In the previous lab in this series, we setup a basic NAT topology for a camera on CBRS, but the camera was only accessible by a machine on the same local switch. In this lab, we enable a machine on the corporate network to access the camera behind CBRS.
Note: In general we can substitute the camera for any server or service, such as iperf3 or a webserver. However, note that cameras are particularly different in that they never connect out - this may have impact on router devices that expect outbound activity to connect to a WAN.
The topology remains the same as before, but we have made some changes on the Cradlepoint R500 to port forward connections to the camera to allow access from the NVR machine on the corporate side of the network at 192.168.4.62.
Create a DHCP reservation for the camera
A DHCP reservation for the camera ensures the DHCP server on the R500 will assign a consistent, non-changing IP address for the camera. This is important because we need the IP address in the port forwarding configuration.
We noted the MAC address from the camera ending in 85:65 and chose 192.168.0.100 for DHCP reserved IP address for the camera.
Create port forwarding rule(s) for the camera
We created port forwarding rules for both RTSP and the management web service on the camera.
Access to Servers behind NAT+Port Forwarding
With NAT+Port Forwarding, here is how the camera can be accessed:
(As with basic NAT) From Macbook (192.168.0.169) on the same network segment to 192.168.0.100. Note that a connection in this manner is NOT going over CBRS, as both the Macbook and camera are wired over ethernet to the same switch.
From Macbook (192.168.0.169) on the same network segment to 184.108.40.206. The Celona Edge assigns DHCP addresses on 220.127.116.11/24. Connecting from the local laptop to 18.104.22.168:554 will route packets from the Celona Edge to AP to the R500, which in turn will port forward to the camera at 192.168.0.100:554. This method DOES transfer packets over CBRS.
We still cannot access the Camera from the corporate network machine (192.168.4.62) because the CBRS router (R500) has a 22.214.171.124 IP address from the DHCP server in the Celona Edge.
To connect to the camera from the corporate network, we need addressing and routing that allows for it. To achieve that, in the Celona Orchestrator we configure an External IP Domain and a Device Group.
Configure a Celona External IP Domain
The External IP Domain changes the IP addressing for the CBSD, whether it is a CBRS gateway or device. Instead of assigning the CBSD an address from the default Celona 126.96.36.199/24 subnet, we can obtain an address from any routable DHCP server. In this case, we configure the External IP Domain with the IP address of our DHCP server - 192.168.4.1 (the Netgear Nighthawk M1 with AT&T SIM).
The External IP Domain is configured in the specific Celona Edge context.
Configure a Celona Device Group
We now need to tell Celona which SIMs should be associated with our new External IP Domain via a Celona Device Group.
Now, instead of the CBRS gateway (R500) getting a 12.1.1.x IP address from the Celona Edge, it will obtain an IP address (192.168.4.67) from the corporate WAN DHCP server.
Access to Servers behind NAT+Port Forwarding with Celona External IP Domain
As before, from our local Macbook at 192.168.0.169 to 192.168.0.100 (non-CBRS) or 192.168.4.67 (CBRS).
Our corporate Macbook/simulated NVR at 192.168.4.62 can now reach the camera at 192.168.4.67 through CBRS. The Celona Edge gets us from the corporate network through the AP to CBRS gateway(R500), and port forwarding on the gateway takes us to the camera.
Connection to camera failing after disconnecting from RTSP/web service
Remember that note above regarding cameras being "different"? The Cradlepoint R500, in its default settings, will eventually put its WAN to sleep if the camera is the only device plugged into its ethernet port and you have disconnected from the camera RTSP or web service after some time. Recovery requires rebooting the R500.
To prevent the R500 WAN from falling asleep when you are not connected to the camera, you can configure the R500 WAN state to Always On. This is found in the specific WAN interface context.
Other considerations for NAT+Port Forwarding with Celona External IP Domain
With selective use ports (e.g. for RTSP, not just 554, but also 555, 556. etc.) port forwarding can be used to access multiple cameras behind a single CPE, such as the Cradlepoint R500.
In some deployments, you may have a 1:1 ratio of cameras to CPEs (e.g. poles for cameras that are so far apart, making cabling and switching to a single CPE impractical). In some deployments, it may be undesirable to use non-standard ports for multiple servers or services behind a single CPE.
In these cases, our third method of access to servers or services behind CBRS can be used - IP passthrough on the CPE+Celona External IP Domain+Celona Device Group. Stay tuned for an explanation of this in our next lab in this series!