The simplest way to explain this is as follows. Your external IP address is the address that reaches your router from outside your house. That address is provided by your ISP (Internet Service Provider). It can be a dynamic address or a static address depending on the service you have agreed to with your ISP. If your address is dynamic, it can change at any time. A DDNS service like that provided for your cameras reports your WAN (external) IP address to that DDNS service. When you go to viewnetcam.com it knows what your WAN IP address and can use that to reach your router.

The internal mechanism you set up with static IPs and port forwarding is a way to route the communications from your WAN IP to specific internal devices. Those internal IPs (on your local network) have to be static in order for port forwarding rules to work. Since you only have one external IP address to reach you house from the internet, ports are used to determine how to route communications.

Let’s say that your WAN address is 217.96.111.45 and you have a camera on your local address of 192.168.0.212. If you want to reach that camera from the Internet there needs to be a rule to route traffic coming in on 217.96.111.45 to your local camera at 192.168.0.212. Port forwarding rules can route any external port to any single internal IP at the same or a different port.

The common way to express a port is with a colon following the IP address. With the proper rules in your router you could forward an external address of say 217.96.111.45:8080 to the internal HTTP port of your camera which would be 192.168.0.212:80. Now add into the mix another camera at 192.168.0.213:80 you set up a forwarding rule for another external port say 217.96.111.45:8081. That rule would allow you to access your second camera by using your same WAN IP with a different port number. Port 8080 would route you to camera 1 and 8081 would route to camera 2.

HomeSeer uses two different ports. By default the web browser answers on the standard HTTP port of 80 and HSTouch answers on the same IP address at port 10200. If you use the MyHS service, it takes care of a lot of the routing work without your intervention. If you chose to handle it yourself, you would set up two additional port forwarding rules – one for browser access and the other for HSTouch. The security is only provided by the HomeSeer user passwords you have set up. Since all of this (including your cameras) is taking place over a non-secure HTTP connection you have some vulnerability to external interception of communications to your network.

The MyHS service provides an additional layer of security. A lot of us set up a VPN (Virtual Private Network), so that we can enjoy reasonable security without counting on any cloud based providers.

So the short answer is you have several choices. With regard to a static IP, that falls into two categories, assigning static IP addresses to devices on your internal network, which is required if you use router based port forwarding. The other choice is your WAN IP which can be static or dynamic. If it is dynamic, a DDNS gives you the ability to find your home external address through a domain name, without needing to know the current IP address. Port forwarding will work with a DDNS service just like it will work with a static IP, you just add the port number to the domain name and your forwarding rules take care of routing information to the correct device on your home network.

Your camera access provided by viewnetcam.com probably does some manipulation behind the scenes taking care of port numbers relative to camera names, but always sending communications to your single WAN IP.

This may be clear as mud, but it might narrow the scope of future questions.

Hi Rande, thanks for the detailed response... I followed most of it... But I still have a big question from what mikedr said in an earlier post. See just a couple posts back where he said,

"A question, though -- if you have port forwarding set up, and have a static IP, why do you need to use any type of DDNS service? You can just access any resource via http://X.y.z.aortnum in that case."

that I don't get... As I said earlier, from within my home network I can access my cameras with http://x.y.z.aortnum.

But NOT from out in the world beyond my home network. Out there I HAVE to use the chosen, unique name that I set up with the DDNS service (viewnetcam.com in the case of my Panasonic cameras). Using http://X.y.z.aortnum can't work because it's not at all unique...

So I need help with how one would use local IP addresses to ever connect to anything from outside the network??? Or was mikedr perhaps meaning to use my external IP, the one my ISP assigns and a port number??? That I might believe...

So here are my questions at this point

1. So if someone could help me understand this,

"A question, though -- if you have port forwarding set up, and have a static IP, why do you need to use any type of DDNS service? You can just access any resource via http://x.y.z.aortnum in that case." ???????

Is he talking internal LAN IP's or external WAN???

2. Beyond that, is MyHS a reasonbly secure way of being able to access home automation from out in the world... I want to be able to check on items at home when I'm away, the biggest reason for setting any of this up.

