VLAN for Reolink Cameras

Hello,

Noob here.

My ultimate goal is to have access to my Reolink Cameras / NVR when I'm away from home and also have these cameras only viewable when I'm on my Tailscale Tailnet.

I’m hoping someone can help me with the first step, which is setting up OpenWRT to allow my Reolink cameras to be viewable via the Reolink app only when I’m on the LAN.

I have a Flint 2 Router flashed with the latest Vanilla OpenWRT.

I have a Reolink NVR with PoE cameras connected.

Here’s the steps I took with my NVR connected to port 4.


created the VLAN


Created the bridge


removed lan4 from br-lan


added a new interface


set up said interface


enabled DHCP Server (although, maybe I don't need to do that if it's just going to be on the LAN?)


I set the "Allow Forward to destination zones:" to "lan"

When I did this, I was no longer able to access my cameras via the Reolink App, regardless of whether I was on the network via WiFi or not.

Any help would be greatly appreciated :-)!

Let’s see the complete config in text form.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):


Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Hello @psherman, please find the information below:

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.12.74",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.2",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32802-f505120278",
		"target": "mediatek/filogic",
		"description": "OpenWrt 25.12.2 r32802-f505120278",
		"builddate": "1774469393"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_Duid REDACTED
	option ula_prefix REDACTED
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option type '8021q'
	option ifname 'lan4'
	option vid '4'
	option name 'lan4.4'

config device
	option type 'bridge'
	option name 'br-VLAN'
	list ports 'lan4.4'

config interface 'VLAN_int'
	option proto 'static'
	option device 'br-VLAN'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option multipath 'off'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel 'auto'
	option htmode 'HE40'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid REDACTED
	option encryption 'psk2'
	option key REDACTED

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel 'auto'
	option htmode 'HE160'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid REDACTED
	option encryption 'psk2'
	option key REDACTED

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

config dhcp 'VLAN_int'
	option interface 'VLAN_int'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'VLAN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'VLAN_int'

config forwarding
	option src 'VLAN'
	option dest 'lan'

You've got a number of significant errors here.

However, before I make any suggestions, a few questions:

  1. Is the Reolink system expecting tagged VLAN 4 or are you just using VLAN 4 arbitrarily? Unless the connected system (i.e. the Reolink NVR) can be configured for VLANs, it probably expects an untagged connection.
  2. Will this new subnet ever be used on multiple ethernet ports and/or wifi + ethernet?
  3. Does the Reolink system need internet access? Or, on the other side of the coin, do you specifically want to prohibit internet access to this device?
  4. Does the reolink system need to be able to initiate connections to the lan? Or the other way around (lan initiates)? Or both directions will initiate?

Hello,

Thank you for reviewing this.

1.) I'm using VLAN 4 arbitrarily. Understood that it expects untagged.
2.) This subnet will be used exclusively for this single ethernet port.
3.) I would like to prohibit internet access, the goal is to only have the LAN access. I'll use tailscale to be on my LAN while outside of the house so I can still access my cameras.
4.) I'm not exactly sure on this one... I believe my goal is to have both directions be able to initiate as I'd like push notifications to work.

Ok... so we'll fix this to be untagged.

You don't even need to use VLANs (with respect to the technical definition of the term).

Ok. This will require that the Reolink system respond to traffic from a different subnet. As long as it works lan > camera, you should (in theory) be good with the Tailscale side of the equation.

I suspect that push notifications are dependent on an internet connection. I don't think that the system can push without internet. But that's something you can test.

Delete all of this:

Next, we'll edit this:

I'd recommend changing the name of the network to avoid underscores, and maybe make it more obvious (like camera). You also need to change the device to lan4. So I'd recommend making the above look like this:

config interface 'camera'
	option proto 'static'
	option device 'lan4'
	option ipaddr '192.168.4.1/24'
	option multipath 'off'

Edit the firewall:

On the zone, we'll adjust the name, network, and remove masquerading and mtu lines. This will now be:

config zone
	option name 'camera'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'camera'

Next, you are not allowing input, so you need to add rules to provide at least DHCP (I'd recommend DNS, too). Add this:

config rule
	option name 'Allow-camera-dhcp'
	option src 'camera'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-camera-dns'
	option src 'camera'
	option dest_port '53'
	option target 'ACCEPT'

Next, we'll adjust the forwarding rules.

