Doorbell, privacy and managed switch

livebild

Young grasshopper
Joined
Aug 22, 2020
Messages
34
Reaction score
4
Location
Berlin
Hello,

I just ordered a Dahua VTO4202F-X system (doorbell + indoor station) and now I need to decide about the PoE+ switch.
I am a bit concerned about privacy, as I am ordering a product built in China (where privacy is not much of a concern).

Does it make sense to order a managed PoE+ switch in order to have better privacy?
What are the best practices with these smart doorbells?
Is it possible to get all the benefits without the privacy/safety drawbacks if I use the right architecture?

Thanks for any idea on this topic.

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Hi @livebild,

you are asking the right question. Unfortunately, there is no "right" answer :) "It Depends" is appropriate here.

Let me try to explain a bit further: having a managed PoE(+) switch in itself does not add anything for "better privacy". It all depends on how you want to / can configure it. If you're implementing VLANs (good thought btw!) that is great, but that means you'll need an upstream Layer 3 router which is VLAN-capable too. Unless you want to have the doorbell in that isolated VLAN anyhow, but then you can forget any outbound capability (e.g. push notifications when someone rings the bell).

So it comes down to grabbing a piece of paper, and drawing (physically, with wiring) & (logically, with VLANs/subnets/gateways/firewalls) what you think you want to achieve. Like I wrote: nothing is perfect. You want Fort Knox, that is feasible. You want a bit less, that is... also doable :) If you want to (re-)use an existing router, that's good, note down the capabilities (e.g. a 5-year-old TP-Link might not support VLAN routing) yet an EdgeRouter will do just fine.

In terms of privacy: my VTO2000 is connected to its own PoE switch (nothing else on there), terminated in a managed switch in a camera VLAN, together with an NVR with a shitload of cameras. The NVR is always recording the doorbell too. So that's fully isolated. I only allow one outbound TCP port (2195 to be precise) for push notifications (e.g. when someone rings the bell, or the NVR IVS system grabs something of interest). However, there it ends! Nobody (not from WAN, not even from LAN) can access the video feeds nor "answer" the door. For that, a VPN needs to be opened (which is 24/7 always open on my mobile devices, not only for my own privacy on 4G/wifi networks), and from there I can view/access/answer these things.

Is this "the best" solution? Don't know, maybe in 5 years VPN is hacked and fully obsolete, but till then, this works just fine.

Hope this gives you some inspiration!
CC

livebild

Hi @catcamstar,

For the moment I don't have much, only my DSL router (Fritz!Box), and you are right, I had VLANs in mind when I was talking about a managed switch (I have to buy a switch anyway, as my DSL router doesn't have enough Ethernet ports).

I was thinking about isolating the doorbell/indoor station in a separate VLAN but:
  1. I need to be notified about incoming visitors on my smartphone: as you said I probably need to open port 2195 (TCP)
  2. I need to be notified about incoming visitors on the Fritz!Fon (linked to the DSL router Fritz!Box): not sure yet about the voice/video protocol (called Live-Bild or something like that)
  3. I need to be able to answer the incoming visitor either on the smartphone or the Fritz!Fon
Especially about point 3, I don't know if it can be done without creating a VPN like you did. I really would prefer to avoid having an always-on VPN on my phones.

Thanks for your input !

catcamstar

Hi @livebild, thanks for coming back!

So regarding points:
1) Remember, 2195 is for the Dahua VTO; other vendors might require other or more ports. But this is the easiest part.
2) This is getting a bit more complex. What you are actually looking for (or have to be looking for) is SIP. Have a look at this article in German: Dahua VTO2000A – Komplettanleitung für die Türsprechanlage mit Fritzbox via Asterisk – wolf-u.li ("Dahua VTO2000A – complete guide for the door intercom with a Fritz!Box via Asterisk"). In other words, by using Asterisk and hooking the VTO together, you might get further. But you might need to rethink the whole concept of your VLAN setup, because IF your Fritz!Box does not support VLANs, and they need to enter the Asterisk VLAN, that might conflict with a "fully separated" camera VLAN.
3) Smartphone check. Fritz!Fon: depending on (2). However, if you don't want an always-on VPN, you are always able to use the "included P2P" capability, which opens a VPN tunnel towards China's capital, and when you get your push notification, you hop into that tunnel and you can answer the doorbell/watch the feeds without needing to open your own VPN. But that implies no privacy at all. No security at all. Hence the title of your original post: I would never ever dare to use that. Ever.

Hope this helps!

Bye!
CC

livebild

2) In the German forum, it has now been found that Dahua issued a firmware with a SIP server inside. So there is no need for Asterisk anymore.
The Fritz!Box can define VLANs as well:

3) Interesting about the Dahua P2P, but you are right, too many problems are associated with that.
Is it not possible to access the doorbell by only opening a port in the firewall and with strong authentication (user/password)? I would think this would be a good enough compromise if I have a fixed IP address.

catcamstar

Hello @livebild,
Opening a port and forwarding it to your VTO (or any other device) with basic authentication is not the best way forward. Why? First of all: port scans happen all the time. And your VTO will reply with a known string, and all hell will break loose. Secondly, your VTO will NOT handle all that hacking, and will subsequently fare worse, all in your "internal network". Thirdly, there have been known cases of "hidden" user/password combos (8888888 / 666666666), and this won't be the last time.

Just take note that security by obscurity worked in 1990, not in 2020. Compromises should never be accepted, especially with "unknown" IoT devices (under which these doorbells fall). You should treat them accordingly.

Hope this helps!
CC

livebild

Ok thanks I think I got the picture.
If I understand correctly, this should do the trick:
1) Buy a managed switch and put the doorbell + indoor station on a separate VLAN
2) devices inside the VLAN can communicate with each other, but the only outbound open port is 2195 (push notification)
3) devices inside the VLAN can however access the DSL router (to ring the Fritz!Fon when someone rings the doorbell)
4) devices from outside the VLAN (on my LAN) can access the devices inside the VLAN
5) I will create a VPN which can access my LAN from outside

Compared to your approach, the VLAN needs to have access to the DSL router (no way to avoid that I suppose, because the included SIP server needs to contact the DSL router) and the local LAN can access the VLAN.

How have you configured the VLAN in order to be accessible only from a VPN?
Why did you also prevent your LAN from accessing the VLAN? Your LAN should be safe?

Thanks a lot for your help.
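The five-point plan above, written out as firewall rules. This is an added example and not something from the thread or from either poster: an iptables script for a Linux-based router (the kind of box livebild later mentions, an Asus running Tomato with iptables access) placed behind the Fritz!Box. Interface names, subnets, the Fritz!Box address and its RTP port range are assumptions, marked as such in the script; replace them with your own. The policy it implements: only TCP/2195 (the push port the thread names) may leave the VLAN for the internet, SIP and RTP may reach the Fritz!Box and nothing else, the private LAN and VPN clients may open connections into the VLAN, the VLAN can open none back, and the router's own admin interface is closed to the VLAN.

```shell
#!/bin/sh
# Added example, not from the thread: the five-point plan as iptables rules for a
# Linux-based router (e.g. Tomato/Merlin on an Asus) placed behind the Fritz!Box.
# Everything in this block is an ASSUMPTION to adapt: interface names, subnets,
# the Fritz!Box address and its RTP port range.
WAN=eth0                # uplink towards the Fritz!Box LAN
LAN=br0                 # private LAN (PCs, NAS)
CAM=br1                 # camera VLAN: VTO doorbell, indoor station, NVR
VPN=tun0                # VPN interface the phones connect through
LAN_NET=192.168.1.0/24
CAM_NET=192.168.20.0/24
VPN_NET=10.8.0.0/24
FRITZ=192.168.178.1     # Fritz!Box, whose SIP server rings the Fritz!Fon
PUSH_PORT=2195          # the one outbound port the thread names for Dahua push
SIP_PORT=5060
RTP_RANGE=7078:7109     # assumed Fritz!Box RTP range; check its telephony settings

# cam_rules prints the iptables commands in order; "cam_rules | sh" installs them (as root).
# Rules that must beat the firmware's own LAN->WAN accept are inserted (-I) at the top
# of FORWARD/INPUT; the rest are appended to the custom chains.
cam_rules() {
cat <<EOF
# stateful replies in both directions, evaluated before anything else
iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# every NEW connection leaving the camera VLAN goes through CAM_OUT
iptables -N CAM_OUT
iptables -I FORWARD 2 -i $CAM -m conntrack --ctstate NEW -j CAM_OUT
# point 2: push notifications, TCP/$PUSH_PORT to the internet and nothing else
iptables -A CAM_OUT -o $WAN -p tcp --dport $PUSH_PORT -j ACCEPT
# point 3: SIP signalling and RTP audio, but only to the Fritz!Box
iptables -A CAM_OUT -o $WAN -d $FRITZ -p udp --dport $SIP_PORT -j ACCEPT
iptables -A CAM_OUT -o $WAN -d $FRITZ -p udp --dport $RTP_RANGE -j ACCEPT
# anything else from the VLAN (private LAN, other internet ports, vendor P2P cloud): log and drop
iptables -A CAM_OUT -m limit --limit 5/min -j LOG --log-prefix "CAM-DROP: "
iptables -A CAM_OUT -j DROP
# the router itself serves the VLAN DHCP and DNS only (DNS so the VTO can resolve the push host), never its admin UI
iptables -N CAM_IN
iptables -I INPUT 1 -i $CAM -j CAM_IN
iptables -A CAM_IN -p udp --dport 67 -j ACCEPT
iptables -A CAM_IN -p udp --dport 53 -j ACCEPT
iptables -A CAM_IN -j DROP
# points 4 and 5: the private LAN and VPN clients may open connections into the VLAN;
# the VLAN cannot open any back (those hit CAM_OUT and are dropped)
iptables -I FORWARD 3 -i $LAN -o $CAM -s $LAN_NET -d $CAM_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD 4 -i $VPN -o $CAM -s $VPN_NET -d $CAM_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# rule_count: number of iptables commands the policy consists of (comment lines excluded)
rule_count() { cam_rules | grep -c '^iptables'; }

case "${1:-}" in
  apply) cam_rules | sh ;;   # install on the router
  *)     cam_rules ;;        # default: print the rules for review
esac
```

Run it without arguments first and read the output; run it with `apply` on the router (on Tomato, paste the body into the firewall script so it survives a reboot). After the first test ring, look for `CAM-DROP:` lines in `dmesg`: they tell you exactly which extra destination or port the VTO firmware tried to use (NTP, a second push port, the P2P cloud), so you can decide per entry whether to add a rule or leave it blocked. Note that the doorbell and the NVR talk to each other inside the VLAN on the same bridge, so none of these rules get in the way of local recording.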

catcamstar

Hi @livebild - your scenario does make sense, although I'm not certain that the Fritz!Box, whilst "supporting VLANs", is also capable of routing those VLANs (e.g. into the internet), because for that, you do need some firewalling. With an EdgeRouter, it's easy peasy; if you can't secure the VLANs on the Fritz!Box, you're farther away from a decent solution.

So in my case, I got a "bridged" ISP router thing. Nothing is "terminated", no WAN IP, no routing tables, nothing. That is all performed by the EdgeRouter, which owns WAN, and VLANs, and VPN. That VPN arranges all routing into each of the VLANs.

Why did I prevent LAN access? As there are some "wifi-guest" VLANs too, and I didn't want my guests (nor my kids) to watch the feeds, I blocked all. Except with the VPN "open" (remember, on my phone it's always-on), I can access everything.

Hope this helps!
CC

livebild

Hello @catcamstar,

The Fritz!Box would have been capable of handling the VLANs and firewall rules, however it has just 4 Ethernet ports, which is really not enough.
I wanted to have a managed switch which could also manage VLANs and firewall rules (which port is open, in which direction, etc.).

If such a switch exists, then the Fritz!Box is not really relevant: it is just a device which happens to have the DHCP server and the Internet gateway.

Does a managed switch which includes a firewall not exist? It is quite difficult to read about what exactly the managed switches are capable of.

I am also a bit surprised not to find many resources about this particular topic (security cams/doorbells and privacy). Are we the only ones who care about privacy ;-)

Thanks

livebild

Something which looks a bit like what I am looking for:
Or in German:

The EdgeRouter really looks nice, it seems to do everything I would like (even with PoE-out) but I have trouble understanding how it should interact with the Fritz!Box.
If I buy an EdgeRouter, what could be the feature missing in the Fritz!Box to "route the VLAN into the Internet"?

Thanks a lot, it is not very easy for me to understand.

catcamstar

Hi @livebild, I fully agree with you, for a home user, VLAN concepts were unreachable a couple of years ago. Even an SMB will not think of it. These concepts were top-notch banking & governmental standards for years, and required expensive gear from Cisco and others.

You referred to that Netgear: indeed, that switch is able to do this. But it's not a "standard" capability. Let me try to explain this in short: normally, a ROUTER does Layer 3. A switch is Layer 2 (in comparison, a "hub" does Layer 1). That Netgear is a SWITCH which can do (limited) L3 capabilities. The EdgeROUTER is a ROUTER doing L2 capabilities. Why the difference: a switch (and its hardware) is optimised for SWITCHING. A router for... routing. Which means, if you compare the technical bandwidth specifications, an L3 switch underperforms against an L3 router, yet an L3 router doing "switching" is outperformed by an L2 switch. Does this matter? Only if you do 24/7 full-HD streaming on 128 channels; then it might hog your device and not your ISP uplink.

Hope this helps!
CC

livebild

Ok @catcamstar I got it I think.
I have forgotten that I have a nice Asus RT-AC68 lying around which has Tomato installed on it. I think I can recycle it into a router+switch to properly isolate the doorbell/indoor station.
If I remember correctly, I was able to directly enter iptables instructions into it, so there is not much it can't do.
Very interesting insights, thanks a lot !

Jessie.slimer

BIT Beta Team
Joined
Aug 23, 2019
Messages
1,627
Reaction score
4,657
Location
Illinois
Some interesting reading here. @catcamstar are you saying that if you put an IoT device such as a doorbell or home automation hub, etc. on a VLAN there is no way for it to reach out to the internet on its own for things like notifications? I'm interested in this topic as well because I will also be adding a doorbell. It also got me thinking if I have my home automation stuff properly secured.

catcamstar

Indeed, drag some of RMerlin's firmware onto it, and you've got a whopping nice Linux-prompted piece of network gear in your hands. There are some models which even support VLANs, however my AC87 didn't (because of split/dual networking chipsets). Search the SNB forum for that level of detail.

Good luck!
CC

catcamstar

Hello @Jessie.slimer, if you define a VLAN (which of course has its own subnet), it acts like a physically separated network. No other PC nor the internet can access that VLAN. You need to tell a router (and I leave open whether this is a dedicated router and/or an L3 switch "acting" as one) to do something with that traffic. If you apply a "standard" route so that (for example) 192.168.20.x is routed to 192.168.1.1 (ISP gateway), then for obvious reasons, the whole VLAN can access the internet. Which, of course, undermines the concept of a VLAN, doesn't it?

So there are different "alternatives" to solve this equation: you can define static routes (e.g. your desktop PC in your home office with IP 192.168.30.15 can access all cameras in 192.168.20.x), but those are difficult to maintain and update. Also if kiddo changes his IP to 192.168.30.15, you'll need additional MAC-spoofing security rules. Hence the reason why I opted for VPN-always-on: as long as the VPN is enabled, access is granted to the camera VLAN. Is that safer/more secure? No, it isn't, as security keys are also "stupid" files and passwords can be grabbed with keyloggers. So lots of options for the "inbound" traffic.

Outbound is almost the same: you can define access rules for inter-VLAN or outbound internet traffic. It all depends on the "dependencies" of your IoT device: it wouldn't make sense to open port XYZ which creates a P2P tunnel to a grey-zoned Alibabababa service which exposes your whole (V)LAN and block all other ports. That's Fort Knox with the gates open. Hence I liked the VTO requirements for push notifications: only port TCP/2195 is required. Imagine you want a Google Home/Alexa in that VLAN, that would require some more twiddling to figure out which ports are required to provide fully functioning interfaces.

Hope this helps!
CC

Jessie.slimer

That's helpful. So if I set up separate VLANs for my SmartThings hub, for instance, on my router and routed it to the internet, nothing on that VLAN network could access my other home network with my personal info? But at the same time it should have full functionality due to it having full internet access?

Thanks from a networking noob.

catcamstar

Indeed, you got it 100% correct! And the easiest way to test: put a laptop in the first VLAN, and ping something in your "private" LAN (e.g. your NAS). Plan, Test, Verify and go! :p

Hope this helps!
CC
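The "Plan, Test, Verify" step above, as an added example that is not part of the thread: a small POSIX shell script to run from a laptop patched into the camera VLAN. It probes what the isolation should block (a LAN host, the router's admin page, the Fritz!Box web interface, an arbitrary internet port) and what it should allow (TCP/2195 to the push server, if you set PUSH_HOST), and prints PASS/FAIL per check. The addresses are assumptions; OpenBSD-style `nc` (for `-z -w`) and iputils `ping` (for `-W`) are assumed to be installed. UDP traffic (SIP and RTP to the Fritz!Box) cannot be probed this way; confirm that by ringing the bell and watching the Fritz!Box call log or `tcpdump` on the router.

```shell
#!/bin/sh
# Added example, not from the thread: isolation check to run from a laptop patched
# into the camera VLAN. Addresses are ASSUMPTIONS; set PUSH_HOST to the server your
# VTO actually contacts. Needs OpenBSD-style nc (-z -w) and iputils ping (-W).
NAS=${NAS:-192.168.1.10}           # a host on the private LAN
ROUTER=${ROUTER:-192.168.20.1}     # the camera-VLAN gateway (router admin UI)
FRITZ=${FRITZ:-192.168.178.1}      # Fritz!Box web UI (only SIP/RTP should be allowed there)
PUBLIC=${PUBLIC:-1.1.1.1}          # any public address, to prove generic internet access is closed
PUSH_HOST=${PUSH_HOST:-}           # push server; leave empty to skip that check
PUSH_PORT=2195

# probes: exit 0 when the target answered, non-zero when nothing came back
tcp_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }
icmp_up()  { ping -c 1 -W 2 "$1" >/dev/null 2>&1; }

# judge EXPECT RC -> prints PASS or FAIL. EXPECT is "open" or "blocked"; RC is the probe's exit status.
judge() {
  case "$1:$2" in
    open:0)          echo PASS ;;
    blocked:[1-9]*)  echo PASS ;;
    *)               echo FAIL ;;
  esac
}

# check LABEL EXPECT PROBE ARGS...: runs one probe, prints the verdict, returns 1 on FAIL
check() {
  label=$1; expect=$2; shift 2
  rc=0; "$@" || rc=$?
  verdict=$(judge "$expect" "$rc")
  printf '%s  %-42s (expected %s)\n' "$verdict" "$label" "$expect"
  [ "$verdict" = PASS ]
}

# run_all: the "ping the NAS from the VLAN" test, plus the checks that catch a VLAN
# that is merely a separate subnet with unrestricted routing between it and everything else
run_all() {
  fails=0
  check "ping NAS $NAS"                      blocked icmp_up  "$NAS"        || fails=$((fails+1))
  check "TCP $NAS:445 (SMB)"                 blocked tcp_open "$NAS" 445    || fails=$((fails+1))
  check "TCP $ROUTER:80 (router admin UI)"   blocked tcp_open "$ROUTER" 80  || fails=$((fails+1))
  check "TCP $FRITZ:80 (Fritz!Box web UI)"   blocked tcp_open "$FRITZ" 80   || fails=$((fails+1))
  check "TCP $PUBLIC:443 (generic internet)" blocked tcp_open "$PUBLIC" 443 || fails=$((fails+1))
  if [ -n "$PUSH_HOST" ]; then
    check "TCP $PUSH_HOST:$PUSH_PORT (push)" open tcp_open "$PUSH_HOST" "$PUSH_PORT" || fails=$((fails+1))
  fi
  # UDP (SIP 5060 / RTP to the Fritz!Box) cannot be probed with nc -z; confirm it by
  # ringing the bell and watching the Fritz!Box call log or tcpdump on the router.
  echo "$fails check(s) failed"
  [ "$fails" -eq 0 ]
}

if [ "${1:-}" = run ]; then run_all; fi   # invoke as: sh vlan-check.sh run
```

A FAIL on any "blocked" line means the VLAN is routed like an ordinary subnet and the firewall step is missing or ordered wrongly; a FAIL on the push line means the notification path is cut and the doorbell will ring only the Fritz!Fon. Run it once more from a laptop on the private LAN with the expectations inverted in your head: from there the NAS and the VLAN devices should all answer, which is the "LAN may reach the VLAN, not the other way round" half of the plan.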