C4 Forums | Control4

Popolou

c4Forums Member
  • Posts

    60
Posts posted by Popolou

  1. 15 hours ago, lippavisual said:

    Pretty sure DNS rebinding is a way for hackers to hack your PC.  Why do you need this protection removed??

    It won't, it has valid applications for internal LANs.

     

    14 hours ago, BY96 said:

    I don’t want to turn off the protection, just add an exception to run a program. However, my issue may be entirely unrelated to rebinding.

    If you want to expand on the issue, there could be a solution - presumably this is regarding a VPN routing/DNS issue? I am unfamiliar with the OS but there may be a way to add an exception through the CLI if SSH access is available.

  2. 4 hours ago, mattyp said:

    Awesome--thank you for the help with identification. I installed IVMS and managing playback is a little less clunky than through the tiny Hik-Connect mobile app, but I still have very limited functionality (e.g., can't actually speed up playback to 2x, 4x, etc.; there are no pins in the timeline showing me people and/or vehicles; no way to set up notifications that I can find).

    I managed to get into the NVR by just hard-wiring to it, and here it looks like I can set up zones and notification triggers, which is great! Unfortunately, these notifications don't appear anywhere outside of the local NVR setup. I.e., I don't get them in my Hik-Connect app and I don't see anything in IVMS. But I'm down the rabbit hole now, so will crack it eventually. 🙂

    Hikvision (and similar) guides are a little clunky when trying to understand how it all comes together but it is essentially a system where the NVR is central to the wider system. Whenever a change is made on the NVR, it sends that config to the camera in question which does the grunt work. It is meant to be centrally administrative. So if you want a line crossing event, you configure it as a Smart Event on the NVR for that camera, add the schedule it should apply and the triggers. Altogether, any event that is detected will then be fed back to the NVR which logs both the video and the time/event VCA data so that you can easily see it on the timeline (be sure to tick either the Human or Vehicle tickboxes under it). Notifications are configured the same way.

    5 hours ago, mattyp said:

    Great! Based on some YT videos I've watched, it looks like the PoE will give me more direct access to the cameras + they'll actually appear in SADP (currently they don't!). Agree, it sounds like a good investment.

    Yes, depending on the NVR, most pro installs use POE switches for the cameras and you simply add the IP addresses to the NVR for it to do its thing.

    Good luck.

  3. As you discovered, they are rebadged Hikvision 8MP cams. Spec sheet here, and a variant of the DS-2CD2383G2 with near-identical specification. If they have an NVR, you can use their IVMS software to connect to it, manage the cameras and control playback. If you are relying on the onboard SD card for footage then you will have a few additional hurdles to overcome for the same result. They're perfectly reasonable cameras from mid-2022 iirc.

    For integration, you'd want the Chowmain driver for the full functionality. The standard C4 drivers do work but it is limited, dated and a lot more thought went into the third-party alternative.

  4. Evening.

    There does not seem to be one provided by the driver associated with the project. But curiously, there does not appear to be a generic one either internal to C4 as part of the standard variables available to call up the name of that room or device. Is this a programmatic shortcoming or is there something obvious that is not clicking with me?

  5. I am drawing a blank for what might be really quite simple: is there a pre-configured variable to represent the room name or device a programming event is attached to? In my use case, i do not want to have a separate push notification to explicitly reference that room/device and using what will otherwise be an identical message if i can simply substitute it with a variable.

    Cheers!

  6. 1 hour ago, therockhr said:

    When i look at all the integrators on instagram it seems to me that Unifi is by far the most popular residential/small business networking vendor (small sample I am sure). When i view corporate campuses or universities or hospitals it seems to be mostly Cisco AP's (again probably a small sample).

    In no small part i am sure because Cisco do not release firmware which borks their kit (or at least not in a long while). Unifi have demonstrated a tendency not to fully QA their revisions which causes a lot of issues across the full spectrum of customers and despite it being GA. Their wireless AP lines are pretty solid mind.

  7. 5 hours ago, Cranky Oldman said:

    another timely comment!  I was just in the middle of figuring out why some of the functionality on the Control4 website (voice control) wasn't working and I tracked it down to pfBlockerNG DNSBL blocking the domains events.split.io, sdk.split.io, and auth.split.io.   Looks like I'm going to have to whitelist them, at least temporarily.

    For my next trick, tomorrow night's lottery numbers...😁

    Oh and you really only want to whitelist the TLD so that you capture any future changes should they roll out new services/servers.

    1 hour ago, Cranky Oldman said:

    You're right that the random-guy-in-the-driveway scenario is low risk, but it probably won't surprise you if you've read this far in the thread that I'm more paranoid than most people about these things!  I set up the VLAN for the Control4 network with a whitelist of MAC addresses that are permitted to use the network.  So a random device that shows up in the driveway with the SSID/passkey will get connected to the access point, but won't get network access.  It was a bit of a pain to set up the whitelist initially, but once in place it shouldn't require any maintenance unless I change hardware somewhere in my system.  If I need a house call from my dealer at some point, I'll have to turn off access control or add his phone/PC to the whitelist.   

     

    You probably already have it installed but i use the arpwatch package for this. Whilst primarily monitoring the blackhole vlan across my sites, if a new device joins any point in the network, it will trigger a notification.

  8. On 3/25/2024 at 9:22 PM, Cranky Oldman said:

    Thanks Popolou for your comments.  Your reference to cloud-based instances appears to be spot-on.  I searched the Control4 controller logs for the link-local IP address, and found matching entries in the file "c4metricsd.log".  The timestamps in the sample below match the timestamps for packets my router blocked.

    2024-03-25 14:51:08.520 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [CurlHttpClient] Curl returned error code 28 - Timeout was reached
    2024-03-25 14:51:08.520 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [EC2MetadataClient] Http request to retrieve credentials failed
    2024-03-25 14:51:09.522 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [CurlHttpClient] Curl returned error code 28 - Timeout was reached
    2024-03-25 14:51:09.522 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [EC2MetadataClient] Http request to retrieve credentials failed
    2024-03-25 14:51:09.522 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [EC2MetadataClient] Can not retrive resource from http://169.254.169.254/latest/meta-data/placement/availability-zone

    We can see there is some kind of Curl command that is failing, apparently related to Amazon Web Services.   Google found some matches for the string "http://169.254.169.254latest/meta-data/placement/availability-zone" eg.  Getting Ec2 Instance Availability Zone With Curl or Powershell // ShellRunner  

    So it looks like the Control4 software may be designed to run in a virtual environment, in which case these packets might gather useful info.  Not sure why the controller still sends out these requests when running in a local hardware environment.  I suppose this could be a way of testing "am I in a virtual environment?"  In any event, other than triggering some red-herring paranoia about bots infiltrating my network, the behavior appears to be benign 😉

    Glad to help. What you'll come to find from the wealth of data that comes with a C4 and pfSense combo (and if you use pfBlockerNG) is a large world where devs use many different cloud-based systems not just to collect metrics but also to communicate back with their drivers to either provide improvements or upgrades/unlocks that you may have purchased. If you go down the blocking path, you may find you'll need to investigate each service in operation in case you end up blocking one that causes a driver to default to its basic function. Some C4 services are purely telemetry (like the one you pointed out) but others do considerably more which could cause problems (such as to split.io). It's just the current state of play in the dev world.
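
The check described in the quoted post above (matching router blocks for the link-local metadata address against `c4metricsd.log` timestamps), written out as an added example that is not part of the original thread. The controller log lines are copied from the post; the firewall log format, its source addresses and the 2-second matching window are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Controller log lines copied from the quoted post (c4metricsd.log).
C4_LOG = """\
2024-03-25 14:51:08.520 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [CurlHttpClient] Curl returned error code 28 - Timeout was reached
2024-03-25 14:51:08.520 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [EC2MetadataClient] Http request to retrieve credentials failed
2024-03-25 14:51:09.522 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [CurlHttpClient] Curl returned error code 28 - Timeout was reached
2024-03-25 14:51:09.522 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [EC2MetadataClient] Http request to retrieve credentials failed
2024-03-25 14:51:09.522 -0500 core5-000FFF9CC615 [1312] ERROR: AWS: [EC2MetadataClient] Can not retrive resource from http://169.254.169.254/latest/meta-data/placement/availability-zone
"""
# Constructed firewall block log (format and source IPs are assumptions):
# ISO timestamp, action, source IP, destination IP, destination port.
FW_LOG = """\
2024-03-25T14:51:07-05:00 block 192.0.2.10 169.254.169.254 80
2024-03-25T14:51:08-05:00 block 192.0.2.10 169.254.169.254 80
2024-03-25T15:30:00-05:00 block 192.0.2.77 169.254.169.254 80
"""
LINE = re.compile(r"^(\S+ \S+ [+-]\d{4}) (\S+) \[\d+\] ERROR: AWS: \[(\w+)\] (.*)$")

def metadata_errors(log):
    """Return (timestamp, host, message) for each EC2MetadataClient error."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(3) == "EC2MetadataClient":
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f %z")
            out.append((ts, m.group(2), m.group(4)))
    return out

def link_local_blocks(log):
    """Return (timestamp, src) for blocked packets to a link-local destination."""
    out = []
    for line in log.splitlines():
        ts, action, src, dst, _port = line.split()
        if action == "block" and ipaddress.ip_address(dst).is_link_local:
            out.append((datetime.fromisoformat(ts), src))
    return out

def classify(blocks, errors, window=timedelta(seconds=2)):
    """Split blocks into those with a controller error within `window` and the rest."""
    explained, unexplained = [], []
    for ts, src in blocks:
        hit = any(abs(err_ts - ts) <= window for err_ts, _, _ in errors)
        (explained if hit else unexplained).append((ts, src))
    return explained, unexplained

if __name__ == "__main__":
    print(classify(link_local_blocks(FW_LOG), metadata_errors(C4_LOG)))
```

Blocks that land in the second list have no matching controller log entry and are the ones worth a closer look.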

  9. Sure, but i meant can you initiate the ping back through the tunnel from the remote site to the local site, i.e to the laptop running HE. The trouble you are describing is a classic routing issue. The remote option within HE relies on the gateway. So do successful VPN connections. This suggests to me an area common between them that i would begin to investigate.

  10. 1 hour ago, Dueport said:

    Unfortunately it still does not work for a remote site for me. I cannot connect to our vacation home from our primary residence despite both locations being fully updated and running the newest version of Composer HE. It doesn't work using the remote option and it doesn't work using the local option (the homes are connected through a vpn via Unifi Site Magic configuration). I'm running Composer HE in parallels on a Mac. When I try the local connection it just fails. When I try the remote connection it just hangs saying it is connecting. Over the past couple weeks sometimes I got it to connect but mostly not just very unreliable but this morning I have spent over an hour fiddling with this stupid thing - I've restarted computers and controllers tried multiple computers, etc etc. nothing - very disappointing. Over the past few weeks, I have gotten a notification of a security threat block once or twice from unifi that appears to be associated with trying to connect and I have cleared those by bypassing/allowing the "threat" in the unifi security settings so I don't think this is a firewall issue. This is extremely frustrating - HE worked fine before 3.4.1 remotely and locally. Finally locally works but still not working remotely. I hope this issue is resolved very soon. Now, if anyone else can get remote to work reliably in Composer HE I would like to know that in case the issue is a networking setting on my end.....otherwise I hope this gets fixed fast because it is very frustrating.

    If i ever encounter a comms problem like this, i find often the best way forward is to go back to basics and begin by ruling things out. In this case, are you sure that the remote location is able to communicate back to your network? VPN traffic relies heavily on routing so even though you can communicate one way, it does not mean that the route back is open. This can be as simple as an incorrect gateway configured on the other side or (more complex) firewalling. Ideally, opening up a terminal session on the controller and pinging the laptop HE is running is a good enough test or alternatively, another remote device on the same subnet to test from.

  11. 2 hours ago, Rob21 said:

    Thank you guys.

    Is it possible to change these icons to something that resembles a heated driveway icon? Does anyone have thoughts on programming the driveway to turn on based on weather?

    Yes, the driver files (c4z) are actually compressed zip files. With some effort, you can swap out the included icon file with the one you want to replace it with but you need to make sure you adhere to the same original pixel dimensions and for each repetitive one.

  12. This is uncanny timing since i was also about to implement this same feature using a triad matrix amp. I drafted the programming (yet untested) to include ramping down/up the volume around the announcement. But, is it people's experience that without a specific ducking feature, the combination of C4 with a matrix amp will not actually lower the playback volume but cease it entirely before the announcement is executed?

  13. 7 hours ago, nxr said:
    22 hours ago, Popolou said:

    Or go virtual machines. Many use a local 'admin station' that has access to all vlans (for e.g.) which means you can VNC/RDP into that station to carry out config changes. Making this hardware is also fine (even if a laptop) but most prefer to use equipment with out-of-band access in case of hardware crashes.

    I use AnyDesk to remote into a current home but not familiar with this. Is it better?

    It has its benefits but i suppose if you have not come to find the need for it, perhaps it'll be unnecessary. Remoting into a single PC without the complexity may well be enough in some applications.

  14. 5 hours ago, South Africa C4 user said:

    Thanks everyone! Some really useful feedback.

    @Shoe - I have Luxul routers at both residences.  While they allow client VPN which I use regularly, they don’t allow site to site VPN AFAIK.

    I suspect my best option is to stick with my clunky solution in the short term and change routers in both houses thereafter.  

    Is it the ABR-4500 model or similar?
