@Janlia For me it is currently not a big problem since I use my Synology NAS for it, everything including the controller is running on it so I don't mind. Just though for the feature it would be a good thing, one thing I would also appreaciate if they would finally release a new firmware for that model, which improves like on the ER707-M2 the IDS/IPS rate drastically ^^

Hi @Julian2111,

I'm not quite sure, if this is a good idea from security point of view. 

Reverse proxy should run independently as a only application on some host inside of DMZ. I personally use nginx docker container for this with letsencrypt certbot.

Adding reverse proxy to router or controller could IMHO widen the surface for possible attack.

Regarding accessing camera feeds - best solution is to access them via VPN - you have plenty options built-in in Omada routers.

  @ZoloNN I totally get your point, currently I'm using synology's built in reverse proxy, were I only forward 443 to, since I do not need any http:// stuff accessible from external.
The thing I though was like you can select the allowed ports and not automatically everything is forwarded.. even a DMZ to a docker container wouldn't be good though.

Point is just, some people have things running in their home that are important to be accessible.. and if the power supply dies of that nas I can not access it anymore.. I solved it now a bit different since my router (ER8411) has a redundant power supply, I just seted up a LAN-DNS to all important server/ services and imported there the certificate (need to renew them now all few months) but in case the synology dies, I simply connect to the router by VPN and still can access them without changing anything big.

Hi @Julian2111,

there are two scenarios to consider:

1. power outage (environmental issue)
2. power supply failure (hardware failure)

in 1st case you should have all devices in path (ISP modem/router - Omada router - switch - server) backed up with UPS. In my case it would mean 3 separate UPS boxes in separate rooms - one for router, second for main distribution switch and third for servers. I have UPS only for servers (and server switch).

in 2nd case you should have all devices with dual (redundant) supply - not only router, but switches and server(s) too.

Looking at current Omada switch range only Omada Campus series has dual power capability (prices starting at 2K€ per device) - and only OC400 controller has dual power capability (price starts at 600€) - which is overkill for small company.

Nevertheless in your security camera scenario, the video recorder has to have dual power supply with UPS too (assuming cameras are powered via PoE from recorder)

And if your setup is completely redundant abd backed up by UPS systems, there is no need to have the reverse proxy running on router/controller - you can have it as a VM or docker container somewhere on server - and you will have a freedom of choice which software to use and patch support from vendor.

On the other hand, I'm not quite sure, if a small company is willing to invest such amount of money for 99.9+ onsite uptime.......

My professional experience is, small companies don't have completely redundant environment, mostly they are relying on NBD on-site service contract, which is sufficient.

Regarding LAN-DNS - this feature is absolutely not usable - better use your own internal DNS, for example piHole