Hikvision CAM+NVR and Remote access

alexkid

n3wb
Joined
Apr 14, 2022
Messages
12
Reaction score
0
Location
france
Hello,

First of all, I thank you in advance for the help and advice you can give me. I am a newbie in all these kinds of settings, so I will try to explain as precisely as I can all my config and questions.

I have just finalized the installation of Hikvision POE cameras (DS-2CD2185FWD-I) and a Hikvision NVR (iDS-7716NXI-I4 / X(B)).
From what I understood by reading different posts on this forum, I had to create a specific VLAN for all of this and, if possible, block all access to the internet (WAN IN and WAN OUT dropped). I use a UDM Pro from Ubiquiti to manage my network.

I don't use the HikConnect connection because I read on this forum that it was not very secure...

But now I'm a little bit lost with the configuration of the NVR and the network to allow me to do the following:
  • How can I receive motion detection notifications from the NVR to my smartphone without internet access? Do I need to open specific ports to the internet? Or rather access to another VLAN which could send info? Or do I have to use the SMTP config to send emails directly from the NVR to the internet (or another VLAN)?
  • The Hik-Connect application on iPhone does not offer me the option to receive real-time notifications (the option does not appear for me, maybe because I am "manually" connected to the NVR via wifi or VPN?). Should I use another application? Or do I have to set something in the app to get the option?
  • When I want to take a picture or start a recording from my smartphone, it is recorded on my phone and not locally on the NVR. I have read posts about using ASAPI but it doesn't seem to work for me even though I have enabled the option in the NVR... Is there any other way to start recording locally?

I thank you for your help ;)
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,456
Reaction score
2,431
Location
USA
Correct, port forwarding is not secure:

Setting up SMTP notifications is slightly less than realtime. But most have reported it works well for them. Once notified of an alert via email on their phone, they will access their system after establishing a VPN link they have set up on their mobile device.
If the NVR has not already started recording due to the motion/activity that caused the alert, you can remotely start/stop recording, take photos, etc. Just as you would if you were sitting at the system operating it locally.
I am fairly certain that any remote operating of the NVR records on the NVR itself. However, if you are playing back existing clips and wish to save them, I believe it attempts to save them to the device you are viewing the clips from.
 

alexkid

Thanks for your help

> Setting up SMTP notifications is slightly less than realtime. But most have reported it works well for them. Once notified of an alert via email on their phone, they will access their system after establishing a VPN link they have set up on their mobile device.

I can use this process if it's the best way to stay secure from the internet but, in this case, what is the config usually made to send email: open a way directly from the NVR (in the Hikvision setup, I can define an email sender like we do in Outlook, for example) or open a way to another "local" VLAN to send an email from there? If it's the first choice, what port do I have to open and is my system still secure?

> If the NVR has not already started recording due to the motion/activity that caused the alert, you can remotely start/stop recording, take photos, etc. Just as you would if you were sitting at the system operating it locally.
> I am fairly certain that any remote operating of the NVR records on the NVR itself. However, if you are playing back existing clips and wish to save them, I believe it attempts to save them to the device you are viewing the clips from.

The Hik-Connect app on iOS does not launch the recording locally on the NVR. I read that it can do that if I use the HikConnect connection mode, but I don't want to use that kind of connection because some posts say that it's not secure.
I am thinking that another app may do what I want, but I don't know if it can work with the NVR.
 

SpacemanSpiff

> Thanks for your help
>
> I can use this process if it's the best way to stay secure from the internet but, in this case, what is the config usually made to send email: open a way directly from the NVR (in the Hikvision setup, I can define an email sender like we do in Outlook, for example) or open a way to another "local" VLAN to send an email from there? If it's the first choice, what port do I have to open and is my system still secure?
>
> The Hik-Connect app on iOS does not launch the recording locally on the NVR. I read that it can do that if I use the HikConnect connection mode, but I don't want to use that kind of connection because some posts say that it's not secure.
> I am thinking that another app may do what I want, but I don't know if it can work with the NVR.

A great idea folks have shared here is to create a Gmail account solely for the purposes of receiving notification emails from their recorders.

Looks like your NVR has two network ports (NIC). If you have not done so already, assign NIC#1 to the camera VLAN, and put NIC#2 (static IP) on the everyday network with rules on the router to block everything from its IP/MAC address except the SMTP traffic.
 

alexkid

I am new to all of these configs (router/firewall/VLAN/...) so I have a question about the advice you just gave me:
What is the difference between these 2 solutions:
  • use 1 network port. Put NVR+Cam on the same VLAN. Block internet access in the firewall (in/out). Open only the port to send email.
  • use 2 network ports. 1 network = NVR+CAM on the same VLAN. Block internet access in the firewall (in/out). 1 network = NVR on the main VLAN (with my computers,...). Block internet access in the firewall for the NVR specifically (in/out) and open the SMTP port.
In case 2, the NVR will have access to 2 VLANs, so I can't be sure that the cams won't be available from my main VLAN.
Where am I making a mistake?
 

SpacemanSpiff

> I am new to all of these configs (router/firewall/VLAN/...) so I have a question about the advice you just gave me:
> What is the difference between these 2 solutions:
>   • use 1 network port. Put NVR+Cam on the same VLAN. Block internet access in the firewall (in/out). Open only the port to send email.
>   • use 2 network ports. 1 network = NVR+CAM on the same VLAN. Block internet access in the firewall (in/out). 1 network = NVR on the main VLAN (with my computers,...). Block internet access in the firewall for the NVR specifically (in/out) and open the SMTP port.
> In case 2, the NVR will have access to 2 VLANs, so I can't be sure that the cams won't be available from my main VLAN.
> Where am I making a mistake?

Both scenarios will work. I offered scenario 2 because it offers a better means of isolation. The cameras (and NVR NIC#1) will be on a VLAN that has zero ports open to any other LAN, or WAN resource. Cams only need access to NIC#1 of the NVR. Anyone looking to review footage will access the NVR via NIC#2, which is on your main VLAN. Blocking the IP/MAC of NVR NIC#2 except SMTP at the router prevents the NVR from 'phoning home'.
 

alexkid

Thanks for the explanation.
I will try to make this configuration.

About the iOS app to control the NVR, do you think I can use one from another brand than Hikvision? One that can control the recording locally inside the NVR, not the mobile phone.
 

alexkid

I come back to you because I am trying to open the right port on the UDM Pro but nothing seems to work...
In fact, I can't find the port I have to "open" to let the NVR send emails via Gmail.
I have a WAN In and a WAN Out rule that drop all the traffic to the static IP of the NVR.
In the WAN Out section, I opened port 465 or 587 but nothing worked. I think it's not this port that is used, because this port is the one used by Gmail to receive the information, isn't it?
If anyone has an idea on how to do it, I'll give it a try.
Thanks
 

SpacemanSpiff

> ...
> About the iOS app to control the NVR, do you think I can use one from another brand than Hikvision? One that can control the recording locally inside the NVR, not the mobile phone.

Have not worked with a Hikvision NVR in many years... have you reviewed the mobile app wiki? Mobile Apps
 

alexkid

Thanks for your help again.
I did not find the right port to open to send just emails... Or I made a bad config of the NVR with the right port opened...
As you said, maybe someone will help me with the right process to send emails from the NVR on a LAN without any internet access...
 

alexkid

When I accept all the internet traffic in the wan_in and the wan_out firewall rules for the CCTV network (VLAN), the email notification works.
When I drop only one of them, the notifications stop...
Does that mean that it needs to have wan_in and wan_out accepted rules?
 

SpacemanSpiff

> When I accept all the internet traffic in the wan_in and the wan_out firewall rules for the CCTV network (VLAN), the email notification works.
> When I drop only one of them, the notifications stop...
> Does that mean that it needs to have wan_in and wan_out accepted rules?

I believe the router default is... if an internet request emanates from the LAN, the router will allow the response to the request back to the LAN. To verify this... do you have a mail app set up on your desktop/laptop or your mobile device? If so, did you have to modify your router config to allow it to work?

What make/model router do you have?
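
An added example, not posted by anyone in this thread: a small default-drop egress model for the policy discussed above (the NVR may reach the internet for SMTP only), showing which flows one mail submission depends on. The addresses, the `Firewall` class and the rule sets are constructed for illustration and are not UDM Pro syntax; it assumes the NVR is given the mail server by hostname and resolves it through a DNS server outside its own VLAN.

```python
from dataclasses import dataclass

# Constructed addresses (documentation ranges); not taken from the thread.
NVR, RESOLVER, MAIL, CLOUD = "192.0.2.10", "198.51.100.53", "203.0.113.25", "203.0.113.99"

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 40000

def reply(p):
    """Return packet of a flow: addresses and ports swapped."""
    return Pkt(p.dst, p.src, p.proto, p.sport, p.dport)

class Firewall:
    """Default-drop filter for the NVR with optional connection tracking."""
    def __init__(self, allow, stateful):
        self.allow, self.stateful, self.flows = allow, stateful, set()

    def accept(self, p):
        if self.stateful and reply(p) in self.flows:
            return True                      # established: reply to an allowed flow
        if p.src == NVR and (p.proto, p.dport) in self.allow:
            self.flows.add(p)                # remember the outbound flow
            return True
        return False                         # everything else is dropped

def send_mail(fw):
    """Walk the packets one SMTP submission needs; return the first blocked step."""
    dns = Pkt(NVR, RESOLVER, "udp", 53)
    smtp = Pkt(NVR, MAIL, "tcp", 587)
    steps = [("dns query", dns), ("dns reply", reply(dns)),
             ("smtp connect", smtp), ("smtp reply", reply(smtp))]
    for name, p in steps:
        if not fw.accept(p):
            return name
    return "delivered"

SMTP_ONLY = {("tcp", 465), ("tcp", 587)}     # only the submission ports opened
WITH_DNS = SMTP_ONLY | {("udp", 53)}         # submission ports plus DNS lookups

if __name__ == "__main__":
    print(send_mail(Firewall(SMTP_ONLY, stateful=True)))   # dns query
    print(send_mail(Firewall(WITH_DNS, stateful=False)))   # dns reply
    print(send_mail(Firewall(WITH_DNS, stateful=True)))    # delivered
```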
 

alexkid

My router is a UDM Pro from Ubiquiti.
My devices (laptop, mobile) are on another VLAN (the "private" one) and there is no restriction rule for this VLAN...

I really did not find anything about this "email setting" when internet access is forbidden, whereas this kind of configuration (no internet access) seems to be the "more secured config" for the CCTV VLAN... I don't understand what I missed in my config...
 

alexkid

Finally, I used a mail server app on my Synology to send emails from my NVR. All internet access is blocked (CCTV LAN and NVR IP address on the private LAN).
It's the only solution I was able to make work.
Thanks for your help
 