How to use an IP camera?

I want to add an IP camera that’s connected to a router (let’s call it router A) that’s also connected to my computer. Both cables are connected to the LAN ports of the router and nothing else is connected to it. I’m also connected to another router (let’s call it router B) for my internet connection. Both routers have OpenWRT installed if that makes any difference.

On a standard Linux laptop I was able to connect to router A and use the camera with ZoneMinder. I wasn’t connected to router B then.

I’m not very good with networks, so I may be doing something stupid.

On Qubes I see both connections in sys-net by typing ifconfig. They had an “inet” of 192.168.1.191 and 192.168.1.195 in ifconfig and a “destination” of 192.168.1.0 in route -n. I changed the router A connection like so:

sudo ifconfig ens7 down
sudo ifconfig ens7 192.168.2.1 netmask 255.255.255.0 up

Now route -n shows different destinations - 192.168.2.0 for router A and 192.169.1.0 for router B.

I can access router B’s web interface via 192.168.1.1 from AppVMs that are connected to sys-net (indirectly via sys-firewall). I can’t figure out how to access router A’s web interface from AppVMs or even from sys-net. In AppVMs route -n shows:

> Destination   Gateway     Genmask         Flags   Metric  Ref Use Iface
> 0.0.0.0       10.137.0.6  0.0.0.0         UG      0       0   0   eth0
> 1013.0.7      0.0.0.0     255.255.255.0   UH      0       0   0   eth0

so it seems router A’s connection isn’t showing up at all - the output is the same without it.

I want sys-net to be able to give router A’s connection to other VMs. More specifically I want only some VMs to access router A (its web interface and the camera feed).

I’m not sure what to do - an AppVM can only have one VM that is providing it with a connection, it seems (like sys-firewall, sys-whonix, etc.). If I want to have an AppVM that has the IP camera only (router A), will I have to make a separate sys-net2 for router A, assign the ethernet controller that’s responsible for router A to sys-net2 and then assign sys-net2 as a net VM for the AppVM that will access the IP camera? What if I want to have a VM with access to the IP camera and the internet? (Unlikely, as I’ll probably move the video feed to another AppVM, encrypt it there and then move it to another AppVM with internet access.)

What can I do? I’m in over my head, but any suggestion will be greatly appreciated.

I’m not altogether clear on what it is you have done, and where you did
it, because you don’t say in every case where you ran commands.
When you say you changed the router A connection, I take it you changed this on
the router itself.
So that now has 192.168.2.1 and netmask of 255.255.255.0
The effect of the netmask is to restrict access to anything with this
address: 192.168.2.X

You wouldn’t expect the route to any external machine to appear in the
qubes, because they don’t care. All that matters is that they know what
the default gateway is. So don’t worry about that.

What we need to see is the output on sys-net of ip addr and ip route - these are the “modern” versions of ifconfig and route
commands - everything is now subsumed under ip
Let’s get access working first, and then talk about restricting it.

Thanks so much for responding! I’ve read a lot of your posts.

I couldn’t change the settings on the router itself because I can’t find a way to access it. I have only accessed it through its web interface LuCI before, haven’t tried SSH, but I assume since I can’t access the web interface now (from sys-net itself and from qubes who get their connection from sys-net), I won’t be able to access any interface.

> So that now has 192.168.2.1 and netmask of 255.255.255.0
> The effect of the netmask is to restrict access to anything with this address: 192.168.2.X

I understand that - all 192.168.2.X addresses will be related to this router only and other addresses like 192.168.3.X will be available for other use, unrelated to that router.

> You wouldn’t expect the route to any external machine to appear in the qubes, because they don’t care. All that matters is that they know what the default gateway is. So don’t worry about that.

By “the route to any external machine” do you mean that for a qube using sys-net as a NetVM (let’s call it qube P) the fact that sys-net is communicating with two routers will be unavailable? Just like I don’t know how many routers a router in my ISP is connected to and only care about the gateway, i.e. the point that’s between my network and my ISP’s (or qube P’s network and sys-net’s)? These may be dumb questions, but I never had to deal with networks too much so I may be missing basic things most people assume are common knowledge.

Here are the outputs of ip addr and ip route:

[user@sys-net ~]$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 70:85:c2:83:c8:35 brd ff:ff:ff:ff:ff:ff
3: ens7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 70:85:c2:83:c8:33 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global ens7
       valid_lft forever preferred_lft forever
4: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 70:85:c2:83:c8:37 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.195/24 brd 192.168.1.255 scope global dynamic noprefixroute ens9
       valid_lft 25330sec preferred_lft 25330sec
    inet6 fe80::718b:efab:1d65:6a4d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
5: wls8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 8e:90:65:ec:e8:e9 brd ff:ff:ff:ff:ff:ff
6: vif5.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 32
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
    inet 10.137.0.5/32 scope global vif5.0
       valid_lft forever preferred_lft forever
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link 
       valid_lft forever preferred_lft forever

[user@sys-net ~]$ ip route
default via 192.168.1.1 dev ens9 proto dhcp metric 100 
10.137.0.6 dev vif5.0 scope link metric 32747 
192.168.1.0/24 dev ens9 proto kernel scope link src 192.168.1.195 metric 100 
192.168.2.0/24 dev ens7 proto kernel scope link src 192.168.2.1 
[user@sys-net ~]$ ip -d addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens6: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 70:85:c2:83:c8:35 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 16334 numtxqueues 8 numrxqueues 8 gso_max_size 65536 gso_max_segs 65535 
3: ens7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 70:85:c2:83:c8:33 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 9000 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 
    inet 192.168.2.1/24 brd 192.168.2.255 scope global ens7
       valid_lft forever preferred_lft forever
4: ens9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 70:85:c2:83:c8:37 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 9216 numtxqueues 8 numrxqueues 8 gso_max_size 65536 gso_max_segs 65535 
    inet 192.168.1.195/24 brd 192.168.1.255 scope global dynamic noprefixroute ens9
       valid_lft 25297sec preferred_lft 25297sec
    inet6 fe80::718b:efab:1d65:6a4d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
5: wls8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 8e:90:65:ec:e8:e9 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 256 maxmtu 2304 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535 
6: vif5.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 32
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65517 numtxqueues 2 numrxqueues 2 gso_max_size 65536 gso_max_segs 65535 
    inet 10.137.0.5/32 scope global vif5.0
       valid_lft forever preferred_lft forever
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link 
       valid_lft forever preferred_lft forever
[user@sys-net ~]$ ip -d route
unicast default via 192.168.1.1 dev ens9 proto dhcp scope global metric 100 
unicast 10.137.0.6 dev vif5.0 proto boot scope link metric 32747 
unicast 192.168.1.0/24 dev ens9 proto kernel scope link src 192.168.1.195 metric 100 
unicast 192.168.2.0/24 dev ens7 proto kernel scope link src 192.168.2.1

I pasted the -d version too, just in case it’s helpful.

ens7 is router A (the one with the IP camera). ens9 is router B (the router I use to access the internet).

I’m not sure I fully understand how qube P will distinguish connections to router A and router B. Does sys-net being a middle man (or woman or unman :smiley:) between the routers and qube P count as a NAT? Is each such NetVM (sys-firewall, sys-whonix) a NAT of its own? Or did I get the terminology completely wrong?

Thanks again for taking the time to respond to a newbie question.

Not dumb, and you have understood.

What is the IP address of router A, and of the attached camera?

Thanks again!

How can I find that out? I guess from sys-net, but I don’t know how to get more info than 192.168.2.0/24 dev ens7. Is that something hard-coded into the router (that I can’t access)? Sorry for my newbishness, I’m just out of ideas and have been dealing with lots of other issues (non-Qubes related) today.

In sys-net:

nmap 192.168.2.1-255

Output:

Nmap scan report for 192.168.2.1
Host is up (0.000084s latency).
Not shown: 999 closed ports
PORT     STATE  SERVICE
8082/tcp open   blackice-alerts

With blackice-alerts being what nmap guessed the port stands for (relevant superuser.com link) and is actually tinyproxy.

I tried accessing it from Firefox by typing 192.168.2.1:8082 and I got Access denied. The administrator of this proxy has not configured it to service requests from your host. Generated by tinyproxy version 1.10.0.

I think I understand your problem.
I think you are confused between the IP addresses of the network
interfaces in sys-net, and the IP addresses of the upstream router(s).
I should have seen this before - sorry.

In your first post you said -

What you have here are TWO NICs with addresses on the same subnet -
192.168.1.0/24 - the 24 there is a way of representing the range of
addresses - 8 would represent the FIRST part - so all addresses starting
with 192…; 16, the second - all 192.168… addresses; 24, the
3rd - all 192.168.1.X addresses.
That is why you only have a single route, to ONE of the routers, acting
as gateway.

So I think that both routers are configured to hand out, and
recognise, addresses in the same subnet - 192.168.1.0/24
That is why both NICs end up with addresses in the same range.

For this to have any chance of working, you will need to configure
router A to work on a different network than router B.
Then your two interfaces in sys-net will be on different networks, and
you will have to make sure that you set one as the default gateway to
the outside world.

I might have completely misunderstood (yet again).
Try removing the address that you set for the NIC connected to router A,
and see if you can connect to it again. Then see what its IP address is
and what network it is configured to work with.
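
The subnet check described in the reply above, as an added example that is not part of the original thread: it parses `ip -o -4 addr show` style output and reports interfaces whose connected networks overlap, then shows what the /8, /16 and /24 prefixes compare. The sample lines are constructed; which NIC held .191 and which held .195, and the post-renumbering address 192.168.2.50, are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed `ip -o -4 addr show` output (line tails trimmed). Which NIC held
# .191 and which held .195 is an assumption; the first post does not say.
BEFORE = """\
1: lo    inet 127.0.0.1/8 scope host lo
3: ens7    inet 192.168.1.191/24 brd 192.168.1.255 scope global dynamic ens7
4: ens9    inet 192.168.1.195/24 brd 192.168.1.255 scope global dynamic ens9
6: vif5.0    inet 10.137.0.5/32 scope global vif5.0
"""
# Constructed state after router A hands out a different subnet
# (192.168.2.0/24 and the leased address .50 are illustrative choices).
AFTER = BEFORE.replace("192.168.1.191/24 brd 192.168.1.255",
                       "192.168.2.50/24 brd 192.168.2.255")

def parse_addrs(text):
    """Return [(ifname, IPv4Interface)] for every inet line."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "inet":
            out.append((f[1], ipaddress.ip_interface(f[3])))
    return out

def subnet_conflicts(text):
    """Pairs of non-loopback interfaces whose connected networks overlap."""
    addrs = [(n, i) for n, i in parse_addrs(text) if not i.ip.is_loopback]
    return [(a, b, str(ia.network))
            for (a, ia), (b, ib) in combinations(addrs, 2)
            if ia.network.overlaps(ib.network)]

def same_network(ip_a, ip_b, prefix):
    """True if both addresses share their first `prefix` bits."""
    net = ipaddress.ip_network(f"{ip_a}/{prefix}", strict=False)
    return ipaddress.ip_address(ip_b) in net

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, subnet_conflicts(text) or "no overlapping subnets")
    for p in (8, 16, 24):
        print(f"/{p}", same_network("192.168.1.195", "192.168.2.50", p))
```

On a live sys-net the same functions can be fed the real output of `ip -o -4 addr show` instead of the constructed strings.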

Thanks so much for the responses so far! I’m swamped right now, but will definitely try again in a few days and will report back, which will hopefully help others that share my goals and (lack of) networking experience.
