Securing NVR and cameras - VLANs / firewalls

[GrooveMerchant]

I'm very experienced with tech stuff, but networking is not my forte -- so could use a bit of clarity on securing things.

I have a Ubiquiti USW-Pro-Max-16-PoE that my Dahua cameras will be connected to and a Dahua NVR. I've watched countless videos and read countless blog and forum posts on how to setup networking so that the NVR and cameras are on separate VLANs, the NVR can see the cameras, but the cameras are completely isolated.

I know that you have to do some port magic on the switch to make sure that only certain VLANs can be used on a given port, some might be native, some might be tagged.

What I'm not clear on is if you setup the above properly, if you still have create firewall rules (anywhere), and exactly how they should beconfigured.

Perhaps my confusion partly stems from the fact that much/all of the config could be done on the switch only (not sure) or that some of it should be done (or has to be done) on the router as well.

Thanks in advance for any enlightenment --

 

[bigredfish]

Is your Dahua NVR a PoE type with its own switch and ports? If so your cameras are already isolated

 

[GrooveMerchant]

Is your Dahua NVR a PoE type with its own switch and ports? If so your cameras are already isolated

Thanks for your help --

NVR does not have POE ports, all cameras plug into the switch

 

[bigredfish]

I'm not saying you can't improve security.
I'm not a IT security expert. But it does effectively isolate your cameras. Outside IP's, outside of your LAN cannot reach them.

I have a very easy to use $350 firewall appliance in front of my LAN, it can be configured for separate VLAN's though I dont use that function. I only access my NVR via VPN remotely, or Dahus's built in P2P for simple remote viewing and playback on say a mobile phone.

 

[GrooveMerchant]

I want to do as you have described, have the ability to access my NVR via VPN remotely. But since this is my first item out of the gate with a security system, I thought I'd start easy and simply lock down the cameras and NVR, before I tried anything remote.


"Firewall appliance" - why did you go with that instead of configuring firewall rules on the router?

 

[bigredfish]

Because A) I'm not a guy who likes to write firewall rules, and B) the appliance is vastly superior in features for its purpose and stupid easy to use.

Start with setting up OpenVPN or WireGuard VPN on your router and use it to access remotely via your phone. .


(I found their mid level "Purple" to be more than adequate for a home/home office
Firewalla Purple: Gigabit Cyber Security Firewall & Router with WiFi Protecting Your Family and Business (Ships Worldwide) )

 

[looktall]

What are you using for your router?

 

[GrooveMerchant]

What are you using for your router?

Router is an EdgeRouterX, can't currently access it (won't bore you with the details), so thinking of replacing it.

 

[bigredfish]

Sorry I misread that just before the site crashed last night. Thought you said your NVR DID have PoE ports

 

[looktall]

Router is an EdgeRouterX, can't currently access it (won't bore you with the details), so thinking of replacing it.

Here's a good guide for setting up vlans in a unifi environment.

How to Setup and Secure UniFi VLAN

How to create VLANs in UniFi network. A Step-by-Step guide on how to set up an secure VLAN in UniFi

lazyadmin.nl

 

[GrooveMerchant]

Here's a good guide for setting up vlans in a unifi environment.

How to Setup and Secure UniFi VLAN

How to create VLANs in UniFi network. A Step-by-Step guide on how to set up an secure VLAN in UniFi

lazyadmin.nl

Thx very much for this link, last night I was poking around many things referenced there, will really help a lot.