Wyze Cam OG attempting UDP connections outside of VLAN

While I understand that Wyze cameras are not necessarily intended to be operating on complex networks, this issue is more about the suspicious traffic than the network. My cameras are sitting on their own VLAN. I have 12 cameras which are all different models (V2, V3, Pan V2, OG).

On my firewall, I am seeing attempts to connect to my iphone (or whichever device is viewing live stream) from my OG camera. This only happens from OG cameras, none of the others. My iphone and other devices are on a separate VLAN. Why is the OG attempting this connection, and why are none of the other cameras doing this?

Everything appears to work correctly, such as sound, video, SD card recordings, etc. I cannot find anything that is not working even though the attempts are blocked. These connection attempts are UDP and on ports in the 50000 range. This does not appear in any of the docs I have seen regarding ports/protocols for the Wyze cameras.

When viewing live stream or SD card footage, they will first attempt to connect directly to your phone using your phone’s IP address. If that fails, they then attempt to connect via Wyze’s servers in the cloud.

Mine operate in similar fashion, they are on an isolated network so they stream via Wyze servers.

The different cameras use different protocols and servers, I would suspect that you’d probably be able to find similar denied traffic (possibly TCP) from the others. However it is also possible those cams keep better track of whether your phone is directly reachable and don’t attempt quite as often.

It must be the latter. It is surprising that the older cameras would keep better account of whether my device is directly available. There is no other blocked traffic on the interface at all. And the only time any blocks pop up is when I try to connect to the OG. Your answer makes perfect sense. I would love to know what the difference is between the OG and the others in the list I provided that would cause this activity.

@dave27, do you know if there is a way to force a local connection if my cameras and end devices are on separate SSIDs and VLANs? Is there a port range I could open uni-directionally to allow the video streams to my end devices if I chose to, or do you have to be on the same WiFi SSID and/or network?

The OG cams were intended to be the cheapest ones they’ve ever made, and they also appear to be the first that strictly use AWS for their external connectivity, based on my observations of their TCP/UDP connections. When comparing to my Panv3s they have very different connections going out.

AWS is cheap, but it still adds up as they charge by bytes, so I’m guessing they designed the OGs (and possibly v4, I haven’t looked at the connections on the one I just got yet) to be more aggressive when trying to connect directly to save cost.

I haven’t done a lot of testing. Most IOT devices require the same subnet at the very least and many also look at the SSID. It doesn’t seem that Wyze cares about SSID as it will let you connect different cams to different SSIDs, unlike some other manufacturers.

I suspect it would only work if it is on the same subnet (and if you have client/AP isolation disabled obviously). But I’ve never tested to be able to say for sure, perhaps they’ve made them subnet/router aware and they’d be able to stream direct via your router. But seems pretty unlikely.

There are ways to have a single subnet span across VLANs and still protect them from one another, but it requires a switch with fairly advanced features, or a router/switch that is running a Linux variant so you can use ebtables (layer 2 firewall) to do it.

Honestly the reason I haven’t toyed with it much is streaming via their servers and looping through the internet has not caused me any noticeable issues. My OGs connect very quickly and streaming is smooth. Maybe it would be slightly better if going direct (I did test it on the same subnet once by putting my spare phone on that wifi and disabling client isolation) but I didn’t notice any difference.

That was my thought as well. These OG cameras were intended to be very cheap. I had thought maybe they didn’t invest in the appropriate logic to determine the best path, but you may be on to something. Perhaps this attempt to connect locally first is intentional. It would make sense that they would want to keep their own costs low. I appreciate you writing out a thorough response. Thanks!

At least you know your protection mechanisms are working.

All the cams will use the local path as their first choice. As I mentioned it is possible they just made the OG more “aggressive” about continuously trying to establish a local connection, but that’s just a theory on my part.

Somewhere in your logs you should see your other models attempting as well, maybe just not as frequently or they give up easier. Perhaps there is better logic in the app for them where it only attempts when it sees a network/IP change and then stops until another change takes place. Again this is all just guesswork on my part.
The app is essentially just a “container” for all the different camera interfaces so each one can behave differently.

Protocols like RTSP etc are capable of streaming through routers, but the OG cams don’t support that natively (none of them do anymore).
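
The two replies above (the first describing the local-first, then cloud, connection order, and this one suggesting that the other models probably show up in the deny logs too, just less often) both come down to the same defender's check: pull the blocked camera-VLAN to client-VLAN flows out of the firewall log and compare how hard each source retries. The script below is an added example and is not from the thread or from Wyze. The log lines are constructed to resemble a simplified deny log; the field layout, the VLAN prefixes and the "aggressive" threshold are assumptions, and the format is not OPNsense's real filterlog output.

```python
"""Summarize blocked 'direct connect' attempts from a camera VLAN to a client VLAN.

Added example, not from the forum thread. Log format, addresses and
threshold are constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<iso-timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2024-01-10T19:02:01 block udp 192.168.20.31:6034 -> 192.168.10.15:50012
2024-01-10T19:02:01 block udp 192.168.20.31:6034 -> 192.168.10.15:50013
2024-01-10T19:02:02 block udp 192.168.20.31:6034 -> 192.168.10.15:50014
2024-01-10T19:02:04 block udp 192.168.20.31:6034 -> 192.168.10.15:50012
2024-01-10T19:02:06 block udp 192.168.20.31:6034 -> 192.168.10.15:50013
2024-01-10T19:05:30 block tcp 192.168.20.12:44121 -> 192.168.10.15:8800
2024-01-10T19:09:00 pass udp 192.168.20.31:3478 -> 52.1.2.3:3478
"""

CAMERA_VLAN = "192.168.20."   # assumption: the cameras' VLAN subnet
CLIENT_VLAN = "192.168.10."   # assumption: phones/laptops VLAN subnet

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>block|pass) (?P<proto>udp|tcp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match are skipped, not guessed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def blocked_cross_vlan(events):
    """Keep only blocked flows from the camera VLAN into the client VLAN,
    grouped by (source, destination, protocol) in log order."""
    groups = defaultdict(list)
    for e in events:
        if e["action"] != "block":
            continue
        if e["src"].startswith(CAMERA_VLAN) and e["dst"].startswith(CLIENT_VLAN):
            groups[(e["src"], e["dst"], e["proto"])].append(e)
    return groups


def summarize(groups, aggressive_threshold=3):
    """One row per (src, dst, proto): attempt count, target ports, time window,
    and whether the retry count meets the (assumed) 'aggressive' threshold."""
    rows = []
    for (src, dst, proto), evs in sorted(groups.items()):
        window = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        rows.append({
            "src": src,
            "dst": dst,
            "proto": proto,
            "attempts": len(evs),
            "dst_ports": sorted({e["dport"] for e in evs}),
            "window_s": window,
            "aggressive": len(evs) >= aggressive_threshold,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(blocked_cross_vlan(parse(SAMPLE_LOG))):
        print(row)
```

Run it against an export of your own deny log after adjusting the regex to your firewall's format: a source that shows up with many attempts in a short window is the "aggressive" behaviour discussed above, while a source with one or two entries per session is the quieter retry logic. Because the filter keys on the blocked cross-VLAN direction, passed cloud traffic (the `pass` line to a public address) is ignored, which is exactly the fallback path you expect to stay working.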

I am also running a more advanced home network using a Mikrotik SOHO class router and Meraki Enterprise grade APs. I have a bunch of VLANs and the IoT devices are on their own VLAN. It is entertaining at times to see what devices are trying to get to what. I have not looked at what the cameras are doing lately.

I am running TP-Link smart switches, an OPNsense firewall, and TP-Link access points which support multi-SSID (and each can be tied to different VLANs). Cheap, but effective.

I’m guessing the TP-Link Omada stuff? Very functional and the price is right.

In theory you might be able to set up a single subnet across two VLANs in OPNsense and still be able to filter traffic (only allowing the ports Wyze needs) since it is Linux based, but in reality I personally wouldn’t want to do this; isolation is a good thing.

Now if you wanted to stream them constantly all day using something like Tiny Cam or one of the programs that can run on linux to pull the feed, it might make sense. Though I’m not even sure if those have the intelligence to stream direct or if they just use the Wyze servers anyway. One would think they’d go direct (if they are able).

I actually thought about attempting a couple of VLANs across a single subnet, but I quickly decided against the idea. I wanted the clarity of distinct subnets to make troubleshooting and reporting easier. Yes, I have the EAP610 and an EAP670. WiFi 6E, and they are both Omada devices which I manage using the cloud controller to get access to all of the enterprise features. I did that originally to be able to use the mesh feature, but I have both of the access points directly wired to the network, so I don’t even use that.