Possible routing issue

moonDust1
Newbie

My parents had switched from Spectrum to Fios. Now their IP cameras cannot be accessed. I have the same IP cameras at my home. Only when I try to access my cameras on Fios, they do not work. I can access my cameras on any other network, including mobile.

The cameras can only be accessed using the mobile app "mi Home". I installed "BlueStack" to emulate the app on my PC and used "GlassWire" to find all China hosts on my network. Then I used "PingPlotter" to trace the route for the IPs on my parents' network. I found one route that seems broken; it's to "ThroughTek": "114.67.98.218", "cn-c-master-tutk.kalay.net.cn"

I do not fully understand this, and I'm hoping someone with a greater understanding could help me out. I have spoken with various Verizon techs, some helpful, but with limited success. I saw in a different forum, some things hosted in China have issues?

I attached images. Thanks

https://imgur.com/F7aXwC3

https://imgur.com/WyZnHZh

https://imgur.com/usuo8as

Cang_Household
Community Leader

First of all, having devices that rely on resources hosted in a different country is just insecure. I believe the cameras use UPnP to contact the gateway server, then the App contacts the gateway server to slipstream the socket opened on your NAT. Slipstreaming on the NAT opens up the gate for hacking and attacks.

Also, this may not be a routing issue but a carrier grade firewall that blocks mal-intent IPs to protect the consumers. If your cameras can be accessed locally, I recommend you block the cameras from WAN access; if you need to access the cameras when away, VPN to your home network. Of course, this requires the setup of a VPN server on your network.

moonDust1
Newbie

Yeah, having devices hosted in another country is not the best. The cameras aren't mission-critical, just used for seeing if packages have been delivered and if a cat/dog is in the yard, but would still like to get them to work.

Would using something like "tunnel bear" VPN service on the PC and traceroute be a valid way of testing to see if using a VPN is the solution?

Would you also be able to take a look at the images in my first post? They finally uploaded. In one of the images, it doesn't make it past the router. What does that mean?

Cang_Household
Community Leader

Tunnel Bear is a third-party VPN vendor. Tunnel Bear extends their network to you, which has nothing to do with extending your local network remotely. To allow a remote device to be on your local network, you need to host your own VPN server at home.

I had seen your images. Your images need to be approved by the moderators first before other users can see them. The result you are seeing has to do with your traceroute utility. VZ network blocks ICMP traceroute, so you need to use UDP traceroute instead. UDP traceroute is a built-in feature of Linux OS.

moonDust1
Newbie

The cameras can only be accessed through the app. They use "ThroughTek's" p2p encryption? I am not really concerned about security at the moment, would using a VPN of any sort be able to circumvent a carrier grade firewall? "open vpn"?

The images are UDP traceroutes; two of the images are on Fios. The first image is showing the hops from the router to the final destination for another IP that the camera app also uses. The second one is showing the IP in question that stops after the router. The third image shows the same IP in question but on the Spectrum network. Could you test the IP "114.67.98.218", "cn-c-master-tutk.kalay.net.cn"?

Cang_Household
Community Leader

You could use a third party VPN to bypass the carrier grade firewall, but I am not sure you want to spend the money to be less secure.

I doubt any smart cameras would not include an option for local viewing. I don't see the logic of not creating a platform for local viewing, unless the provider's first priority is making sure they can spy on your home rather than making customers able to monitor their homes.

The pinging on my end shows the IP is accessible above VZ's layer 3 network as well as other major NYM interconnect/peering. When the ping passes through China Telecom, the traceroute does not respond anymore, which is highly suspicious.

moonDust1
Newbie

I did try using tunnel bear on a PC and tracing the route to the IP and it did work. I'm guessing getting on another call with a Verizon tech wouldn't really help. I might try and figure out how to get the camera to use a VPN. Thank you for all your help.

smith6612
Community Leader

From what I can tell, the whole subnet is not routing. https://bgp.he.net/net/114.67.64.0/18 . Perhaps Verizon's network is not liking the IRR issue that exists with China Unicom's announcement for that subnet. You can see evidence that is a problem with Verizon's Enterprise backbone too, AS701, by using the looking glass: https://enterprise.verizon.com/why-verizon/looking-glass/ . If you submit 114.67.64.0/18 in a BGP Query, nothing returns back meaning Verizon's network doesn't know how to route to it.

I would personally DM Verizon on social media and stress that this is a routing issue someone on their network team needs to look at. Mention the resource on the other end is being used for security cameras.
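
The following is an added example, not part of any post in this thread. It illustrates the "nothing returns back" check described above as a longest-prefix-match lookup, and shows why a trace can leave the home router (which has a default route) and still die upstream in a default-free table. The three routing tables and the hop names are constructed; only the destination IP and the 114.67.64.0/18 prefix come from the thread.

```python
import ipaddress

DEST = "114.67.98.218"  # camera relay address quoted in the thread

# Constructed sample tables; only 114.67.64.0/18 is taken from the thread.
HOME_ROUTER = ["192.168.1.0/24", "0.0.0.0/0"]            # LAN plus default route
BACKBONE_WITH_ROUTE = ["114.67.64.0/18", "198.51.100.0/24"]
BACKBONE_WITHOUT_ROUTE = ["198.51.100.0/24", "203.0.113.0/24"]  # default-free


def longest_match(dest, prefixes):
    """Return the most specific prefix covering dest, or None if no route."""
    addr = ipaddress.ip_address(dest)
    covering = [n for n in map(ipaddress.ip_network, prefixes) if addr in n]
    return max(covering, key=lambda n: n.prefixlen, default=None)


def trace(dest, hops):
    """Walk (name, table) hops in order and report where forwarding stops."""
    for name, table in hops:
        if longest_match(dest, table) is None:
            return f"dropped at {name}: no covering prefix"
    return "forwarded by every hop"


if __name__ == "__main__":
    # The home router always forwards because 0.0.0.0/0 matches everything.
    print("home router match:", longest_match(DEST, HOME_ROUTER))

    # A backbone that carries the /18 forwards the packet onward.
    print(trace(DEST, [("home router", HOME_ROUTER),
                       ("backbone", BACKBONE_WITH_ROUTE)]))

    # A default-free backbone without the /18 has nowhere to send it,
    # so the trace shows the first hop and then nothing.
    print(trace(DEST, [("home router", HOME_ROUTER),
                       ("backbone", BACKBONE_WITHOUT_ROUTE)]))
```

A missing prefix and a filtering firewall look the same from the customer side of a traceroute; the looking-glass query is what distinguishes them, because it reads the provider's table directly.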