Adding EmpireTech System to Existing Ubiquiti Network

R

reefbyte

n3wb
Jul 16, 2024
4
0
Colorado
I installed a Ubiquiti network in my home over two years ago. In addition to my primary network, I have two VLANs configured (Guest and Iot). I have all the firewall rules in place to restrict traffic between the primary LAN and the VLans, including rules for printers, etc. I am about to purchase a kit from Empiretech (5 cameras total) and would like confirmation that my plan is sound.

Below are some design specifics, but I'm open to better ideas.

1. I'm leaning toward an 8 channel non PoE NVR so that I have separation in case of failure if NVR ports were to fail (but I'm open to a case for NVR w/PoE).
2. Based on my research, I think I can get by with a inexpensive unmanaged POE+ switch with similar specs to the built-in NVR PoE option (e.g., TP-Link 9 Port Fast Ethernet 10/100Mbps PoE Switch 8 PoE+ Ports @65W)
3. Cable Connections: Connect the NVR and all 5 cameras to the unmanaged switch, connect unmanaged switch to available port on UDM (to be restricted to new Security VLAN traffic).
4. Add additional Security VLAN with new subnet on UDM router and restrict Port 4 to Security VLAN
5. NVR/Cameras: configure new IP static addresses within the Security VLAN subnet
6. Add Firewall rules to restrict Security VLAN devices from talking to Primary network and other VLANs devices, and restrict Security VLAN Internet access (specific details TBD).
7. Setup UDM VPN for remote access via Dahua DMSS

Questions
1. Is it significantly easier to buy the NVR with POE? It seems like it would be the same effort either way since I need to configure new IPs for each security device either way.
2. What is the best method to get firmware updates - firewall exceptions for Internet access or download update files and install from USB?
3. Does anyone have a document/forum post with specific firewall rules for this setup where all security camera devices will be isolated to a separate VLAN?

Thanks for any insights.
 
There are a few users here using ubiquiti networks with isolated vlans and firewall rules. I can't recall who they are.

If you get an NVR with poe built in you will only need to give the NVR wan port an IP on your camera vlan. The NVR will provide its own isolated IP range to the connected cameras.
However you may have issues getting to the web config pages of those cameras. Depending on your vlan rules.
Alternatively you could put the NVR Poe switch into bridge mode which will then essentially put it onto the same vlan subnet as the NVR wan port.
 
Thanks. What are the pros/cons regarding NVR with PoE vs without PoE given my proposed configuration with a PoE switch restricted to a separate Security VLAN?
 
It amounts to the same thing really although Poe nvrs tend to cost more than non Poe nvrs (possibly more than a non Poe NVR plus unmanaged switch).
If you use a Poe NVR the NVR will take care of the IP addressing of the cameras, the cameras will be on the NVR Lan which is essentially a standalone network and won't generally be able to access the internet but this might depend on the NVR.
If you use a non Poe NVR and a separate Poe switch you will need to manage the IP addressing yourself and add the cameras to the vlan to avoid them having internet access.

There's potential that a non Poe NVR might have lower network bandwidth on the camera channels than a Poe NVR but this would depend on the specific models.
 
Thanks. Based on the replies, I think I will opt for a separate PoE switch. Either way, I need to change all the device IP addresses to get them on the Security VLan subnet. I can get an 8 port 1 Gb PoE+ switch for under $100, which is about the additional cost for the NVR w/PoE.
 
Sorry for being late to the party.

From personal experience: My biggest dislike of the NVR with POE as that access to the cameras UI was very difficult since the NVR used an internal LAN. There have been posts that state to connect a laptop via network cable to the NVR and change the IP address but that never worked for me. I would have to disconnect the camera, use a 4 port router to connect with my PC and use a separate power source for the IPC. With my NVR hidden tucked away to prevent theft, the process was a pain in the @ss. I switched to a non-POE NVR and am much happier.

Regarding the NVR, instead of an 8 port, I paid maybe $60 more and got a 32 port. I’m glad did because I went from my original 7 cams to the 9 that I currently have; and plenty of room for more.

For the POE switch, I also supersized. Even though I will probably never use all the available ports, each port has a higher max watts, the same with the unit as a whole. It's an assumption but think that not running the switch near 100% capacity will extend the life; plus if one port fails, I have extras.

I do have a Ubiquiti UDM-Pro and spent hours watching YouTube videos on setting up VLANs (Home, Guest, IPC, IOT) and Firewall rules to prevent cross traffic; it will take some digging in the UI settings but should be able to share the rules if you need assistance.

Side note: I buy my UI products directly from Ubiquiti mostly for the warranty. My 18 month old UDM-Pro was acting weird, and they are sending me a replacement no questions asked.
IMG_4466.pngIMG_4465.pngIMG_4467.jpeg
 
looktall said:
I don't know where you read that but it's really not correct.
Connecting to cameras on a Poe NVR isn't difficult at all.
Click to expand...

Hitting cameras web pages with a laptop in an NVR with POE

I figured I'd make a new post for this. It's nothing particulalry new and I certainly didn't invent this wheel! But I was taught how to do it and I want to pass it on to other people who have NVR's with built in POE. There IS a way to hit the cameras web pages directly, right through the NVR...
ipcamtalk.com ipcamtalk.com
 
  • Like
Reactions: looney2ns
HMC8403 said:

Hitting cameras web pages with a laptop in an NVR with POE

I figured I'd make a new post for this. It's nothing particulalry new and I certainly didn't invent this wheel! But I was taught how to do it and I want to pass it on to other people who have NVR's with built in POE. There IS a way to hit the cameras web pages directly, right through the NVR...
ipcamtalk.com ipcamtalk.com
Click to expand...
That's a 10 year old post.
Do you think things might have changed any since then?
 
