Adding EmpireTech System to Existing Ubiquiti Network

reefbyte

n3wb
Joined
Jul 16, 2024
Messages
3
Reaction score
0
Location
Colorado
I installed a Ubiquiti network in my home over two years ago. In addition to my primary network, I have two VLANs configured (Guest and IoT). I have all the firewall rules in place to restrict traffic between the primary LAN and the VLANs, including rules for printers, etc. I am about to purchase a kit from EmpireTech (5 cameras total) and would like confirmation that my plan is sound.

Below are some design specifics, but I'm open to better ideas.

1. I'm leaning toward an 8-channel non-PoE NVR so that I have separation in case of failure if NVR ports were to fail (but I'm open to a case for NVR w/PoE).
2. Based on my research, I think I can get by with an inexpensive unmanaged PoE+ switch with similar specs to the built-in NVR PoE option (e.g., TP-Link 9 Port Fast Ethernet 10/100Mbps PoE Switch 8 PoE+ Ports @65W)
3. Cable Connections: Connect the NVR and all 5 cameras to the unmanaged switch, connect unmanaged switch to available port on UDM (to be restricted to new Security VLAN traffic).
4. Add additional Security VLAN with new subnet on UDM router and restrict Port 4 to Security VLAN
5. NVR/Cameras: configure new static IP addresses within the Security VLAN subnet
6. Add Firewall rules to restrict Security VLAN devices from talking to Primary network and other VLANs devices, and restrict Security VLAN Internet access (specific details TBD).
7. Set up UDM VPN for remote access via Dahua DMSS

Questions
1. Is it significantly easier to buy the NVR with PoE? It seems like it would be the same effort either way since I need to configure new IPs for each security device either way.
2. What is the best method to get firmware updates - firewall exceptions for Internet access or download update files and install from USB?
3. Does anyone have a document/forum post with specific firewall rules for this setup where all security camera devices will be isolated to a separate VLAN?

Thanks for any insights.
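As an added illustration of steps 4 to 7 of the plan above (not part of the original post, and not UniFi's own rule syntax), this Python model evaluates a first-match rule set against constructed flows. All subnets, the NVR address, the VPN subnet and the default-accept behaviour are assumptions.

```python
import ipaddress as ip
# Assumed address plan; the thread gives no subnets or addresses.
NET = {name: ip.ip_network(cidr) for name, cidr in {
    "primary": "192.168.1.0/24", "guest": "192.168.20.0/24",
    "iot": "192.168.30.0/24", "security": "192.168.50.0/24",
    "vpn": "192.168.60.0/24", "internal": "192.168.0.0/16",
    "any": "0.0.0.0/0"}.items()}
NVR = ip.ip_network("192.168.50.10/32")  # assumed static NVR address
# Ordered rules: (action, state, source, destination). First match wins.
RULES = [
    ("accept", "established", NET["any"], NET["any"]),   # replies; must be first
    ("accept", "new", NET["primary"], NET["security"]),  # LAN -> NVR/camera web UI
    ("accept", "new", NET["vpn"], NVR),                  # remote viewing, NVR only
    ("drop", "any", NET["vpn"], NET["security"]),        # VPN gets nothing else here
    ("drop", "any", NET["security"], NET["internal"]),   # step 6: no lateral access
    ("drop", "any", NET["security"], NET["any"]),        # step 6: no Internet
    ("drop", "any", NET["guest"], NET["security"]),
    ("drop", "any", NET["iot"], NET["security"]),
]
DEFAULT = "accept"  # assumed: inter-VLAN routing is allowed unless a rule drops it


def decide(src, dst, state="new"):
    """Return the action of the first rule matching this packet."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, rule_state, src_net, dst_net in RULES:
        if rule_state in (state, "any") and s in src_net and d in dst_net:
            return action
    return DEFAULT


def audit():
    """Evaluate constructed test flows and return {description: action}."""
    cam, pc = "192.168.50.21", "192.168.1.40"
    flows = {
        "camera -> primary PC": (cam, pc, "new"),
        "camera -> Internet": (cam, "203.0.113.5", "new"),
        "camera reply to primary PC": (cam, pc, "established"),
        "primary PC -> camera web UI": (pc, cam, "new"),
        "VPN client -> NVR": ("192.168.60.2", "192.168.50.10", "new"),
        "VPN client -> camera": ("192.168.60.2", cam, "new"),
        "IoT device -> NVR": ("192.168.30.7", "192.168.50.10", "new"),
    }
    return {name: decide(*flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, action in audit().items():
        print(f"{action:6}  {name}")
```

Moving the established rule below the Security VLAN drops makes "camera reply to primary PC" come back as drop, which is the usual reason camera web pages stop loading from the LAN after isolation rules are added.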
 

looktall

Getting comfortable
Joined
Sep 3, 2022
Messages
625
Reaction score
884
Location
Australia
There are a few users here using Ubiquiti networks with isolated VLANs and firewall rules. I can't recall who they are.

If you get an NVR with PoE built in, you will only need to give the NVR WAN port an IP on your camera VLAN. The NVR will provide its own isolated IP range to the connected cameras.
However, you may have issues getting to the web config pages of those cameras, depending on your VLAN rules.
Alternatively, you could put the NVR PoE switch into bridge mode, which will then essentially put it onto the same VLAN subnet as the NVR WAN port.
 

reefbyte

Thanks. What are the pros/cons regarding NVR with PoE vs without PoE given my proposed configuration with a PoE switch restricted to a separate Security VLAN?
 

looktall

It amounts to the same thing really, although PoE NVRs tend to cost more than non-PoE NVRs (possibly more than a non-PoE NVR plus unmanaged switch).
If you use a PoE NVR, the NVR will take care of the IP addressing of the cameras. The cameras will be on the NVR LAN, which is essentially a standalone network, and won't generally be able to access the internet, but this might depend on the NVR.
If you use a non-PoE NVR and a separate PoE switch, you will need to manage the IP addressing yourself and add the cameras to the VLAN to avoid them having internet access.

There's potential that a non-PoE NVR might have lower network bandwidth on the camera channels than a PoE NVR, but this would depend on the specific models.
 

reefbyte

n3wb
Joined
Jul 16, 2024
Messages
3
Reaction score
0
Location
Colorado
Thanks. Based on the replies, I think I will opt for a separate PoE switch. Either way, I need to change all the device IP addresses to get them on the Security VLAN subnet. I can get an 8 port 1 Gb PoE+ switch for under $100, which is about the additional cost for the NVR w/PoE.
 