Remote access to a DVR on my local network

I recently ordered and installed a Tablo Quad Digital Video Recorder (DVR). My daughter wants me to activate the Tablo Connect Remote Access feature that allows users to view the videos remotely.

To get the feature working I need to poke two holes in the firewall for the two ports that need to be forwarded to the Tablo device. And I am a bit worried about this.

This is the info from the Tablo instructions:

  • Tablo’s private IP address: 192.168.0.25
  • Public Port 21010 > Private Port 80
  • Public Port 21011 > Private Port 8887

This is what I set up as an IPFire Firewall Rule for one port (port 21010 to 80):


With another rule for the second port (port 21011 to 8887).

So my questions are:

  • Is there a better (safer?) way to accomplish the same thing?
    • like adding her MAC address as the Firewall Source address?
    • or adding a GeoIP for the US?
    • (Neither of which sounds all that safe…)

For reference - here are the Tablo instructions:
Tablo Connect and Port Forwarding

EDIT: added firewall rules image

You can access it via VPN, creating an OpenVPN roadwarrior account. But you have to enable it before firing up the app. Most people don’t like that, but if the remote part of the connection is a network, not a device, maybe you can route a VPN to connect both networks without exposing your device.
You can put the DVR into the Orange segment. Same level of security for the DVR, but if it gets compromised you won’t have the same compromise of the GREEN network. This will lead to extra work for firewall rules between green and orange but… a few tests should ease the issue.
Adding the MAC address as the firewall source address won’t work unless it’s physically connected; via the internet the MAC address is not transported.
Adding GeoIP as source will help to reduce the footprint of the number of addresses that can try to connect.

Anyway: it’s just a tool for recording TV, not a surveillance device. I cannot make you feel safe, but I think that it’s not the most critical thing in the green network.


I am having the same issue with a Tablo device and I don’t believe the firewall rules are working to allow the ports to be visible from the Red Network. After I activated the firewall rule I went to Hidemy.name (previously incloak.com) to verify the port was visible on the internet but it stated the ports were filtered. I nmap scanned for frequently used ports and all were filtered. I tried several different ways to forward the port but none worked. I also tried to use an OpenVPN port (1194). It too said the port was filtered.
After removing the IPFire box between my router and cable modem those ports worked and were showing open on hidemy.name.

I’m currently attempting to try another firewall package, Sophos UTM, to see if I get a better result.

The port 21122 (and port 21123) should not be the Source port. It should be the External port (NAT). See my image above.
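
The source-port versus external-port distinction in the reply above, and the effect of a source restriction such as GeoIP, shown as an added example that is not part of the thread and not IPFire's own code. It is a simplified model of port-forward matching: the class and field names are hypothetical, the ports and private address are the ones from the Tablo instructions, and the client addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:          # inbound TCP SYN arriving on the RED (internet) side
    src_ip: str
    src_port: int      # picked by the client OS from its ephemeral range
    dst_port: int      # the public port the client dials

@dataclass(frozen=True)
class ForwardRule:     # hypothetical model of one port-forward rule
    to_ip: str
    to_port: int
    external_port: Optional[int] = None      # match on the public (destination) port
    source_port: Optional[int] = None        # match on the client's source port
    allowed_sources: tuple = ("0.0.0.0/0",)  # stand-in for a GeoIP/source limit

    def matches(self, p: Packet) -> bool:
        if self.external_port is not None and p.dst_port != self.external_port:
            return False
        if self.source_port is not None and p.src_port != self.source_port:
            return False
        return any(ip_address(p.src_ip) in ip_network(n) for n in self.allowed_sources)

def route(p: Packet, rules):
    """Return (private_ip, private_port) after DNAT, or None if dropped."""
    for r in rules:
        if r.matches(p):
            return (r.to_ip, r.to_port)
    return None  # default drop: an outside port checker reports "filtered"

TABLO = "192.168.0.25"  # private address from the Tablo instructions
# Port typed into the Source port field: matches only clients connecting FROM it.
MISCONFIGURED = [ForwardRule(TABLO, 80, source_port=21010),
                 ForwardRule(TABLO, 8887, source_port=21011)]
# Port entered as the External port (NAT): matches what the client dials.
CORRECT = [ForwardRule(TABLO, 80, external_port=21010),
           ForwardRule(TABLO, 8887, external_port=21011)]
# Same forward, narrowed to one constructed source range.
RESTRICTED = [ForwardRule(TABLO, 80, external_port=21010,
                          allowed_sources=("203.0.113.0/24",))]

viewer = Packet("203.0.113.7", 51544, 21010)   # constructed remote viewer
other = Packet("198.51.100.9", 40212, 21010)   # constructed unrelated host

if __name__ == "__main__":
    for rules in (MISCONFIGURED, CORRECT, RESTRICTED):
        print(route(viewer, rules), route(other, rules))
```

With the port in the source field, neither client is forwarded, which is consistent with a port checker reporting "filtered"; the source restriction keeps the forward working for the viewer's range while dropping everyone else.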