I agree with nayr here. Chinese camera with their software able to open up whatever session to any place in the outside world via a normal user connection (nat so inside to outside all is allowed) is scaring me.
I will put them behind a pfsense firewall in a seperate vlan and only allow things ntp against the firewall itself for the nvr and cameras. I assume i will find out what else i block and might be needed from the log files.
I can than restrict my own access to the nvr from user vlan, and also from openvpn on the firewall from remote.
Most people have no idea how many port scans pass your public ip address. Ever port foreward hole you make in your router opens the device listening to that port up to the outside world, so reachable for all those attackers.
