How to get a Hikvision camera connected to the PoE ports of a Hikvision NVR to access the WAN (WWW)?

Any reason I should be concerned about the setup?
I think that varies with the camera brand / firmware. Hikvision aren't too bad.

My cameras do not cover any sensitive or indoor areas.
It's as much about what can be done by a bad actor via the Linux device that's inside your private network as it is about seeing what the camera is seeing.

You might find it instructive to temporarily create a WAN block rule with logging for an individual camera IP address just to see what, if anything, gets attempted.
Edit: Sorry - a LAN block rule. Though that may pick up the redirected traffic from the static route if the source device doesn't do the redirect itself.
I have a couple of Chinese cameras that 'beacon' a few cryptic bytes on a specific port to a couple of Chinese IP addresses every few minutes.
It's probably the manufacturer trying to judge the installed base, but it gets blocked anyway.
 
Thanks, I will do some research on how to do that logging and make this a weekend project.
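One way to review what the logging block rule suggested above catches, as an added example that is not part of the original posts: it parses firewall log lines, keeps blocks sourced from the camera subnet, and flags destinations hit at near-constant intervals, which is the "beacon" pattern described earlier. It assumes pfSense's raw filterlog CSV layout for IPv4 TCP/UDP entries; the log lines, the interface name, the tracker ID, the destination addresses and the thresholds are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CAMERA_NET = ipaddress.ip_network("192.168.254.0/24")  # NVR PoE subnet from this thread

# Constructed sample log; interface, tracker ID and destination addresses are made up.
SAMPLE_LOG = """\
<134>1 2024-01-12T10:00:00+00:00 fw filterlog 411 - - 5,,,1700000001,igb1,match,block,in,4,0x0,,64,1,0,DF,17,udp,60,192.168.254.3,203.0.113.10,40000,8000,40
<134>1 2024-01-12T10:01:00+00:00 fw filterlog 411 - - 5,,,1700000001,igb1,match,block,in,4,0x0,,64,2,0,DF,6,tcp,60,192.168.254.4,198.51.100.7,51000,443,0,S,1000,,64240,,mss
<134>1 2024-01-12T10:02:10+00:00 fw filterlog 411 - - 5,,,1700000001,igb1,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,192.168.254.4,198.51.100.7,51001,443,0,S,1001,,64240,,mss
<134>1 2024-01-12T10:03:00+00:00 fw filterlog 411 - - 5,,,1700000001,igb1,match,block,in,4,0x0,,64,4,0,DF,17,udp,60,192.168.1.50,203.0.113.10,40000,8000,40
<134>1 2024-01-12T10:05:00+00:00 fw filterlog 411 - - 5,,,1700000001,igb1,match,block,in,4,0x0,,64,5,0,DF,17,udp,60,192.168.254.3,203.0.113.10,40000,8000,40
<134>1 2024-01-12T10:10:01+00:00 fw filterlog 411 - - 5,,,1700000001,igb1,match,block,in,4,0x0,,64,6,0,DF,17,udp,60,192.168.254.3,203.0.113.10,40000,8000,40
<134>1 2024-01-12T10:15:00+00:00 fw filterlog 411 - - 5,,,1700000001,igb1,match,block,in,4,0x0,,64,7,0,DF,17,udp,60,192.168.254.3,203.0.113.10,40000,8000,40
<134>1 2024-01-12T10:30:00+00:00 fw filterlog 411 - - 5,,,1700000001,igb1,match,block,in,4,0x0,,64,8,0,DF,6,tcp,60,192.168.254.4,198.51.100.7,51002,443,0,S,1002,,64240,,mss
<134>1 2024-01-12T10:31:00+00:00 fw filterlog 411 - - 5,,,1700000001,igb1,match,block,in,4,0x0,,64,9,0,DF,6,tcp,60,192.168.254.4,198.51.100.7,51003,443,0,S,1003,,64240,,mss
"""

def parse_line(line):
    """Return (time, src, dst, proto, dport) for a blocked IPv4 TCP/UDP entry, else None."""
    ts = re.search(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d", line)
    f = line.rsplit(" ", 1)[-1].split(",")  # the filterlog CSV is the last token
    if not ts or len(f) < 22 or f[6] != "block" or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return datetime.fromisoformat(ts.group()), f[18], f[19], f[16], int(f[21])

def blocked_flows(log_text):
    """Map (src, dst, proto, dport) -> sorted block times, camera subnet sources only."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and ipaddress.ip_address(rec[1]) in CAMERA_NET:
            flows[rec[1:]].append(rec[0])
    return {key: sorted(times) for key, times in flows.items()}

def beacons(flows, min_hits=4, max_jitter=0.1):
    """Return {flow: period_seconds} for flows with near-constant gaps between blocks."""
    out = {}
    for key, times in flows.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            out[key] = round(mean(gaps))
    return out

if __name__ == "__main__":
    print(beacons(blocked_flows(SAMPLE_LOG)))
```

Flows that are blocked often but irregularly, like the TCP/443 attempts in the sample, show up in `blocked_flows` without being flagged as beacons, so both outputs are worth reading.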
 
Thanks, the cameras are set to plug and play, but I manually edited the Gateway to 192.168.254.1.

I ended up getting it working. Here are the complete steps for those wanting to use PFSense in the future.


NVR LAN IP# 192.168.1.75
NVR PoE IP# 192.168.254.1
NVR Camera IPs# 192.168.254.3-6

On Cameras
  • Manually Update the Gateway on each Camera to the NVR PoE IP (192.168.254.1)

On PFSense Router
  • Create a new gateway for the NVR 192.168.1.75 (System/Routing/Gateways)
    • Interface LAN
    • Gateway IP = NVR LAN IP (192.168.1.75)
  • Create a static Route between the NVR LAN & NVR PoE (System/Routing/Static Routes)
    • Destination Network = PoE IP Range (192.168.254.0/24)
    • Gateway - Point to Gateway Created in step Above (192.168.1.75)
  • Adjust Outbound NAT Settings (Firewall/NAT/Outbound)
    • Interface = WAN
    • Source = Network, Enter IP Range of NVR PoE (192.168.254.0/24)
  • Create Firewall Rule to allow Outbound traffic (Firewall/Rules/LAN)
    • Clone "Default allow LAN to any Rule"
    • Source = Network & IP of PoE (192.168.254.1/24)


Hoping this helps someone in the future.
Neatly done. Are you using separate VLANs for the NVR? I have a similar setup and did not get it to work correctly on a Unifi Dream Machine, but I'll try this out.

BTW, my NVR is Hilook (Hilook NVR - NVR-108MH-C/8P) and the camera is Hikvision. After I enable virtual host on the NVR and the NVR reboots, the virtual host setting gets disabled. Is this normal? Is there a workaround for this?
Once the NVR virtual host setting gets disabled, the email notifications stop being sent. Many TIA, appreciate any suggestions!
 
Not using a VLAN, just a separate Subnet for the NVR.