3. I certainly know of VPN's but have never set one up. Would such be recommended??? Easy to set up or no???

4. Last and slightly on a different but related topic. I am about to go ahead and buy a Home Troller Zee S2. I will hook it up via Ethernet for a permanent install but if I buy the $20 wireless adapter, will that allow me to walk the Zee S2 down to where my Z-wave appliances are?? I was told you have to bring items in close proximity to the controller for setup and, as an example, my Trane thermostat isn't gonna move. So it's either a long Ethernet cable or WiFi... Can I use WiFi for setup of devices only??? Then move the S2 back near the router and connect using Ethernet locally???

thanks... bob

I think that mikedr assumed you meant you already had a static external IP on your router. If you aren't sure, then you most likely have a dynamic IP. As Randy said, that's when DDNS is very helpful. You still need to give your cameras and HomeSeer box static internal IPs and make the appropriate port forwarding entries on your router.

Can I use WiFi for setup of devices only???

yes

Then move the S2 back near the router and connect using Ethernet locally???

yes

Here I have my Zee-2 connected via a POE connection.

"A question, though -- if you have port forwarding set up, and have a static IP, why do you need to use any type of DDNS service? You can just access any resource via http://x.y.z.aortnum in that case." ???????

You do not need a DDNS service if you have a static ISP Internet address for the Zee-2.

If you have an ISP assigned WAN DHCP address many times it stays active for a very long time rarely changing.

That said you can choose just about any name with many DDNS providers and personally I use them for short names that I remember and different names for different services I want to access.

I also use the services to mask the IP and for different port entry points.

Is he talking internal LAN IP's or external WAN???[/I]

External WAN

Here internally I use a static IP. You can also typically statically assign a DHCP address via your firewall/router using the MAC address of the Zee-2 if you want.

Not sure if you are familiar with Linux.

Some tools that I utilize here are WinSCP, Putty and Webmin to manage Zee-2.

WinSCP is a Windows only explorer like tool to access your Zee-2 directories.

I still have an account with the Panasonic Viewnet dot com. You can utilize that DDNS name if you want.

Look at the firewall rules you have configured and add whatever ports you want to use or let pass through your firewall.

You could then just get to Homeseer on port 8678 (just made this up) like this:

hxxp://viewnetddnsname.com:8678

Unless your work firewall prohibits the use of html on odd port numbers.

Note as Randy mentions above this is one way to get to Homeseer of a few ways.

So first of all my ISP uses DHCP. But I went out and grabbed what the WAN IP address is for now (might be this same number often) and tried this in a browser,

http://aaa.bbb.ccc.ddd:xx where .aaa.bbb.ccc.ddd is my ISP assigned WAN IP address (for now) and xx is the port number for one of my cameras.

Following the Fixed WAN IP concept from an earlier post (though granted this is fixed only for now) should the above entered into a browser be able to connect to my camera??? Because it can't. It fails... Can't find server... Doesn't surprise me but I'm not sure why. I've never tried this before...

This gets down, for me, to the idea of IP addresses versus ports. I've been told that an IP Address is to an apartment building address as the port number is to a given apartment within. Yes?? No??

And the only thing within my local network at port xx is that one camera. I'm just trying to parallel the idea of not needing to use any form of DDNS if you have a fixed WAN address. I don't but I was trying to just do a test of how that might work if I did.

And of course what I did above made no mention of my fixed internal IP address for that camera. But that is accounted for in a port forwarding table in my router where I forward port xx from inside to ouside my network for a fixed IP address that is 192.168.m.n.

So let's say I really did have a fixed WAN IP address as given to me by my ISP. Would my above experiment have worked??? And why did my test not work?? This seemingly easy concept is seemingly getting harder... sorry... bob

Port forwarding does not necessarily forward the same external port to an internal port. You would have to look at how your router is configured. Using your apartment analogy, say you are directed to go to apartment 2A, but when you get to the front door, there is a doorman that delivers you to 4A which is really the apartment you want to go to. Even though you were sent to 2A, you end up at 4A because of the forwarding rules the doorman was told to follow.