The camera > lan forward above is only a good option if you trust the Reolink system. With this rule, your Reolink NVR will have the ability to connect to your trusted lan... typically this is not desired for camera systems like this, which are usually treated as untrusted systems. That said, the name needs to be adjusted to be consistent:

config forwarding
	option src 'camera'
	option dest 'lan'

You almost certainly want to be able to initiate connections from the lan > camera. That one looks like this:

config forwarding
	option src 'lan'
	option dest 'camera'

And, as I mentioned, you almost certainly need wan (internet) access if you want to have push notifications. That is obviously contrary to your desire to have this camera system prohibited from accessing the internet. But, for the purposes of testing, that would look like this:

config forwarding
	option src 'camera'
	option dest 'wan'

So, to recap/explain the forwards:

  • camera > lan
    • will allow your Reolink to initiate access to your trusted lan.
    • This is probably not desirable, especially if you consider the Reolink untrusted
    • It's also probably not necessary for push notifications.
  • lan > camera
    • this will allow your lan to initiate connections to the camera system and is generally the way that most connections would be made.
    • This should allow access to the camera systems in many situations, but I do not know if there are any other quirks with the Reolink system.
    • You may need to adjust settings/firewalls on the Reolink device itself to ensure that it will accept connections from a subnet that is different than the one that the Reolink uses (i.e. your lan).
  • camera > wan
    • this gives your Reolink camera system internet access.
    • per your stated goals, this is not desired.
    • However, it may actually be required for access via their mobile app (I don't know one way or the other)
      • This rule is almost certainly required for push notifications.
  1. You can implement all 3 forwards initially to make sure you can connect as expected and get your push notifications when the camera is on the new network.
  2. Then, remove the camera > wan forward and see if you can still gain access to the cameras. Also test the push notifications.
  3. Remove the camera > lan forward and ensure that everything still works.
  4. test via tailscale

Note that for this to work, you need to specify the IP address of the NVR -- be it an app or a web interface. This means you obviously need to know the IP address of the NVR. But beyond that, an app must have a mechanism by which you can enter the IP address of the NVR (rather than some cloud login) since you'll ultimately have this device offline relative to the internet.

Hello,

Thank you for this explanation and walk through, I implemented the suggestions.

I started with having both the Camera > WAN forward as well as the LAN > Camera forward.

I removed the Camera > WAN forward

I am getting a feed from the cameras, which is great! However, I'm getting a feed from the cameras regardless of whether I'm on the network or not. I don't have Tailscale set up yet, so I'm not sure why this is the case. Would you be willing to review my settings below to make sure I didn't miss something / configure something wrong?

root@OpenWrt:~# ubus call system board
{
	"kernel": "6.12.74",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "25.12.2",
		"firmware_url": "https://downloads.openwrt.org/",
		"revision": "r32802-f505120278",
		"target": "mediatek/filogic",
		"description": "OpenWrt 25.12.2 r32802-f505120278",
		"builddate": "1774469393"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option dhcp_default_duid 'REDACTED'
	option ula_prefix 'REDACTED'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.1.1/24'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'camera'
	option proto 'static'
	option device 'lan4'
	option ipaddr '192.168.4.1'
	option multipath 'off'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel 'auto'
	option htmode 'HE40'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'psk2'
	option key 'REDACTED'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel 'auto'
	option htmode 'HE160'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'psk2'
	option key 'REDACTED'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/odhcpd.leases'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'
	option piodir '/tmp/odhcpd-piodir'
	option hostsdir '/tmp/hosts'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config forwarding
	option dest 'lan'

config zone
	option name 'Camera'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'camera'

config forwarding
	option src 'lan'
	option dest 'Camera'

root@OpenWrt:~# 


lan4 needs to be removed from the bridge. (It was previously absent, so I'm not sure why it was added back in.) While lan4 is still in br-lan, the NVR is effectively sitting on your trusted lan with internet access rather than in the camera zone, which would explain why the app still reaches it from outside.

This section needs the subnet definition (ideally in CIDR notation):

replace 192.168.4.1 with 192.168.4.1/24 above.

You're missing the DHCP server for the camera network. Add this to the dhcp file:

config dhcp 'camera'
	option interface 'camera'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Delete this stub from the firewall (just above the camera zone definition):

You're missing the other rules I said would be necessary: