Reolink NVR
-
Hello,
Just wondering if any one could help please.
So I have a mangement network which is on a vlan and I have another network which is for CCTV which isn't on a vlan this just go straight into a poe switch from pfsense.
what I wan't to try and do is have the reolink CCTV nvr on the management network so I can access the web gui from it and then have the 4 reolink poe cameras on the cctv network connected to the poe switch. I have put rules in place but when I add the camera it says failed to log in.
thanks
-
@ryan_2000 said in Reolink NVR:
says failed to log in.
Failed like this :
? which means : the connection is established, but user credentials were wrong.
Next potential issue : you use VLANs. This means that VLAN settings on pfSense have to match VLAN settings on other devices like smart switches etc.
Your poe switch is VLAN capable ? Or did you place a VLAN capable switch in front of the poe camera switch ?
For my own curiosity : why a VLAN for the cameras ? You don't trust them ? You don't want LAN devices to connect to your cameras ? Something else ?
Not that I'm saying that VLAN aren't any good, just that the break the KIS setup.To test this situation : go bare bone or native : ditch all VLANS for a moment (go KIS mode), make one global LAN, like you had when you installed pfSense, and test again.
What NVR ? This one ?
I've been looking at the site for some time now. A friend bought a couple of battery fed cameras from them a while a ago. I think of doing the same, just to play with it.
-
@ryan_2000 So your cameras are plugged into the poe ports of then nvr?
I have a lorex nvr - but would assume they are all pretty much same from from a networking point of view.
You have the nvr connection, and then poe ports to connect your cameras too
You connect the nvr to your network you want it to be on, this could be your lan, or some other vlan for management, etc.
If you are seeing the nvr gui and have a place to login, and your getting told its not correct - that just seems like what @Gertjan said is you have the wrong creds.
Do you have a different poe switch than the ports on the back of the nvr? Why would you not just use the poe ports of the nvr for your cameras? A drawing of how you have your nvr and cameras connected to the network might help understand what your trying to do.
Here is how I have mine setup.
The nvr admin gui is on one of my networks, the 192.168.110/24 - then cameras plug into the nvr poe ports, and are on a 10.1.1/24 network that the nvr creates.
Now I do have a leg connected into this 10.1.1 network from pfsense that I source nat so I can directly talk to the cameras, since their gateway is the nvr 10.1.1.1 address.
But I left that off the drawing for now for just simple drawing.
Normally the network behind your nvr would be completely isolated - and only way to talk to cameras would be via nvr, and only way cameras can go anywhere is through the nvr. Which it would nat.
If you want to leverage some other poe switch, the cameras would sit on the same network the nvr connection is on, in my example the 192.168.110 network.
-
Hello both,
Thank you for you reply’s.
So how my network is setup is the following.
The pfsense side of things there is an Ethernet cable that comes out of there and straight into a poe switch not managed that is for the CCTV network not on a vlan.
Then I have a trunk line from the pfsense into a mangaged Ethernet switch for the vlans 1 being the management network.
The plan is to have the 4 poe cameras connect to the cctv network so connect to the Poe switch.
Then the CCTV nvr connects to the management network so I can get access to the GUI.
The Poe camera has been reset to factory so no password on it at the moment.
Rules had been put in place but taken of for now.
Thanks
-
@ryan_2000 not sure about your nvr. And accessing cameras on a different poe switch that is not on your nvrs main connection network. Or connected to one of your nvr poe ports.
Does your nvr not support poe, or not have switch ports. Not clear on why you want/need to leverage another poe switch then most every nvr I have ever looked at provides poe on its switch ports.
https://support.reolink.com/hc/en-us/articles/900000537406-How-to-Connect-PoE-Switch-Router-and-Reolink-NVRs/
So do you now have access to your nvr gui? Which should have nothing to do with your poe switch and cameras.. I would make sure you can login to your nvr gui - then you can worry about how to connect the cameras to the network.
-
@johnpoz the only reason my 4 poe cameras connect to a Poe switch rather than the NVR itself is so if I wanted to I can move the NVR to another room and it would still work so makes the cables a centeral point.
When on the management VLAN I can access the NVR gui and can login no problem
-
@ryan_2000 Ah ok that makes sense.
I believe those cameras need to be on the same network as your nvr interface, my 192.168.110 in the above example.
You might want to take a look at that link on how to add a poe switch to your reolink nvr.
Not sure if your nvr can find the cameras if not either on its camera network (its switch ports) or on its normal network connection.. I would for atleast testing put your poe on the same network as your nvr interface - can you add a camera.. If so then try moving it to a different vlan and see if you can still add it.
Also when adding cameras on another network than the nvr interface network - make sure you firewall rules allow it on the nvr network interface in pfsense. And not say policy routing traffic out your gateway or vpn.
-
@johnpoz so I know that works being on the same network both the NVR and the cameras as that’s how I’ve had it before.
Would have been nice to have it separate if I can
-
I did have a pass rule specific to an IP addresss which is the NVR.
Even added a port number.
-
@ryan_2000 well if me and a limitation of the nvr. I would just put the nvr and cameras on some isolated network. Vs having your nvr interface on your management network.
Policy routing could cause you issues trying to get to other networks from the nvr. What rules did you put in place? What order. Can you post up rules that should allow access from the nvr to your cameras.
What port did you set? Not sure what port the nvr uses to find and connect to cameras - it might not be the standard onvif port.
