Need help with Ubiquiti Edgerouter X+SFP using VLAN with Backstreet NVR

[Etech]

The title describes the basis of my setup. My problem is that I am having issue making a connection to my IP NVR cameras. I can connect to the NVR device just fine however attempting to use the included VMS Windows based software or Blue Iris software fails to connect to the IP cams I have.

The weird thing is that I can work with the cameras via the Edge web browser but not with other software. My thinking is that I need to have some firewall rule in place to allow connection but I have no idea what that may be?

Does any one here have any experience with the equipment named here or any suggestions I can consider? The NVR has a 16 port POE switch which is set to use a different subnet for the cameras. I get the impression that this arrangement is standard practice, can anyone tell me if that assumption is correct? The subnet used via DHCP by the NVR does not exist in my Edgerouter setup so that is troubling as well as I think routing signal to and from attached cameras will be problematic at best.

Any ideas/advice is welcomed

 

[tech_junkie]

Its standard practice to use a different ip scheme on the cam network than its lan connection on a NVR

Yes, theoretically someone could split the 255.255.255.0 pool (i.e. 192.168.1.1-192.168.1.255) to 255.255.255.128 ( two network segments with address with one being 192.168.1.1-192.168.1.128 and another segment 192.168.1.129-192.168.1.255) but other than organizational purposes, there would be no advantages since most cam networks have a 100M interface and its lan is 1000M and joining them on the same router at 255.255.255.0 is going to inject latency due to the effect of making a dual speed network.

This is an example of a setup I would use.

NVR's Lan connection
DHCP box is checked, the router fills in the address after hitting "APPLY"
Then I add a public dns into the dns options so my STUN connections from the internet get serviced at low latency with remote viewing
8.8.4.4
8.8.8.8

cam interface connection:
any private ip scheme that is not used
so if my LAN connection is at 192.168.1.52
I'll use a different one;
IP address: 10.10.111.254
subnet: 255.255.255.0

The camera poe ports are on a separate network on purpose for cameras that are secured away from the local network.
So only cams should be connected to cam ports, unless you are adding something like access points or extending the cam network to service more than one switch expansion on the same cam port. (I.E. 2- 8 port switches daisy chained)

The only way to access them would be either logging into a viewing IP address hosted by the NVR via web browser or use a desktop app to access the NVR and not the cameras individually. Because the NVR is the encoding server for the remote viewing when the cameras are connected to the POE ports.


The NVR can add cameras from both networks and some include a dhcp server on the cam side.

the router that is connected to your local network should be only connected to the NVR LAN port. You shouldn't have to log into the cams themselves after you connect them to the same brand of nvr because the NVR gets the current settings of the cams for its managing menus and when you change camera parameters on the NVR, the NVR sends those changes to the camera to make the adjustment. Now if you don't have the same brand, yes you would have to log in on the camera network, but in those cases, someone plugs in a computer statically assigned an unused ip address of the cam network into one of the cam(POE) ports

 

[Etech]

tech.junkie,

So I suspected something like you outline here to be the case. This all means of course that NVR's by default are not compatible with VLAN assignment unless that OS based management software is not compatible with VLAN attached NVR's. That is where my problem is for sure. I am certain that I could connect my NVR into same subnet that my PC runs on and all would be great. Doing that would defeat the isolation I was hoping to achieve by using a VLAN subnet. This is a shame really. I would say this is a shortcoming of the management software supplied with NVR systems.

Maybe I should look into bridging the PC LAN subnet with the VLAN subnet but I believe that would simply defeat the purpose of the VLAN isolation.

 

[Etech]

I solved this issue myself after a bit of research. Using an Edgerouter poses issues with connected NVR's and cameras attached to NVR built in POE switches that manage IP addresses for the attached cameras outside of the routing table of the Edgerouter.

The fix was to establish a firewall rule allowing the IP camera management software to access the media output port of the NVR through the Edgerouter. Once that was in place everything worked.

The network system is now ready for production work. I am simply waiting on a bit more infrastructure work to be completed to finish the project.