Accessing CCTV vlan from Main vlan using Android app

I have a simple goal:

  1. block CCTV from outside world
  2. Access CCTV from main LAN using android app

Things I have done:
I managed to create two separate VLANs.

  1. Main LAN (vlan99)
  2. CCTV (vlan3)

Things I have done, but I am not sure I did them correctly, since I cannot access my camera through my mobile phone.

Can someone please have a look at my settings and point me to the right direction as I have been trying to work this out for a week? Please refer to my settings below.

[Screenshots not preserved: VLAN filtering; Interface; LAN; CCTV; WIFI (LAN, CCTV); Firewall; Port Forward; Traffic Rules]

Android app showing offline when I connect to main LAN WIFI (WIFI-5ASD4F)

Another thing I did before to access CCTV from the main LAN was to create a new bridge interface, list br.lan3 and br.lan99 in the bridge port section, and make the necessary settings in the firewall. It worked, but the problem was that both the CCTV and LAN zones were blocked from the outside world, and I cannot remember how I did that as I did a lot of trial and error.

You should contact your CCTV vendor, which you are hiding here. There is no generic protocol called CCTV.


I would not do any VLANs. Simply a traffic rule in your firewall, like mine:

I only hid the MAC address, IPv6 (not sure if there are any security issues sharing it), and other zones to make it clear.

The CCTV you are seeing is just a name I created myself and has nothing to do with the vendor.

I already considered that solution before, but I am not sure if my camera randomizes its MAC each time it's connected. I will have a closer look and try again; maybe I was looking at a different device.

Set up a static IP and block that IP. I am not using MAC filters.
Kr
K

It worked, but only when I connect on the same LAN. It does not work when I VPN to the server from outside; I cannot view my CCTVs. I'm using Tailscale for my VPN.

It is unclear to me if you have a Tailscale setup issue and/or a CCTV Android App setup issue.

Do you have Tailscale working for other tasks or are you setting up Tailscale for the first time?


Great!
What is the app and who is the vendor and what model?

I found your app.

I do not know why the mystery but I do not care either.
#1 is handled by the cameras/devices because they need a password to stream, regardless of the app, penetration, etc.

#2 The app is designed to work if you are on the same LAN; since #1 is mitigated through a very strong password, I'm sure, you can safely use the app as it is intended: on your primary LAN, each device handshaking with the app and settings/passwords stored.

Sorry if my explanation is too vague; it is only when people ask for more information that I realize I am missing some important information.

Tailscale is working fine, I assume. I added the CCTV subnet 192.168.8.0/24 to the OpenWrt Tailscale subnet route and approved it in the Tailscale admin console.

When I am away, I can ping the IP address of the CCTV camera, but when using the app, it shows offline.

Isn't the purpose of a VPN to let all your devices think that they are on the same LAN, which means they should see each other?

I tried playing with firewall rules, port forwards, and traffic rules, but still no luck.
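As an added example (not from this thread, and not OpenWrt's or Tailscale's own documentation), the /etc/config/firewall fragment below pulls together the three things discussed so far: the original two goals (cameras cut off from the internet, reachable from the main LAN), the "give the camera a static IP and block that IP" alternative, and reaching the camera VLAN over a Tailscale subnet route. It assumes OpenWrt with fw4, interfaces named lan (VLAN 99) and cctv (VLAN 3, 192.168.8.0/24 as given above), a constructed camera address 192.168.8.50, and that Tailscale's tailscale0 device exists on the router.

```conf
# /etc/config/firewall (excerpt) -- added example, names are assumptions

config zone
	option name 'lan'
	list network 'lan'           # assumed: VLAN 99 interface
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'cctv'
	list network 'cctv'          # assumed: VLAN 3 interface, 192.168.8.0/24
	option input 'REJECT'        # cameras may not talk to the router itself...
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'              # replies from cameras go via the router even
	                             # when a camera has no route back to 100.64.0.0/10

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Goal 2: main LAN may open connections to the cameras (replies are allowed by state)
config forwarding
	option src 'lan'
	option dest 'cctv'

# main LAN keeps internet access
config forwarding
	option src 'lan'
	option dest 'wan'

# Goal 1: there is deliberately NO 'config forwarding' from cctv to wan and none
# from wan to cctv, so the cameras are isolated from the internet in both directions.

# ...except DHCP and DNS from the router, which the zone's input REJECT would block
config rule
	option name 'Allow-CCTV-DHCP-DNS'
	option src 'cctv'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# Alternative from the thread if the camera stays on the main LAN instead of its own VLAN:
# give it a static lease and block just that address from reaching the internet.
config rule
	option name 'Block-camera-from-WAN'
	option src 'lan'
	list src_ip '192.168.8.50'   # constructed camera address
	option dest 'wan'
	option target 'REJECT'

# Remote access: Tailscale's interface needs its own zone and a forwarding into cctv.
# On the router, advertise the camera subnet with
#   tailscale up --advertise-routes=192.168.8.0/24
# and approve it in the admin console, as already done above.
config zone
	option name 'tailscale'
	list device 'tailscale0'     # assumed device name created by tailscaled
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'tailscale'
	option dest 'cctv'
```

Reload with `/etc/init.d/firewall restart` and confirm the isolation from a camera-side host: it should reach the router for DHCP/DNS only, and a connection to an internet address from 192.168.8.0/24 should be rejected. The Tailscale forwarding explains why ping from a remote phone works; it does not, on its own, make an app whose discovery relies on being on the same broadcast domain list the camera, which is why the manual-add route below is worth trying.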

No...
A VPN encrypts traffic from point to point.

And so do your cameras and the app but I have no idea what encryption they use.
I'm sure it's on the page I linked.

There appear to be two ways to add devices to your phone app; have you tried manually adding the devices?

FAQ - V380

How to add a networked device to your phone

Method one: Manually add

  1. Open the [device list] interface, click [+] in the upper right corner
  2. Select [WiFi connection completed] or [other ways]
  3. After entering the ID and password [OK add], the system jumps to the device list; the newly added device is displayed in the first place in the device list.

Oh I see, I never knew about that; I thought a VPN was all about tunnels and redirecting traffic.

Apologies for my ignorance, as networking is not really my thing, but I am keen to learn since it is very useful.

About the encryption: in case I find the information on how the data is encrypted, is there anything in the OpenWrt settings that needs setting up to make it work?

I've done these steps, and the camera can be viewed perfectly fine when I am at home connected through WiFi. But when I am away, I do connect to my home NAS via Tailscale, which is fine, but I cannot view the camera since it always shows offline. I can ping the camera IP though.