Advice Needed on Best Practices for Securing Reolink NVR

CaseyJones

Young grasshopper
Joined
Sep 28, 2020
Messages
41
Reaction score
10
Location
Live Oak, FL
I'm looking for advice on how to best secure my cameras (not just from being used as bots or potential access points into my network, but also from freely streaming live feeds of my property across the web) while utilizing Reolink's NVR and maintaining the ability to use Reolink's mobile app to receive notifications, alerts and for accessing footage and live feeds via the NVR.

I recently purchased a Reolink 16ch 4K NVR and 14 Reolink PoE cameras. I've come across a couple posts on IPCT that illustrate that Reolink has not been very well received by most members. I know most members are running far more advanced networks and BI systems. I watched several YouTube videos and read several tutorials on other sites about BI and it was just way too over my head, so I decided to go with Reolink.

I've read through several threads in the Cyber Security Forum including; "Newbie Starter Guide...", "IPCT Cliff Notes", "Network Security Primer", and "VPN Primer...". Most of the posts are geared towards a system running BI ("double NIC", VPN, etc). I understand the premise of a VPN and being able to remotely access your BI system (or any system on your network) securely via the VPN from outside of your home network, the point behind the double NIC, using a VLAN, and just isolating the cameras completely from the internet.

Theoretically I could put the NVR behind a VPN and use the VPN to remote access the NVR (I'm not sure if this would work) but my goal isn't to access the web UI of the NVR, rather to maintain the functionality and ease of use of the Reolink Mobile App (unless there is some fundamental and well known vulnerability in the Reolink Mobile app that I am unaware of).

Does having the NVR act as the "middle man" between the cams and the internet provide adequate protection (I assume not)? I'm assuming the cameras are using the PoE switch built into the NVR to connect directly to the internet and it's not just the NVR connecting to the internet.

I read all about the basic tips in regards to disabling UPnP, port forwarding and even firewalling the cameras' specific IP/MAC addresses. But since most of the recommendations on what ports to leave open appear to apply to BI, I'm not sure which ports are required for the Reolink system to maintain function and whether the cameras themselves (not just the NVR) need an internet connection to maintain app functionality as well.

Currently my physical network setup is very basic (ISP Modem > Wireless Router), and my plan was to connect the NVR directly to the router I use to connect all my devices to the internet. I had already planned on adding a run of Cat6 from my ISP Modem and purchasing a second wifi router to add coverage. Perhaps using an ASUS router to connect the NVR to the internet and using its advanced VPN and firewall controls is the solution? Or placing a physical firewall device between my current router and the NVR?

Any suggestions, recommendations, experiences (what settings to change/disable, ports to open/close, physical devices to use, firmware/software, procedures, best practices, etc) would be much appreciated before I just plug the NVR into my wireless router and hope for the best.

I'm sure I forgot some stuff, it was a lot of information to take in for a beginner, and lots of switching between open tabs and google searches to comprehend everything.

Thanks!
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
6,861
Reaction score
5,856
Welcome @CaseyJones

1) I'm looking for advice on how to best secure my cameras (not just from being used as bots or potential access points into my network, but also from freely streaming live feeds of my property across the web) while utilizing Reolink's NVR and maintaining the ability to use Reolink's mobile app to receive notifications, alerts and for accessing footage and live feeds via the NVR.

2) I'm sure I forgot some stuff, it was a lot of information to take in for a beginner, and lots of switching between open tabs and google searches to comprehend everything.



Numbers #1 and #2 will make it a challenge.

Running a VPN on your router and turning off non-VPN remote access is typically the place we recommend as a start.
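
One way to verify the "VPN only, no other remote access" starting point recommended above, as an added example that is not part of the original posts: it audits a router's port-mapping table for forwards or UPnP mappings that reach the NVR. The table format, addresses and ports are constructed for illustration; leave `vpn_endpoint` unset when the VPN runs on the router itself.

```python
import ipaddress
import re

# Constructed export of a router's port-mapping table (format is an assumption):
#   <source> <proto> <external_port> -> <internal_ip>:<internal_port>
SAMPLE_TABLE = """\
static TCP 9000 -> 192.168.1.50:9000
upnp   TCP 8554 -> 192.168.1.50:554
upnp   UDP 3074 -> 192.168.1.23:3074
static UDP 51820 -> 192.168.1.2:51820
"""

LINE_RE = re.compile(
    r"^(?P<source>static|upnp)\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)\s*->\s*"
    r"(?P<ip>[\d.]+):(?P<port>\d+)$"
)

def parse_table(text):
    """Parse mapping lines into (source, proto, ext_port, ip, int_port) tuples."""
    rows = []
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised mapping {line!r}")
        rows.append((m["source"], m["proto"], int(m["ext"]),
                     ipaddress.ip_address(m["ip"]), int(m["port"])))
    return rows

def audit(rows, protected, vpn_endpoint=None):
    """Return (severity, message) for every mapping that is not the VPN listener."""
    findings = []
    for source, proto, ext, ip, port in rows:
        target = f"{proto} {ext} -> {ip}:{port}"
        if source == "static" and (proto, ip, port) == vpn_endpoint:
            continue  # the one intended inbound path: the VPN server
        if any(ip in net for net in protected):
            findings.append(("HIGH", f"NVR/camera reachable from the internet: {target}"))
        elif source == "upnp":
            findings.append(("MEDIUM", f"UPnP is still creating mappings: {target}"))
        else:
            findings.append(("LOW", f"non-VPN forward to review: {target}"))
    return findings

PROTECTED = [ipaddress.ip_network("192.168.1.50/32")]       # hypothetical NVR address
VPN = ("UDP", ipaddress.ip_address("192.168.1.2"), 51820)   # hypothetical VPN listener
for severity, message in audit(parse_table(SAMPLE_TABLE), PROTECTED, VPN):
    print(severity, message)
```

An empty result means the only inbound path left is the VPN; any HIGH line is a forward that exposes the NVR or a camera directly.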
 

CaseyJones

Numbers #1 and #2 will make it a challenge.

Running a VPN on your router and turning off non-VPN remote access is typically the place we recommend as a start.
@mat200 Thanks, I'm reading through all the old posts on the VPN Primer for Noobs thread and slowly learning.

The answer is, don't purchase Reolink junk. Return it.
Don't open/forward ANY ports in your router.
Setting up a VPN would work the same for an NVR as it does for Blue Iris.
@looney2ns yeah I figured I would get that response. I could return it and go BI. My fear is I will leave even more gaping and obvious holes in my security by going with BI with my very limited understanding. I'm learning more as we speak. But I would be setting up BI and everything that entails by following a script without really understanding what I'm doing. I think BI is just a little out of my ballpark.
 

samplenhold

Known around here
Joined
Aug 8, 2018
Messages
2,496
Reaction score
5,311
Location
Spring, Texas
My fear is I will leave even more gaping and obvious holes
If you have those fears, what makes you think that the same issue will not be present with an NVR kit? BI is just an NVR on a PC. You will still have to learn about the Reolink NVR but few here can actually help since it is considered junk by most folks here and they would never purchase one.

If you are that afraid of BI, then at least get a better NVR kit like the Lorex (Dahua OEM) kits that have been talked about here. Kits in general are not that great. But if kit you must, get a better one than Reolink.
 

CaseyJones

If you have those fears, what makes you think that the same issue will not be present with an NVR kit? BI is just an NVR on a PC. You will still have to learn about the Reolink NVR but few here can actually help since it is considered junk by most folks here and they would never purchase one.

If you are that afraid of BI, then at least get a better NVR kit like the Lorex (Dahua OEM) kits that have been talked about here. Kits in general are not that great. But if kit you must, get a better one than Reolink.

I'm digging through all the BI How-To threads right now. Some of the benefits do seem to be worth the trade-off in the amount of time it's going to take me to learn. I was really looking for just a simple solution to replace the drawbacks in my current mix of WiFi based cameras. But seeing as I'm going to go through all the trouble I might as well go for it. Reading as I type on spec-ing out the computer build. I've got 20 some odd days left to return the Reolink so I'm gonna keep digging into BI for now.
 