Let's say you have a camera that is configured to answer to the standard HTTP port of 80. You could have a forwarding rule that mapped external port 80 to the internal address of that camera and port 80, but you can only do that once. If you add a second camera, also at port 80 you would need to map a different external port to the next cameras IP address and port 80.

For example I have quite a few devices that all answer to port 80, server management interfaces, UPS management interfaces, HomeSeer server and a Windows Server. external port 80 goes to my Windows server port 80, so if I browse to my DDNS domain name, it will land at that server. Each of my other devices that answer on port 80 on my local network have a different external port mapped to the local IP address port 80. I use a port numbering scheme that allows me to easily remember the device, I use 80 followed by the two digit IP. Following that example external port 8025 is mapped to internal IP XXX.XXX.XXX.25:80, 8026 to XXX.XXX.XXX.26:80 and so on.

Now translating tit to a DDNS function the addressing is
myname.myddns.org:8025 to go to one device
myname.myddns.org:8026 to the next and so on.

Since you only have one external WAN IP address, this port forwarding scheme allows you to have many devices accessible through the one external IP address. A DDNS is just a means of always being able to find your WAN IP if it is dynamically assigned. The vast majority of ISPs use DHCP to assign the WAN IP, so it can change each time the IP lease expires. most of the time your modem will grab the same IP each time the lease expires.

You can find out your port forwarding rules by logging into your routers management console and look under Port Forwarding / Port Triggering. There you can set the external port source and the internal IP address and port destination.

Here is an article from noip.com showing examples of setting up the rules on several brands of router.

I have each of our network cameras various IP ports (and there are like 5-6 per camera for reasons unclear to me) mapped to a different non-standard port within the router's port-forwarding.

Ditto,

Are you still or have you migrated from Nexia to HomeSeer? I've been using Nexia for 2 years but currently testing HomeSeer. Would love to hear what you eventually ended up with.

Hi Jim, I have moved away from Nexia. I have moved to HomeSeer but I'm still in the process of trying to learn how to deploy such a system in a way that is safe and secure. Quite honestly, I've not made the sort of progress I would have liked to have made. You will likely fly past me soon as I've had little time lately to dedicate to the home automation system and today it is unplugged and powered off.

I hope to get back to it soon and my first task will be to come here and read what others are doing.

So not much help I know but that's where I'm at today...

OK,


NAT=====> What is Network Address Translation? :http://whatismyipaddress.com/nat

And if you still freak out about the connected world then buy this router :https://routerboard.com/CCR1009-8G-1S-1Splus And set it up properly as securely as it's meant to be as here :https://www.youtube.com/watch?v=7stWTeD9hw8 There are more videos and info. on this out there. Then you will have the hackers complaining about you not being friendly

Enjoy!



Eman.

Good advice, Eman.

Most home use routers are made for default installs by end users with no tech expertise - meaning you get nothing more than the default security. Going with a better router usually gives you more control over security configs as well as better power/performance. Most of the time you get what you pay for.

I'm a big fan of Ubiquity equipment. http://ubnt.com

Much like I've found with HomeSeer, they have an active and helpful user community which is nice when you're on a steep learning curve.

JimiB

Wow... So this shows a bit more about how little I know about networking as I had not before ever heard of Mikrotik until you, Eman, pasted the link you sent in your last response. Thanks for that... I've already watched one tutorial and I will need to watch a few more I'm sure...

I had once upon a time thought the best approach for me would be to set up my own VPN at home but after reading about that topic quite a bit I decided setting up such a network was beyond my skill level unless I wanted to first go take a class somewhere or watch lots of YouTube videos. And I'm a retired electronics engineer who has worked on, with and around macs and PC's since they first showed up 30 years ago... But admittedly I've never worked with networks per se. I just use them... It's just a topic with a lot of complexity, at least that's my view. Thus the reason I've moved slowly...

Thanks, Eman, for your help... I will read and study some more...

You can buy firewalls that include the VPN functionality such as Fortinet, SonicWall, etc. Most devices (smart phones, tablets, etc) that you would use to access your home network have clients built in, so overall the setup can be pretty simple. Of course, this is not a cheap option, but if you're not into setting up software like OpenVPN yourself, it is a good alternative.

Cheers
Al