Review-IP Villa Outdoor Doorbell Station & Indoor Monitor Kit

Holbs

Known around here
Joined
May 1, 2019
Messages
1,624
Reaction score
2,144
Location
Reno, NV
Ok, so if 37777 isn't port forwarded to your VTO, I'm not sure how this works at all
it is possible that this could be considered advanced networking since it involves firewall rules.
37777 is not port forwarded. Port 37777 is open but only to my VPN (I have to add the reserved static IP of my smartphone as a 2nd IP). Maybe your 'port forward' definition is different from mine. Through my firewall, I have "ALLOWED" port 37777 to talk to my VPN gateway.

gsmithsa

n3wb
Joined
Jun 23, 2021
Messages
12
Reaction score
1
Location
Sydney
it is possible that this could be considered advanced networking since it involves firewall rules.
37777 is not port forwarded. Port 37777 is open but only to my VPN (I have to add the reserved static IP of my smartphone as a 2nd IP). Maybe your 'port forward' definition is different from mine. Through my firewall, I have "ALLOWED" port 37777 to talk to my VPN gateway.
While manufacturers do sometimes use differing terminology, I use a UDM as well, and also have a selection of custom firewall rules, so we should be speaking the same language !

I'd be keen to work out what you're doing to make this work, as it would be good to avoid using the Dahua cloud if possible

  • My VTO (eg 192.168.10.10) has no restrictions to outgoing internet access
  • I have no ports forwarded
  • If I try and add my VTO to DMSS via my external IP address, it fails, because my UDM blocks Dahua from accessing the internal address of my VTO (because external_IP:37777 is not forwarded to 192.168.10.10:37777)

From what you've described above
  • Your VTO has outgoing access to only 60 IP addresses (so actually more restrictive than my firewall rules)
  • You say you have no ports forwarded
If you stop there, I don't know how you can add your VTO to DMSS via IP address.
It would work if you used P2P (via some of those 60 allowed IP addresses)

Do you have any WAN IN rules ?

Do you have uPnP enabled ?

Holbs
While manufacturers do sometimes use differing terminology, I use a UDM as well, and also have a selection of custom firewall rules, so we should be speaking the same language !

I'd be keen to work out what you're doing to make this work, as it would be good to avoid using the Dahua cloud if possible

  • My VTO (eg 192.168.10.10) has no restrictions to outgoing internet access
  • I have no ports forwarded
  • If I try and add my VTO to DMSS via my external IP address, it fails, because my UDM blocks Dahua from accessing the internal address of my VTO (because external_IP:37777 is not forwarded to 192.168.10.10:37777)

From what you've described above
  • Your VTO has outgoing access to only 60 IP addresses (so actually more restrictive than my firewall rules)
  • You say you have no ports forwarded
If you stop there, I don't know how you can add your VTO to DMSS via IP address.
It would work if you used P2P (via some of those 60 allowed IP addresses)

Do you have any WAN IN rules ?

Do you have uPnP enabled ?
I'll explain more when I get home. But remember I am also using the UDM RADIUS VPN server as well. So yes, my VTO is by default on my camera network, which is totally blocked other than the NTP server. The VTO has allow rules to talk to Google IPs and specific Google ports. The VTO has to talk to Google solely and only for sending notification purposes. For the actual audio/video purposes, that remains inside my local networks through VPN.

Holbs
While manufacturers do sometimes use differing terminology, I use a UDM as well, and also have a selection of custom firewall rules, so we should be speaking the same language !

I'd be keen to work out what you're doing to make this work, as it would be good to avoid using the Dahua cloud if possible

  • My VTO (eg 192.168.10.10) has no restrictions to outgoing internet access
  • I have no ports forwarded
  • If I try and add my VTO to DMSS via my external IP address, it fails, because my UDM blocks Dahua from accessing the internal address of my VTO (because external_IP:37777 is not forwarded to 192.168.10.10:37777)

From what you've described above
  • Your VTO has outgoing access to only 60 IP addresses (so actually more restrictive than my firewall rules)
  • You say you have no ports forwarded
If you stop there, I don't know how you can add your VTO to DMSS via IP address.
It would work if you used P2P (via some of those 60 allowed IP addresses)

Do you have any WAN IN rules ?

Do you have uPnP enabled ?
I am keeping this info in this posting of the review of the VTO2202 and VTH's in the hopes this may aid those down the road that encounter such problems.
As to your questions...
WAN IN rules? None. UDM router uses IMPLICIT rules. None come in, AOK to go out.
Do I have uPNP enabled? As I have stated multiple times so far, no. The whole reason to figure this out with firewall rules & ports was to not use uPNP at all, not to use any port forwarding at all.
I'd like to hear how other folks use their VTO notification config. I bet my way seems...amateur, because I am an amateur :)

gsmithsa
I am keeping this info in this posting of the review of the VTO2202 and VTH's in the hopes this may aid those down the road that encounter such problems.
As to your questions...
WAN IN rules? None. UDM router uses IMPLICIT rules. None come in, AOK to go out.
I'd like to hear how other folks use their VTO notification config. I bet my way seems...amateur, because I am an amateur :)
I only asked about WAN IN because you said you had isolated your cameras by using WAN OUT.

As a general rule, you should never need to use WAN OUT rules.

It's best to place rules on incoming (from the perspective of the port), so LAN IN. See here for a good explanation.

Looking forward to hearing more precise details of your setup

Holbs
I only asked about WAN IN because you said you had isolated your cameras by using WAN OUT.

As a general rule, you should never need to use WAN OUT rules.

It's best to place rules on incoming (from the perspective of the port), so LAN IN. See here for a good explanation.

Looking forward to hearing more precise details of your setup
I was going along the lines of the suggestion of a YouTuber who "says" he has been an IT guy for 10 years and knows Ubiquiti and UDM really well. He could be wrong! But I did a general search on how to block cameras from the internet... all said to use WAN OUT, so I ran with that. I do have a rule not allowing the CAMERA subnet to talk to any other subnet already.
To use LAN IN to block camera internet? I think I can. Maybe it's better? I am no firewall specialist. Kinda rushed into the matter.

gsmithsa
I was going along the lines of the suggestion of a YouTuber who "says" he has been an IT guy for 10 years and knows Ubiquiti and UDM really well. He could be wrong! But I did a general search on how to block cameras from the internet... all said to use WAN OUT, so I ran with that. I do have a rule not allowing the CAMERA subnet to talk to any other subnet already.
To use LAN IN to block camera internet? I think I can. Maybe it's better? I am no firewall specialist. Kinda rushed into the matter.
Yes. You are hitting up the router to do unnecessary routing, when the traffic could be stopped before hitting that interface

Holbs
Yes. You are hitting up the router to do unnecessary routing, when the traffic could be stopped before hitting that interface
I just remembered...I did use the LAN IN to block camera network from going out. Then my UDM somehow broke and I had to do factory reset. I think I'll go back to LAN IN 'reject' for the cameras. On my todo list #12.

denywinarto

Young grasshopper
Joined
Mar 15, 2018
Messages
53
Reaction score
3
Has anyone tried this with Milestone? Any compatibility issues?

Thinking of getting the doorbell alone,
as I've already got a PoE switch and
PoE-powered NUC + 16 inch USB monitor as viewing station.
(Possible with a PoE injector since it's <25 watt)

But then I will lose the 2 way audio from their PoE monitor,
So can this be emulated somehow using my NUC + mic + speaker + BI / HA / other apps?

Would rather have 16 inch monitor with 2 way audio,
although I don't think my Celeron NUC could handle BI..

denywinarto
Hmm, just got an idea, could anyone with a Windows machine test Dahua's Android app with an emulator such as MEmu?
And see if under LAN 2 way audio works correctly, with a headset for speaker and mic I guess..
I think that's the least complicated way to emulate the VTH.

Edit: or even easier, with a laptop, as long as it's still on the same network it should detect the VTO

Holbs
Yes. You are hitting up the router to do unnecessary routing, when the traffic could be stopped before hitting that interface
have you figured this out yet? I had some personal drama appear and forgot about helping you with this.

gsmithsa
have you figured this out yet? I had some personal drama appear and forgot about helping you with this.
Nope. Reading your pages again, I think what you have done is allow your VTO outgoing access to call push notification services only, but then placed your phone on a VPN, and allow VTO->VPN routing, so the SIP call itself goes locally.

My setup is simply to have the VTO/VTH on their own VLAN.

It has unrestricted outgoing access, so it can use the DMSS relay servers to call my phone when the intercom is pressed.

The VTO VLAN has no access to anything else on my network. That's good enough security for me at this point

There would be a battery trade-off for an always-on VPN connection on my phone; with an on-demand VPN connection, there would likely be call connection delays with initiating an on-demand VPN service over cellular, which may make the whole thing less usable (particularly for the wife !)

If the DMSS cloud becomes less reliable (it had a rough patch a few months ago), I'll reconsider all of this :)

Holbs
Nope. Reading your pages again, I think what you have done is allow your VTO outgoing access to call push notification services only, but then placed your phone on a VPN, and allow VTO->VPN routing, so the SIP call itself goes locally.

My setup is simply to have the VTO/VTH on their own VLAN.

It has unrestricted outgoing access, so it can use the DMSS relay servers to call my phone when the intercom is pressed.

The VTO VLAN has no access to anything else on my network. That's good enough security for me at this point

There would be a battery trade-off for an always-on VPN connection on my phone; with an on-demand VPN connection, there would likely be call connection delays with initiating an on-demand VPN service over cellular, which may make the whole thing less usable (particularly for the wife !)

If the DMSS cloud becomes less reliable (it had a rough patch a few months ago), I'll reconsider all of this :)
Correct. VTO has outgoing internet access to Google Push notification ports ONLY. That is it for VTO internet access. Never want this thing phoning home or out blindly on the internet itself. But to utilize the push notification to my smartphone, it does HAVE to have access to the Google (or for those with iOS) push service. Unfortunately, there are 61 IP's related to Google Push Notification Service (this is not the case with iOS) that I had to input into a single firewall group (see attached screenshot, temp.jpg).

You say you want VTO/VTH on an unrestricted VLAN. That should be simple. Since default UDM's do not block outgoing traffic, your VTO VLAN should have full access to either the Google or iOS push notification service. So that means you should be getting the VTO notification on your smartphone.
Of course, on the DMSS app you have to enable not one but two buttons: the "Me" icon at the bottom that gets you to settings / general / tool manager / etc...you have to go to 'tool manager / push notification' and select your VTO. I "think" this is how you subscribe to your VTO. The 2nd button to play with: device details of the VTO itself, and turn on notifications.
I do have VPN always on running. I have not noticed a drastic battery drain...nor drastic mobile cellular usage. Not sure if it's my Pixel4 phone or the UDM RADIUS server...but maybe once every 5-7 days, the Pixel cannot connect to the server, so I just simply reconnect and voilà. Maybe a fix for this but I live with it for now.

You are using the cloud so all should be good. I do not use the cloud as I am.....wary :) Probably the same reasoning why I am trying to go away from Google all together. Now using Firefox, using 1.1.1.1 for DNS, swapped my Pixel4 from Google Fi cellular service to $15/month (I am no power user) Charter Spectrum cellular service. I'll investigate more on how to wean myself off big brother here & there.
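An added example, not part of the thread and not Ubiquiti's or Dahua's code, that models the two rule placements argued over above (the camera block in WAN OUT versus LAN IN) together with the exceptions Holbs describes: NTP, the push-notification allowlist, and port 37777 reachable only from the VPN subnet. Everything concrete is assumed: the interface names, the 192.168.10.0/24, 192.168.1.0/24 and 10.8.0.0/24 subnets, the NTP host and the three sample CIDRs standing in for the 61-entry Google group are constructed; the FCM port set (5228, 5229, 5230 and 443) is the one Google's Firebase documentation lists; Google's real address ranges are not reproduced. The WAN OUT variant deliberately leaves out the separate inter-VLAN rule Holbs says he also has, so that what the WAN OUT block alone covers is visible.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import NamedTuple, Optional

# Router interfaces (constructed names). A "LAN IN" rule sees traffic arriving
# from any internal network; a "WAN OUT" rule only sees traffic that is about
# to leave through the WAN interface.
CAMERA_IF, LAN_IF, VPN_IF, WAN_IF = "br10", "br1", "tun0", "eth8"
LAN_SIDE = {CAMERA_IF, LAN_IF, VPN_IF}

CAMERA_NET = ip_network("192.168.10.0/24")   # VTO/VTH live here (assumed)
LAN_NET = ip_network("192.168.1.0/24")       # trusted LAN (assumed)
VPN_NET = ip_network("10.8.0.0/24")          # VPN clients, i.e. the phone (assumed)
ROUTES = [(CAMERA_NET, CAMERA_IF), (LAN_NET, LAN_IF), (VPN_NET, VPN_IF),
          (ip_network("0.0.0.0/0"), WAN_IF)]   # most specific first, default last

# Constructed stand-ins for the 61-entry Google push-notification group.
PUSH_CIDRS = [ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25", "192.0.2.8/29")]
FCM_PORTS = frozenset({5228, 5229, 5230, 443})   # ports Firebase documents for FCM
NTP_NET = ip_network("192.0.2.123/32")           # the one NTP host cameras may reach (assumed)


class Packet(NamedTuple):
    src: object
    dst: object
    dport: int
    proto: str


@dataclass
class Rule:
    ruleset: str                        # "LAN_IN" or "WAN_OUT"
    action: str                         # "accept" or "drop"
    src: Optional[IPv4Network] = None   # None = any source
    dsts: list = field(default_factory=list)   # empty = any destination
    dports: frozenset = frozenset()            # empty = any port
    proto: Optional[str] = None                # None = any protocol

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src in self.src)
                and (not self.dsts or any(p.dst in n for n in self.dsts))
                and (not self.dports or p.dport in self.dports)
                and (self.proto is None or p.proto == self.proto))


def egress_if(dst) -> str:
    """First matching route wins; ROUTES is ordered most specific first."""
    return next(iface for net, iface in ROUTES if dst in net)


def evaluate(rules, p: Packet, in_if: str) -> str:
    """First matching rule wins; unmatched forwarded traffic is accepted (UDM default)."""
    out_if = egress_if(p.dst)
    for r in rules:
        if r.ruleset == "LAN_IN" and in_if not in LAN_SIDE:
            continue
        if r.ruleset == "WAN_OUT" and out_if != WAN_IF:
            continue
        if r.matches(p):
            return r.action
    return "accept"


def allowlist_size(cidrs) -> int:
    """Addresses actually opened by a group of CIDRs (a single /24 is 256)."""
    return sum(n.num_addresses for n in cidrs)


def build(where: str):
    """Same policy twice: the camera egress rules land in `where` (LAN_IN or WAN_OUT).
    The inbound rules (VPN -> VTO:37777 allowed, everything else -> camera VLAN
    dropped) only make sense in LAN IN, so they stay there in both variants."""
    return [
        Rule(where, "accept", CAMERA_NET, [NTP_NET], frozenset({123}), "udp"),
        Rule(where, "accept", CAMERA_NET, PUSH_CIDRS, FCM_PORTS, "tcp"),
        Rule("LAN_IN", "accept", VPN_NET, [CAMERA_NET], frozenset({37777}), "tcp"),
        Rule("LAN_IN", "drop", None, [CAMERA_NET]),
        Rule(where, "drop", CAMERA_NET),   # the "block cameras from the internet" rule
    ]


WAN_OUT_RULES = build("WAN_OUT")
LAN_IN_RULES = build("LAN_IN")

VTO, NAS, PHONE = ip_address("192.168.10.10"), ip_address("192.168.1.20"), ip_address("10.8.0.5")
CASES = {   # constructed traffic: (packet, interface it arrives on)
    "VTO -> push service 5228": (Packet(VTO, ip_address("203.0.113.5"), 5228, "tcp"), CAMERA_IF),
    "VTO -> NTP": (Packet(VTO, ip_address("192.0.2.123"), 123, "udp"), CAMERA_IF),
    "VTO -> random host 443": (Packet(VTO, ip_address("198.51.100.200"), 443, "tcp"), CAMERA_IF),
    "VTO -> LAN NAS 445": (Packet(VTO, NAS, 445, "tcp"), CAMERA_IF),
    "phone (VPN) -> VTO 37777": (Packet(PHONE, VTO, 37777, "tcp"), VPN_IF),
    "LAN NAS -> VTO 37777": (Packet(NAS, VTO, 37777, "tcp"), LAN_IF),
}


def decisions(rules):
    """Verdict of a rule set for every constructed case."""
    return {name: evaluate(rules, p, in_if) for name, (p, in_if) in CASES.items()}


if __name__ == "__main__":
    print(f"allowlist covers {allowlist_size(PUSH_CIDRS)} addresses in {len(PUSH_CIDRS)} entries")
    wo, li = decisions(WAN_OUT_RULES), decisions(LAN_IN_RULES)
    for name in CASES:
        print(f"{name:26} WAN OUT: {wo[name]:7} LAN IN: {li[name]}")
```

Running it shows the point made about rule placement: the VTO-to-NAS packet never passes the WAN interface, so a block living in WAN OUT is never consulted and the packet is forwarded unless a separate inter-VLAN rule exists, while the same drop in LAN IN catches both the internet and the lateral case with one rule. The VPN-only 37777 access and the NTP and push exceptions behave identically in both variants, and allowlist_size() shows why a 61-line group can cover thousands of addresses once each /24 and /25 is expanded.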

gsmithsa
Unfortunately, there are 61 IP's related to Google Push Notification Service (this is not the case with iOS) that I had to input into a single firewall group
You do realise you have something like over 6000 IP addresses allowed in that screenshot ?

Holbs
You do realise you have something like over 6000 IP addresses allowed in that screenshot ?
These are the IP addresses (with the /24's and such) given by Google. All those 6000+ IP's belong to Google.

Holbs
You do realise you have something like over 6000 IP addresses allowed in that screenshot ?
or should I say... this is the official Google listing response in what is required to hit their push services. I am just a slave so do not know any better :(