  • Like
Reactions: bigredfish
looktall said:
That's a 10 year old post.
Do you think things might have changed any since then?
Click to expand...
To clarify, if you have a monitor and mouse plugged into the NVR, you can access the cameras that way. I have my NVR in an attic (need to drag out the ladder to access) and prefer to make changes via a pc on my home network; that is the limitation.

Another reasons I now believe in non-POE NVRs is costs and initial installation.
1. For overall cost, you will spend about the same for separate POE switch and basic NVR compared to an all in one unit; at least if the POE dies, you only have to replace that instead of also replacing the NVR too. And vise versa.
2. Initial installation was something that I didn’t consider as a rookie. As mentioned, my NVR is in the attic at one end of the house and several cameras at the other end. It was a pain to run five +100ft cable runs from the NRV’s POE to those cameras. Now I just use a single cable run to that end of the house and have a separate 8 port POE switch closer to the cameras.

IMG_0149.jpeg
 
Last edited:
looktall said:
If you can reach the NVR on the network then usually you can reach the cameras plugged into the Poe ports of the NVR through the NVR itself.
Click to expand...
That statement is false, the POE LAN is isolated.
 
I found an inexpensive TP-Link PoE+ 1GB 62W switch that should work just fine for $60 (TP-Link LS108GP). Yesterday I spent some time researching the VLAN and firewall rules and found some good information. I have a good handle on the firewall rules to 1) isolate the security VLAN but enable access to the NVR and cameras through my PC on sitting on the primary LAN, and 2) drop inbound and outbound Internet access for the NVR and cameras. I plan on using the Wireguard firewall to enable access to the cameras from my phone using the DMSS app. The trickiest part looks to be the firewall configuration to enable push notifications to my phone when I am not connected to my network, but I found some great info on a solution that does not require P2P or port forwarding:

Dahua NVR W/ VPN Setup - Push Notifications

How do DMSS push notifications work?
 
i just checked which switch I recently purchased. Surprisingly the NETGEAR I got a year ago for $79 now costs $122, wow!
IMG_4483.jpegIMG_4484.png
 
  • Like
Reactions: bigredfish
HMC8403 said:
That statement is false, the POE LAN is isolated.
Click to expand...
See the internet explorer symbol listed in the web page column?
Clicking on that should take you through to the camera.
I have two different brand nvrs that do this.
QiF2AJ7.jpeg
 
  • Like
Reactions: bigredfish
+1 above!

HMC8403 said:
That statement is false, the POE LAN is isolated.
Click to expand...

Your statement is false.

To clarify for others that find this thread, to get into the camera GUI from the NVR, you need to first access the NVR GUI by going to a computer and opening up a browser (preferably Internet Explorer but Pale Moon will work as well) and type in the IP address of the NVR and login that way. Next go into the camera settings page on the NVR and look for the Microsoft e Web Browser and select it and it will go to the camera GUI (photo credit bigredfish from his PSA thread). Your screen may look a little different to get into the camera gui and see if doing it this way gets you access to some other features the NVR is blocking - do not worry about the Port number and circle as that was from another issue someone posted.

Much simpler than disconnecting the camera from the back of the NVR and hooking it to a POE switch and using IPConfigTool to temporarily change the IP address to your subnet to log into the camera GUI and then reverse it to plug it back in to the NVR.




1715729692343.png
 
  • Like
Reactions: bigredfish and looktall
  • Like
Reactions: looney2ns, bigredfish and looktall
looktall said:
See the internet explorer symbol listed in the web page column?
Clicking on that should take you through to the camera.
I have two different brand nvrs that do this.
QiF2AJ7.jpeg
Click to expand...

^^^^^
This
Also if you do buy a PoE NVR and are worried about the internal PoE switch failing, you can then connect the NVR to an external switch the same as a non PoE NVR and be back in business. So there’s really no downside
 
HMC8403 said:
2. Initial installation was something that I didn’t consider as a rookie. As mentioned, my NVR is in the attic at one end of the house and several cameras at the other end. It was a pain to run five +100ft cable runs from the NRV’s POE to those cameras. Now I just use a single cable run to that end of the house and have a separate 8 port POE switch closer to the cameras.

View attachment 202624
Click to expand...

One of the main reasons why NVR should be installed somewhere other than POE switches for cameras is the possibility of mounting/hiding the NVR somewhere near the TV or any computer display. Thanks to this you have the possibility of monitoring the cameras 24/7 by pressing a single button on the TV remote control and also easy access to remote control of the NVR using a Bluetooth mouse in front of Your TV/monitor.

5/10/20 meter long optic HDMI cables are cheap on amazon...
 
  • Like
Reactions: bigredfish
My apologies if I gave it incorrect information. I was going off of personal experience from around 2019ish. I would have to look up old posts but When I first got my Dahua system from Andy (NVR5216-16P-4ks2E x 1, T5442TM-ZE x 3, T5442TM-AS x 1, T2431T-AS x 2, EW5531-AS x 1), I was having issues with multiple cameras that when I accessed the NVR from another computer on my home network, the blue web browser didn’t work.

I just looked up some old posts and now remember another problem. I used several POE extenders/splitters to add multiple IPCs to a single Cat5 cable Those camera would use port 37777 and the web browser icon would not work on any of them, even directly on the NVR.

Four years and several firmware versions later, maybe this has all been fixed.
 
You must log in or register to reply here.
Top Bottom