Ubiquiti have changed the UI quite a bit again, but your tutorial was still helpful. I have 4 cameras, and previously had them in Surveillance Station just on my main LAN. When it was set up this way, on a flat network, it would take 5 to 8 seconds for the DSCam mobile app to load the camera feeds when on the local network. I moved the cameras to a dedicated VLAN, using the second Synology NAS NIC and not only do I have the benefit of isolation of the camera network, additionally it now takes only 1 to 2 seconds to load the camera feed on the DSCam app. Not sure why that made such a huge difference, but it did in this case. I don't have a particularly busy home network, but given I had a full Unifi system, including a USG Pro, it just made sense to utilise this. I did find it best to give the camera a reserved address (fixed IP) via Unifi console as Synology relies on the IP address of the camera not changing. Setting a reserved address means the camera can stay on DHCP, but Unifi will always give it the same IP address.
I found it worked just as well to put home bridge and IOT devices on the IOT network. The home bridge can communicate with the Apple Home hub (which can be accessed externally anyway). In this way, the IOT network including Homebridge are completely isolated from any other networks in my home. And since Homebridge also by definition solved adding/controlling all the random wifi smart devices (like light switches etc) using Apple HomeKit it means that every IOT device I have is controlled from within Apple HomeKit and also completely separated onto its own completely isolated network.
Just to confirm in your video.
- Synology has two LAN connections 192.168.1 (camera VLAN) and 10.30 (Synology + Computer).
- The reason the computer can talk to the Synology is because they are both on the 10.30 VLAN
- The reason the camera can record to the Synology is because they are both on the 192.168.1 VLAN
So the Synology is the device in the middle (it's connected to both VLANs). If you didn't have the second ethernet cable plugged into the Synology (for 10.30), then the computer (10.30) wouldn't be able to communicate to it - however the cameras would be able to see the NAS, correct? I think you missed that part in the setup - The Synology setup part for the LANs (as not all Synology units have more than one LAN port iirc). I intend to do the same setup with my UDM + Synology unit (where the Synology is the bridge between the two networks)
@@SpaceRexWill OK thanks, I'll try to watch some videos or read somewhere on how to complete the Synology setup side of things, shouldn't be too bad. Otherwise I might just use a single network, as I'm not entirely sure how a camera could be a security risk and I can't remember if I left a free port on my Synology Switch - hopefully I did, did the patch cabling a few months ago.
Hoping you could provide some advice, I can’t find a tutorial for my situation: Have U6-ent APs with 3 SSIDs:
- default ssid on default vlan with wpa3 so I can have 2.4/5/6ghz
- iot ssid on iot vlan with wpa2 at 2.4ghz
- couple of other vlans like guest and security cameras
I put all the iot devices on the iot vlan and everything works great except my Wi-Fi printer and wife’s Bose speaker. Both devices are wifi3 that can’t do wpa3. I can’t print from the default ssid with phones, laptops, etc. I wanted to put the speaker and printer into the default ssid but then I would have to go to wpa2 and that would deactivate the 6ghz spectrum. Is there a way to leave those devices in the iot network and control them from the devices on the default ssid/vlan?
You mentioned setting this up w/ your Layer 3 Switch (Enterprise-24-PoE) @6:55. How do you set it up so your L3 switch handles inter-VLAN routing, but still blocks unwanted inter-VLAN traffic (e.g. Cameras -> LAN)?
Would having your phone on the IOT network not be an easier solution? It would make things both easier and safer. Plus, even though that is debatable, a phone might be considered as an IoT device which you would not want to trust.
If this was an office then that would not be a bad setup. But since it’s my personal setup it’s got issues for 2 reasons: 1) my phone needs to be able to connect to the rest of my computers 2) if the reason I am setting this up is for security of my devices I don’t want my phone exposed to the unknown of the IOT VLAN
@@Fryn_Hayn you can set up your firewall rules so that the camera can talk to only the Synology: block everything out except the specific port to the specific IP. When you are trying to view the camera feed you are doing so via the Synology app. If you are talking about accessing the camera directly from remote (eg: to change settings) then you would want to open a hole in the firewall so internet in can access the camera. But the camera should never need access to the internet out.
Isn't it better to drop just New and Invalid sessions from IoT to LAN, thereby allowing Established and Related out from your IoT network? I guess it depends how isolated you want to make your VLAN, and your solution of using Homebridge negates the need for Established and Related out. However probably most IoT setups should allow Established and Related to the primary LAN (where your clients are) for more reliable operation of the IoT device.
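The rule ordering discussed in the two comments above (cameras limited to one NAS port, and dropping only new sessions from IoT to LAN while replies to established ones pass), as an added example that is not part of the original comments: a toy Python model of a first-match stateful filter. All addresses, the NAS port and the `Router` class are constructed assumptions, and the Invalid and Related states are not modelled.

```python
import ipaddress

# Constructed addressing and port (assumptions, not taken from the comments)
LAN = ipaddress.ip_network("10.30.0.0/24")
IOT = ipaddress.ip_network("10.40.0.0/24")
CAM = ipaddress.ip_network("192.168.1.0/24")
NAS = ipaddress.ip_address("10.30.0.10")
NAS_PORT = 5000  # placeholder for the single service cameras may reach

class Router:
    """First-match, stateful inter-VLAN filter (toy stand-in for conntrack)."""

    def __init__(self):
        self.flows = set()  # 4-tuples of connections accepted as NEW

    def state(self, src, sport, dst, dport):
        # A packet is "established" if it matches a tracked flow in either direction.
        forward = (src, sport, dst, dport) in self.flows
        reverse = (dst, dport, src, sport) in self.flows
        return "established" if forward or reverse else "new"

    def filter(self, src, sport, dst, dport):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Rule 1: traffic belonging to an already-allowed connection passes.
        if self.state(src, sport, dst, dport) == "established":
            return "accept"
        # Rule 2: cameras may open connections only to the NAS on one port.
        if s in CAM:
            verdict = "accept" if (d == NAS and dport == NAS_PORT) else "drop"
        # Rule 3: IoT devices may not open new connections into the LAN.
        elif s in IOT and d in LAN:
            verdict = "drop"
        else:
            verdict = "accept"  # default: LAN -> anywhere, IoT -> internet
        if verdict == "accept":
            self.flows.add((src, sport, dst, dport))
        return verdict
```

Because rule 1 is evaluated first, a LAN client can still control an IoT device and receive its replies, while the same IoT device cannot start a session toward the LAN.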
@SpaceRex cool, in other words... It would remove overhead from my UDM. My main concern is if I can assign vlans in Ubiquiti layer 2 switch port. Would it be worth buying a layer 3 in a network with 10 4k cameras and up to 50 devices (mainly IOT devices)?
@@SpaceRexWill interesting. Good to know. With the Qnap and recent Asustor attack, you should do another video addressing what should be done on a Synology NAS.
I noticed that your router and switch provides 10.10.0.0 IP addresses. how to do that? do you have a video about it? I just got my dream machine pro, and AP wifi 6 lite. I would like to set it up to work with this ip address. I'm new with Ubiquiti products. Thanks!
I have a video talking about my plan ("I am redoing my network again"). And it's just a setting in the console. Go in and choose your network and change the subnet
In this case we are just passing the port through as being on that VLAN. Effectively the Synology thinks we just plugged it into an entirely different network. It does not need to know that VLANs even exist
@@SpaceRexWill Oh ok. Another question is in the network configuration on the Synology it has a check box for vlan ID and you enter a vlan ID there. Is that for multiple vlans? I read Synology doesn't work well with multiple vlans.
That would be if you had multiple vlans sent to the port on the Synology then you would be able to select it. But if you are only sending the one then you do not have to select it (and should not)
So every time you need a direct connection to a camera you need to go plug into a specific port that has access to both vlans??? that's not very good man! Ideally just need to segment the network into a different vlan for security cameras, and isolate them from talking to the PC LAN, but still leave access to the cams from the PC LAN. The cams won't be able to talk to any devices on the PC LAN (have their own broadcast domain) but still access the Internet.
my only issue is i only have 10Gbps NIC with no more room for more NICs so i can't record from my cameras anymore. i'll have to see if it's possible force multiple on one port. outside of unifi/ubiq i know QinQ is a thing for the 802.x spec on that. i might try a usb3 dual port NIC but, i really prefer to have motherboard/pcie Intel nics due to Shitty NICs Disease. EDIT: I FORGOT I SET DHCP RESERVATIONS BEFORE THIS VIDEO! going to go see about re addressing the camera IPs. EDIT: still double whammy issue(s)
@@SpaceRexWill how is that done? i also noticed after "converted to l3 routing" on a few vlans an intervlan router showed up. i also can access my cameras via wifi despite them being on a camera only network. i think i may need some rules blocking the vlan from the new intervlan network unifi created. also i noticed in your video there are no rules specifically blocking the camera vlan from internet and i some internet/wan options in there for rules but, i may not understand how those work. also i got it working with secondary NIC on my server would still need a usb nic. i don't see anywhere where i can select multi vlans it turns red and angry when i try to select multiple vlans. EDIT: it paused my firewall rules, that's probably why EDIT: no i wonder if it's because i need an intervlan rule or because UAPS are on "ALL" EDIT: disabled my second nic and cameras still work and vlans are not blocked so i think i have to start all over. seems to have broke when i able switch routing as i did not want my ipcam vlan touching the router, also the router is tiny dual core old usg.
@@SpaceRexWill ok i figured it out, intervlan routing is a whole new game is what allowed all my vlans to talk to each other, block that you have to make special network with some RFC tags in the name. i got usb3 dual nic and reverted all my stuff back and started over. FYI the cameras can not pull from inet for time sync (doesn't matter nvr does time stamps) so the vlan works!