BI, VPN and Unifi USG

DLONG2

May 17, 2017

I am almost there with my home cameras, but am struggling with VPN and networking, using the Ubiquiti USG and a UniFi switch.

BI is running on its own dedicated PC, and that PC and the IP cameras are on their own VLAN. The cameras are blocked from accessing the internet via a 'LAN IN' rule. The current port-forward points to the BI PC on the BI VLAN, and remote access is working well. But I want to engage the VPN solution.

Here are the networks:
Corporate: 192.168.1/24
BI_LAN: 192.168.55.1/24
VPN remote user: 10.0.25.1/29

My iPhone is on the corporate LAN. I disable LTE and use WiFi only; when I run the Net Analyzer app, it shows an IP of 192.168.1.100. I cannot ping the BI PC, but can connect to it in the BI app and view the cameras. Not sure why this would be, as the BI LAN server address is on the BI VLAN.

The VPN works well on my iPhone, and the Net Analyzer shows a VPN IP of 10.0.25.1. When I try to run the BI app it fails, and I believe it's because the VPN network can't access the BI network.

Any pointers appreciated.
 
I would like to know as well. I have a similar setup; I am moving from a Netgear R7000 to Unifi USG, USW, UAP, UCK. I haven't started VPN (currently the BI machine is local only). Thanks
 
I think the BI app is using some sort of cloud service to connect the app and your PC, therefore negating the fact that your phone and the BI machine are on different subnets?


 
giomania: Then I wonder about the use of VPN to view the cameras. What is the actual process to do so? Would one use the BI app via VPN? Or just load up the localhost address in a browser while in VPN? I looked at the VPN Primer for Noobs and didn't see anything about how to actually view cameras via VPN.
 
I haven't set up my VPN as yet.
However, once you are connected to your network via VPN, you can use the app with the local IP address of the BI machine, or use the browser with the local address.
No port should be required.

The BI app doesn't use a cloud service as far as I know.
 
Thanks Chris, I think my problem is that I had segmented the network clients into separate LANs (one for Blue Iris stuff, and another for everything else), and haven't established the proper firewall rules to bridge the data between LANs. The construct of VPN in the USG requires a separate LAN, though.
 
No doubt this will be a configuration issue in your USG.
UBNT has a very good support forum. Might give it a look. Great products but I have found the learning curve to be steep.
 
Thanks Chris, I think my problem is that I had segmented the network clients into separate LANs (one for Blue Iris stuff, and another for everything else), and haven't established the proper firewall rules to bridge the data between LANs. The construct of VPN in the USG requires a separate LAN, though.

I set up my Ubiquiti EdgeRouter Lite with the WAN2LAN2 (or something like that, LOL) wizard and it automatically set up the firewall rules with the established/related connections between subnets by default.

So when I am on my LAN (wired or Wi-Fi), I can get to my cameras which are on a separate subnet.

I am only currently using the iDMSS Lite app from Dahua, but before I set up OpenVPN on my EdgeRouter I could not view the cameras. I can view them fine when using the VPN.

I had a steep learning curve with OpenVPN due to no experience with the command line. I recorded detailed instructions and I have a 45-page document for reference. I would be happy to share if you think it would help you.

Mark


 
I am almost there with my home cameras, but am struggling with VPN and networking, using the Ubiquiti USG and a UniFi switch.

BI is running on its own dedicated PC, and that PC and the IP cameras are on their own VLAN. The cameras are blocked from accessing the internet via a 'LAN IN' rule. The current port-forward points to the BI PC on the BI VLAN, and remote access is working well. But I want to engage the VPN solution.

@DLONG2 did you ever get this working?
 
Yes, thanks, Bob, I did get the Unifi USG to route a VPN connection into the VLAN where Blue Iris resides. It took a little work to figure out, with Radius services, users, and VLANs. But it works really well. Good riddance to port-forwarding!
 
Yes, thanks, Bob, I did get the Unifi USG to route a VPN connection into the VLAN where Blue Iris resides. It took a little work to figure out, with Radius services, users, and VLANs. But it works really well. Good riddance to port-forwarding!

Care to share? All cameras are on my corporate network. I would like to Vlan them and VPN like you have done.

Thanks,

Michael
 
Hi Michael,

I am not very good at networking, but was able to get the UniFi USG and UniFi switch to work with a separate Blue Iris VLAN and VPN, so I can only speak to that hardware. If anyone can see anything wrong or a better way to do it, then please let me know.

  • In the SETTINGS/NETWORKS, create the new BI network. I chose 192.168.50.1/24, as Corporate LAN, and entered 50 as the VLAN number.
  • In the SETTINGS/NETWORKS, build a new VPN network. I chose 192.168.60.1/24. Rather than Corporate, it is set as 'Remote User VPN'. The type is L2TP Server, and a Pre-shared key is set. The RADIUS Profile is set to Default.
  • In the DEVICES, on the UniFi PoE switch that the cameras and BI PC are connected to, each port used for a camera or the BI PC was set to this "LAN_BI (50)". That fully segments the devices. Each device needs to have a static IP set within this VLAN 50, which will be used in the firewall rules.
  • In the SETTINGS/PROFILES, make sure the Default Radius has the VLAN Support option checked.
  • In the SETTINGS/SERVICES/RADIUS/Users, this is where you will build the VPN users. Build as many as you will need. Each user has a name and password. The VLAN is set to the BI VLAN number built above. Tunnel Type = 3, Tunnel Medium Type = 1.
  • In the SETTINGS/SERVICES/RADIUS/Server, enable the RADIUS server, add a secret key, and the rest are defaults as I recall. In my case, I used the same secret key here that I had set above in the VPN network Pre-shared key.
  • In the SETTINGS/ROUTING & FIREWALL/FIREWALL/GROUPS, create a new group named 'Cameras' type = Address, and add in the IP addresses of the cameras.
  • In the SETTINGS/ROUTING & FIREWALL/FIREWALL/RULES/WAN_OUT, create a rule: Applied before predefined rules, Action = Drop, Protocol = All, IPsec = Don't Match, Source type = Address/Port Group, Address Group = 'Cameras'. Destination is left unset. This will block the cameras from calling home through the internet. You can test this by adding in the BI PC to the camera group to assure that it cannot reach the internet. Then remove its listing from the camera group.
  • In the SETTINGS/ROUTING & FIREWALL/FIREWALL/GROUPS, create a new group (mine is named 'VPN-to-BI_PC'). In this group, type = Address. Add in the IP of the BI PC, and of as many RADIUS users as built above, such as 192.168.60.1 and 192.168.60.2 for maybe two different mobile devices. [EDIT: And add the WAN IP to this group as well.] It is a concurrent user arrangement, so the maximum users defined would be the maximum allowed. I believe another good way would be to just enter '192.168.60.1/24', but I haven't tested that.
  • In the SETTINGS/ROUTING & FIREWALL/FIREWALL/RULES/LAN IN, create a new rule (mine is named 'Allow VPN to Reach BI_PC'). Again, you want Before Predefined Rules, Action = Accept, Protocol = All. Don't match, and for Source, select Address Group and point to the 'VPN-to-BI_PC' defined above. The same group is selected for the Destination.
These settings should get the VPN to connect to the BI PC. Within the BI app on the mobile, be sure to set both the LAN and WAN servers as the local BI_PC IP address, followed by the required port number.

Within the mobile's built-in VPN (Android), I chose L2TP/IPSec PSK. The server address is the public WAN IP provided by the ISP.

There are other rules to add; for example, when I wanted a Wi-Fi camera to reach BI, I had to create a rule for that. In addition, I have a rule in LAN IN which blocks Source VLAN50 (192.168.50.0/24) from VLANs (all other networks).
I also have a rule which allows my mobiles to reach BI while at home on the Wi-Fi, and this list of addresses includes things such as the Firestick and Smart TVs so I can connect to UI3.htm within the home.

Hope this helps. Please let me know if I missed anything.
 
After going round and round, DLONG2 helped me get it set up along with the info here.

UniFi - USG VPN: L2TP Remote Access VPN with USG as RADIUS Server

Here are some screenshots of the areas you need to program. My system does not use VLANs at the moment; I need to spend some time to lay them out so I only do it once.

Use the same password in "Pre-Shared Key" and "Secret".

Unifi Networks.JPG


Unifi Server.JPG

Unifi User.JPG


To make sure the VPN is working add the VPN widget to the Unifi dashboard.

Dashboard.JPG

Also if you are using the BI App, DLONG2 reminded me to make the WAN address the same as the LAN address.

Good luck,
Bob
 
Also if you are using the BI App, DLONG2 reminded me to make the WAN address the same as the LAN address.

It was fenderman himself who helped me earlier with the Blue Iris app settings.
 
With a segmented VLAN for Blue Iris . . .

To connect a Wi-Fi camera:
  • In the SETTINGS/ROUTING & FIREWALL/FIREWALL/GROUPS, create a new group (mine is named 'WIFI_CAM'). In this group, type = Address. Add in the LAN IPs of any Wi-Fi cameras on the WLAN.
  • In the SETTINGS/ROUTING & FIREWALL/FIREWALL/GROUPS, create a new group (mine is named 'VLAN50'). In this group, type = Address. Add in full VLAN range IP, such as '192.168.50.0/24'.
  • In the SETTINGS/ROUTING & FIREWALL/FIREWALL/RULES/LAN IN, create a new rule (mine is named 'ALLOW VLAN50 TO WIFI CAM'). Again, you want Before Predefined Rules, Action = Accept, Protocol = All. Don't match, and for Source, select Address Group and point to the 'VLAN50' defined above. The Destination group is 'WIFI_CAM' defined above.
To connect mobile devices to the Blue Iris app while at home, and to allow Fire Stick or Smart TVs to use the UI3.htm browser:
  • In the SETTINGS/ROUTING & FIREWALL/FIREWALL/GROUPS, create a new group (mine is named 'Mobile_Phones_to_BI'). In this group, type = Address. Add in the LAN IP of the Blue Iris PC, and the LAN IPs of any mobile device or Wi-Fi enabled smart TV device where you want the browser to work.
  • In the SETTINGS/ROUTING & FIREWALL/FIREWALL/RULES/LAN IN (and also in LAN LOCAL), create a new rule (mine is named 'Allow Mobile to Reach BI'). Again, you want Before Predefined Rules, Action = Accept, Protocol = All. Don't match, and for Source, select Address Group and point to the 'Mobile_Phones_to_BI' defined above. The Destination group is also set to 'Mobile_Phones_to_BI'.
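The LAN IN and WAN OUT rules from DLONG2's two posts above, modelled as an added example (not UniFi's code or the poster's configuration) so the intended flows can be checked before they are entered in the controller. Host addresses for the BI PC, cameras and phone are constructed, 203.0.113.5 is a placeholder for the WAN IP, and treating the USG's predefined LAN IN behaviour as a trailing accept is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

# Address groups as described in the thread. Host addresses for the BI PC,
# cameras and phone are constructed; 203.0.113.5 stands in for the WAN IP.
GROUPS = {
    "Cameras": ["192.168.50.21", "192.168.50.22"],
    "VPN-to-BI_PC": ["192.168.50.10", "192.168.60.1", "192.168.60.2", "203.0.113.5"],
    "VLAN50": ["192.168.50.0/24"],
    "WIFI_CAM": ["192.168.1.40"],
    "Mobile_Phones_to_BI": ["192.168.50.10", "192.168.1.100"],
    "Other_Networks": ["192.168.1.0/24", "192.168.60.0/24"],  # corporate LAN, VPN
    "Any": ["0.0.0.0/0"],
}

@dataclass
class Rule:
    name: str
    action: str  # "accept" or "drop"
    src: str     # source address group
    dst: str     # destination address group

# Rule sets in evaluation order: the accept rules sit above the VLAN50 block so
# they match first ("Before Predefined Rules"). Modelling the USG's predefined
# behaviour as a trailing accept is an assumption of this example.
RULESETS = {
    "LAN_IN": [
        Rule("Allow VPN to Reach BI_PC", "accept", "VPN-to-BI_PC", "VPN-to-BI_PC"),
        Rule("ALLOW VLAN50 TO WIFI CAM", "accept", "VLAN50", "WIFI_CAM"),
        Rule("Allow Mobile to Reach BI", "accept", "Mobile_Phones_to_BI", "Mobile_Phones_to_BI"),
        Rule("Block VLAN50 to other networks", "drop", "VLAN50", "Other_Networks"),
        Rule("default", "accept", "Any", "Any"),
    ],
    "WAN_OUT": [
        Rule("Drop cameras to internet", "drop", "Cameras", "Any"),
        Rule("default", "accept", "Any", "Any"),
    ],
}

def in_group(ip, group):
    # True if ip falls in any host or CIDR entry of the named address group.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in GROUPS[group])

def evaluate(ruleset, src, dst):
    """Return (action, rule name) of the first rule in the set matching src -> dst."""
    for rule in RULESETS[ruleset]:
        if in_group(src, rule.src) and in_group(dst, rule.dst):
            return rule.action, rule.name
    return "drop", "no match"  # unreachable: every set ends with a catch-all
```

Because 'VPN-to-BI_PC' is used as both source and destination, evaluate("LAN_IN", "192.168.50.10", "192.168.60.2") is accepted by the same rule as the forward direction, which is why the return traffic from the BI PC is not caught by the VLAN50 block.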
 
Well, I can connect to my network but can’t connect to BI. I haven’t separated the cameras yet so I am VPN in with 192.168.60.0/24 and my Corporate network is 192.168.0.0/24. I’m obviously missing a step.