Eufy firewall ports needed for remote viewing

First, let me start off with saying that I am a network administrator in my day job. I have searched the forum, Google, etc. with no luck.

What are the required firewall ports and IP addresses that need to be opened from the remote viewing subnet to the outside for viewing the Eufy cameras when NOT on the same subnet as the HomeBase? My HomeBase is located on my very unrestricted IoT subnet. I can view them when on a cellular network or on a very unrestricted, wide-open firewall.

I see that tcp:10280, udp:32100 and udp:32700 are needed, but I will NOT open a bunch or a range of upper TCP or UDP ports to * (ANY IP) on my secure/private subnets or on my employer’s firewalls. tcp:80 and tcp:443 are already enabled by default. I also see that when these few ports are opened on my employer’s firewall, the app tries to connect to the internal IP address of the HomeBase at my house (smartphone = 10.10.90.204:xxxx --> (HomeBase) 172.20.4.61:xxxx), which of course will never work.

I should NOT have to open firewall ports to be able to remotely view the cameras when not on the same subnet as the HomeBase. VPNs will not work either, as the app is on a different subnet from the HomeBase.

Thank you,
Michael

There was a thread, and an official reply, which effectively said that what you want to do, you can’t: the cameras require a server to access them, and serverless access is not possible.

It would take me some time to find it. It was something like “Eufy server down” and an official reply from a product manager.

I am also extremely technical with networks, which is why I remember seeing it. They seem to host out of the AWS Seattle region. The server does not contain data, only metadata; the metadata makes it unable to work without the server, and the non-data is their assurance that it’s not insecure.

Contact Eufy directly and save me finding the exact search string. Look for the “server down Eufy” type threads from months ago.

Support came back with this:
“Regarding the network requirements for our HomeBase, we use TCP ports 80 and 443 and UDP ports 0~65535. Please make sure TCP ports 80 and 443 and UDP ports 0~65535 have not been blocked.”

I replied back with:
"If there are a few IP addresses or a very small range of ports the app would connect to, this is more doable to allow in the firewall without needing to allow all out in the firewall.

Take the approach of the https://mysecurity.eufylife.com/ website; it appears to only need tcp:80, tcp:443 and tcp:1443. This is something very doable that network administrators would open in their firewalls for remote viewing. Imagine telling your CEO that he has a choice: to be able to view his security cameras at his house and other personal properties while at work from his iMac, iPad and Android devices, or the security of his work’s IT network. This would be something to ponder for future consideration."

My remote viewing within the Eufy app works just fine, BUT not when using HomeKit, and that is exactly one of the reasons I use Eufy. Anybody have an idea? I have a brand new ASUS RT-AX92U and 3 eufyCam 2s with a HomeBase 2.

You can restrict the ports somewhat but some network sniffers have detected a broad range of outgoing connections, some to AWS but some right back to China.

It is a very server-dependent software architecture; if the server is down, there are many complaints. It’s not like the HomeBase is its own server that you talk to directly. You talk to an external server, which then supplies back the link to the HomeBase.

If you search, there are many threads on the topic, but really, this all should move to the Eufy community, as Eufy said they are only looking at that community for help, not this community.

Here is an update for trying to view the cameras from your house/business environment where you have access to modify the firewall(s).

Allow tcp:10280, udp:32100 and udp:32700 from the remote/secure network that the app is viewing the cameras from. Then allow udp:1025-65535 (0-65535 would work, too) from the remote network to the HomeBase(s) IP address in the other network (e.g. IoT). Like most IoT devices, it should basically have unrestricted access to the outside world already.

For trying to view your cameras at home from your work, on the road, etc., the above is the same, but the app that is trying to view the cameras needs to have udp:1025-65535 (0-65535 would work, too) to the outside world, as the camera feed is relayed through AWS servers. This is mentioned somewhere else in the community.

If there is a list of IP addresses it is relayed through, it would be helpful to narrow down the firewall rules to not open to the whole world.
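The on-premises rule set described in the post above, written out as an added example (this is not code from the thread, from Eufy, or from any Eufy project): a POSIX shell function that emits an nftables forward ruleset opening only the ports named in the post, with the wide UDP range allowed solely towards the HomeBase address rather than towards "any". The subnet 10.10.90.0/24 and the HomeBase address 172.20.4.61 are reused from the addresses quoted earlier in the thread as placeholders; the optional relay prefix, its 0.0.0.0/0 default, and the `wildcard_accepts` helper are assumptions for illustration, since the thread has no list of relay addresses.

```shell
#!/bin/sh
# Added example, not from the thread or from Eufy. Emits an nftables forward
# ruleset for the home/business case described in the post above: only the
# ports the post lists are opened from one "secure" subnet, and the wide UDP
# range is opened only towards the HomeBase address, never towards "any".
#
# Assumptions: 10.10.90.0/24 is the subnet the app runs on and 172.20.4.61 is
# the HomeBase on the IoT subnet (both reused from the thread as placeholders).
# The relay prefix defaults to 0.0.0.0/0 because the thread has no list of
# relay addresses; narrow it if you obtain one.

# Refuse an "any" style argument where the post explicitly wants a host/subnet.
reject_wildcard() {
    case "$1" in
        ""|any|'*'|0.0.0.0|0.0.0.0/0|*/0)
            echo "refusing wildcard $2: '$1'" >&2
            return 1 ;;
    esac
    return 0
}

# eufy_rules SECURE_NET HOMEBASE_IP [RELAY_NET]
# Prints a ruleset suitable for `nft -f -`.
eufy_rules() {
    secure_net="$1"
    homebase_ip="$2"
    relay_net="${3:-0.0.0.0/0}"
    reject_wildcard "$secure_net" "source subnet" || return 1
    reject_wildcard "$homebase_ip" "HomeBase address" || return 1
    cat <<EOF
table inet eufy {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # return traffic for flows the rules below allowed
        ct state established,related accept
        # signalling/P2P ports named in the thread, towards the relay prefix
        ip saddr $secure_net ip daddr $relay_net tcp dport 10280 accept
        ip saddr $secure_net ip daddr $relay_net udp dport { 32100, 32700 } accept
        # the wide UDP range, but only to the HomeBase, never to "any"
        ip saddr $secure_net ip daddr $homebase_ip udp dport 1025-65535 accept
    }
}
EOF
}

# Count the accept rules in a ruleset whose destination is 0.0.0.0/0, so a
# reviewer can spot how many "to any" openings remain before loading the set.
wildcard_accepts() {
    printf '%s\n' "$1" | grep -c 'daddr 0.0.0.0/0 .* accept' || true
}

# Stand-alone usage: print the ruleset for the thread's placeholder addresses.
eufy_rules "${1:-10.10.90.0/24}" "${2:-172.20.4.61}"
```

The emitted chain has a drop policy, so merge its accept lines into your existing forward chain rather than loading the table as-is if the same firewall already forwards other traffic between those subnets. It only applies when the firewall routes between the app's subnet and the IoT subnet; the off-site case (viewing from work or cellular, where the feed is relayed externally) still needs the outbound UDP range the post describes and is not covered here.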

Thanks. If you were trying to lock down to the maximum, it couldn’t be to an external IP but to network addresses, such as the AWS networks.

There was a server down issue a few months ago, which implicitly informed me that at least they aren’t doing asynchronous region failover, and may not even have synchronised HA within a region. My point being, I doubt it’s more than a few network addresses.

Eufy is certainly giving the right advice in not telling you an external IP, as if they did architect failover it would obviously jump to a different network address.