UniFi - camera VLAN

I’m trying to set up a dedicated VLAN for my 3 Reolink cameras. As of right now my Home Assistant box and the cameras are on the same network. I understand that once I set up that VLAN, I’ll have to set up a firewall rule to allow traffic between Home Assistant and the cameras. I just don’t have enough experience creating firewall rules to understand what I’m supposed to do. For reference I have a UDM SE as a network controller. Any help, as usual, is most appreciated, thanks!

This should work for UniFi controller V8.1 and above.

For Cameras and IOT devices (not media players)

Unifi Controller >> settings >> new virtual network

add Name

Under Advanced
Guest network: uncheck (not a guest network)
isolate network: check (block from connecting to other networks)
allow internet access: uncheck (block internet)

This will create an IOT network for cameras and sensors. They can talk to each other, which is OK since they cannot go out onto the internet or do anything else. In the future you can take time to learn firewall rule creation and block device-to-device traffic if you feel it is needed, but for now this is OK.

After this you will need to create a firewall rule that allows HA into the VLAN.

Unifi Controller >> settings >> security >> firewall rules >> create entry

I forget the UniFi rules, but I will try:

type: lan in
name: allowinIOT
protocol: all
source: this can be "network" if allowing the entire VLAN you created for HA, or "IP" / "IP range" if only for the HA server IP. The remaining SOURCE settings should match this selection; if you select IP, just put the IP or range and you're done.
destination: network
network: select the camera vlan you previously created

To review: you will create a VLAN that blocks all traffic out to your network and blocks internet connectivity. You will then create a firewall rule that allows the HA server to connect IN to the VLAN. Cameras and IOT sensors technically don't send data out; it is actually HA that requests and retrieves that data. Once the HA server starts a connection to a device on the VLAN, the device is allowed to respond to the request. This is why blocking everything works.

I don't use a UniFi router daily, but I checked and this looks like it should work OK.

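To see why "block everything, then allow HA in" still lets camera replies through, here is a small added model of that policy in Python (example code written for this thread, not UniFi's or the poster's configuration). It assumes a constructed addressing plan (HA VLAN 10.0.10.0/24, camera VLAN 10.0.20.0/24) and shows both the "source: IP" and "source: network" variants of the rule.

```python
import ipaddress

# Constructed sample addressing (assumed, not from the thread): HA and a
# laptop on one VLAN, the Reolink cameras on their own isolated VLAN.
CAM_VLAN = ipaddress.ip_network("10.0.20.0/24")
HA_VLAN = "10.0.10.0/24"
HA_SERVER = "10.0.10.5"
LAPTOP = "10.0.10.50"
CAMERA = "10.0.20.21"
INTERNET = "203.0.113.9"   # documentation address standing in for the internet


class Firewall:
    """Toy model of the policy in the post: camera VLAN isolated and without
    internet, plus one LAN-in rule letting chosen sources connect INTO it.
    As on the UDM, replies pass only for connections already tracked."""

    def __init__(self, allowed_into_cam_vlan):
        # a /32 host ("source: IP") or a whole VLAN ("source: network")
        self.allowed = [ipaddress.ip_network(n) for n in allowed_into_cam_vlan]
        self.flows = set()   # (src, dst, sport, dport) accepted so far

    def check(self, src, dst, sport, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (dst, src, dport, sport) in self.flows:
            return "allow (established)"      # reply to a tracked connection
        if src in CAM_VLAN:
            if dst not in CAM_VLAN:           # "isolate network" + no internet
                return "drop (isolated)"
            verdict = "allow (same vlan)"
        elif dst in CAM_VLAN:
            if not any(src in net for net in self.allowed):
                return "drop (no rule into camera vlan)"
            verdict = "allow (allowinIOT)"    # the LAN-in rule from the post
        else:
            verdict = "allow (default)"
        self.flows.add((src, dst, sport, dport))
        return verdict


def host_only_policy():
    """'source: IP' variant: only the HA server may enter the camera VLAN."""
    return Firewall([HA_SERVER + "/32"])


def whole_vlan_policy():
    """'source: network' variant: everything on HA's VLAN may enter."""
    return Firewall([HA_VLAN])
```

With the host-only policy, the laptop on HA's VLAN is dropped when it tries to reach a camera, which is exactly the symptom to expect if you later test from a laptop instead of the HA box.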

The IOT network is actually usable for anything that doesn’t need internet access

All my switches, dimmers, lights and cameras go here along with any esp type device.

You can opt to create a VLAN for servers, but I never did this. I have:

Guest
Same as IOT but has “allow internet access” checked. I then create a firewall rule to allow these devices to connect to my Plex/Jellyfin server PORT or any other ip:port that they may need access to. On this network I think I may have also created a firewall rule so they cannot see each other. The guest network is the dangerous one since you have random people connecting. I put my media players here, but as I think about it maybe I should separate this into 2, where one is MPs and the other is guests and family.

IOT
As described above

TEST
I use this mostly for setting up devices that default to the 192.168.x.x network. I can connect them here, then set them to DHCP or a static IP, then move them to the correct VLAN. It was said in the past that a camera connected to the internet may immediately download malicious code (no source for this). I avoid connecting them if I can.

NoVLan
My network equipment is not in a VLAN. Laziness really, but it’s cumbersome to connect a network device and not have it immediately on the network.

So I did all of the above, and I can ping the cameras from HA and from my laptop (on the same VLAN as HA). But the Reolink integration can't add the cameras. If I put the cameras back on the same VLAN as HA they connect just fine…

Are you using this Reolink integration?

Is the login you're using for the camera an admin account?

Did you try the troubleshooting steps?

Discovery may not be working if you're trying to use that, so make sure you manually add the cameras using the Devices and Services page.

EDIT
Disregard the above.
Can you just log in to the camera webpage? If not, the default rules created with the checkboxes suggested may go too far and block replies to incoming requests. If you can't log in to the camera web page, let me know and I will try to give a manual configuration.

Yup, I’ve been using the Reolink IP NVR/camera integration without issues (until now) for a while; it works just fine. As soon as I move the doorbell to the camera VLAN, I’m unable to add it. I CAN see the webpage for the camera with the rule as you explained it. Another interesting tidbit: I installed the Reolink IP camera integration via HACS, and with that one I CAN add the doorbell, however no entities come through. Just for the fun of it I added a camera that is on the same VLAN as HA, and it has the same issue with this integration.

One more odd thing: I’ve been trying to update the IP NVR/camera integration and it just hangs there.

At this point it feels like it’s not a VLAN or firewall issue; it feels more like an HA/Reolink integration thing…

Thanks for a great explanation, this will help me as well, I always wanted to separate my network but didn’t have a good grasp on how to do it.

Question: from your second post, am I correct to say that both the IOT and TEST VLANs don’t have access to the internet?
And lastly (please forgive my ignorance here), is there a way to hide your SSID on your main network but expose it to your guest network? Also, how would this work for IOT that requires a visible SSID? Can you expose it even if it doesn’t access the internet?

It's possible I missed something, or something is missing in the firewall rule.
Make sure you are able to log in to the camera web IP and view images. Verifying this will identify whether the firewall is the cause of the issue.

Correct. IOT is blocked, and TEST is basically IOT for the initial connection of devices that don't do DHCP.

WiFi and VLANs are technically not related. Devices connect by WiFi, which places them onto the Ethernet network. Guest and main would be connected over Ethernet, not WiFi, so a hidden SSID will have no importance.

YES. While a device on IOT will have no connectivity, the IOT VLAN is still connected to the network. You can allow other devices access IN to the IOT VLAN.

Yeah, I can connect to the camera web IP and see the image, and I can even open the stream in VLC; that’s what leads me to believe it’s an HA issue. Also, no matter how many times I try to update the Reolink integration, it just doesn’t. I’ll try uninstalling and re-installing it to see if that makes any difference. Thanks for the help so far, it feels like I’m getting close.