Lately I have been looking for an IP Camera solution for my house.  The requirements were simple - it needed to be cost effective, support wired and wireless cameras, and not require a connection to the cloud to operate.  While I'm a big fan of the cloud, the idea of sending video footage of my home to some random IP in the cloud isn't something I'm really comfortable with.

After reading several reddit threads I came across Reolink.  I ended up ordering the RLK8-810B4-A which was a nice starter bundle - 4 cameras (with the ability to grow to 8) and a local NVR with a 2TB HDD.  Not wanting to do the ladder work myself, I found a local installer who did an amazing job installing the physical cameras around my house.  Everything was going great.

After the installer was done, I created a new VLAN on my local network for the cameras and NVR so I could put firewall rules in place to ensure they only went where I wanted them to - IP cameras are notoriously insecure.   The new subnet was in the 172.16.0.0/12 range, which is a standard part of the RFC1918 space used for private IPv4 networking.  I've used the 172.16 block on my internal network for years - since most corporate networks use the 10/8 or 192.168/16 prefix I've never had any issues with IP overlaps and it's worked well for me.  So with the new subnet created, switch ports updated, and router interfaces created I was ready to rock.

When I powered on the NVR, I noticed it got an IP address from my DHCP server - excellent!  But when I tried to ping it and access it via HTTP(S) I got no response - this wasn't good.  I put my laptop into the same subnet as the NVR and it connected.  Odd, I thought - this doesn't feel right.  Something somewhere isn't doing what it's supposed to.

For the next few hours I banged my head looking at firewall logs, doing packet captures, searching the internet, and even posting to reddit to seek help.  I checked my switch and router configs multiple times.  I thought I was going crazy. I finally found a blog post on hacking the NVR, where deep in the comments I found this gem:

i hacked the unit in order to debug a connectivity issue i had between routed networks and the NVR. turns out, they are using 172.16.0.0/16 as their internal camera network (where the PoE ports are connected to) and this overlaps with my other local networks i have here.

Nowhere in the documentation is this stated.  The UI doesn't give you a single warning that the IP you've assigned conflicts with what they use for the NVR's internal switch.  Nada.  Now they didn't use the entire 172.16/12 block, but they used enough of it to overlap with the internal network I created.
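Since the NVR gives no warning itself, the check has to happen on the planning side. The following is an added example (not code from the post or from Reolink) that takes the 172.16.0.0/16 range reported in the quoted comment as a device-internal reservation, tests a set of planned VLAN subnets against it with the standard library's ipaddress module, names the RFC1918 block each one falls in, and proposes a same-sized replacement out of 10.0.0.0/8. The planned subnets and the "nvr-poe-switch" label are constructed for the example; the post does not give the actual subnets in use.

```python
import ipaddress

# Constructed example: address space a device keeps for its own internal use.
# 172.16.0.0/16 is the range the quoted comment reports for the NVR's PoE
# camera network; the label is ours, not a vendor identifier.
VENDOR_INTERNAL = {
    "nvr-poe-switch": "172.16.0.0/16",
}

# Constructed example: planned VLAN subnets. The post does not give the real
# ones, so these are illustrative values inside the RFC1918 172.16/12 block.
PLANNED_SUBNETS = {
    "cameras": "172.16.50.0/24",
    "wireless": "172.16.20.0/24",
    "servers": "172.20.0.0/24",
}

# The three RFC1918 private IPv4 blocks.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def find_conflicts(planned, reserved):
    """Return (planned_name, reserved_name) pairs whose address ranges overlap.

    overlaps() is true whenever the two networks share any address, so a
    planned /24 inside the device's /16 is caught, as is a planned supernet
    that would swallow the device range.
    """
    conflicts = []
    for pname, pcidr in planned.items():
        pnet = ipaddress.ip_network(pcidr)
        for rname, rcidr in reserved.items():
            if pnet.overlaps(ipaddress.ip_network(rcidr)):
                conflicts.append((pname, rname))
    return conflicts


def rfc1918_block(cidr):
    """Name the RFC1918 block a network sits inside, or None if it is not private."""
    net = ipaddress.ip_network(cidr)
    for block in RFC1918:
        if ipaddress.ip_network(block).supernet_of(net):
            return block
    return None


def suggest_replacement(cidr, reserved, pool="10.0.0.0/8"):
    """First subnet of the same prefix length in pool that overlaps no reserved range."""
    net = ipaddress.ip_network(cidr)
    reserved_nets = [ipaddress.ip_network(r) for r in reserved.values()]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=net.prefixlen):
        if not any(cand.overlaps(r) for r in reserved_nets):
            return str(cand)
    return None


def main():
    conflicts = find_conflicts(PLANNED_SUBNETS, VENDOR_INTERNAL)
    for pname, rname in conflicts:
        cidr = PLANNED_SUBNETS[pname]
        print(f"{pname} ({cidr}, {rfc1918_block(cidr)}) overlaps {rname} "
              f"({VENDOR_INTERNAL[rname]}); candidate replacement: "
              f"{suggest_replacement(cidr, VENDOR_INTERNAL)}")
    if not conflicts:
        print("no overlaps with reserved ranges")


if __name__ == "__main__":
    main()
```

Run against the constructed values, the cameras and wireless subnets are flagged and the servers subnet passes: it is in the same RFC1918 /12 as the device's range but outside its /16, which is the distinction the post is drawing when it says the NVR uses "enough" of 172.16/12 to collide. Adding each new appliance's internal range to VENDOR_INTERNAL as it is discovered turns this into a one-line check before a VLAN is carved out.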

Once I switched the camera network and my wireless LAN from a 172.16 IP to new 10 IP blocks everything magically started to work.  Finally I had success.

Vendors really need to do better - if you're going to make the assumption that everyone is using 192.168 and it's safe to null route the entire 172.16/12 block without a single warning it really makes me wonder what other shortcuts they took in their code.  I'll be triple checking my firewall rules to make sure these things can't go anywhere.

I won't be returning the unit over this, but they are on a short leash with me.