Can't access camera on newly created Cam VLAN

I’ve followed a number of different videos to segment my home network and have learned quite a lot from this channel/forum, but I’ve hit a snag when creating a Cam VLAN. I’ve created the VLAN, I can connect to it from various devices and it doesn’t have internet access (huzzah!) but I don’t seem to be able to actually access a camera after switching it over to the Cam VLAN, either from the Cam VLAN or LAN. I can ping from both and if I connect both my PC and Android to the Cam VLAN i can ping each device. But I changed the profile of the port of one of my POE Cams to the Cam VLAN and am unable to ping it (or access the POE Cams gui like I can for other cams still on my LAN). Pinging the cams old LAN address ( gives me a “Destination Host Unreachable” and pinging the new one ( gives me a “Request Timed Out”. I’ve trying to paste screenshots of relevant info, but please let me know if anything further would be helpful…(edit: the first set of Firewall rules is for the LAN, sorry for cutting off the top)

P.S. And yes i know the tutorial suggests putting the NVR/Controller on the same subnet but that would wreck a few backup scripts currently run. I assume everyone would think this isn’t the most secure way to set this, but i’d love to get over this hurdle an get everything with BlueIris back up and running before I starting moving the BlueIris box behind the cam vlan/subnet…

Have you power cycled the camera? It may just be that it hasn’t refreshed its IP address via DHCP yet.

Edit: I guess this is not the problem since you know the new IP address. Sorry, it’s late here :sweat_smile:

For testing try to loosen up your rules on the cam VLAN and allow all traffic without restrictions. If successful then try tighten up the rules again.

Regarding the security aspect of having the NVR on a different network from the cameras: This is actually an example of a more general problem. Unless you put extra measures in place like IP-MAC Binding and Port Security, a threat actor could theoretically spoof a camera’s IP address and gain access to parts of the overall network that they shouldn’t. But perhaps the more pressing concern is that all the traffic between the cameras and NVR is now forwarded through the router instead of being switched, which negatively impacts your router’s performance.

I think this is a good suggestion and something I will try anyways, but in the Unifi Controller Software it states that the IP is one i assigned in the DHCP server for the new VLAN

So you’d recommend, for example, just the last “* to *” rule as a beginning test?

yikes! i don’t want to negatively impact anything! So it sounds like it would be best to put the BlueIris PC behind the Cam VLAN (eventually) and then give the BlueIris PC access to the WAN?

Yeah. Set a wide open rule for testing.

1 Like

well i disabled all the rules except the bottom “* to *” rule and thankfully I was about to access the Cam residing on the cam VLAN (as well as various other Cam VLAN clients). One by one, I re-enabled the rules top to bottom and each time everything still worked as expected…all the way to the last rule! Nothing worked, then I simply disabled all the rules, then re-enabled them and everything worked. I guess I’ll take it but I hate when a problem gets solved with the ole “have you tried turning it off and on?”

There is one issue though: I am able to ping around 10.10.30.x and i’m blocked from other networks and the internet, but I’m unable to ping my Blue Iris pc when connected to Cam VLAN. Is there a conflict in the rules passing traffic from Cam Net to and the following one blocking Cam Net to Lan Net (10.10.10.x)?


Are you sure that the blue iris server itself allows ICMP traffic?

Yorur rules only allow TCP traffic, for ping you need to add a rule for icmp traffic - select ICMP as the traffic type, any as icmp subtypes

I can ping the Blue Iris PC from my LAN network (e.g. to so i assume so

they def used to (see screenshot in first post) but I thought i changed it (see screenshot in last post) to allow all protocols. Does it look wrong?

I tested just your suggestion (changed any to icmp/any) and still was unable to ping from Cam VLAN


sorry to bump, just curious if there were any further troubleshooting suggestions for allowing my Cam VLAN to access the Blue Iris box on the LAN?

It might not matter but you have an ANY rule on the source first rule on your cam interface. You should switch the source to CAMS net.

Also your allow all rule at the bottom needs to have the sources to be CAMS net

Like this?

if so, unfortunately i was still unable to ping when connected to the Cam VLAN

Can you show me what ipconfig show in a command prompt?

Let me know if the “media disconnected” output above this is of any use…

Hey sorry to bump and apologies for my previous delayed response. Anybody have any ideas for troubleshooting the (in)ability to access the Blue Iris box (resides on the LAN network) from the Cam VLAN network?