Just got doorbell camera, weird behavior across subnets, what is the actual rule?
-
Just got a doorbell/wifi camera. At present it is my only reolink (having sold the house which had others). I am aware of this discussion:
https://community.reolink.com/topic/6726/unable-to-access-reolink-ip-cams-from-different-vlan
Here's the thing -- some IP goes through to another subnet, I can ping it just fine, and Home Assistant (and whatever protocols it uses) seems OK accessing it. The web gui is flakey, it will paint a login screen but not log in.
This does not SEEM to be a security feature preventing access from other subnets (if so ping would not work, for example). This just seems broken.
Is there a clear statement on what does, and does not work across subnets? On another forum it was said that broadcast traffic must flow and arrive with the same subnet, which makes no sense for a gui (and also might imply nat would not be a solution, as has been suggested).
I just got this -- I can put it back in the box and return it, and plan to if I can't get a clear understanding of this. I don't need the web gui to work across subnets, but I do need whatever integration protocols home assistant uses to work -- and continue to work. At present with this half-working-half-broken approach, it seems likely to expect some firmware update to break it entirely.
I've seen products with subnet isolation as a (bogus) security feature, but all of them (a) actually block all traffic, as any security related approach would, and (b) let the user turn it off if needed. So... what's really up with this?
Linwood0View 0 replies-
@user_746479291687074_746479291687074 The Client broadcasts a packet with payload aaaa0000 using destination addresses 255.255.255.255.255 and 192.168.1.255 (or your configured IP subnet).
Now 255.255. 255.255 is the limited broadcast address which is only propagated within the single subnet of the interface that sent it. It is never routed to other subnets unlike the subnet directed broadcast address 192.168. 1.255 which may be routed from elsewhere, depending on router configuration. Most ISP routers won't allow this. Check yours.
-
-
Sounds like you are not using a Reolink Home Hub Pro. This issue goes away with the HHP as the HHP's WiFi is a private network and the HHP does it's own NAT for access to it. The HHP also has dual Ethernet ports... a LAN port which is on the same private network as the WiFi and a WAN port for connectivity to YOUR network. With this, the LAN port can be connected to it's own switch or to a Layer-2 switch with defined VLANS. With this setup, no additional routing is necessary and you can block access to the Internet to require a VPN connection to your network for remote access.
When not using a HHP, camera isolation does work as I have sandboxed it for client's evaluation (this is actually how I found out about Reolink). I used their Layer-3 switch to handle the VLAN routing, not their firewall. The two test cameras which are wired in on their own VLAN can be access from the mobile client either via their company WiFi or remotely.
So this brings up something I have not tested... turning of UID to prevent remote access without having to VPN in. Because the cameras are on on a different subnet than the mobile client, I do not know if turning off UID will prevent the client from finding the cameras. I don't believe it should as the client should have the IP addresses of the cameras. If it does not, I would think the enabling broadcast forwarding to the subnet would fix that.
Anyhow, FWIW, camera isolation does work and there are a couple different approaches.0View 5 replies-
@chopstix_887064913674433 The client doesn't store the IPs of the cameras. It just broadcasts a packet with payload aaaa0000 on port 2000 and any Reolink device listening will respond with payload aaaa0000, IP of cam and port 9000 (if not changed by user) plus mac address, UID and camera name.
But it stores the UIDs which it forwards to the P2P relay servers for remote login. -
@joseph_1979 that would explain then (from previous conversation) that the client and cameras need to to be on the same subnet if UID is turned off or if there is no Internet access. It also explains why in my sandbox, the cameras are accessible from different VLANs when UID is turned on. With that, I should be able to conclude that turning UID off will necessitate enabling VLAN broadcast traffic. I'll test it to confirm, but I believe based on your information, that will be the case. Thanks!
-
@chopstix_887064913674433 You may wish to read what I wrote in June 23 at https://community.reolink.com/topic/87/how-does-the-reolink-uid-actually-work?post_id=22657&_=1734789769689
So the client broadcast the packet with payload on 255.255.255.255 and 192.168.1.255 repectively (assuming cams are on 192.168.1.0/24. Now 255.255.255.255 and 192.168.1.255 have identical effect if there are no subnets in the network. However, there is a difference when you have broken down your network into subnets. 255.255.255.255 (called as 'Limited-Broadcast') is used by a host to broadcast to all of its immediate neighbors i.e. all those interfaces on the local subnet. Whereas, you would use 192.168.1.255 (called as 'Directed-Broadcast') to broadcast to all the interfaces on the entire LAN or WAN. In this case the router has to be configure to broadcast to all subnets when receiving a broadcast on 192.168.1.255. Also, 255.255.255.255 is used by a node to broadcast on subnet if it doesn't know about its network (or simply prior to it IP configuration) and is requesting for its dynamic IP from a DHCP server. Refer to 'RFC 919' for more details.
You sound to be technical and will ask Oskar whether he can nominate you as a global moderator to assist customers. -
@joseph_1979 I did speak with Oskar a couple of weeks ago, but please do speak with him as well. I have been a network and system engineer since the days of Windows 3.1 and LANtastic... Windows server technologies and Cisco products in particular. Also a few years of SQL database and web development sprinkled in. I would be glad to help out where I can with more than 1 post every 24 hrs.
Interesting that Reolink chose to utilize direct broadcast... How does the app know what direct address to broadcast to? What I mean is, assume the cameras are on 192.168.10.x and the Reolink client is on 192.168.20.x and let's also assume there is no Internet access so UID is not in play here. How does the client know to net-direct broadcast to 192.168.10.255? Even with the possibility that it is based on the client IP address, a broadcast to 192.168.255.255 or even 192.255.255.255 would only work if the both the cameras and client are on the same class private network.
That is actually what I need to test... I have some sandbox cameras on 172.18.250.x and the Reolink client on 172.20.1.x with Internet access and UID. I need to disable Internet and enable direct broadcast forwarding on the switch and see if the client can connect to the cameras. I suspect that it will based on what we have been discussing, only now curious on what address it will use... 172.255.255.255 perhaps? It has been well over a decade since I have used Wireshark but I may need to dust off the cobwebs and fire it up. -
@chopstix_887064913674433 So if the client is on 172.20.1.x/24 then the dynamic broadcast shall be 172.20.1.255 and you need to program the router to broadcast it through other subnets. Normally this is not done and so the client won't receive the packet with payload aaaa0000, UID, IP, etc. Then it will do a DNS query for P2PX servers etc....as I described in the para I have mentioned in my previous correspondence.
Wireshark is quite good. Protocols are fun especially when there are issue in a network where a number of protocols are involved, Telecom, networking and IMS. I am a senior technical Architect handling such networks and in my free time a programmer using C++. Have good knowledge of SQP (using Oracle, sybase, etc), python, Assembly language, etc ...... -
@joseph_1979 It's been 15+ years since I've dealt with the programming side of unicast/broadcast/multicast, but if memory serves, with direct broadcast you must specify the destination subnet. So in my example, a host on 172.20.1.x broadcasting to 172.20.1.255 will go no further than the local subnet even if broadcast forwarding in enabled on the switch. In order to reach the cameras on 172.18.250.x, the client must broadcast to 172.18.250.255 -OR- to 172.255.255.255.
Ultimately as long as the client finds the cameras in other subnets without UID, it doesn't really matter what the broadcast address is. The actual address is more for my own curiosity. I'll dust off Wireshark after the holidays and have a peek.
Thanks for the chat!
Cheers,
Joe -
@chopstix_887064913674433 you must either enable helper-addresses or UDP forwarding via spanning tree to get the broadcast propagated.
-
