-= IDS Communications Blog =-

-= Feel free to join the discussion, share your thoughts, ideas, projects, knowledge and anything else you may think of! =-
Categories
Tags
Authors
Teams
Archives
Categories:   All Categories
Suggested keywords
x

UniFi Protect NVR direct connection from separate Network

Super User
Font size: +
1736 Hits

This tutorial will show you how to configure your firewall to allow a direct connection to UniFi Protect from devices located on a separate network (or VLAN). For this tutorial, I will be using OPNSense as an example but it should also be a very similar setup on pfSense.

If you are like me and possess UniFi products, especially cameras and a network video recorder (NVR), configured to be on a separate network (or VLAN) to isolate your cameras from your LAN, this tutorial is for you.

It's been very frustrating not to be able to configure an IP address in the UniFi Protect App to force it to connect locally to the NVR when the clients reside on a separate network. This caused Protect to load through the UniFi Cloud access, causing delays (or sluggish opening when loading the App).

I have googled this issue over and over again until I stumble upon this page. Thanks to rickatnight11 who did a great job at finding a solution and sharing his knowledge. Following this discovery, I decided to create a quick tutorial with a few printscreen hoping to complement this post and help others like me who have been struggling with this issues for years. I already have implemented this solution on my network and it works like a charm so lets get started!

The first step is to install and configure a plugins called "os-udpbroadcastrelay", once that's done, you will need to configure it to broadcast the packages from the UniFi NVR network to your desired network (or LAN) as shown below: 

The port use by UniFi Discovery is 10001, then select the 2 networks you want the broadcast to be relayed, add an instance ID and enter a quick description. After you saved your configuration, you should end up with a "green" highlighted instance which means your settings are correct.

The next step is to create a firewall rule on your UniFi Protect (NVR) interface. The rule should read as follow:

Action: Pass
Interface: CAM (the Interface where your NVR resides)
Direction: In
TCP-IP Version: IPv4
Protocol: UDP
Source: Your NVR IP Address
Source port range: any
Destination: LAN net (Network where your devices loading the Protect App are located)
Destination port range: any (Protect will reply on a random high port)

Your rule should look like this one below:

Then we need to create another rule but this time under your LAN interface. The rule should read as follow: 

Action: Pass
Interface: LAN (the Interface where your devices running the Protect App reside)
Direction: In
TCP-IP Version: IPv4
Protocol: UDP
Source: LAN net (it should be the same interface as above, LAN)
Source port range: 10001 (I am using an alias ui_discovery)
Destination: Here you have 2 choices, either enter 255.255.255.255 or any (this allow the UDP Broadcast Relay service to pick up the packets)
Destination port range: any

Your rule should look like this one below:

Lastly, you need a rule to allow your devices on the LAN running the Protect App to reach and connect to the NVR on the other network. The rule should read as follow:

Action: Pass
Interface: LAN (the Interface where your devices running the Protect App reside)
Direction: In
TCP-IP Version: IPv4
Protocol: TCP
Source: LAN net (it should be the same interface as above, LAN)
Source port range: any
Destination: NVR IP Address

Destination port range: 443, 7443 (you will have to use an alias for this one)

Your rule should look like this one below:

You should now be all set! What we just did can be explained as follow:

  • Protect App on a device on the LAN network starts up and sends a discovery broadcast packet to the local network on 255.255.255.255:10001;

  • OPNSense firewall allows that packet on its LAN interface;

  • The UDP Broadcast Relay service on OPNSense is listening on that network for that port, hears the packet, and relays it to the CAM network (with the original source IP);

  • Protect service running on the NVR on the CAM network is listening for broadcasts on that port, hears the forwarded packet, extracts the original source IP from it, and sends a reply to it from its own source IP and a random high port;

  • OPNSense firewall allows the reply packet on its CAM interface and routes it out the LAN interface;

  • Protect App hears the reply, now knows the IP of a "local" Protect service, and connects to it over TCP on ports 443 and 7443;

  • OPNSense firewall allows that traffic coming in its LAN interface and routes it out the CAM interface;

  • Since the traffic is TCP, OPNSense automatically tracks the connection and allows the response traffic without a static rule.

That sums it, once again I wanted to thank rickatnight11 for this great post!

Let me know if it works for you in the comments below.

Enjoy!


0
Tweet
How do you feel about this post?
Happy (0)
Love (0)
Surprised (0)
Sad (0)
Angry (0)
Tags:
Unifi Protect Separate Network Unifi Protect Local Connection Protect NVR Unifi
 

Comments 1

Guest - Jack on Saturday, May 11, 2024 14:12

Wow, this is a great post, finally a local connection that works!

0 Cancel Reply
Wow, this is a great post, finally a local connection that works!
Cancel Update Comment
Already Registered? Login Here
Saturday, July 27, 2024
We use cookies

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.

Ok Decline