-
@johnpoz honestly I can’t remember what rules I had used now, think I was just basic pass rules with a port number for each of the networks, with specified ip and destination.
What rules would you recommend trying?
Thanks
-
@ryan_2000 I would have an any any rule from your nvr network interface on pfsense to the network your cameras are on - once they are connected, you can then look to see what ports are being used via state table and then lock the rule down to that one, or multiple ports, etc.
-
@johnpoz ok thanks, I will try that and see
-
@johnpoz spoke to Reolink, from what they were saying, looks like the cameras have to be on the same network as the NVR.
So I’ll have to think of something else to make this work, as I wanted the web gui to be accessed from the management network like everything else is.
-
@ryan_2000 well why can you not access the gui from your device on the management network.. That should just be a simple firewall rule to allow that.
I access my nvr web gui from a different network than its on. My device I am currently using is on my lan (192.168.9.0/24) or trusted network.. You could call that management I guess ;) none of my iot or other devices are on this network nor can they access it.. My switches admin interface on the 192.168.9 network etc.
Yeah had a funny feeling the cams had to either be on the network the nvr creates for the cameras - mine is 10.1.1.0/24 - and stupid thing won't let you change that. Or on the same network as the nvr interface.
So guess you have 2 choices - put the cameras on the same network as your nvr interface is on.. You could for sure do that with your switches - one is managed right, and the other the poe is not.
Or get your cameras connected via the poe ports on the nas.. Run a wire maybe if you want your nvr where the camaras cables can not reach. Then you could have your nvr interface on your management network.
Not sure about the reolink brand - but can tell you on my lorex nvr it doesn't really expect to see more than 1 camera per port. So you could run into some issue with that sort of setup - but I believe that link I gave about connecting poe to your nvr showed that sort of connection.
Trouble I ran into with the poe ports, is I had a normal switch interface connected to one of them so I could put a leg into the camera network and directly connect to the cameras bypassing the nvr.. And seems the nvr didn't like there was no poe power being used on that port - so it would reset the port, it was quick - and never really noticed it watching video stream directly from the camera to be honest, but noticed it in switch logs, and if I would run a constant ping I would loose a packet or 2 every specific amount of time - like every 2 minutes or something. I could of just lived with it like that - but it was filling up my switch log that I didn't like - so I connected a little poe powered switch between my normal switch (non poe) and the nvr poe port - now the nvr powers that switch and seems to be happy to be providing poe on a port it shows connected (no cameras connected via this port) and doesn't reset it on a schedule ;)
take that back about being able to change that cameras network, looks like you can.
but it would still be an isolated L2 network behind the nvr, you can't bridge the networks together - so I could change I guess to be more in line with my ip scheme - But I have everything setup, kind of pointless to change it. Have to mess with the apps on my tvs that allow showing the camera feeds direct from the cameras, etc.
-
@johnpoz something I will have to think about I guess. Not really decided what I am going to do. This is the last device I need to setup for now. Then at some point I’ll get an unraid server setup again.
Yeah that’s correct so have my pfsense which the wan connects to the onboard nic and then I have a quad Ethernet nic.
1 port for the trunk line and the other for the CCTV network.
The CCTV network cables comes out of the Ethernet Nic and straight into the non managed poe switch.
The trunk line comes out of the Ethernet nic and straight into the managed Ethernet switch.
-
@ryan_2000 I have a Reolink setup on a Camera VLAN on my pfSense. From my learnings you have to have the NVR and the cameras on the same Layer 2 network (same L3 IP subnet as well) because they discover each other by broadcast when you scan the QR code and elect to add the camera to the NVR.
I have not tried to use fx. Broadcastrelay services to attempt to seperate them, but it would require special broadcast forwarding from L2 to L2 to work.Love the no fuss of using the official appliances :-)
-
@keyser that’s interesting to know, so it could be possible then by what you are saying.
Do you know the steps for fully setting this up.
I have a managed TPLINK switch and unmanaged TPLINk poe switch.
-
@ryan_2000 The switch (managed or not) is irrellevant for this issue. Your problem is that your NVR is sitting on one Layer 2/3 network, and the cameras another. It does not matter if the L2/L3 is a pfsense physical nic connected to an umanaged switch, or if it is a pfSense VLAN interface connected to a VLAN capable managed switch.
The problem is Broadcasts does not pass between Layer 2 networks. I don’t know the specifics of how reolink broadcasts are formatted, but I seem to recall they are UDP Netlocal (fx. 192.168.1.255 and are directed to port 2000). But you will probably need to do a packet capture to verify that.
In order to flood those to another VLAN you would need to install the UDPbroadcastRelay package on your pfsense and configure it to forward those specific broadcasts to the relevant interfaces (remember to allow the packets in the Firewall as wall).
But like I said, I have not experimented with it, so you are on your own here.
-
@keyser said in Reolink NVR:
because they discover each other by broadcast
So you can not manually add them? I have had no need to try to do this - but with lorex you can set an IP of the camera to search for.
You can only add with qr code?
If they send a directed broadcast, ie 192.168.1.255 vs 255.255.255.255 not sure it would work even if you did relay it. If the camera was say 192.168.100.42 - and you relay a broadcast to 192.168.1.255 - why would it pay attention to that broadcast?
Wonder if the qr code is just the mac of the camera?
You could sniff on pfsense interface the nvr is setup on - and then try to add the camera and see what it sends out.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 25.11 | Lab VMs 2.8.1, 25.11
