Reolink Poe doorbell vlan firewall setup

Andy M (n3wb, UK), Aug 6, 2023
Hi, I am hoping someone can help. I have a Reolink PoE doorbell, a Dahua NVR and some Dahua IP cameras. I am setting up some VLANs to create a more secure setup on my Synology router. I have the ONVIF stream set up to constantly stream from my Reolink to my NVR, as I have never had much love for motion recording; there's always a bit before or after that you need.


Anyway, I digress. I have the doorbell and the NVR on two individual LANs. The NVR LAN has internet blocked and the Reolink has internet access, as I use the Reolink app (there just isn't a good alternative; Home Assistant just doesn't cut it for two-way audio). I am struggling to set up the firewall rule that allows the doorbell to stream to the NVR across LANs. Every time I enable the last "kill everything else" rule on the firewall, it blocks the stream to the NVR.

The firewall allow rule is from the doorbell to the NVR on port 8000. I can't work out what I need to change. Any help or insight would be great.

Thanks in advance.
> the doorbell to stream to the NVR across LANs.
I'm guessing that for the video stream, port 554 would be needed.
What guided the choice for port 8000 - is this the ONVIF command and control port as used by the doorbell? Have you custom-defined this in the NVR?
It's what a Hikvision camera would use for Hikvision's command and control dialogues with an NVR.
> every time I enable the last "kill everything else" rule on the firewall it blocks the stream to the NVR.
Does this generate a firewall deny log entry that would provide any clues?
Honestly there is little reason to create a VLAN just to keep the NVR off the internet. It makes more sense to put the NVR on the same network segment as the cameras, and just block the NVR from the internet using either a specific firewall blocking rule, or by using a bogus gateway address in the NVR network setup. Either way, it should be relatively easy to keep the NVR from accessing the internet while keeping the cameras & NVR on the same network segment.

Long story short, there are some negative consequences when you "over segment" your network and this is definitely a situation where you are trying to "over segment" your network.

Hi guys, thanks for the replies. I had tried 554 and it wasn't working either. I have no idea why, but I changed the direction of the firewall rule so the source was the NVR and the destination is the Reolink, and it seems to be working well; it's streaming to the NVR again. How can that be the case? It's a Synology router, btw. Oh, and no logs as far as I can see; they don't exist.




I am not putting the NVR on its own VLAN to keep it off the internet. I did it so that it's not exposed to the Reolink doorbell setup, because I am using the app and the Reolink doorbell has full internet access. Not really being a networking person, it made sense to isolate it other than the RTSP stream. Is that still overkill?

Thanks again.
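Added example, not from this thread and not Synology's, Reolink's or Dahua's code: a small stateful-firewall model in Python that reproduces what Andy saw, the NVR-to-doorbell rule working while the doorbell-to-NVR rule did not. It assumes the NVR pulls the stream as an RTSP client over TCP port 554 (so the NVR is the side that opens the connection), that the router's firewall is stateful (replies to an accepted connection are passed automatically), and it uses made-up addresses and VLAN prefixes; the rule names are constructed for illustration.

```python
"""Why an allow rule from the stream receiver (NVR) to the stream sender
(doorbell) is the one that works, even though the video flows the other way.

Constructed model, not the thread's router configuration.  Assumptions:
  - the NVR pulls the doorbell's RTSP stream over TCP/554, so the NVR is the
    client that opens the connection;
  - the router firewall is stateful: once a connection is accepted, packets
    in both directions of that connection pass without re-matching rules;
  - addresses and VLAN prefixes below are made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DOORBELL_NET = "192.168.10."   # constructed: doorbell VLAN
NVR_NET = "192.168.20."        # constructed: NVR VLAN
DOORBELL = "192.168.10.5"      # constructed
NVR = "192.168.20.10"          # constructed
RTSP = 554


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first packet of a TCP connection


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    dport: Optional[int]  # None means any destination port
    action: str           # "accept" or "drop"


class StatefulFirewall:
    """First-match rule list, a 'deny everything else' default, and a
    connection table so replies to accepted connections are allowed."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.conntrack: Set[Tuple[str, int, str, int]] = set()

    def evaluate(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Packets of an already-accepted connection pass in either direction.
        if fwd in self.conntrack or rev in self.conntrack:
            return "accept (established)"
        for r in self.rules:
            if (pkt.src.startswith(r.src_net) and pkt.dst.startswith(r.dst_net)
                    and (r.dport is None or r.dport == pkt.dport)):
                if r.action == "accept" and pkt.syn:
                    self.conntrack.add(fwd)  # remember the new connection
                return r.action
        return "drop (default deny)"


def rtsp_pull_flow(client_port: int = 51000) -> List[Packet]:
    """The NVR opens TCP/554 to the doorbell; the doorbell answers and then
    sends the video back over that same connection."""
    return [
        Packet(NVR, client_port, DOORBELL, RTSP, syn=True),    # NVR connects
        Packet(DOORBELL, RTSP, NVR, client_port, syn=False),   # SYN-ACK back
        Packet(NVR, client_port, DOORBELL, RTSP, syn=False),   # RTSP PLAY
        Packet(DOORBELL, RTSP, NVR, client_port, syn=False),   # video data
    ]


def verdicts(rules: List[Rule]) -> List[str]:
    """Run the pull flow through a fresh firewall and return each verdict."""
    fw = StatefulFirewall(rules)
    return [fw.evaluate(p) for p in rtsp_pull_flow()]


# Rule as the thread started: doorbell -> NVR on port 8000.
DOORBELL_TO_NVR_8000 = [Rule(DOORBELL_NET, NVR_NET, 8000, "accept")]
# Same direction on the RTSP port (the other thing tried in the thread).
DOORBELL_TO_NVR_554 = [Rule(DOORBELL_NET, NVR_NET, RTSP, "accept")]
# Rule in the direction of the connection initiator: NVR -> doorbell, 554.
NVR_TO_DOORBELL_554 = [Rule(NVR_NET, DOORBELL_NET, RTSP, "accept")]

if __name__ == "__main__":
    for name, rules in [("doorbell->NVR:8000", DOORBELL_TO_NVR_8000),
                        ("doorbell->NVR:554", DOORBELL_TO_NVR_554),
                        ("NVR->doorbell:554", NVR_TO_DOORBELL_554)]:
        print(name, verdicts(rules))
```

With either doorbell-to-NVR rule, the very first packet, the NVR's connection attempt to the doorbell on 554, matches nothing and falls through to the default deny, so no connection is ever tracked and the video never starts; the doorbell's reply would not match either, because its destination port is the NVR's random client port, not 554 or 8000. With the rule written from the NVR to the doorbell on 554, that first packet is accepted, the connection is remembered, and every later packet in both directions passes as established. Two practical takeaways: write the allow rule from whichever device opens the connection (for a pulled RTSP/ONVIF stream that is the NVR) to the device that listens, and keep the final deny rule; a firewall deny log, where one is available, would have shown the dropped NVR-to-doorbell:554 packet and pointed straight at the rule direction.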
You are currently using firewall rules to allow/prevent data from passing between two network segments/VLANs (one for cameras, one for NVR). You should instead put the cameras and NVR on the same network segment and use firewall rules on that network segment to allow/prevent data transfers between devices and/or the internet. The downside to your current method is that by using different VLANs for your cameras and NVR, you are forcing all of that data to pass through the firewall/router device (acting as the Layer 3 device) because the data is traversing across network segments. If you keep all of those devices on the same network segment, the data passing between them can be routed at the switch (Layer 2) level which will be faster and produce less network congestion.

Long story short, by using VLANs like you are, you aren't gaining any security benefit but you are causing a lot more network congestion going through your router/firewall.
Hi, thanks for the clarity. I only have the Reolink across the VLAN; all of my IP cameras are plugged directly into my NVR. I'll move it and change the firewall rules to suit. Thank you for the info.