As for the title, I would like to be able to successfully register their UIDs online, through which they use some Google and other servers, and of course some ports where they changed some data; the most well known is that they use 9000 for streaming and RTSP, but I don't know if 443 is also needed.
Anyway, when I give my router different VLANs I know I can't go to the IoT LAN, and I don't need to; the only issue I am facing is that those Reolink cameras are not spanning their UID. I tried NAT rules and firewall rules, but nothing.
If someone could help, that would be great. I see many threads online but no one gives a clear reply; asking Reolink won't give me the same explanation, because maybe on OWT we should also set the firewall, I think, or maybe a mandatory reboot is needed. Or I should just add a VPN.
I don't understand... if you have an IoT VLAN, and if that is set up on its own firewall zone which is set up to access the WAN, you should be fine. Have you verified with another device that the IoT VLAN/network you set up is able to access the WAN?
This zone had internet; I didn't try to access the WAN from the IoT VLAN because originally the zone was set to input reject in the firewall, but of course after setting up the VLAN I tried everything (accept, forward): setting the zone as unmanaged, DHCP, static, with the same broadcast, WAN with 0.0.0.0, and so on.
Lastly I also tried to set just my LAN in a VLAN so WAN and IoT would be normally connected, but I think what can cause some issues for me to understand is that after changing the VLAN it seems the router needs a full reboot, so maybe I could have lost something in between.
The Reolink team suggests using SNAT so the IP seems to be outside the "lan" (in this case they are talking about OPNsense), but I also tried SNAT to WAN and to LAN with no luck; I'm not good at it. And it seems easy to break everything with some wrong redundancy. Maybe it is just a mix of both things, opening all those needed ports in the firewall or firewall rules and SNAT, but I also don't want to end up like someone I read about over there who just leaves all firewall rules accepted. At this point I will leave everything in the LAN, or just use the NAS application again and wait until someone successfully manages it.
You state that the network did have internet, but then that you didn't try? Can you clarify?
The input rule has nothing to do with inter-network firewall rules. It is purely for a given network/zone's access to the router itself.
Zones don't have an 'unmanaged' option, but network interfaces do. If your interface is unmanaged, it won't do anything at all.
As I read through your most recent reply, my guess is that your configuration probably has some errors. Let's take a look so we can understand what might be going on.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Ok, I will do it for sure later, after I bring all the zone settings back again.
I know I was referring incorrectly to VLANs and interfaces, but it was just to explain what I was talking about, and because I am Italian;
Anyway, despite the fact that for getting this P2P function working correctly I think I should add some rules in the firewall section, also referring to the reply of Reolink support to add SNAT, I can't deny I could have made some errors too; thank you very much.
You can remove the dns from here -- it doesn't do anything.
remove the ip6assign line from below... this is the IPv4 wan interface and shouldn't have any IPv6 items.
VLAN 4 isn't assigned to any physical ports. It looks like this is the iot VLAN -- what is connected and to what port? Is it expecting VLAN 4 to be tagged or untagged? Is the downstream device VLAN aware?
Delete these two stanzas:
Remove the last 3 lines of this section:
The DHCP server is disabled on your IoT network -- is this intended?
Delete this section completely:
Your IoT network doesn't allow input -- this means that hosts on this network cannot get a DHCP address or use DNS on the router (you don't have any rules to specifically allow this). If you want to be able to issue DHCP addresses or allow DNS on the IoT network, you need to add appropriate rules or set input to ACCEPT (that is the easiest short term fix which can be modified later);
I assume your IoT network is not allowed to reach the internet? Based on the current firewall, it cannot reach anything, but lan can reach the IoT network.
no... the 802.1q stanzas are not needed (and may even cause conflicts here). You have a bridge vlan config stanza for VLAN 88 which corresponds to your lan and is untagged on ports lan1 and lan2, and tagged on port lan4:
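As an added example (not config from this thread, nor from Reolink or the OpenWrt project), here is one way the two points made above can be written in OpenWrt's UCI files: a DSA bridge-vlan layout where VLAN 88 is the lan (untagged on lan1/lan2, tagged on lan4) and VLAN 4 is the IoT VLAN, an iot interface with a static address, a DHCP pool for it, and an iot firewall zone that keeps input REJECT but explicitly allows DHCP and DNS to the router and forwards to wan. The port names, the addresses, and the choice to carry VLAN 4 tagged on lan4 (for a VLAN-aware switch or AP downstream) are assumptions; the existing wan zone with masquerading is assumed to already exist and is not repeated.

```uci
# /etc/config/network  (hypothetical example; only the relevant stanzas)

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan4'

# lan: VLAN 88, untagged + PVID on lan1/lan2 ('u*'), tagged on lan4 ('t')
config bridge-vlan
	option device 'br-lan'
	option vlan '88'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:t'

# iot: VLAN 4, tagged on lan4 only (assumes a VLAN-aware switch/AP there)
config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'lan4:t'

config interface 'lan'
	option device 'br-lan.88'
	option proto 'static'
	option ipaddr '192.168.88.1'
	option netmask '255.255.255.0'

# The IoT interface must be static so the router owns an address on it
config interface 'iot'
	option device 'br-lan.4'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (DHCP server enabled on the iot network)

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall  (iot zone: router input stays REJECT, with explicit holes)

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# iot -> wan so the cameras can reach the internet (wan zone masquerades)
config forwarding
	option src 'iot'
	option dest 'wan'

# DHCP from iot hosts to the router (UDP 67), needed because input is REJECT
config rule
	option name 'Allow-IoT-DHCP'
	option src 'iot'
	list proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

# DNS from iot hosts to the router (TCP/UDP 53)
config rule
	option name 'Allow-IoT-DNS'
	option src 'iot'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply with `service network restart` and `service firewall restart` (or a reboot, since bridge-vlan changes on DSA often need one), and check from a host on VLAN 4 that it receives a 192.168.4.x lease and can resolve and reach an internet address. Nothing here lets lan reach iot or the reverse; add a separate `config forwarding` from lan to iot only if you want to manage the cameras from the lan.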
But my goal was to use those cameras through a VLAN, so I was trying to separate those two interfaces from ports 1/2 LAN (untagged) and port 4 (tagged).
That's why I asked if I can be locked out, because I was actually using VLANs now.
What do you mean by this?
Are you trying to access the internet from the IoT network? Or access the IoT network remotely from the internet? Or something else?
And what are you trying to change here? What do you want br-lan.4 to do?
Trying to go out of VLANs to change the protocol, as I said before, to see if those devices become accessible, but I can't even go out of this VLAN now; in fact today I had to reset.
Also this site shows I am writing on 6 January but it is the 8th today; maybe I should have tried to use DDNS or full-cone NAT directly.
Well, you don't have any firewall rules to allow ingress from the wan to the IoT network. Or, better yet, a VPN server configuration -- this will be more secure than exposing your IoT devices to the internet.
I don't understand what you mean "go out of this vlan." And it isn't clear what protocol you are trying to change.
Your IoT network interface must have an address via static IP protocol if you want it to work properly. If you change it to dhcp client or none, it will not work.
No, the site is showing writing today. Maybe this is a font/display issue -- if 6 and 8 are not rendering clearly on your display, it would be easy to misread them.
You're getting ahead of yourself. First, don't worry about your NAT mode. "full cone NAT" is somewhat meaningless and there's no need to bring it up. Second, ddns is simply a way to use an easy domain name instead of an IP address to reach your network. That will be useful, but later -- you need to have a functioning IoT network AND firewall rules or a VPN to allow ingress (and that is assuming you have a proper public IP).
I can relate to your last reply, but I wasn't able to do anything, not even navigate; I was on the IoT IP, and once I clicked reset my cameras were working, but I still wasn't able to surf the web because the WAN wasn't set.
Maybe this is the reason the SPT exists, so they can connect in any situation where there is internet; anyway those cameras have a DDNS function too, maybe I will try with this.
It's really hard to follow what you are doing and why. I gave you a bunch of suggestions to fix the fundamental issues with your configuration, and then I asked a few more questions regarding changes that you might need to make. It's not clear if you've taken my suggestions and/or if you have made a bunch of other changes that you have not properly communicated (or if you reset, why). Further, you haven't described the method of external access required (web or other server with direct access, cloud connected, app-based with cloud reflector/broker, etc.).
As a result, it is really hard to help you achieve your goals. Maybe you can approach this more methodically so we can reach a solution. Otherwise, confusion will ensue.