How to setup UniFi VLANs for IOT / Security Cameras (Dream Machine & Synology surveillance station)

  • Date added: 30. 01. 2022
  • This tutorial goes over how to set up secure VLANs on a UniFi network for either IOT devices or IP security cameras. The example walks through setting up my security camera VLAN, which lets me connect my surveillance cameras directly to the Synology and only to the Synology.
    #UniFi #VLAN #IOT #HomeLab
    Link to switch I am using (affiliate) geni.us/GBG3dL
    Reolink camera I am using [amazon] geni.us/aZJny
  • Science & Technology

Comments • 53

  • @EsotericArctos 8 months ago +1

    Ubiquiti have changed the UI quite a bit again, but your tutorial was still helpful. I have 4 cameras, and previously had them in Surveillance Station just on my main LAN. When it was set up this way, on a flat network, it would take 5 to 8 seconds for the DSCam mobile app to load the camera feeds when on the local network. I moved the cameras to a dedicated VLAN, using the second Synology NAS NIC and not only do I have the benefit of isolation of the camera network, additionally it now takes only 1 to 2 seconds to load the camera feed on the DSCam app. Not sure why that made such a huge difference, but it did in this case. I don't have a particularly busy home network, but given I had a full Unifi system, including a USG Pro, it just made sense to utilise this.
    I did find it best to give the camera a reserved address (fixed IP) via Unifi console as Synology relies on the IP address of the camera not changing. Setting a reserved address means the camera can stay on DHCP, but Unifi will always give it the same IP address.

  • @cdoublejj 1 year ago +1

    This video was very helpful thank you for posting

  • @toolbelt 2 years ago +1

    I learned a lot from this video. Thank you!

  • @werfree 2 years ago +3

    I found it worked just as well to put home bridge and IOT devices on the IOT network. The home bridge can communicate with the Apple Home hub (which can be accessed externally anyway). In this way, the IOT network including Homebridge are completely isolated from any other networks in my home. And since Homebridge also by definition solved adding/controlling all the random wifi smart devices (like light switches etc) using Apple HomeKit it means that every IOT device I have is controlled from within Apple HomeKit and also completely separated onto its own completely isolated network.

    • @velocisaurus79 6 months ago

      Could you go into detail how you put homebridge in the iot network?

  • @19trwind82 2 years ago +2

    Looking at the footage of your security camera makes me feel you could do with more subscribers. Anyway, thanks for all the tips and tricks!

    • @SpaceRexWill 2 years ago

      hahaha we just moved in and I still have not gotten a filming desk so I take our dining room table

  • @cdoublejj 1 year ago

    Thanks!

  • @stuxb 1 year ago

    You mentioned setting this up w/ your Layer 3 Switch (Enterprise-24-PoE) @6:55. How do you set it up so your L3 switch handles inter-VLAN routing, but still blocks unwanted inter-VLAN traffic (e.g. Cameras -> LAN)?

  • @MikeS29 2 years ago +1

    Sometimes, for no particular reason, I find myself humming the SpaceRex outro tune...

    • @SpaceRexWill 2 years ago +3

      I am so sorry lol

    • @dokhtarnaz9568 2 years ago

      Watch best videos about vlan
      czcams.com/video/ZiV3cZEKSVo/video.html

  • @ws6adam 1 year ago +1

    Can you do all these configurations on other poe switches or does it have to be a unifi?

  • @matthealy563 1 year ago

    Hoping you could provide some advice, I can’t find a tutorial for my situation:
    Have U6-ent AP’s with 3 ssid’s:
    - default ssid on default vlan with wpa3 so I can have 2.4/5/6ghz
    - iot ssid on iot vlan with wpa2 at 2.4ghz
    - couple of other vlans like guest and security cameras
    - I put all the iot devices on the iot vlan and everything works great except my Wi-Fi printer and wife’s Bose speaker. Both devices are wifi3 that can’t do wpa3. I can’t print from the default ssid with phones,laptops, etc. I wanted to put the speaker and printer into the default ssid but then I would have to go to wpa2 and that would deactivate the 6ghz spectrum.
    Is there a way to leave those devices in the iot network and control them from the devices on the default ssid/vlan?

  • @leftywhat 2 years ago +7

    Just to confirm in your video.
    - Synology has two LAN connections 192.168.1 (camera VLAN) and 10.30 (Synology + Computer).
    - The reason the computer can talk to the Synology is because they are both on the 10.30 VLAN
    - The reason the camera can record to the Synology is because they are both on the 192.168.1 VLAN
    So the Synology is the device in the middle (it's connected to both VLANs). If you didn't have the second ethernet cable plugged into the Synology (for 10.30), then the computer (10.30) wouldn't be able to communicate to it - however the cameras would be able to see the NAS, correct?
    I think you missed that part in the setup - The Synology setup part for the LANs (as not all Synology units have more than one lan port iirc).
    I intend to do the same setup with my UDM + Synology unit (where the synology is the bridge between the two networks)

    • @SpaceRexWill 2 years ago +2

      This is correct. You need 2 ports on the NAS for this to work. There are other ways to do it but they require the command line to get it to work

    • @leftywhat 2 years ago

      @SpaceRexWill OK thanks, I'll try to watch some videos or read somewhere on how to complete the Synology setup side of things, shouldn't be too bad. Otherwise I might just use a single network, as I'm not entirely sure how a camera could be a security risk and I can't remember if I left a free port on my Synology Switch - hopefully I did, did the patch cabling a few months ago.

  • @laredotech 2 years ago

    What would be the advantage of going with a layer 3 switch? It looks like you can specify the vlan on a port in a layer 2 switch, correct?

    • @SpaceRexWill 2 years ago +2

      Layer 3 would allow you to route traffic between 2 VLANs on the switch itself

    • @laredotech 2 years ago +1

      @SpaceRex cool, in other words... It would remove overhead from my UDM. My main concern is if I can assign vlans in Ubiquiti layer 2 switch port. Would it be worth buying a layer 3 in a network with 10 4k cameras and up to 50 devices (mainly IOT devices)?

  • @Laredino07 2 years ago

    I noticed that your router and switch provides 10.10.0.0 IP addresses. how to do that? do you have a video about it? I just got my dream machine pro, and AP wifi 6 lite. I would like to set it up to work with this ip address. I'm new with Ubiquiti products. Thanks!

    • @SpaceRexWill 2 years ago

      I have a video talking about my plan ("I am redoing my network again"), and it's just a setting in the console. Go in and choose your network and change the subnet

  • @davidpeters7447 2 years ago

    Do you use Ethernet surge protectors for your Poe cameras mounted outside?

    • @SpaceRexWill 2 years ago

      I do not, I have heard that they disrupt service and make it out of spec.
      If you need that I would use fiber and a sacrificial switch

    • @davidpeters7447 2 years ago

      @SpaceRexWill interesting. Good to know. With the Qnap and recent Asustor attack, you should do another video addressing what should be done on a Synology NAS.

  • @anthonyjhicks 2 years ago +2

    Isn't it better to drop just New and Invalid sessions from IoT to LAN, thereby allowing Established and Related out from your IoT network? I guess it depends how isolated you want to make your VLAN, and your solution of using Home Bridge negates the need for Established and Related out. However probably most IoT setups should allow Established and Related to the primary LAN (where your clients are) for more reliable operation of the IoT device.

    • @SpaceRexWill 2 years ago +1

      It totally depends on how your IOT devices work. For example a door bell that alerts you when it goes off would not work in this manner
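
The trade-off in the exchange above, as an added example that is not part of the original comments or the video: a small Python model of a stateful, first-match firewall that accepts Established/Related from IoT to LAN and drops New/Invalid. The addresses, ports, class name and the default-drop fallback are assumptions made for illustration.

```python
import ipaddress

# Constructed addressing for illustration (not the video's exact configuration).
LAN = ipaddress.ip_network("10.30.0.0/24")      # trusted clients
IOT = ipaddress.ip_network("192.168.1.0/24")    # IoT / camera VLAN

# First-match rules: (action, source net, destination net, connection states)
RULES = [
    ("accept", IOT, LAN, {"established", "related"}),  # replies to LAN-initiated sessions
    ("drop",   IOT, LAN, {"new", "invalid"}),          # IoT may not open sessions to LAN
    ("accept", LAN, IOT, {"new", "established", "related"}),
]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # connection tracking: flows accepted in state "new"

    def state_of(self, src, sport, dst, dport):
        # Forward or reverse direction of a tracked flow counts as established.
        if (src, sport, dst, dport) in self.flows or (dst, dport, src, sport) in self.flows:
            return "established"
        return "new"

    def packet(self, src, sport, dst, dport):
        state = self.state_of(src, sport, dst, dport)
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for action, snet, dnet, states in self.rules:
            if s in snet and d in dnet and state in states:
                if action == "accept" and state == "new":
                    self.flows.add((src, sport, dst, dport))
                return action, state
        return "drop", state  # assumption: unmatched traffic is dropped in this model

def demo():
    fw = StatefulFirewall(RULES)
    return {
        # Phone on the LAN opens an RTSP session to a camera, camera answers.
        "lan_to_cam": fw.packet("10.30.0.20", 50000, "192.168.1.50", 554),
        "cam_reply": fw.packet("192.168.1.50", 554, "10.30.0.20", 50000),
        # Doorbell tries to push an alert to the phone on its own initiative.
        "doorbell_push": fw.packet("192.168.1.60", 40000, "10.30.0.20", 8443),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The camera's reply passes because it belongs to a session the LAN client opened, while the doorbell's self-initiated alert arrives in state New and is dropped, which is the case raised in the reply.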

  • @lucashenry2210 2 years ago +1

    Would having your phone on the IOT network not be an easier solution? It would make things both easier and safer. Plus, even tho that is debatable, a phone might be considered as a iot device which you would not want to trust.

    • @SpaceRexWill 2 years ago +3

      If this was an office then that would not be a bad setup. But since it’s my personal setup it’s got issues for 2 reasons:
      1) my phone needs to be able to connect to the rest of my computers
      2) if the reason I am setting this up is for security of my devices I don’t want my phone exposed to the unknown of the IOT VLAN

  • @ericyost5287 2 years ago

    I thought you had to add a vlan ID on the port in synology in network setup?

    • @SpaceRexWill 2 years ago

      In this case we are just passing the port through as being on that VLAN. Effectively the Synology thinks we just plugged it into an entirely different network. It does not need to know that VLANs even exist

    • @ericyost5287 2 years ago

      @SpaceRexWill Oh ok. Another question is in the network configuration on the Synology it has a check box for vlan ID and you enter a vlan ID there. Is that for multiple vlans? I read synology don't work well with multiple vlans.

    • @SpaceRexWill 2 years ago +1

      That would be if you had multiple vlans sent to the port on the Synology then you would be able to select it. But if you are only sending the one then you do not have to select it (and should not)

  • @KrispKiwi 1 year ago

    Does anyone know how to cast CZcams across Vlans?

    • @SpaceRexWill 1 year ago

      You would need to allow multicast DNS and the firewall rules

  • @ChanKruse 1 year ago

    Ideally you would block internet access from the camera (and intranet access) and just use Synology surveillance station to view the footage.

    • @Fryn_Hayn 11 months ago

      How would you go about accessing the camera via smartphone when remote?

    • @WiseShepherd 11 months ago

      @Fryn_Hayn you can set up your firewall rules so that camera can talk to only synology block everything out except the specific port to the specific IP. When you are trying to view the camera feed you are doing so via the synology app. If you are talking about accessing the camera directly from remote (eg: to change settings) then you would want to open a hole in the firewall so internet in can access the camera. but the camera should never need access to the internet out

  • @cdoublejj 1 year ago

    my only issue is i only have 10Gbps NIC with no more room for more NICs so i can't record from my cameras anymore. i'll have to see if it's possible to force multiple on one port. outside of unifi/ubiq i know QinQ is a thing for the 802.x spec on that. i might try a usb3 dual port NIC but, i really prefer to have motherboard/pcie Intel nics due to Shitty NICs Disease. EDIT: I FORGOT I SET DHCP RESERVATIONS BEFORE THIS VIDEO! going to go see about re addressing the camera IPs. EDIT: still double whammy issue(s)

    • @SpaceRexWill 1 year ago

      You should be able to have multiple VLANs on a single NIC, or you can use intervlan routing

    • @cdoublejj 1 year ago

      @SpaceRexWill how is that done? i also noticed after "converted to l3 routing" on a few vlans an intervlan router showed up. i also can access my cameras via wifi despite them being on the a camera only network. i think i may need some rules blocking the vlan from the new intervlan network unifi created. also i noticed in your video there are no rules specifically blocking the camera vlan from internet and i some internet/wan options in there for rules but, i may not understand how those work. also i got it working with secondary NIC on my server would still need a usb nic. i don't see anywhere where i can select multi vlans it turns red and angry when i try to select multiple vlans. EDIT: it paused my firewall rules, that's probably why EDIT: no i wonder if it's because i need an intervlan rule or because UAPS are on "ALL" EDIT: disabled my second nic and cameras still work and vlans are not blocked so i think i have to start all over. seems to have broke when i able switch routing as i did not want my ipcam vlan touching the router, also the router is tiny dual core old usg.

    • @cdoublejj 1 year ago

      @SpaceRexWill ok i figured it out, intervlan routing is a whole new game is what allowed all my vlans to talk to each other, block that you have to make special network with some RFC tags in the name. i got usb3 dual nic and reverted all my stuff back and started over. FYI the cameras can not pull from inet for time sync (doesn't matter nvr does time stamps) so the vlan works!

  • @MK-tt5xy 2 years ago

    "Go ahead and..."

  • @morejelloplease 1 year ago +2

    i was good until about 5 minutes in. is there a video that explains what every feature is for? vlan 3, what does that mean? just a tag? i'm trying to add my dahua to a unifi switch and keep the hood rats out of it. i'd like to be able to view my cams remotely but everyone says not to allow that, it's almost 2023, is there a safe way to look at your home security cams while you're away these days?

    • @Fryn_Hayn 11 months ago +1

      I need an answer for this too

  • @Androcentus 6 months ago

    So every time you need a direct connection to a camera you need to go plug in into a specific port that has access to both vlans??? that's not very good man! Ideally just need to segment the network into a different vlan for security cameras, and isolate them from talking to the PC LAN, but still leave access to the cams from the PC LAN. The cams won't be able to talk to any devices on the PC LAN (have their own broadcast domain) but still access the Internet.

  • @generalcohan4241 2 years ago

    Is the purpose of this video to advertise Apple home kit? The description doesn't say that.