mgdfp
February 26, 2024, 6:18am
1
I have 6 Reolink cameras on VLAN30 with no access to the internet.
I have my phone connected to VLAN10 and there is a firewall rule that allows VLAN10 to access VLAN30.
I can access the cameras' webpage from the phone BUT the Reolink app shows all cameras as offline.
If I connect my phone to VLAN30 the reolink app can see all cameras.
I know that this is probably an issue with the reolink app but I have seen reports of someone being able to make this work by turning off isolation within the vlan or messing with the cross VLAN/isolation bits. This was on another router, not sure which.
Apologies if this is in the wrong forum, it should probably be in some Reolink forum but I suspect that I will get better help here.
We can look at your configuration and see if there is anything that might affect the connections. But I suspect that the issue is with the reolink app and the expectation that the cameras and the phone will be on the same l2 subnet. It may use mdns to handle the auto-discovery and connection. If that's the case, you can install the avahi mdns reflector/repeater -- that may help.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
mgdfp
February 26, 2024, 6:43am
3
ok, thanks. here you go:
ubus call system board
root@OpenWrt:~# ubus call system board
{
"kernel": "5.15.134",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT1900AC v2",
"board_name": "linksys,wrt1900ac-v2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.0",
"revision": "r23497-6637af95aa",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.0 r23497-6637af95aa"
}
}
network
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc5:797c:2de8::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config device
option name 'wan'
option macaddr 'REDACTED'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan2:u*'
list ports 'lan3:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'lan3:t'
list ports 'lan4:t'
config interface 'IF30_CAMERAS'
option proto 'static'
option device 'br-lan.30'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
config interface 'IF10_MAIN'
option proto 'static'
option device 'br-lan.10'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan3:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '40'
list ports 'lan3:t'
list ports 'lan4:t'
config bridge-vlan
option device 'br-lan'
option vlan '50'
list ports 'lan3:t'
list ports 'lan4:t'
config interface 'IF20_IOT'
option proto 'static'
option device 'br-lan.20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
config interface 'IF40_APARTMENT'
option proto 'static'
option device 'br-lan.40'
option ipaddr '192.168.40.1'
option netmask '255.255.255.0'
config interface 'IF50_GUEST'
option proto 'static'
option device 'br-lan.50'
option ipaddr '192.168.50.1'
option netmask '255.255.255.0'
config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'lan1:u*'
list ports 'lan3:u*'
list ports 'lan4:t*'
config interface 'IF99_ADMIN'
option proto 'static'
option device 'br-lan.99'
option ipaddr '192.168.99.1'
option netmask '255.255.255.0'
wireless. I have turned off wireless in the router, I am using a Ubiquiti AP
root@OpenWrt:~# cat /etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
option channel '36'
option band '5g'
option htmode 'VHT80'
option country 'FR'
option cell_density '0'
option disabled '1'
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'Linksys00417_5GHz'
option encryption 'psk2'
option macaddr 'REDACTED'
option key 'REDACTED'
option network 'IF10_MAIN'
option disabled '1'
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
option channel '1'
option band '2g'
option htmode 'HT20'
option disabled '1'
option country 'FR'
config wifi-iface 'default_radio1'
option device 'radio1'
option mode 'ap'
option ssid 'OpenWrt'
option encryption 'none'
option macaddr 'REDACTED'
DHCP
root@OpenWrt:~# cat /etc/config/dhcp
config dnsmasq
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option localservice '1'
option ednspacket_max '1232'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config dhcp 'IF30_CAMERAS'
option interface 'IF30_CAMERAS'
option start '100'
option limit '100'
option leasetime '12h'
config dhcp 'IF10_MAIN'
option interface 'IF10_MAIN'
option start '100'
option limit '100'
option leasetime '12h'
list dhcp_option '6,192.168.99.101'
config dhcp 'IF20_IOT'
option interface 'IF20_IOT'
option start '100'
option limit '100'
option leasetime '12h'
config dhcp 'IF40_APARTMENT'
option interface 'IF40_APARTMENT'
option start '100'
option limit '100'
option leasetime '12h'
config dhcp 'IF50_GUEST'
option interface 'IF50_GUEST'
option start '100'
option limit '100'
option leasetime '1h'
config dhcp 'IF99_ADMIN'
option interface 'IF99_ADMIN'
option start '100'
option limit '100'
option leasetime '12h'
config host
option name 'SynologyNAS'
option dns '1'
option mac 'REDACTED'
option ip '192.168.10.4'
config host
option name 'HomeAssistantHouse'
option dns '1'
option mac 'REDACTED'
option ip '192.168.10.100'
config host
option name 'CUPS'
option dns '1'
option mac 'REDACTED'
option ip '192.168.10.102'
config host
option name 'Wireguard'
option dns '1'
option mac 'REDACTED'
option ip '192.168.10.104'
config host
option name 'ubuntu-server-vm105'
option ip '192.168.10.105'
option mac 'REDACTED'
config host
option name 'node-red'
option ip '192.168.10.106'
option mac 'REDACTED'
config host
option name 'HomeAssistantApartment'
option dns '1'
option mac 'REDACTED'
option ip '192.168.10.200'
config host
option name 'camera-inside-garage'
option dns '1'
option mac 'REDACTED'
option ip '192.168.20.20'
config host
option name 'camera-frontyard'
option dns '1'
option mac 'REDACTED'
option ip '192.168.30.15'
config host
option name 'camera-glasshouse'
option dns '1'
option mac 'REDACTED'
option ip '192.168.30.16'
config host
option name 'camera-parking'
option dns '1'
option mac 'REDACTED'
option ip '192.168.30.17'
config host
option mac 'REDACTED'
option ip '192.168.30.18'
option name 'camera-garage1'
option dns '1'
config host
option name 'camera-garage2'
option dns '1'
option mac 'REDACTED'
option ip '192.168.30.19'
config host
option name 'camera-glasshouse1'
option dns '1'
option mac 'REDACTED'
option ip '192.168.30.20'
config host
option name 'piHole2'
option dns '1'
option mac 'REDACTED'
option ip '192.168.99.101'
config host
option name 'CUPS-Admin'
option ip '192.168.99.102'
option mac 'REDACTED'
option dns '1'
config host
option mac 'REDACTED'
option ip '192.168.99.107'
option name 'Unify'
option dns '1'
Firewall
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'MainZone'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IF10_MAIN'
config zone
option name 'GuestZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IF50_GUEST'
config zone
option name 'ApartmZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IF40_APARTMENT'
config zone
option name 'IoTZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IF20_IOT'
config zone
option name 'CameraZone'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IF30_CAMERAS'
config forwarding
option src 'GuestZone'
option dest 'wan'
config rule
option name 'Allow-Guest-DHCP-DNS'
option src 'GuestZone'
option dest_port '53 67 68'
option target 'ACCEPT'
config forwarding
option src 'ApartmZone'
option dest 'wan'
config rule
option name 'Allow-Apartment-DHCP-DNS'
option src 'ApartmZone'
option dest_port '53 67 68'
option target 'ACCEPT'
config forwarding
option src 'MainZone'
option dest 'wan'
config forwarding
option src 'MainZone'
option dest 'CameraZone'
config forwarding
option src 'IoTZone'
option dest 'wan'
config forwarding
option src 'MainZone'
option dest 'IoTZone'
config zone
option name 'AdminZone'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'IF99_ADMIN'
config forwarding
option src 'MainZone'
option dest 'AdminZone'
config rule
option name 'Allow-IoT-DHCP_DNS'
option src 'IoTZone'
option dest_port '53 67 68'
option target 'ACCEPT'
config forwarding
option src 'AdminZone'
option dest 'wan'
config rule
option name 'Allow-Apartment-HomeAssistant'
option src 'ApartmZone'
list dest_ip '192.168.10.200'
option dest_port '8123'
option target 'ACCEPT'
config rule
option name 'Deny-camera-garage-internet'
list src_ip '192.168.20.20'
option dest 'wan'
option target 'REJECT'
config redirect
option dest 'MainZone'
option target 'DNAT'
option name 'Wireguard'
list proto 'udp'
option src 'wan'
option src_dport '51820'
option dest_ip '192.168.10.104'
option dest_port '51820'
config rule
option name 'Deny-Tibber-Pulse-Internet'
list src_ip '192.168.10.181'
list src_ip '192.168.10.195'
option dest 'wan'
option target 'REJECT'
config rule
option name 'deny-TV-until_11_00'
list proto 'all'
option src 'IoTZone'
list src_ip '192.168.20.192'
option dest 'wan'
option target 'REJECT'
option start_time '01:00:00'
option stop_time '11:00:00'
option enabled '0'
config rule
option name 'deny-TV-from-12-00'
option src 'IoTZone'
list src_ip '192.168.20.192'
option dest 'wan'
option target 'REJECT'
option start_time '12:00:00'
option stop_time '23:00:00'
list proto 'all'
option enabled '0'
config redirect
option dest 'MainZone'
option target 'DNAT'
option name 'Plex'
option src 'wan'
option src_dport '32400'
option dest_ip '192.168.10.4'
option dest_port '32400'
config forwarding
option src 'AdminZone'
option dest 'CameraZone'
I don’t see anything that would cause the problem you are describing from a config standpoint.
I’d recommend doing some research on user reports of similar issues with reolink devices - this may be an mdns or similar type issue.
nomadeh
February 26, 2024, 2:22pm
5
Hi.
As an OpenWrt user who owns Reolink devices, I never used a VLAN for cameras, but, as @psherman said, some issues with VLANs and Reolink devices are described on the Reolink forum. Like this topic:
https://community.reolink.com/topic/1473/e1-pro-unaccessible-from-another-local-subnet-after-firmware-update/38?lang=pt-PT&page=2
darksky
February 26, 2024, 4:03pm
6
I have a number of Reolink cams on their own VLAN which cannot access the WAN. I access them by IP with the correct firewall setup. I will post for you in a few hours if you wish.
mgdfp
February 26, 2024, 4:36pm
7
Yeah, I can access mine too if I use the web browser and go to the IP. But I kind of would like to be able to use the Reolink app.
At the risk of stating the obvious, apps (in general) can connect to your devices in the following ways:
Directly/explicitly specified IP address
mdns (or other similar) methods
cloud - where the data streams from the device to the cloud and then the cloud to your app
cloud - where the cloud serves as a broker to establish a direct connection.
And of course, an app can implement just one or may have any combination of these methods available.
Without knowing what the Reolink app does, if it does not provide a method for specifying the IP, things get more difficult in the absence of cloud options. Typically, mdns does not traverse across VLANs, although there are methods to do this with mdns and some other specific 'local network' protocols.
Typically, the cloud-based methods will work across VLANs since it's really the cloud that is helping with the connection. But this assumes that the cameras have internet access -- it appears that you don't allow wan access based on the firewall (unless I missed the forwarding rule).
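The forwarding check mentioned in the reply above can be done mechanically. This is an added example, not part of the original thread: it parses a trimmed excerpt of the posted `/etc/config/firewall` and answers whether a new connection may be forwarded from one network to another. The helper names `parse_uci` and `forward_allowed` are hypothetical, and only `config forwarding` sections are considered (per-rule exceptions and redirects are ignored).

```python
import shlex

# Excerpt of the /etc/config/firewall posted in this thread
# (three zones and MainZone's forwardings only; rules and redirects omitted).
FIREWALL = """
config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
config zone
    option name 'MainZone'
    list network 'IF10_MAIN'
config zone
    option name 'CameraZone'
    list network 'IF30_CAMERAS'
config forwarding
    option src 'MainZone'
    option dest 'wan'
config forwarding
    option src 'MainZone'
    option dest 'CameraZone'
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value or [values]})."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            sections.append((tok[1], {}))
        elif tok[0] == "option" and sections:
            sections[-1][1][tok[1]] = tok[2]
        elif tok[0] == "list" and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def forward_allowed(sections, src_net, dst_net):
    """True if a 'config forwarding' lets new connections go src_net -> dst_net."""
    zone_of = {net: opts["name"] for kind, opts in sections if kind == "zone"
               for net in opts.get("network", [])}
    pairs = {(o["src"], o["dest"]) for kind, o in sections if kind == "forwarding"}
    return (zone_of.get(src_net), zone_of.get(dst_net)) in pairs

SECTIONS = parse_uci(FIREWALL)
print("phone -> cameras:", forward_allowed(SECTIONS, "IF10_MAIN", "IF30_CAMERAS"))
print("cameras -> wan:  ", forward_allowed(SECTIONS, "IF30_CAMERAS", "wan"))
```

Forwardings are one-directional for new connections: the cameras can answer the phone, but cannot open connections to VLAN10 or to the WAN, so any cloud-brokered path is unavailable to them.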
nomadeh
February 26, 2024, 5:57pm
9
Hi.
Just tested my own cameras.
The Windows software provided by Reolink can connect with the cams and picture/video streaming is live, my local NAS is recording pics and videos from the cams' alerts, even if the internet is down or denied for the cams, but strangely, you cannot modify any settings of the running cams; it will appear as off-line.
Same over the app, no internet but live streaming. And you cannot modify any settings (in this case no off-line info).
Just for info... tested on-site, over local network.
darksky
February 26, 2024, 8:16pm
10
Yes, I defined the cameras by IP on the App and they work as such. Web or app doesn't matter from the firewall's perspective.
1 Like
mgdfp
February 26, 2024, 8:47pm
11
oh dear.. you are absolutely right.. I just saw the button that said LAN and completely missed the button next to it saying Input UID/IP..
That took me to another page where I could enter the IP address of the cameras and that worked like a charm.. sorry for wasting everyone's time with this..