response up accordingly).
-
For anyone using the gateway that wants to view any camera from any device at any location, this is the setup that works for me…
I use one Amazon account across all properties.
I use a unique dynamic domain name for each camera, note that www.noip.com are the only ddns service I can get working on Hikvision cameras.
On each router (at each property) I configure every camera with a unique fixed internal IP address, say 5 cameras at 101, 102, 103, 104, 105.
On each router (at each property) I forward a dedicated RTSP port for every camera, for example 5441 to port 544 of camera 101, 5442 to port 554 of camera 102, and so on.
In a similar way you may also want to open up some dedicated camera management ports and also restrict this access to certain ip addresses.
I do all the above to allow me to move cameras between properties without changing configuration. If you are not going to move your cameras then you only need to configure the ports on each router for the cameras that are always connected to them.
On each camera I created a special user account with view only permissions for use by Monocle.
In Monocle I created the cameras with their respective RTSP feed urls, for example rtsp://camera1.ddns.net:5441/Streaming/Channels/102.
In the above URL camera1.ddns.net is the dynamic domain, 5441 is the dedicated RTSP port reserved for this camera, 102 specifies the cameras second stream. I use first, second or even third streams on the various cameras, with various resolutions, depending upon the processing power of each camera and the broadband speed at each location. I would suggest you start with 640x360 if available because it’s a nice low resolution with 16x19 ratio that works well on all Amazon devices, then up the resolution later when you have everything working reliably. I would also suggest you disable any sound as well to start with as this can cause issues. Note that on the latest Hikvision cameras with three streams, you don’t have much choice of resolution on the second stream, they limit you to just a few low resolutions, but the third stream is not limited so you can choose say 1080p on that while keeping the main stream at max for other uses. I have a projector with Fire TV Cube so like to keep the streams high for the big screen. However you could always setup a camera in Monocle for each stream and just ask Alexa to show you whichever works best on that particular device.
Once the cameras are configured in monocle don’t forget to add them using the Alexa app.
At this stage, depending upon what Amazon devices and cameras you have, all might work for you. It did for me to a certain extent, some cameras worked fine on some devices, for example I could view them on an Echo Show 10 located at any address, but I certainly could not view any camera on a Fire TV 4K Stick or a Fire TV 4K Cube because these device require the Monocle Gateway.
Initially I installed the gateway upon an Apple iMac but could not get it to work, probably because there are other programs using port 443. However I had a RasberryPi not being used anymore so decided to install the gateway on that instead, which is a much better solution anyway because it can be dedicated to running the gateway (no port conflicts) and run 24x7x365 without sleeping. This turned out to be very easy, I simply followed the Monocle guide and had it up and running in a couple of minutes, so I would reccomend this route.
Next add your @tunnel tags to the camera configurations in Monocle to make them use the gateway.
Now if you only ever want to view camera feeds on Amazon devices located within the same network as the gateway then you’re done.
But if you want to view any camera from any device at any location, then you need to forward port 443 on the gateway’s router to the device that is running the gateway.
Then follow the Monocle guide on a custom configuration and edit the monocle.properties file to set “rtsp.register.host” to your external IP address (don’t forget to remove the # comment identifier at the beginning of the line).
Stop the gateway and restart it to register the change.
You may need to wait a little while to allow this change to propogate across the domain name system. On a RasberryPi you can check this by using the host command to check your unique fully qualified domain has updated. First find your unique fully qualified domain by using “sudo monocle-gateway —tail” to examine the gateways output. You will see an entry under “MONOCLE RTSP SERVICE - INITIALISED” looking something like “FQDN = 6f5eb25a-82e1-3c8f-9a14-bcf1291bdbf2.mproxy.io”. You will also see a HOST entry with your updated address, this should be what you set in the file, but it might not yet have propagated fully. So to be absolutely sure, copy the domain name and exit the trace with Control+C, then type “host “ and paste the domain name just copied. For example “host 6f5eb25a-82e1-3c8f-9a14-bcf1291bdbf2.mproxy.io”. The output from this command should be your external IP address. If not wait until it is.
Once done you should be able to view any camera sited at any location from any device at any location.
If your external ip address changes, then you have to update the monocle.properties file accordingly and restart the gateway. There may be a better way to do this now or maybe in the future but I will let Robert come in on that.
-
With regard to being able to specify ones own dynamic domain, I am not an expert on these things but having read through these posts again, I am wondering if we could alleviate any requirement for a certificate by simply getting the gateway to monitor such a domain and change the host address accordingly?
-
With regard to forwarding port 443 to the gateway running on a raspberrypi I forgot to mention the importance of configuring both your root and user accounts properly with strong passwords and suggest you use something like a managed switch to isolate the gateway device from other more important equipment.
-
A couple of other points worth a mention…
When forwarding an RTSP feed on your router choose the TCP protocol (not both TCP and UDP).
When changing the resolution of a camera you not only need to update the monocle configuration but you also need to delete and re-add the camera in Alexa.