Qnap NAS, Surveillance Station, Setup & Security

Discussion in 'Camera Installation Questions' started by Lemonade, Apr 16, 2018.

  1. Lemonade (n3wb)
    I am in the middle of revamping my internet and wifi. While doing all this, I’m also adding an option for 2 to 3 IP cameras (with options to expand in the future if needed). I thought I had everything planned out to the “t” but after reading many of the stickies here, I’m more lost than ever.

    Here’s a network overview of what I have and what will be added shortly:

    1. Cisco/Linksys EA4500 router (soon to be replaced with Ubiquiti USG) currently dropping physical ports left and right

    2. Ubiquiti 8 port POE 60w switch (4 POE – good enough for now)

    3. 12 port patch panel to hard wired lines all over the house (using 6 now)

    4. Unifi AC Lite wireless access point (House Wifi, guest Wifi soon to be VLAN for client isolation)

    5. Qnap 219+ (Raid 1, 2 EA 2TB drives)

    I have limited networking knowledge (YouTube is helpful) and even less IP camera knowledge (here is helpful). The plan had been to throw 2 Reolink cameras in at the front door/sidewalk and driveway and call it good. I had doubts about their quality and confirmed them after looking through this site. That plan is OUT. Thinking Dahua or Hikvision now – jury is still out on which models.

    I was going to use the two surveillance station channels on my Qnap NAS and run Vmobile/Cloudlink on my android phone to access from outside. I’ve read a few posts from NAYR and now I’m rethinking my plan. I don’t fully understand how I’m going to set things up – I can bumble through things fairly well to get by. I’m concerned about the following:

    1. Overall security from outsiders looking in from the internet. Setting up a VPN per NAYR’s posts will help.

    a. Will a VLAN for IP cameras help me here?

    2. Unsure about Surveillance Station in general. Going to test an IP cam from work this week to see. Not thinking NVR in future – I use my NAS for limited music to Sonos so no problem with space yet.

    3. Was going to try out motion detection events only. Not thinking of recording 24/7.

    4. Wife would like 2 way audio to the front door. No subscription based anything. I want to do it with all owned equipment – why should I pay for a service?!?

    5. If I create a VLAN for the cams, I’m assuming my NAS has to be on the same VLAN for things to work? Is that the reason to run a VPN?

    6. Security of Qnap’s Cloudlink from outsiders. I don’t know how this works with ports and I’m downright scared of the unknown.

    This post is lengthy and may not even be in the right forum category.
     
  2. looney2ns (Known around here, Evansville, Indiana)
    Be sure to read the "cliff" notes in the wiki at the top of the page.
     
  3. Lemonade (n3wb)
    Downloaded them and read through before posting! Thanks for the heads up!
     
  4. smoothie (Getting the hang of it)
    I would suggest the Dahua cameras over the Reolink and even over the Hikvision. I personally have a Dahua IPC-5231 from @EMPIRETECANDY and I couldn't be happier. The image is perfect during the day and night. They are around $170 each. There is a slightly newer variant of this cam which I will be buying in the next month or two, Andy can get you the right one for a great price.

    I also have a QNAP and I recommend AGAINST the Surveillance Station. I think it is expensive, doesn't have very good features, and overall is just not a good product.

    I am running Blue Iris on a PC I had lying around and it works great. I have it setup with a gmail.com account to send me text alerts when someone comes to my door, there is about a 20 second delay between person arriving at my door and text arriving to my phone. The alert text includes a screenshot of the person at the door. I bought the $60 full version of Blue Iris. The initial recordings are saved to the internal drive of the Blue Iris PC then after a couple of days they are moved to the QNAP and stored there as space permits.

    To answer your concerns as best I can:

    1. Yes, a VPN is the way to go. The current EA5400 or the proposed Ubiquiti are both fine devices. They are the "firewall", the primary job of which is to act as a one way valve allowing your network out to the Internet but not allowing the Internet back in to your network. A VPN is an opening that allows the Internet in to your network. When a device such as your phone is outside of your private network it is part of the Internet. So how to allow a specific device on the open Internet to get access to your private network while blocking the other 4.3 billion devices? A VPN. A VPN is a purpose built highly secure means of getting access to your private network from the open Internet. Think of a VPN like a doorman at your building in New York City, they know you and recognize you and so let you into your building while preventing everyone else from entering. A common home VPN setup is OpenVPN which uses a username and password as well as a certificate. Without the correct username, password and certificate you cannot access the VPN. This is pretty secure. There are additional considerations if you want absolute security such as the manufacturer of the firewall device and how well designed and protected it is etc. But for normal people an OpenVPN setup with your firewall is excellent. I personally use pfSense on yet another old PC I had lying around and use OpenVPN from it.

    1a. No, not really. A VLAN is a Virtual Local Area Network, it is a logical division of your private network infrastructure which is most commonly done by your Ethernet switch to segregate specific ports, and by extension the device or devices on that port, from the rest of your private network. Say for example your private home network IPv4 address range is 192.168.0.x so your EA5400 is probably 192.168.0.1 on the inside of your home network. A VLAN would allow you to have a second or third etc. private network at home which you could assign the private IP address range of 192.168.2.x or 192.168.222.x or basically any 3rd octet or even another private IP address range such as 10.x.x.x. What this would accomplish is the ability to fully separate or slightly separate these networks. Say your home computer is on the 192.168.0.x network and your cameras are on the 192.168.222.x network which is a VLAN you opted to create. You can set it up such that the 192.168.222.x network cannot talk to the Internet which isolates your cameras from performing dubious Internet activity which almost all cameras do. You can then set up the ACL or Access Control List to allow the 192.168.222.x network to talk to your Blue Iris PC, which is let's say 192.168.0.50. You can have ACLs that control the flow of traffic in both directions or just one, meaning 192.168.0.x is allowed to talk to any IP address on the 192.168.222.x network, but the 192.168.222.x network can only talk to 192.168.0.50. The other major benefit that a VLAN provides is additional addressing, your 192.168.0.x network has 256 addresses in it of which 2 cannot be used (.0 & .255). You can add another 254 or more usable addresses by creating another VLAN. The additional addressing will have no value to you since you have 254 usable addresses now and are likely not using close to that limit.

    1a related personal note. I have my Dahua camera set with the WRONG default gateway so my camera CANNOT speak to the Internet which keeps it and my network safe. I have my Blue Iris PC which is running Windows 10 and does nothing other than Blue Iris setup so that I can access it from across my VPN and view both the live camera feeds and the recorded historic data as well. I use the UI3 interface found elsewhere on ipcamtalk as I prefer it over UI2 and the default Blue Iris web interface, so I never actually access my camera directly. This is a simpler setup than VLANs and would be the best fit for your setup imo. For clarity this is the process if I want to view my cameras from the outside world on my iPhone. Open the VPN icon and click connect, open Safari and click the favorite for my Blue Iris machine. When done I just have to turn off the VPN or else it will try to keep me connected to my home and waste data and power doing so.

    2. As I said earlier I do not like Surv Stat on the QNAP at all. I would strongly suggest you try out Blue Iris which gives you a free 14 day trial and only costs $60 if you decide to stick with it. Sharing the QNAP storage space between the cameras and your other data is perfectly fine. You can control how much data Blue Iris saves in a given location such as the QNAP based on time or size. I suggest size and set it accordingly. Say you opt for 1TB of recording space on your QNAP for Blue Iris camera footage, you can set Blue Iris so that it will delete the oldest files so as to not use more than the 1TB you have allocated (or however much you choose to give it). Additionally that size setting can be changed easily up or down as needed. I would suggest that you create a specific shared folder on the QNAP for camera footage, this way you can keep the camera footage and say your music separated, not strictly needed as you could just use a subfolder in your existing share for Blue Iris footage if you wanted to.

    3. Motion detection works pretty well. I personally prefer continuous recording with motion flagged on my setup. I have Blue Iris set to record 24/7 @ 15fps; if Blue Iris detects motion it will add an icon to the timeline view to show it occurred and to show its duration. I prefer continuous recording since the few seconds of recording prior to the system detecting motion or something occurring too far away to trigger motion is still recorded. Security cameras should never be set to record more than 15 fps as you gain virtually nothing but burn more and more data space as you increase fps, I am willing to allocate more data space in return for having continuous recording active. Ultimately personal preference but I would recommend continuous recording as I have missed out on footage in the past when on motion recording, for example a person was trying to break into a car and was largely standing still while trying to slimjim or pick the lock and so the recording stopped as the system didn't detect motion after the default 10 seconds. This is an extreme example and unlikely to occur but it is something to be aware of.

    4. I too am chasing two way audio but don't have it yet. My camera has a basic built in mic and I can output the audio to my television or phone but the camera has no speaker so two way isn't possible for me yet. I have heard many different options for two way audio all with various degrees of success and various benefits and drawbacks, almost none are dependent on the cameras in any way and are usually separate systems entirely. The most common fully featured system I have found is a VoIP solution but I haven't dug into it fully yet. If you just want 2 way audio from front door to a specific spot in the house that is super easy and a traditional intercom will work fine. If you want to have mobility around the house that gets more complicated and if you want it to work in the house or out in the world that is more complicated still.

    5. No, two devices need not be on the same VLAN to talk to each other as I mentioned above. If they are on different VLANs or networks to each other they will need some path to reach each other to talk which is usually a basic or complicated set of rules on the device that controls the VLANs. A single port on an Ethernet switch can be a member of two or more VLANs simultaneously but would need static IP addresses for each VLAN they are attached to assigned to the device such as the QNAP. Another option is if your QNAP has 2 network connections you can have one into one VLAN and one into the other, so one on the network with the cameras and one on the network with your computer. Generally no, this isn't the reason to run a VPN. While you could use a VPN and its resultant encryption for a VLAN to VLAN connection it would generally be considered unnecessary and excessive since both the source and destination are within your private network and are not part of the open Internet. An argument can be made that from a WiFi based VLAN to a wired VLAN you can and should use a VPN since the WiFi signal can be intercepted but I personally think unless you live somewhere with high population density (New York City or Tokyo) this is excessive.

    6. I am generally not a big fan of having any third party system or service or company connected to my private network. I do not like Ring doorbell or anything else like it. I also do not like subscription fees that are due in perpetuity. My QNAP has access to the Internet and I have it setup with a gmail.com account that can email me if there is a problem or alerts like new firmware but I only have the basic file sharing running and no other QNAP "Apps" or whatever those are from the web interface of the QNAP. The only thing my whole system costs me on a recurring basis is electricity which is pretty much unavoidable.

    Let me know if you have any questions or need any clarifications

    All the best.

    Edited to fix a typo
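The VLAN-plus-ACL design laid out in the post above (cameras on 192.168.222.x may reach only the Blue Iris PC at 192.168.0.50, while 192.168.0.x may reach anything, and the firewall acts as a one-way valve toward the Internet) can be checked on paper before touching a switch. The following is an added example written for this page; it is not code from the thread, from Ubiquiti or from pfSense. It models a first-match, stateful ACL over the three networks the post names. Host names, ports and the Internet-side addresses (203.0.113.5, 198.51.100.7, RFC 5737 documentation ranges) are assumptions constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Networks named in the post. Everything else below (host names, ports, the
# Internet-side addresses) is constructed for this example.
LAN   = "192.168.0.0/24"     # trusted wired/wifi network, gateway 192.168.0.1
CAMS  = "192.168.222.0/24"   # camera VLAN
BI_PC = "192.168.0.50/32"    # the Blue Iris recorder
ANY   = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    """One connection attempt as a firewall sees it (5-tuple)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    src: str                      # CIDR the packet must come from
    dst: str                      # CIDR it must be going to
    action: str                   # "allow" or "deny"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == f.dport))


class StatefulAcl:
    """First-match rule list with connection tracking.

    A connection allowed in the forward direction is remembered, so its replies
    pass without a mirror-image rule. That is what lets "LAN may talk to the
    cameras" be a one-way rule: the camera's answers ride on the state entry,
    while anything the camera starts on its own must match a rule of its own.
    """

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.established = set()

    def check(self, f: Flow) -> str:
        if f.reverse() in self.established:   # reply to something we let through
            return "allow"
        for r in self.rules:                   # otherwise first match wins ...
            if r.matches(f):
                if r.action == "allow":
                    self.established.add(f)
                return r.action
        return "deny"                          # ... and no match means drop


# The policy from the post: cameras reach the recorder and nothing else (no other
# LAN hosts, no Internet); the trusted network reaches everything. Order matters:
# the camera allow must precede the camera deny, and both precede the LAN allow.
# Unsolicited traffic from the Internet side matches no rule at all, so the
# implicit deny is the "one-way valve"; a port forward or a VPN listener would be
# an explicit allow added to this list.
CAMERA_VLAN_POLICY = [
    Rule(CAMS, BI_PC, "allow"),
    Rule(CAMS, ANY,   "deny"),
    Rule(LAN,  ANY,   "allow"),
]

CAM, LAPTOP, BI = "192.168.222.10", "192.168.0.20", "192.168.0.50"
DEMO_FLOWS = [  # (what it is, flow) -- all constructed
    ("recorder pulls RTSP from the camera",       Flow(BI, 40000, CAM, 554)),
    ("camera's reply, allowed by state",          Flow(CAM, 554, BI, 40000)),
    ("camera phoning out (DNS/NTP/cloud)",        Flow(CAM, 50001, "8.8.8.8", 53)),
    ("camera to the recorder's web port",         Flow(CAM, 50002, BI, 81)),
    ("camera poking another LAN host",            Flow(CAM, 50003, LAPTOP, 445)),
    ("you open the camera's own web UI",          Flow(LAPTOP, 50004, CAM, 80)),
    ("a 'reply' to a request never made",         Flow(CAM, 80, LAPTOP, 50005)),
    ("LAN host browsing the Internet",            Flow(LAPTOP, 50006, "198.51.100.7", 443)),
    ("stranger on the Internet probing BI",       Flow("203.0.113.5", 4444, BI, 81)),
]


def evaluate(flows: List[Flow], rules=CAMERA_VLAN_POLICY) -> List[str]:
    acl = StatefulAcl(rules)
    return [acl.check(f) for f in flows]


def demo() -> List[str]:
    return evaluate([f for _, f in DEMO_FLOWS])


if __name__ == "__main__":
    for (label, _), verdict in zip(DEMO_FLOWS, demo()):
        print(f"{verdict:5s}  {label}")
```

The verdict list is order-dependent in two ways worth noticing: the camera's RTSP reply is accepted only because the recorder's request was seen first, and a packet from the camera that looks like a reply but matches no tracked connection falls through to the camera deny. On a stateless switch ACL there is no state table, so the mirror rule for return traffic has to be written out by hand and the "one-way" property weakens accordingly.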
     
  5. Lemonade (n3wb)
    @smoothie, thanks for a great reply. I borrowed an older Panasonic IP cam from work (from an old, unused construction camera setup) and set it up for testing. I was able to log on using the default user and password but was unable to change much of anything. I did get the picture working with Surv Stat and you're totally right - it sucks. The picture was upside down (because the camera is meant to hang) and nowhere could I find anything to rotate the image. I used the PTZ controls (my cameras won't have it) and it was rough. I also used the Vmobile app and it sucked as hard as the web gui. Just an FYI, I disconnected the cam before going to bed - not being able to change the admin password freaked me out.

    That said, I downloaded Blue Iris demo version. I got as far as setting up the video before I had to go do other family duties. It looks like it's a lot more in depth than Qnap ever got. And one of the first setup screens in BI there was a rotate option!
    It wasn't really in the overall plan to run a pc 24/7 - that was why I wanted to run the NAS because it's super low power (not that I'm a good energy conscious person but because I'm cheap!). The laptop that I have is more than enough to run BI but it's going to eat something like 65 watts just running. BI and the rest of this is pretty overwhelming. There are a lot more options and settings that I even know about but I'm not sure that I'm a candidate for an NVR. I'm thinking I might be more of a tinkerer than it would allow later on. If I run the pc with BI, I'll likely setup a daily backup/transfer of recordings older than x to be moved to NAS. I've got a 500 gb ssd but I will need to keep storage in check.

    It looks like my current router won't support a VPN so that's on hold for a few months till I get a new router/gateway. To simplify everything, I'll just run a VLAN for guest wifi and stick with the VPN for remote access. That said, anyone using the BI Android mobile app? Does it still require using a VPN?

    What is this UI3 you speak of?

    I'm willing to give up 2-way audio for now.

    I reviewed my overall goals of stuff last night. I need good daytime for the front door. The side/driveway needs to be a compromise of day/night. My wife also indicated she wants more than 2 cameras... one for a side door, backdoor, and side yard. I laughed and I told her that we'll start with the front door. :)

    I'd love to hear your thoughts and comments.

    Edit to add: Should the VPN be run on my NAS, router/gateway, or otherwise?
     
    Last edited: Apr 17, 2018
  6. looney2ns (Known around here, Evansville, Indiana)
    Read the wiki at the top of the page for info on a proper system to run BI on, a laptop isn't it.

    Easy setup with VPN on a Asus 68u router.

    Blue Iris UI3
     
  7. smoothie (Getting the hang of it)
    @Lemonade I am not familiar with the Panasonic cams so I don't know how much of it is configurable or if there are different accounts of say user vs admin, perhaps a different username and password would allow you to change various settings. You can search the exact model of Panasonic cam and see what the deal is but having a default username and password isn't a huge risk if the cam is behind the firewall (Linksys EA4500) which it is. If you want to play it safe you can configure a firewall rule in your Linksys EA4500 that basically says "Block outbound traffic from <ip address of camera>" which would prevent the camera from making outbound connections to the open internet. Using the direct web interface to the Panasonic cam might need different credentials to make the PTZ functions work, might need a different web browser such as Chrome or Internet Explorer or Edge etc, or the PTZ functionality might not be functioning on that camera any more. I'll touch on your security concerns later in this post.

    Blue Iris does have a great many options, a great many of which you probably won't care about. There are excellent wiki articles and videos on YouTube and this site's Blue Iris forum all of which can give you volumes of information about BI. You will not want to run the laptop 24/7 as laptops have fairly poor heat venting due to their compact size and are manufactured with the assumption that they will not be running 24/7. If you run that laptop constantly it will burn out much, much more quickly. You can find many cheap used desktops that have minimal power consumption for sale on eBay or similar sites that will do a far superior job and will last a long time running 24/7. Honestly I wouldn't worry too much about the power consumption for a small desktop, it is the equivalent of running an old incandescent light bulb 24/7, not free but not expensive. While you can configure some outside or 3rd party program to do the daily backup/transfer, Blue Iris has the functionality built in. I'll attach a couple of screenshots of my BI config at the end of the post. My BI setup uses two folders <new> & <stored>. New is where real time footage is recorded from the camera by BI. I have a 256gb SSD in that machine and after the OS and BI install has around 200gb free so I chose to allocate 140gb to the <new> folder. The <new> folder exists as a default sub folder of the default Blue Iris install at C:\Blue Iris\New\. I chose 140gb instead of 200gb to allow some breathing room and a little buffer in case the NAS can't be reached; I didn't want the BI machine to instantly be full and thus instantly have issues. I figured that 60gb breathing room would buy me some time to be made aware of the issue and take steps to fix it before BI stopped being able to record footage.

    The second folder is <stored> which is also a default folder of the BI default install and is similarly located at C:\Blue Iris\Stored\ but since this folder exists on the same drive as <new> it doesn't really help me. So I changed where the <stored> folder points to. As you can see in my screenshot the <new> folder config is located at C:\blue iris\new\ and limits the size to 140gb then moves to folder <stored>. With only 1 camera recording 24/7 that 140gb buys me just under 3 days worth of footage. The other screenshot shows the config of the <stored> folder which is located at \\cameras\archive and limits the size to 15,750gb (or 15.7 TB) then deletes any footage beyond that. With only 1 camera recording 24/7 that 15,750gb buys me about 300 days worth of footage. I am planning on adding a great many more cameras, around 14-ish ultimately, at which point that crazy big NAS will hold about 21 days of footage for all cameras. The address \\cameras is the name of my QNAP NAS and the \archive\ is the shared folder I made for my footage, I could have just as easily called the QNAP \\banana and the shared folder \happy\.

    Your current router does not have built in VPN capabilities, you are correct. However you "might" be able to load a 3rd party firmware on that router such as openwrt.org which could then load OpenVPN and grant you VPN functionality without changing your router hardware. If your EA4500 is a v1 or v2 you can load openwrt.org on to it, if however it is v3 you cannot. Or an easier solution is just wait and buy a new router in the future that does come with VPN functionality right off the bat. When you say "...I'll just run a VLAN for guest wifi and stick with the VPN for remote access." that sounds like your only wifi network would be the VLAN guest wifi network; if that is the case then devices on your guest wifi will NOT be able to see the camera feeds. If however you were to have 2 wifi networks, a guest wifi that is a separate VLAN and a wifi network that is on the same network segment as your internal network, you could have your wifi devices on that second wifi and they WILL have access to the camera feeds. The BI android app likely doesn't require a VPN but it does require some means of reaching the BI computer to see the feeds. There are 2 different methods of accomplishing remote viewing of your cameras, they are "port forwarding" and "VPN". By default your EA4500 acts as a one way valve, it allows any device on your internal private network to talk out to the open Internet without restriction, and conversely it does NOT allow ANY communications from the open Internet in to your private network. In this sense the EA4500 is much like the entry door on your home, it cannot be opened from the outside, but you are able to open it from the inside. Thus you can exit the house anytime you like to anywhere you like but a stranger can't just walk into your home.

    Port forwarding is the process by which TCP and/or UDP ports on your public IP address are forwarded through your EA4500 in to a specific internal IP address thus enabling communication with that device from the outside world. This is the same way a website works, the physical server hardware that the website exists on is behind a firewall and TCP port 80 is port forwarded from the public IP address of that site to the internal private IP address of that physical server. TCP port 80 is where unencrypted web browsing takes place. Take for example the website www.vons.com which is the site of the US supermarket of the same name. The address www.vons.com resolves to the public IP address of 45.60.12.113 which is the public side of some firewall. TCP port 80 is port forwarded from 45.60.12.113 to whatever the internal private IP address of that website's server is, let's say the internal private IP address of that server is 192.168.1.10 for discussion's sake. When I open my Google Chrome web browser and type www.vons.com and press enter here is what happens. My computer checks to see if it knows what www.vons.com resolves to, if it does it proceeds to the next step, if it doesn't it asks my DNS server what www.vons.com resolves to. The DNS system will tell me that www.vons.com equals 45.60.12.113 so my computer sends a request on TCP port 80 to 45.60.12.113 saying essentially "hey show me your website". The firewall that protects that website server receives my request and forwards that traffic on through itself to 192.168.1.10 and the web server software responds back to me with the www.vons.com website which displays in my browser window. This whole process takes a fraction of a second. The reason that our example of www.vons.com is using port forwarding and not a VPN is that they want their site to be publicly accessible. If it were behind a VPN I would not be able to reach their site as a member of the general public.

    But that port forwarding means that the entire global Internet can reach www.vons.com which the company likely wants since someone somewhere might want to visit that website, but it also means that site can be probed or attacked from anywhere in the world. www.vons.com is relying on their web server to be able to withstand the attacks and probes that it undoubtedly receives by virtue of being on the open Internet. www.vons.com hopefully spends the appropriate amount of money annually to make sure their web server is patched and maintained which is what IT guys are for. A VPN is in broad strokes the same thing, it is a public IP address that is accessible to the global Internet. The difference is easiest to explain in an analogy, the publicly accessible web server is like a Kwikset or Schlage deadbolt lock which is pretty good at withstanding attacks and being picked. A VPN is like an armored vault door with high security locks. A VPN is designed with security and protection in mind first and foremost, a web server is not. Additionally the site www.vons.com, because it is on TCP port 80, is unencrypted meaning any data that is sent between your computer and that site is in plain text and readable by any device along the path of communication, sounds scarier than it really is with the exception of wifi. The site is unencrypted because the company Vons chose not to have it encrypted, did not have their web designers make it encrypted, and so it is not encrypted. If they chose to they could convert it to an encrypted site and then it would be https://www.vons.com (note the extra "s" at the beginning) and would transmit traffic on TCP port 443 instead. I've given this whole long explanation so that I can say this: you can use port forwarding to grant remote access to your Blue Iris machine and the camera feeds on it should you wish. It isn't ideal which is why it is strongly suggested on this site and many others that you not port forward your cameras.

    The real risk to port forwarding is how strong is the "lock" on the device you are forwarding to, is it a cheap Kwikset or a robust fortress. Another consideration in port forwarding is which ports are forwarded, there are 65536 TCP ports and 65536 UDP ports. The first 1024 are called the "well known" ports as they have predefined roles to play, the ports from 1025 to 65536 are called the "high ports" and can be used for whatever you like without concern. If you forward common ports such as 80, 443, 25, 110, etc which are web, encrypted web, smtp email, pop email respectively they are much more likely to be found, probed and perhaps attacked than say a random high port such as 49712. My BI installation uses port 81, I don't remember if that was the default or I chose it specifically.

    UI3 is just an alternative layout for the web interface of the BI cameras. I will attach a couple of screenshots of the default BI web ui vs ui3. Think of it like rearranging your furniture in the living room, same basic furniture but in a layout you find more pleasing based on personal preference.

    You can always add 2 way audio later when you are ready.

    It isn't clear to me if you are looking at 4 or 5 cameras overall, not sure if "The side/driveway" and "one for a side door" are the same camera or not. The BI software is able to scale to as many cameras as any human could possibly want. The hardware you run it on might not, I would suggest you use the wiki article @looney2ns mentioned to spec a system suitable to 5 cameras of whatever resolution you decide, I still recommend the camera I originally suggested as it has both an excellent day and night picture for all your camera locations you mentioned.

    Attachments: bi options clips and arch new.JPG, bi options clips and arch stored.JPG, Blue Iris default web interface.JPG, Blue iris web interface using ui3 instead.JPG

    That was lengthy. Enjoy
     
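The two-folder retention scheme described in the post above (a 140 GB <new> cap on a recorder SSD with about 200 GB free, a 15,750 GB <stored> cap on the NAS, oldest clips moving from one to the other and then being deleted) is easy to reason about badly, especially the "what happens when the NAS is unreachable" case. The following is an added example written for this page, not Blue Iris's own code or configuration format. The caps are the ones the post states; the recording rate (52 GB per camera per day at 15 fps) and the one-clip-per-camera-per-hour layout are assumptions, chosen so that the numbers reproduce the post's "140 GB is just under 3 days".

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

MB = 1
GB = 1024 * MB

# Caps from the post. The recording rate is an assumption (52 GB per camera per
# day), picked because it matches the post's "140 GB is just under 3 days".
# Clips are constructed as one per camera per hour.
NEW_CAP       = 140 * GB       # <new> on the recorder's SSD
NEW_DISK_FREE = 200 * GB       # what that SSD actually has free: 60 GB of headroom
STORED_CAP    = 15_750 * GB    # <stored> on the NAS share (\\cameras\archive)
DAILY_PER_CAM = 52 * GB
CLIP_SIZE     = DAILY_PER_CAM // 24


@dataclass(frozen=True)
class Clip:
    camera: str
    hour: int      # hours since recording started (constructed timestamp)
    size: int      # MB


class Tier:
    """A capped folder. Clips are kept oldest-first so the oldest always leaves first."""

    def __init__(self, cap: int):
        self.cap = cap
        self.clips = deque()
        self.used = 0

    def add(self, clip: Clip) -> None:
        self.clips.append(clip)
        self.used += clip.size

    def shed_over_cap(self):
        """Pop and return the oldest clips until the tier is back under its cap."""
        shed = []
        while self.used > self.cap:
            c = self.clips.popleft()
            self.used -= c.size
            shed.append(c)
        return shed


class TwoTierRetention:
    """<new> overflow moves to <stored>; <stored> overflow is deleted."""

    def __init__(self, nas_online: bool = True):
        self.new = Tier(NEW_CAP)
        self.stored = Tier(STORED_CAP)
        self.deleted = 0
        self.nas_online = nas_online

    def record(self, clip: Clip) -> bool:
        """Write a fresh clip. Returns False once the recorder's own disk is full,
        which is the failure the 60 GB of headroom is meant to delay."""
        if self.new.used + clip.size > NEW_DISK_FREE:
            return False
        self.new.add(clip)
        if not self.nas_online:
            return True               # nothing can move; <new> grows past its cap
        for old in self.new.shed_over_cap():
            self.stored.add(old)      # move, oldest first
        self.deleted += len(self.stored.shed_over_cap())   # NAS side drops its oldest
        return True


def days_retained(cap_mb: int, cameras: int, daily_per_cam: int = DAILY_PER_CAM) -> float:
    """The back-of-envelope figure the post quotes: how many days a cap holds."""
    return cap_mb / (cameras * daily_per_cam)


def simulate(days: int, cameras: int = 1, nas_online: bool = True) -> dict:
    r = TwoTierRetention(nas_online)
    failed_at: Optional[int] = None
    for hour in range(days * 24):
        for cam in range(cameras):
            ok = r.record(Clip(f"cam{cam}", hour, CLIP_SIZE))
            if not ok and failed_at is None:
                failed_at = hour
    return {"new_clips": len(r.new.clips), "stored_clips": len(r.stored.clips),
            "deleted": r.deleted, "failed_at_hour": failed_at}


if __name__ == "__main__":
    print("one camera, 10 days, NAS up:  ", simulate(10))
    print("one camera, 10 days, NAS down:", simulate(10, nas_online=False))
    for cams in (1, 14):
        print(f"{cams:2d} camera(s): <new> {days_retained(NEW_CAP, cams):.1f} days, "
              f"<stored> {days_retained(STORED_CAP, cams):.0f} days")
```

With the NAS up, <new> settles at 64 hourly clips (the largest count under 140 GB) and everything older flows to <stored>. With the NAS down, <new> keeps growing past its cap and the first write fails at hour 92, i.e. 28 hours after the folder would normally have started shedding: that is what 60 GB of headroom buys at this recording rate, which is the window in which an alert has to reach you. The same arithmetic gives roughly 303 days in <stored> for one camera and about 22 days for fourteen, close to the 300 and 21 quoted in the post.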
  8. alastairstevenson (Known around here, Scotland)
    Wow. Too right it was! Quite tough. Speech to text?
    Still appreciated though ...
     
  9. smoothie (Getting the hang of it)
    Nope, good old-fashioned clickety-clack on the keyboard, took way longer to write than I had originally intended.

    Glad you found it informative, always happy to help
     