VLANs and Cameras

I have separate VLANs including one for my cameras and everything works well except for one thing.

I have this HA ‘Repair warning’.

image

I am pretty sure I understand why; my Cameras VLAN cannot initiate a conversation with any other VLAN. The streams work fine but I don’t get the motion detection.

I think the only answer is to add a firewall wall to allow traffic from the Cameras VLAN to the HA port?

Am I right?

I’m not paranoid but everything I read says ‘don’t trust IP cameras’ so is this the ‘right’ thing to do? Doesn’t that to some extent negate the benefits of segregating the cameras?

Just to be clear, until recently I have had my cameras on my main VLAN for a long time and the sky hasn’t fallen in. I’m just wondering.

You have to do it to get them to work.
The question about if it is secure is a bit trickier, because it depends on the rest of your network setup.
If your VLAN with the cameras do not have internet access, then the cameras are pretty secure.
If they have internet access and security flaws, then they might be possible to use as a router into your network, but if you only open the port for HA access, then you have done the best-practice approach, “Least rights needed”.

1 Like

Thanks.
A quick follow-up question. I have blocked outgoing Internet access but am I ‘worried’ about incoming Internet access too?

The standard rule for incoming connections in firewall is to deny, so unless you have made a portforwarding or you are running an uPNP service on your router, then you are fine.
The uPNP service can be running and should IMHO really be disabled.
uPNP is a service, where devices and programs can make portforwarding rule automatically in your router without you knowing it.

Yeah I knew that so it was a pretty silly question with hindsight!
Thanks though, especially for the full explanation.

I already have uPNP specifically disabled for my Reolink camera but I have not found anywhere to disable it for my Eufy. Although it is off for my Internet connection in my Unifi Network.

As long as it is off in the router/firewall, then it can’t make new portforwarding rules.
Having uPNP on the internal network is less of an issue, al though best-practice is to evaluate all running service and lock them down.

1 Like

I have several Reolink cameras and have disabled UPnP in the web interface for each camera as I think it may have been defaulted on.