How to access different devices on the local network from outside through 1 IP address?

Hi all. In short, there is a problem. I have a surveillance camera and a PC with remote access + WOL enabled. There is 1 static IP address. I'm a little dumb at this.
How do I set up routing between them so that I can work with every device? What is needed?
3 answers
April 7th 20 at 11:59
Solution
Port forwarding, as said above, but it's not too safe, or rather quite unsafe. It is better to set up a VPN and access the internal network only through it.
@Agnes, what is the advantage of VPN versus port forwarding? Or is there none? I have a Tenda AC10U router. It already has a built-in service for setting up a PPTP VPN - shakira.Goldner commented on April 7th 20 at 12:32
@victoria.Trinidad hay, VPN isolates your internal network - you must first connect to the VPN, and only then get access to the cameras. Plus, with a VPN the traffic can be encrypted. Therefore, the solution is quite good, but often unnecessary.

In most cases, it is enough to simply limit, in the firewall, the addresses from which you want to connect to the cameras. - braxton_Prosacco commented on April 7th 20 at 12:35
@carme, But what is the danger in port forwarding??? What might be unsafe? - braxton_Prosacco commented on April 7th 20 at 12:02
@Agnes, https://www.zoomeye.org/searchResult?q=app%3A%22Li... for example -- bare ass sticking out into the Internet. The bad part is not even that strangers have access to the cameras; worse is that occasionally I find vulnerabilities in all sorts of IoT devices, through which one then gets access to the internal network. - marvin.Hoeg commented on April 7th 20 at 12:05
@Agnes, not so long ago six cameras were being cleaned up that had brought up DHCP on themselves, begun monitoring the traffic and sending it to an unknown destination. They were accessed precisely via port forwarding.
@victoria.Trinidad hay, if the IP is "white" (public), then VPN; if not, then a VPS for 200 rubles per month, with a VPN on it. - Camryn.Hegmann21 commented on April 7th 20 at 12:08
@Abelardo.Fish, the IP is white - shakira.Goldner commented on April 7th 20 at 12:11
@victoria.Trinidad hay, then set up the VPN on a device that can handle it, and forward the ports to it through the gateway. If you have a gateway, set up the VPN on it. - Camryn.Hegmann21 commented on April 7th 20 at 12:14
@Abelardo.Fish, the router has a feature for its own VPN - shakira.Goldner commented on April 7th 20 at 12:17
@victoria.Trinidad hay, and then what is the question? - Camryn.Hegmann21 commented on April 7th 20 at 12:20
@carme, But what does port forwarding have to do with it?
If you expose something to the Internet, you need to configure the right security.
For example, access only from one address, as is usually done.

If you need security, it has to be configured.
But what does port forwarding have to do with it? It is completely safe! - braxton_Prosacco commented on April 7th 20 at 12:23
@Agnes, stated above. The problem is not forwarding as a means, but that your gear inside will get broken into much faster.

The VPN option is perfect. - markus_Ro commented on April 7th 20 at 12:26
@cornell.Doyle, the VPN option is far from perfect, though convenient in some cases.
In most cases, VPN is simply not needed. - braxton_Prosacco commented on April 7th 20 at 12:29
And if he connects from dynamic IP addresses, what then?
A VPN immediately hides the insides of your network. But with port forwarding and no limit on the addresses, things can go badly. The attack surface increases significantly:
The router can be broken into,
The cameras can be broken into, each one separately...
You can hammer on all of the ports that stick out and brute-force them... - markus_Ro commented on April 7th 20 at 12:38
@Agnes, I will connect from dynamic IP addresses - shakira.Goldner commented on April 7th 20 at 12:41
April 7th 20 at 12:01
Solution
How to access different devices on the local network from outside through 1 IP address?
Forward the ports. Access from the Internet is only possible if you have a "white" (public) IP address. If just from an external network, then not necessarily.

How do I set up routing between them so that I can work with every device?
Routing has nothing to do with it; you have NAT.

Just forward a separate port for each camera. Then connect to the camera specifying the port, and that's all.
For example, you have three cameras at the local addresses 192.168.0.1, 192.168.0.2, 192.168.0.3. Access to the camera is on port 4000.
So you just forward port 50001 to address 192.168.0.1 and port 4000, port 5002 to address 192.168.0.2 and port 4000, and so on.
When you need to get to the first camera, connect to external:50001
April 7th 20 at 12:03
Solution
If simply and tastefully:
- Put OpenWRT on the router
- Configure port forwarding to the cameras
- Configure a firewall rule of the type (no more than 5 new connections a day to the camera port)
Everyone who was breaking in on the standard ports is generally banned for a day on the first occasion.
- Set proper passwords on the cameras

The main thing is not to shoot yourself in the foot
No need for OpenWRT, the router already has all the settings. But the option is nice - shakira.Goldner commented on April 7th 20 at 12:06
@victoria.Trinidad hay, the owner is the master, as they say.
I always found the stock firmware had too few settings (well, except MikroTik).
OpenWRT is pure Linux. If memory allows, you can bolt on pretty much anything. Including a variety of iptables rules. And WireGuard VPN, for example. That is definitely not available anywhere in stock firmware. - mckayla_Reinger37 commented on April 7th 20 at 12:09
@Keira75, I have a Tenda AC6 router with multi firmware. Its functionality is enough for me so far. I have OpenWRT on the second router. I think it is quite difficult to understand right away; at least for me, the first acquaintance with it was a problem. - shakira.Goldner commented on April 7th 20 at 12:12
@victoria.Trinidad hay, no more difficult than MikroTik :)
For me it was even easier.
Why am I so keen on OpenWRT? Because of iptables. Does your stock firmware let you write firewall rules?

People here wrote that only VPN is secure.
In principle, I agree, but IMHO, you can do forwarding with strict filtering. Then it will be no worse.
For example, put all of this on non-standard ports, and everyone who connects to the standard 22, 119, 80, RDP,... gets blocked immediately for many hours (protection from port scans).
And your Christmas tree of ports will not show up. - mckayla_Reinger37 commented on April 7th 20 at 12:15
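
The per-camera port mapping from the second answer combined with the filtering described in the third answer and its comments, as an added example that is not from any of the posts above. It only prints iptables rules for review. The interface name `eth1`, the list names `scanners` and `cam<port>`, and a plain iptables router (with the `recent`, `multiport` and `conntrack` matches) whose chains evaluate these rules before any generic accept rule are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not apply) an iptables ruleset for review.
# Assumed names: WAN_IF, the "scanners"/"cam<port>" lists, the trap-port list.
WAN_IF="eth1"                 # assumed WAN interface
TRAP_PORTS="22,80,119,3389"   # standard ports named in the thread (3389 = RDP)
BAN_SECS=86400                # one day
MAX_NEW=5                     # new connections per source per day

# valid_map EXT:IP:PORT -> succeeds only for a well-formed mapping whose
# external port is in range and is not one of the trap ports.
valid_map() {
    echo "$1" | grep -Eq '^[0-9]{1,5}:([0-9]{1,3}\.){3}[0-9]{1,3}:[0-9]{1,5}$' || return 1
    ext=${1%%:*}
    [ "$ext" -ge 1 ] && [ "$ext" -le 65535 ] || return 1
    case ",$TRAP_PORTS," in *",$ext,"*) return 1 ;; esac
}

# gen_rules MAP... -> ruleset on stdout; non-zero status on a bad mapping.
gen_rules() {
    for m in "$@"; do valid_map "$m" || { echo "bad mapping: $m" >&2; return 1; }; done
    # 1. Sources banned within the last day are dropped before anything else.
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -i $WAN_IF -m recent --name scanners --rcheck --seconds $BAN_SECS -j DROP"
    done
    # 2. A new connection to a standard port on the WAN side bans the source.
    echo "iptables -A INPUT -i $WAN_IF -p tcp -m multiport --dports $TRAP_PORTS -m conntrack --ctstate NEW -m recent --name scanners --set -j DROP"
    for m in "$@"; do
        ext=${m%%:*}; rest=${m#*:}; ip=${rest%%:*}; port=${rest#*:}
        # 3. Non-standard external port -> camera (DNAT happens before FORWARD).
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $ext -j DNAT --to-destination $ip:$port"
        # 4. Record each new connection per source; drop the 6th and later per day.
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $ip --dport $port -m conntrack --ctstate NEW -m recent --name cam$ext --set"
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $ip --dport $port -m conntrack --ctstate NEW -m recent --name cam$ext --update --seconds $BAN_SECS --hitcount $((MAX_NEW + 1)) -j DROP"
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -d $ip --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Mappings from the second answer (ports and addresses as given there).
gen_rules 50001:192.168.0.1:4000 5002:192.168.0.2:4000
```

Because the limit uses `--update`, attempts that are dropped also refresh the counter, so a source that keeps hammering a camera port stays blocked.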