Saving CCTV footage remotely to SMB folder

hexel

Cadet
Joined
Jul 13, 2022
Messages
8
Hi all,

I have a brand new surveillance camera (Milesight Lite Dome) for my cottage house. Besides saving locally to the SD card, I want it to send video recordings remotely from another city to my home TrueNAS Scale.

I have checked their online guide for SMB settings (Ubuntu) https://support.milesight.com/suppo...02-how-to-use-nas-on-milesight-network-camera, but so far I cannot get my TrueNAS into "Online" status for the camera.

Can anyone tell me whether I need to change some specific settings in the TrueNAS GUI to get this to work? My shared cctv folder already works well in Windows and I can read/write into it. The camera is also not connecting to my NAS even locally at home (with a 192.168.x.xxx address), where I'm setting this up before bringing it to the cottage. There I will give it my public domain address to send recordings to.

Thanks in advance!
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
The camera is probably some old linux derivative and using ancient samba stack, so will only authenticate with NTLMv1 and SMB1... you need to set that on the SMB service (and prepare yourself for the security consequences of that).
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> The camera is probably some old linux derivative and using ancient samba stack, so will only authenticate with NTLMv1 and SMB1... you need to set that on the SMB service (and prepare yourself for the security consequences of that).

Old versions of mount.cifs on Linux (I think this changed somewhere in kernel 3.x land) defaulted to NTLMv1 and SMB1 IIRC.

There used to be a lot of how-tos that advised setting NTLMv1, and so back in the FreeNAS version 9 days we periodically had people that had SMB auth problems as they upgraded to the version where that parameter changed to off-by-default.
 

hexel

Oh okay, great. I just checked and yes, NTLMv1 and SMB1 are turned off by default. I will turn them on (and prepare myself for the security consequences) and see whether the connection works on the LAN.
If yes, I assume I need to port forward some SMB ports in order to make this work remotely?
But the question is, what ports? Google gives multiple answers.
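
An added example, not part of the original thread: a small audit that reads smb.conf-style text (for example the output of `testparm -s`) and reports whether the `[global]` section accepts SMB1 or NTLMv1, the two settings discussed above. The sample configuration and its share path are constructed, and the fallback values for absent keys are assumed current Samba defaults.

```python
import re

# Constructed sample: [global] with the two legacy settings discussed above.
SAMPLE_LEGACY = """
[global]
    server min protocol = NT1
    ntlm auth = yes
[cctv]
    path = /mnt/tank/cctv
"""

# Dialects older than SMB2; Samba's name for SMB1 is "NT1".
PRE_SMB2 = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
# "yes" is the documented alias of "ntlmv1-permitted".
NTLMV1_ON = {"yes", "ntlmv1-permitted"}


def parse_global(conf_text):
    """Return the [global] parameters of smb.conf-style text as a dict."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Normalise case and spacing of the parameter name.
            params[" ".join(key.lower().split())] = value.strip()
    return params


def audit(conf_text):
    """List the legacy settings that the [global] section permits."""
    g = parse_global(conf_text)
    findings = []
    # Assumption: absent keys fall back to current Samba defaults.
    # "min protocol" is a synonym for "server min protocol".
    min_proto = g.get("server min protocol", g.get("min protocol", "SMB2_02"))
    if min_proto.upper() in PRE_SMB2:
        findings.append("SMB1 accepted: server min protocol = " + min_proto)
    ntlm = g.get("ntlm auth", "ntlmv2-only")
    if ntlm.lower() in NTLMV1_ON:
        findings.append("NTLMv1 accepted: ntlm auth = " + ntlm)
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_LEGACY)) or "no legacy settings found")
```

An empty result means neither legacy setting is active in `[global]`; the check does not look at per-share overrides.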
 

sretalla

> If yes, I assume I need to port forward some SMB ports in order to make this work remotely?

Never do that... SMB1 is full of vulnerabilities and exploits are circulating unencumbered on the Internet.

What you should do is connect your premises with some kind of VPN (I would suggest tailscale as an easy option)... you'll need to have something more than the camera at the far end to "run" that though, even if just a raspberry Pi.

There are some good suggestions and helper videos for that here: https://blog.briancmoses.com/2021/03/tailscale-a-vpn-that-even-brian-can-use.html
 

anodos

> SMB is full of vulnerabilities and exploits are circulating unencumbered on the Internet.

SMB protocol in general isn't full of vulnerabilities. MS for instance uses SMB for Azure Files IIRC (it's actually pretty cool, they wrote a whole new SMB server - non-Windows for the product).

SMB1 servers shouldn't be exposed on the internet, and NTLM auth probably shouldn't be used via internet. NTLMv1 auth should absolutely never be passing on any vulnerable network. In this day and age it's basically the same as plain-text authentication.

So in this case, you probably need to set up a VPN.
 

sretalla

There are at least 170 in just SAMBA... https://www.cvedetails.com/vulnerab...&sha=653c7b7fcf829358e3376d46edbe195666c5ceab

@anodos has done a lot of work to ensure that TrueNAS has versions of samba which are as patched as possible against those, so I will concede that my point was more about your camera than about a TrueNAS server (although in general, we never consider publishing a TrueNAS server directly to the Internet for any protocol as it was not designed as a hardened system).

VPN is the way to securely access things between premises.
 

hexel

> Never do that... SMB1 is full of vulnerabilities and exploits are circulating unencumbered on the Internet.
>
> What you should do is connect your premises with some kind of VPN (I would suggest tailscale as an easy option)... you'll need to have something more than the camera at the far end to "run" that though, even if just a raspberry Pi.
>
> There are some good suggestions and helper videos for that here: https://blog.briancmoses.com/2021/03/tailscale-a-vpn-that-even-brian-can-use.html

Alright, seems legit, and I will not do it that way.
I just checked out Tailscale and it really seems very easy to set up.

But a few things I'm wondering about (because of my lack of experience):
- I assume I need to install the Tailscale app on my TrueNAS Scale server, how?
- How should I make it possible at the other end, where the camera is, for it to get a connection to this NAS? If I put a Raspberry Pi in the cottage house and install Tailscale on it, will that make it possible for the camera to connect through the VPN to my NAS, since they are on the same LAN there?

So far, thanks a lot for help till this point. Hopefully I get answers for those few questions in order to make this work.

EDIT: Btw, at my home, where the TrueNAS is, I also have this router https://www.tp-link.com/fi/business-networking/omada-sdn-router/tl-r605/
It seems it also includes integrated OpenVPN, will that help in this case at all?
 

sretalla

> I assume I need to install Tailscale app to my Truenas Scale server, how?

That's one way... maybe you won't use it if you go for OpenVPN:

> If I put Raspberry Pi to the cottage house and install Tailscale to it, will it make possibility for camera to connect through VPN to my NAS, since they are there in same LAN there?

Yes, you would use the settings in the tailscale web UI to advertise the subnet at your remote house to the tailscale network.

That way, any client participating in the tailscale network can see that subnet across the secure VPN tunnel created with tailscale.

> EDIT: Btw, at my home where TrueNAS is also I have this router https://www.tp-link.com/fi/business-networking/omada-sdn-router/tl-r605/
> Seems it also includes integrated Open VPN, will that help in this case at all?

Only if you would rather use OpenVPN instead of tailscale (perfectly fine option, just a little harder to configure correctly... and I won't go into how here).
 