Network Firewall Rules for Dahua Camera Remote Access

david-bann (Active Member, joined Aug 11, 2008)
Hi all,

I am busy securing my Dahua camera network. I have put my NVR, cameras, gate station and indoor monitor on their own VLAN without internet access.

I have managed to get them all working on the local network, but now I want to get the DMSS app to work on my mobile remotely so that I can view the cameras remotely, and so that the gate station can ring my mobile when someone's at the gate.

I'm running a Unifi setup.

Please let me know what firewall rules I need to create to allow this.

The only thing I have done is create a rule to allow outbound NTP (UDP port 123).

I've monitored the logs and see so many outgoing connections being blocked but the ports are a huge range, so not really sure how to approach this.

I could use WiFiman to create a VPN connection from my mobile to the UCG-Ultra so that I can view video feeds, if that is the better approach? It just adds an extra step when I want to view the feed... Or do I allow a certain range of ports? But either way I need to be able to get calls from the gate station when someone rings the intercom, even if I am not on the VPN.

Any suggestions?

Thanks
David
 
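On the "so many outgoing connections being blocked" point above: before deciding what to allow, it helps to reduce the drop log to a per-device summary of destination ports. The script below is an added example, not something posted in this thread. It assumes the iptables-LOG style that UniFi gateways write to syslog for rules with logging enabled (a bracketed tag ending in -D for drop or -A for accept, then IN/OUT/SRC/DST/PROTO/SPT/DPT fields); the sample lines, rule name, hostname and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the assumed UniFi iptables-LOG syslog format.
# Addresses are documentation ranges; the rule name and hostname are made up.
SAMPLE_LOG = """\
Sep 24 10:15:01 UCG-Ultra kernel: [SECURITY_OUT-2001-D]IN=br20 OUT=eth4 SRC=10.0.20.11 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=48212 DPT=443 SYN
Sep 24 10:15:01 UCG-Ultra kernel: [SECURITY_OUT-2001-D]IN=br20 OUT=eth4 SRC=10.0.20.11 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=48213 DPT=443 SYN
Sep 24 10:15:02 UCG-Ultra kernel: [SECURITY_OUT-2001-D]IN=br20 OUT=eth4 SRC=10.0.20.11 DST=198.51.100.7 LEN=48 PROTO=UDP SPT=8800 DPT=8800
Sep 24 10:15:03 UCG-Ultra kernel: [SECURITY_OUT-2001-D]IN=br20 OUT=eth4 SRC=10.0.20.12 DST=198.51.100.7 LEN=48 PROTO=UDP SPT=8800 DPT=8800
Sep 24 10:15:04 UCG-Ultra kernel: [SECURITY_OUT-2001-D]IN=br20 OUT=eth4 SRC=10.0.20.12 DST=198.51.100.8 LEN=48 PROTO=UDP SPT=40001 DPT=59102
Sep 24 10:15:05 UCG-Ultra kernel: [SECURITY_OUT-2001-D]IN=br20 OUT=eth4 SRC=10.0.20.12 DST=198.51.100.8 LEN=48 PROTO=UDP SPT=40002 DPT=52881
Sep 24 10:15:06 UCG-Ultra kernel: [SECURITY_OUT-2001-D]IN=br20 OUT=eth4 SRC=10.0.20.13 DST=203.0.113.20 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Sep 24 10:15:07 UCG-Ultra kernel: [SECURITY_OUT-2000-A]IN=br20 OUT=eth4 SRC=10.0.20.13 DST=203.0.113.30 LEN=76 PROTO=UDP SPT=123 DPT=123
"""

# The tag is "[<rule name>-<rule number>-<verdict>]"; the fields after it are
# space-separated KEY=VALUE pairs in iptables LOG order.
LINE_RE = re.compile(
    r"\[(?P<rule>[^\]]+)-(?P<verdict>[DAR])\]IN=(?P<ifin>\S*) OUT=(?P<ifout>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the firewall fields of one syslog line, or None if it is not a firewall log."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None   # ICMP etc. have no ports
    return rec


def summarise_drops(log_text):
    """Per source IP, count dropped flows by (protocol, destination port)."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"] == "D" and rec["dpt"] is not None:
            per_src[rec["src"]][(rec["proto"], rec["dpt"])] += 1
    return per_src


def candidate_allow_rules(per_src, min_flows=2):
    """(src, proto, port) triples hit repeatedly by one device: the only
    candidates for a narrow device-and-port allow rule."""
    out = []
    for src, ports in sorted(per_src.items()):
        for (proto, dpt), n in sorted(ports.items()):
            if n >= min_flows:
                out.append((src, proto, dpt))
    return out


def high_port_sources(per_src, threshold=49152):
    """Devices whose drops land on ephemeral-range destination ports. Those
    will not reduce to a fixed port list, so an "allow this range of ports"
    rule for them would amount to a blanket outbound allow."""
    return {src for src, ports in per_src.items()
            if any(dpt >= threshold for (_, dpt) in ports)}


if __name__ == "__main__":
    drops = summarise_drops(SAMPLE_LOG)
    for src, ports in sorted(drops.items()):
        print(src, dict(ports))
    print("narrow allow candidates:", candidate_allow_rules(drops))
    print("devices spraying high ports:", high_port_sources(drops))
```

Run it against the real log export instead of SAMPLE_LOG; devices that show up only in high_port_sources are the ones where, as the later replies say, an outbound allow for that device (or a VPN) is a cleaner answer than guessing a port range.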
Port forwarding is a bad idea when it comes to devices such as CCTV systems.

If you need to get the calls from the gate station and indoor station, I would recommend removing it from the CCTV VLAN and give it internet access. No port forwarding required, as you can use P2P to configure it on the DMSS app.

Then setup a VPN tunnel to view your CCTV cameras remotely.
 
Almost all the apps these days are breaking out to cloud servers - so your NVR/DVR etc. keeps a connection to a server and your app on your phone talks to their cloud. When you want to see live it gets a message back, and streams. Alerts are simply pushed to you. Some also open an on-demand UPnP connection but I'd be wary of keeping UPnP on unless you really really need it as it can allow apps to open inbound connections.

The other option is the VPN - Ubiquiti's Teleport is good and integrates seamlessly into the ecosystem.
 
@Park@82 You posted a really simple looking solution based on AI feedback - I assume it was deleted due to AI giving bad advice?
 
Port forwarding is a bad idea when it comes to devices such as CCTV systems.

If you need to get the calls from the gate station and indoor station, I would recommend removing it from the CCTV VLAN and give it internet access. No port forwarding required, as you can use P2P to configure it on the DMSS app.

Then setup a VPN tunnel to view your CCTV cameras remotely.
Ok thanks - so just to get this straight - the reason I should move the gate station off the camera VLAN is so that no port forwarding is needed - is that right? i.e. I could create a device specific firewall rule allowing that device internet access, but then I assume my mobile will not be able to connect to it remotely due to no port forwarding - is that what you are saying?
 
Why the need to remove internet access in the first place?

If this is using a Cloud-based app then it needs to be able to connect OUT not in for this to work.

You allow the device to connect to the cloud service and your phone connects to the same cloud service...hence no port forwarding or "direct connection" required.

I've never used Dahua but would imagine it works exactly the same as others in this regard.

This obsession people have with removing internet access to their own detriment, especially when not understanding how things work, really needs to end. You've already put it in its own VLAN and presumably segregated it in doing so, so removing the internet access OUTGOING is just silly.
 
Almost all the apps these days are breaking out to cloud servers - so your NVR/DVR etc. keeps a connection to a server and your app on your phone talks to their cloud. When you want to see live it gets a message back, and streams. Alerts are simply pushed to you. Some also open an on-demand UPnP connection but I'd be wary of keeping UPnP on unless you really really need it as it can allow apps to open inbound connections.

The other option is the VPN - Ubiquiti's Teleport is good and integrates seamlessly into the ecosystem.
Thanks - yes, the concept makes sense. But are you then saying that my NVR should have internet access so that it can send the push notifications to my mobile, and for me to answer the intercom calls?
 
Why the need to remove internet access in the first place?

If this is using a Cloud-based app then it needs to be able to connect OUT not in for this to work.
I don't know much about security, but it seems like a common recommendation I've seen to not have your cameras with internet access, as they are vulnerable (security not kept up to date) and there are concerns over potential data privacy.

Is that just an overreaction, and actually just having cameras on a separate VLAN is good enough even if they have internet access?
 
I don't know much about security, but it seems like a common recommendation I've seen to not have your cameras with internet access, as they are vulnerable (security not kept up to date) and there are concerns over potential data privacy.

Is that just an overreaction, and actually just having cameras on a separate VLAN is good enough even if they have internet access?

Especially if you don't understand it, all the more reason not to follow common recommendations.

Putting them "on the internet" would be exactly what you are trying to do with Port Forwarding, not just allowing them internet access.

But in your case with the NVR you should only need to give that access to the internet so it can connect to their cloud service and so can your mobile phone, not every camera in and of itself as those don't generally connect out anyway.

By and large you don't want anything connecting IN to your network and therefore by default you block all incoming connections unless specifically required otherwise (port forwarding) but at the end of the day you bought the thing to do a job and part of that job is to connect out to the service you bought and paid for so you can gain functionality.

You could directly port forward to the NVR and have multiple ways of connecting to that from the outside, but in doing so while not understanding what you are up to you actually open yourself up to far more risk.

So if Dahua is indeed a cloud-based service as I presume it to be then you want it to be able to connect out, the NVR at the very least, not necessarily every camera.

@Captain Morgan seems to have experience with this specific system so I would follow his guidance.
 
Ok thanks - so just to get this straight - the reason I should move the gate station off the camera VLAN is so that no port forwarding is needed - is that right? i.e. I could create a device specific firewall rule allowing that device internet access, but then I assume my mobile will not be able to connect to it remotely due to no port forwarding - is that what you are saying?
Correct, well sort of. You will be able to add the device to the DMSS app on your phone using the serial number (which is over P2P). So your phone will be able to connect to it without port forwarding.

The same method will work on the NVR/DVR as well. P2P can be enabled under network settings. Alternatively you can leave the CCTV on the VLAN and use a VPN to access your cameras remotely.

As with any device with internet connectivity, always ensure that you are using the latest available firmware (in your case the NVR/DVR, IP cameras, gate station and indoor station).
 
For anyone stumbling on this in the future, this is what I ended up doing in order to have remote mobile access to my camera feeds, as well as the gate station for incoming calls.
  • I put all my cameras, the gate station and monitor on a separate VLAN without internet access (I'll call it the Security VLAN).
  • I isolated the Security VLAN from other VLANs.
  • I created a firewall rule on the Security VLAN to allow outgoing NTP access (UDP port 123) so that all cameras can poll the time server.
  • To create the P2P link to the mobile app, I created a Wi-Fi on the Security VLAN, and connected my mobile phone to it (you must have the mobile on the same network as the monitor to connect them).
  • I temporarily enabled outgoing internet access from the Security VLAN, and followed the P2P link steps on the monitor, connecting the phone to the monitor.
  • I disabled internet access on the Security VLAN.
  • I created a device-level firewall rule to allow the monitor and the gate station outbound internet access.
  • I removed the Wi-Fi SSID linked to the Security VLAN - I don't have any Wi-Fi cameras, so it is not needed other than to pair the mobile app.
  • To avoid port forwarding, I put my NVR on the main VLAN with internet access.
With the above, I am able to receive incoming calls from the gate station on my mobile, answer calls, see the video feed and open the gate, and view all camera feeds, all from outside my network.
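The rule set in the post above depends on ordering: in a UniFi LAN In list the first matching rule wins, so the device-level allow for the gate station and monitor has to sit above the VLAN-wide drops or it is never reached. The script below is an added example, not part of this thread, that models that policy as an ordered first-match list and evaluates constructed flows against it, including the same rules in the wrong order. The addressing (10.0.20.0/24 for the Security VLAN, 10.0.10.0/24 for the main VLAN, .50 and .51 for the gate station and monitor) is assumed for the example, and RFC 1918 space stands in for "inside the network" so that the documentation addresses used as "internet" hosts are treated as external.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing for the example (not from the thread).
SECURITY_VLAN = ip_network("10.0.20.0/24")
MAIN_VLAN = ip_network("10.0.10.0/24")
GATE_STATION = ip_address("10.0.20.50")
MONITOR = ip_address("10.0.20.51")
# RFC 1918 = "inside"; everything else is treated as the internet. Python's
# ip_address.is_private would also flag the 203.0.113.0/24 documentation
# range, so it is not used here.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip):
    return any(ip in net for net in RFC1918)


def flow(src, dst, proto, dport, state="new"):
    """A 5-tuple-ish flow as the firewall sees it; state mirrors conntrack."""
    return {"src": ip_address(src), "dst": ip_address(dst),
            "proto": proto, "dport": dport, "state": state}


# Rule predicates. Each rule is (name, predicate, action); first match wins,
# like a UniFi LAN In / WAN In list read top to bottom.
def rule_established(f):
    return f["state"] in ("established", "related")

def rule_inbound(f):            # unsolicited traffic from the internet, no port forwards
    return not is_local(f["src"])

def rule_ntp(f):
    return f["src"] in SECURITY_VLAN and f["proto"] == "UDP" and f["dport"] == 123

def rule_gate_monitor(f):       # device-level outbound exception for the P2P/cloud link
    return f["src"] in (GATE_STATION, MONITOR) and not is_local(f["dst"])

def rule_isolate(f):            # Security VLAN may not reach other VLANs
    return (f["src"] in SECURITY_VLAN and is_local(f["dst"])
            and f["dst"] not in SECURITY_VLAN)

def rule_no_internet(f):        # Security VLAN has no internet access
    return f["src"] in SECURITY_VLAN and not is_local(f["dst"])


CORRECT_ORDER = [
    ("allow established/related",                rule_established,  "accept"),
    ("drop unsolicited inbound from internet",   rule_inbound,      "drop"),
    ("Security VLAN -> NTP (UDP 123)",           rule_ntp,          "accept"),
    ("gate station + monitor -> internet",       rule_gate_monitor, "accept"),
    ("Security VLAN -> other VLANs",             rule_isolate,      "drop"),
    ("Security VLAN -> internet",                rule_no_internet,  "drop"),
]

# Same rules, but the device exception placed after the VLAN-wide drop.
WRONG_ORDER = [CORRECT_ORDER[i] for i in (0, 1, 2, 4, 5, 3)]


def evaluate(f, rules=CORRECT_ORDER, default="accept"):
    """First matching rule decides; the default models UniFi's permissive LAN In."""
    for name, match, action in rules:
        if match(f):
            return action, name
    return default, "default"


if __name__ == "__main__":
    cases = [
        ("camera -> cloud HTTPS",        flow("10.0.20.11", "203.0.113.10", "TCP", 443)),
        ("camera -> NTP",                flow("10.0.20.11", "203.0.113.30", "UDP", 123)),
        ("gate station -> cloud",        flow("10.0.20.50", "203.0.113.10", "TCP", 443)),
        ("gate station -> main VLAN",    flow("10.0.20.50", "10.0.10.5", "TCP", 80)),
        ("NVR on main VLAN -> cloud",    flow("10.0.10.20", "203.0.113.10", "TCP", 443)),
        ("internet -> NVR, unsolicited", flow("203.0.113.99", "10.0.10.20", "TCP", 8000)),
    ]
    for label, f in cases:
        print(f"{label:32s} {evaluate(f)}")
    print("gate station with wrong order:   ", evaluate(cases[2][1], rules=WRONG_ORDER))
```

The last line of output is the check worth keeping in mind when building the rules in the controller: if the gate station's calls stop working after you add the "no internet" rule for the VLAN, look at rule order before anything else.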
 