Home Security Recommendations

This is my first post. Hopefully I've put it in the correct Forum.

 

I'm currently looking for a home security system with the following features:

  • Remote access to view live and recorded video from anywhere
  • Motion detection notifications, again from anywhere
  • Local storage for recordings
  • No Subscription

I'm pretty well versed in standard PC hardware and network configurations, but this is the first time I've looked into home security and a more advanced network config.

I've done some research already and need some advice on what the best and most secure option would be. Below are the primary configurations I'm thinking about:

  1. Ubiquiti Protect w/ Remote Management enabled
    • UDM-Pro, Netgear Router
    • Network Config: Modem (bridged) => UDM-Pro => Netgear Router (via SFP+ LAN [Yes my router has that])
      • Cameras would be connected directly to the UDM-Pro
      • G4 Doorbell would be connected to Netgear router
  2. Ubiquiti Protect w/ Remote Management disabled
    • UDM-Pro, Netgear Router
    • Network Config: Same as option 1 above, but the UDM-Pro would have a VPN configured with a DDNS
  3. Ubiquiti Protect w/ Remote Management disabled
    • UDM-Pro, Netgear Router
    • Network Config: Modem (bridged) => Netgear router (VPN via DDNS) => UDM-Pro
      • Cameras and G4 connected as in option 1
  4. Home Assistant w/ undetermined cameras
    • Would start with a Raspberry Pi as proof-of-concept, but I would need a full server of some kind to run it properly
    • VPN via DDNS would be configured in router as in option 3 above

 

I have been unsuccessful at finding a security option besides Ubiquiti that doesn't require a subscription other than complete DIY like in option 4.

 

I’ve read about the recent Ubiquiti breach, and it seems like if you don’t have Remote Management enabled there’s not really a security concern with their devices because of it, so I'm leaning toward option 3 for its easier network configuration. But I'm unsure how the motion detection notifications would be affected. Would I need to be connected to the VPN at all times?

I'm also unsure how the G4 Doorbell would be affected when it's connected to a Wi-Fi AP in front of the UDM-Pro.

 

Any help anyone can give with picking the best option (or recommending a completely new one) is greatly appreciated.

 


  • 2 weeks later...

The UDM-Pro is a router itself. Best practice is not hooking a router to a router. It will cause double NAT, and if you want to view your cameras when outside your home it will make things harder. The Netgear should only be used as an AP. Outside of that, I'm not an expert in home security.

I just want to sit back and watch the world burn. 


Sorry, I guess that wasn't clear.

 

I would only use the NETGEAR as a wifi AP in options 1 and 2.

 

Though you have a good point for option 3. Could the UDM-Pro be configured to work in that type of network configuration without any issues?


16 hours ago, MyNameGoesHere said:

Could the UDM-Pro be configured to work in that type of network configuration without any issues?

Not sure, but I can tell you most people who try connecting a router to a router have a bad time. Plus the software on the UDM-Pro mostly is just going to be better and provide more options for managing your network.

I just want to sit back and watch the world burn. 


I've had that issue myself in the past.

 

We were switching ISPs and we specifically told the new one we were going to use our own router, and to give us a modem only.

 

After setting everything up we started having constant connectivity issues. We contacted them and they tried a few things, including swapping the modem out entirely, but the issues continued.

 

It wasn't until I googled the modem's model number that I learned it had a built in router.

 

I went in and set it to bridged mode and all of our issues went away. 


41 minutes ago, MyNameGoesHere said:

It wasn't until I googled the modem's model number that I learned it had a built in router.

Then the proper term for that is an internet gateway.

 

Internet gateways have built-in routers, so putting another router behind it will result in double NAT.

 

41 minutes ago, MyNameGoesHere said:

I went in and set it to bridged mode and all of our issues went away. 

Bridge mode “turns off” various features that a router would do and hands off WAN traffic to the next device directly. You’ll still need to use bridge mode if you’re using an internet gateway and want to use the UDM-Pro.

 

18 hours ago, MyNameGoesHere said:

I would only use the NETGEAR as a wifi AP in options 1 and 2.

If using any wireless router in AP mode, the ethernet ports are now switch ports. So technically, putting a switch between your modem/gateway and router isn’t standard practice. Simply wire the AP to the UDM-Pro.

 

On 5/3/2021 at 1:56 PM, MyNameGoesHere said:

I’ve read about the recent Ubiquiti breach, and it seems like if you don’t have Remote Management enabled there’s not really a security concern with their devices because of it, so I'm leaning toward option 3 for its easier network configuration. But I'm unsure how the motion detection notifications would be affected. Would I need to be connected to the VPN at all times?

It’s understandable to be wary about any data breach to an online service that keeps some of your personal information. That being said, with remote management turned off, you likely won’t be able to view your camera feeds through UniFi Protect.

 

The alternative is to use another hosted UniFi Controller, i.e. one that you install yourself on a cloud hosting service (you’ll be responsible for this) or something like Hostifi which specifically handles UniFi cloud hosting. Realize that you’re now putting your information in the hands of someone else which can be subject to the same vulnerabilities.

 

Hostifi isn’t cheap, but they’re the best alternative to UniFi’s own cloud-based service and are easy to set up. Cost might be justified if you want to manage multiple site controllers instead of just one.

 

You should visit the UniFi Community Forums to get specific recommendations, as their users are more up-to-date with this kind of thing.


23 hours ago, Falcon1986 said:

If using any wireless router in AP mode, the ethernet ports are now switch ports. So technically, putting a switch between your modem/gateway and router isn’t standard practice. Simply wire the AP to the UDM-Pro.

The Netgear Router in option 3 would not be bridged. But that does lead to a question I asked in a reply above - would the UDM-Pro even work if placed behind a router? I wouldn't connect anything to it directly except the cameras.

 

23 hours ago, Falcon1986 said:

It’s understandable to be wary about any data breach to an online service that keeps some of your personal information. That being said, with remote management turned off, you likely won’t be able to view your camera feeds through UniFi Protect.

To be honest, I'm not overly worried about the information they may be able to access. An email address on its own is basically useless, and passwords can be changed. I'm more concerned that someone could gain access to my cameras and/or other devices on my network.

 

That's what the VPN with DDNS would be for. With Remote Management disabled, I could (theoretically) VPN into my local network and log into UniFi Protect from anywhere that way. But I'm not sure if the motion detection notifications would still work in this setting if I'm not connected to the VPN at all times.

 

23 hours ago, Falcon1986 said:

You should visit the UniFi Community Forums to get specific recommendations, as their users are more up-to-date with this kind of thing.

I've been thinking of posting something on the Ubiquiti community as well, but I wasn't sure how active it was so I figured I'd start here since it seems very active.


8 minutes ago, MyNameGoesHere said:

The Netgear Router in option 3 would not be bridged. But that does lead to a question I asked in a reply above - would the UDM-Pro even work if placed behind a router? I wouldn't connect anything to it directly except the cameras.

You’d encounter double-NAT with that setup.

 

Why do you need the Netgear router, again? What is the model of the router? If you want to keep the Netgear router, maybe the better solution would be the UNVR instead of the UDM-Pro.

 

17 minutes ago, MyNameGoesHere said:

I've been thinking of posting something on the Ubiquiti community as well, but I wasn't sure how active it was so I figured I'd start here since it seems very active.

Oh, it’s active! For this type of thing, you need specialist recommendations.
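
Added example, not part of any post in this thread: a Python check for the double NAT discussed above. It parses numeric `traceroute -n` output and counts the private (RFC 1918) subnets crossed before the first public hop, and it also flags carrier-grade NAT (100.64.0.0/10), which gets in the way of inbound VPN access as well. The traceroute samples and all addresses are constructed, and treating each home LAN as a /24 is an assumption.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space used by ISP-level NAT
HOP = re.compile(r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\b")
SILENT = re.compile(r"^\s*\d+\s+\*")
# Constructed sample: client -> UDM-Pro -> Netgear -> ISP (option 3 as described).
SAMPLE_OPTION3 = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1  0.41 ms  0.39 ms  0.37 ms
 2  192.168.0.1  1.02 ms  0.98 ms  0.95 ms
 3  * * *
 4  203.0.113.1  8.70 ms  8.52 ms  8.91 ms
"""
# Constructed sample: a single router, but the ISP hands out a CGNAT address.
SAMPLE_CGNAT = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  192.168.1.1  0.40 ms  0.38 ms  0.36 ms
 2  100.64.0.1  6.10 ms  6.02 ms  6.20 ms
 3  203.0.113.1  8.70 ms  8.52 ms  8.91 ms
"""

def classify(ip):
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "private"
    return "cgnat" if addr in CGNAT else "public"

def parse_hops(text):
    """Responding IPv4 address per hop; None where the hop did not answer."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            hops.append(m.group(1))
        elif SILENT.match(line):
            hops.append(None)
    return hops

def diagnose(text):
    """Count private subnets crossed before the first public hop."""
    private, cgnat = set(), False
    for ip in filter(None, parse_hops(text)):
        kind = classify(ip)
        if kind == "public":
            break
        if kind == "cgnat":
            cgnat = True
        else:  # heuristic (assumption): treat each home LAN as a /24
            private.add(ipaddress.ip_network(ip + "/24", strict=False))
    return {"private_layers": len(private), "double_nat": len(private) >= 2, "cgnat": cgnat}
```

Feed `diagnose()` the output of `traceroute -n` run from a client behind the innermost router; two or more private layers means port forwarding for a VPN has to be set up on every router in the chain.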


1 hour ago, Falcon1986 said:

Why do you need the Netgear router, again? What is the model of the router? If you want to keep the Netgear router, maybe the better solution would be the UNVR instead of the UDM-Pro.

It's the Nighthawk x10 AD7200. There isn't really a point in buying Ubiquiti's own APs since they wouldn't be an improvement.

 

I hadn't noticed the UNVR before! Since that only has UniFi Protect I think that would solve most if not all of the network issues.

