As I have mentioned in my how-to on creating an isolated network, I have several Amcrest IP cameras on an isolated network which I use mostly as high-quality baby camera monitors. Recently my family decided to get an outdoor camera to put on the front porch and a video doorbell for the front door to help monitor the entire front of our house.
In addition to those purchases, I got a relatively cheap Amcrest NVR box to use so that I could have a dedicated box for video recordings on my isolated network. I would be assured that it is powerful enough to handle up to 16 4K cameras (the 8 camera NVR was out of stock). I added the porch camera and the doorbell to my Amcrest NVR, but I wanted to receive push notifications from the Amcrest NVR when motion is detected.
I probably will not always want motion detection enabled all the time since it will constantly be notifying me of alerts unless I restrict the detection zones and/or the time of day when to allow notifications…
Since Internet access is blocked on my isolated network for security reasons, I could not receive push notifications from the NVR. I was hoping it would send over the local network to devices on another VLAN if I created a rule to allow access. This approach does not work.
Note that if you have your NVR in a network where it has full access to communicate out to the Internet, you do not need to refer to this how-to because you should already be able to receive push notifications even if your devices are on different VLANs. This post is intended for those who desire to have a locked down IP camera network.
Inspecting the Firewall Logs
I often find it useful to look at the live firewall log file page to see in real time what is being allowed or denied through the firewall. The advantage of the live log is that you can open that page, do something on a device on your network, and watch the log to see which entries show up in the log files. The live view includes a label column which is the description of the firewall rule which is triggered. Including detailed descriptions on all your firewall rules will be very beneficial to you when looking at the live view. To go to the live view page, navigate to “Firewall > Log Files > Live View”.
I noticed that the NVR attempts to connect to remote servers to allow push notifications to be sent to your mobile device with the Amcrest View Pro application. Since I am using the iOS app, push notifications can be sent through the Apple Push Notification (APN) service. Following the guidance from Apple and watching the firewall log, push notifications can be allowed out of an isolated/restricted network by using the following firewall rule:
| Option | Value |
| --- | --- |
| Destination | 17.0.0.0/8 |
| Description | Allow Amcrest NVR to send push notifications to Apple servers |
For the “Interface”, it will be your isolated VLAN interface where your NVR is located. The “Source” is the NVR IP address. The destination network should be 17.0.0.0/8 since that is the full address range used by the Apple Push Notification service. Apple owns that entire IP space so it should be safe to allow that large a network through the firewall. I noticed, looking at the firewall logs, that it was using port 2195 even though Apple’s documentation says port 2197. There is a footnote that says some older services may use port 2195 and 2196.
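An added example (not from the original post) of checking a rule like this against log entries before enabling it: it sorts the currently blocked flows into those the rule would open and those that stay blocked. The NVR address, interface name, second camera, port set and the simplified key=value log layout are assumptions, and the sample entries are constructed.

```python
import ipaddress
from collections import Counter

# Assumed values, not from the post: NVR address, interface name, the second
# camera, and the key=value line layout (a simplified stand-in for a log export).
NVR_IP = ipaddress.ip_address("192.168.50.10")
APNS_NET = ipaddress.ip_network("17.0.0.0/8")  # Apple's address block
APNS_PORTS = {2195, 2196, 2197}  # 2197 documented; 2195/2196 legacy (assumed rule scope)

# Constructed sample entries.
SAMPLE_LOG = """\
action=block if=vlan50 proto=tcp src=192.168.50.10 dst=17.188.1.20 dport=2195
action=block if=vlan50 proto=tcp src=192.168.50.10 dst=17.188.1.20 dport=2195
action=block if=vlan50 proto=udp src=192.168.50.10 dst=203.0.113.7 dport=123
action=block if=vlan50 proto=tcp src=192.168.50.10 dst=198.51.100.9 dport=443
action=block if=vlan50 proto=tcp src=192.168.50.23 dst=17.57.144.5 dport=2197
action=pass if=vlan50 proto=udp src=192.168.50.10 dst=192.168.50.1 dport=53
"""


def parse(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def rule_matches(rec):
    """True if the narrow rule (NVR -> Apple /8, TCP, APNs ports) would pass it."""
    return (
        rec["proto"] == "tcp"
        and ipaddress.ip_address(rec["src"]) == NVR_IP
        and ipaddress.ip_address(rec["dst"]) in APNS_NET
        and int(rec["dport"]) in APNS_PORTS
    )


def review(log_text):
    """Split blocked flows into those the rule opens and those it leaves blocked."""
    opened, still_blocked = Counter(), Counter()
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        if rec["action"] != "block":
            continue
        flow = (rec["src"], rec["dst"], rec["proto"], int(rec["dport"]))
        (opened if rule_matches(rec) else still_blocked)[flow] += 1
    return opened, still_blocked


if __name__ == "__main__":
    for title, flows in zip(("opened by rule", "still blocked"), review(SAMPLE_LOG)):
        print(title, *(f"  {f} x{n}" for f, n in flows.items()), sep="\n")
```

Anything listed as still blocked, such as the second camera reaching Apple directly or the NVR contacting non-Apple hosts, stays denied because the rule is scoped to the NVR as the only source.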
That should be all you need to do to enable push notifications for motion events! This how-to may work exactly the same for individual Amcrest cameras as well. I only tried it for cameras attached to the NVR so I cannot say for certain if this will work for individual cameras. You can follow the same process to ensure the ports and destination addresses are the same. Most likely they are the same and you can allow individual cameras to send push notifications to your Amcrest View Pro app.