If you properly lock down your NVR/computer - how do you get notifications?

foghat

Young grasshopper
Joined
Sep 20, 2019
Messages
85
Reaction score
19
Location
Alberta
Hi all,

Getting ready to take the plunge using Dahua and am trying to figure out as much as I can beforehand so I don't have any surprises (or at least fewer surprises).

As I understand from reading here, it is best practice to:
1. have your cameras on a different subnet than the rest of your network. I believe one gets this by default when using a Dahua NVR (NVR5216-16P-4KS2E).
2. in the router settings, block the NVR/computer from accessing the internet - given the cameras are on a different subnet, not actually sure if most do this or this is going overboard?
3. use VPN if you need to access cameras when away from home network.

Assuming the above, particularly #2, is correct, how would one receive, say, a motion notification from the NVR/computer while away from the home network? I know the iDMSS app by Dahua can send notifications, but Dahua says the NVR needs internet access to do so - which makes sense.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
939
Location
CT
You'll have to open up a rule (in my case it's a firewall rule) to allow that traffic outbound from the network or source IP of your NVR.
 

foghat

Young grasshopper
Joined
Sep 20, 2019
Messages
85
Reaction score
19
Location
Alberta
Okay, so do #2 to, in theory, prevent someone from accessing the NVR from outside your network. But then create a rule to allow the NVR to send out to the internet, thus allowing notifications.

So if a guy is paranoid that the NVR might 'phone home', he is out of luck if he wants notifications.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
939
Location
CT
In my case, I have a firewall rule that locks down the notification to the defined application for Apple Push Notifications and for SMTP which handles SMS text alerting. It's an outbound only rule so, no paranoia needed :)
In my example, I allow out only what is needed and nothing else. I'm not aware of what you have for your network protection. Maybe you could describe what you are running.
 

foghat

Young grasshopper
Joined
Sep 20, 2019
Messages
85
Reaction score
19
Location
Alberta
> In my case, I have a firewall rule that locks down the notification to the defined application for Apple Push Notifications and for SMTP which handles SMS text alerting. It's an outbound only rule so, no paranoia needed :)
> In my example, I allow out only what is needed and nothing else. I'm not aware of what you have for your network protection. Maybe you could describe what you are running.

Right now I am just using the crap router that is built into the cable modem I am using. I used to use 3rd-party routers with the modem in bridge mode, but when I got my new modem (required for an upgrade to my internet service) about 2 years back, bridge mode was not working and I just ended up using the modem router. But, I need to revisit that now. What router are you using? I am sort of leaning towards the ASUS models that support OpenVPN.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
939
Location
CT
I've used Asus routers before. I am actually using a commercially available firewall which also handles my routing. Make sure any solution you look at can support VLANs and has a decent built-in firewall that will allow you to block by IP or VLAN. Most firewalls will allow you to create rules to allow network traffic utilizing IP addresses for source and destination along with TCP/IP port numbers as well. For instance, to allow SMTP you would most likely allow the IP of your email server and the port would be port 25. Hope this helps, I haven't used an ASUS router in years so I'll let others comment on the quality of the VLAN support and firewall on the ASUS platform.
 

foghat

Young grasshopper
Joined
Sep 20, 2019
Messages
85
Reaction score
19
Location
Alberta
> I've used Asus routers before. I am actually using a commercially available firewall which also handles my routing. Make sure any solution you look at can support VLANs and has a decent built-in firewall that will allow you to block by IP or VLAN. Most firewalls will allow you to create rules to allow network traffic utilizing IP addresses for source and destination along with TCP/IP port numbers as well. For instance, to allow SMTP you would most likely allow the IP of your email server and the port would be port 25. Hope this helps, I haven't used an ASUS router in years so I'll let others comment on the quality of the VLAN support and firewall on the ASUS platform.

Thanks. My understanding is VLAN functionality is less important (or not required at all?) when using a NVR vs. a computer as the NVR (at least Dahua) places the cameras on their own subnet?

Thanks. I have seen this before. I think I understand most of what should be done to secure your network/cameras - I have just never seen anything commenting on how one can get push notifications after locking everything down.
 

awonson

Pulling my weight
Joined
Feb 7, 2020
Messages
146
Reaction score
147
Location
Australia
@foghat, I have all inbound traffic to my NVR and cameras blocked via my firewall and only open port 2195 and port 25 outbound from my cameras and NVR. I get emails and notifications from the cameras and NVR. Opening port 443 outbound allows me to check for updates on the NVR and cameras.
 

foghat

Young grasshopper
Joined
Sep 20, 2019
Messages
85
Reaction score
19
Location
Alberta
> @foghat, I have all inbound traffic to my NVR and cameras blocked via my firewall and only open port 2195 and port 25 outbound from my cameras and NVR. I get emails and notifications from the cameras and NVR. Opening port 443 outbound allows me to check for updates on the NVR and cameras.

Thx. What router are you using?
 

foghat

Young grasshopper
Joined
Sep 20, 2019
Messages
85
Reaction score
19
Location
Alberta
> I've used Asus routers before. I am actually using a commercially available firewall which also handles my routing. Make sure any solution you look at can support VLANs and has a decent built-in firewall that will allow you to block by IP or VLAN. Most firewalls will allow you to create rules to allow network traffic utilizing IP addresses for source and destination along with TCP/IP port numbers as well. For instance, to allow SMTP you would most likely allow the IP of your email server and the port would be port 25. Hope this helps, I haven't used an ASUS router in years so I'll let others comment on the quality of the VLAN support and firewall on the ASUS platform.

> @foghat, I have all inbound traffic to my NVR and cameras blocked via my firewall and only open port 2195 and port 25 outbound from my cameras and NVR. I get emails and notifications from the cameras and NVR. Opening port 443 outbound allows me to check for updates on the NVR and cameras.
Okay,

I bought and set up an Asus RT-AC68U router. I don't have my NVR yet, but in the screen shots below, I am pretending my skybell doorbell camera is my NVR. Here is what I think I will need to do:

1. In the Network Map, block the NVR from accessing the internet:
[screenshot: one.png]

2. In the firewall settings, under Network Services Filter, whitelist ports 25 and 2195?
[screenshot: two.png]

According to Apple, TCP ports 443 and 2197 are also used for APN, so should I probably add those ports as well?

Does this look about right? Anything else I should look at doing (aside from setting up OpenVPN for accessing cameras outside my network)?

Does anyone know if I can comma separate the ports on a single line instead of creating two rows?
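As an added example (not code from any poster here, nor from Dahua or ASUS), this iptables script implements the egress allow-list that mikeynags and awonson describe and that the two ASUS steps above aim at: nothing from the internet may reach the NVR, and the NVR may only talk out on SMTP 25 and the Apple push ports 2195, 2197 and 443. NVR_IP, LAN_IF, WAN_IF and SMTP_SERVER are assumed placeholder values for a Linux-based router (Asuswrt firmware uses iptables); adjust them to your network.

```shell
#!/bin/sh
# Added example, not from the thread: outbound allow-list for an NVR on a
# Linux-based router. All addresses and interface names below are assumed.
NVR_IP="${NVR_IP:-192.168.1.50}"             # assumed NVR address on the LAN
LAN_IF="${LAN_IF:-br0}"                      # assumed LAN bridge interface
WAN_IF="${WAN_IF:-eth0}"                     # assumed WAN interface
SMTP_SERVER="${SMTP_SERVER:-203.0.113.25}"   # placeholder mail relay (TEST-NET-3)

# DNS is not covered here: if the NVR resolves names through the router itself
# that is INPUT, not FORWARD; if it points at an external resolver, add UDP/TCP 53.

# Emit the rules as text so they can be reviewed first; apply with: nvr_rules | sh
nvr_rules() {
    cat <<EOF
iptables -N NVR_EGRESS 2>/dev/null
iptables -F NVR_EGRESS
# Replies to connections the NVR itself opened
iptables -A NVR_EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
# SMTP, but only to the one mail server configured in the NVR
iptables -A NVR_EGRESS -p tcp -d $SMTP_SERVER --dport 25 -j ACCEPT
# Apple push for iDMSS (2195, 2197, 443); 443 also serves the NVR's update check
iptables -A NVR_EGRESS -p tcp -m multiport --dports 2195,2197,443 -j ACCEPT
# Log (rate-limited) then drop anything else, so "phone home" attempts show in syslog
iptables -A NVR_EGRESS -m limit --limit 5/min -j LOG --log-prefix "NVR-EGRESS-DROP: "
iptables -A NVR_EGRESS -j DROP
# Send NVR -> internet traffic through the allow-list
iptables -I FORWARD -i $LAN_IF -o $WAN_IF -s $NVR_IP -j NVR_EGRESS
# No connection from the internet may be initiated toward the NVR
iptables -I FORWARD -i $WAN_IF -o $LAN_IF -d $NVR_IP -m state --state NEW -j DROP
EOF
}

# Number of iptables commands emitted (sanity check before applying)
nvr_rule_count() {
    nvr_rules | grep -c '^iptables'
}
```

Watch the kernel log for the NVR-EGRESS-DROP prefix after applying: a steady stream of drops to an unexpected destination is the "phone home" traffic the thread is worried about, while a dropped connection to a push or mail server means a port is missing from the list.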
 

Sybertiger

Known around here
Joined
Jun 30, 2018
Messages
4,536
Reaction score
13,058
Location
Orlando
I'll be messing around with this too soon so I'm bookmarking this thread. SMS messages don't work well with my AT&T service. Oftentimes when SMS message alerts are triggered rapidly from several cams the messages arrive out of order and sometimes hours apart. Hoping push notifications work out better than SMS.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,982
Reaction score
3,180
> 1. have your cameras on a different subnet than the rest of your network. I believe one gets this by default when using a Dahua NVR (NVR5216-16P-4KS2E).

> My understanding is VLAN functionality is less important (or not required at all?) when using a NVR vs. a computer as the NVR (at least Dahua) places the cameras on their own subnet?

Just wanted to call out for anyone new following along with this thread, it's only the PoE version of NVRs (like the model the OP has above) that put the cameras on a different network segment.
 

foghat

Young grasshopper
Joined
Sep 20, 2019
Messages
85
Reaction score
19
Location
Alberta
> Just wanted to call out for anyone new following along with this thread, it's only the PoE version of NVRs (like the model the OP has above) that put the cameras on a different network segment.

Thanks!
 