date 2022-02-11

Hi All,

Any help appreciated.

I have a Unifi USG, 2 APs and 3 switches.

All runs well with 3 VLANs. Spent a fair bit of time reading threads and posts on how to set VLANs up and the firewall rules.

Seems to be a bit of confusion (on my end) around the Dahua NVR.

I have a rule to block all traffic (Lan_IN) from the VLAN the NVR is sitting on, to stop it connecting to the internet, for general security purposes.

Question:

1) Can I create a firewall rule to allow only IVS email notifications to get through, and if so, what ports specifically from my NVR? From previous posts I have tried 2195 and 53, but it does not seem to work. I use Microsoft Outlook as the email server in the Dahua settings. I even went into SSH and looked at the logs when allowing emails to get through (disabling the general 'drop all' rule), but the source ports from the NVR destination always seem to change on each new email that is sent.

2) If this firewall rule is possible, where should it sit on the list?

I have:

Lan_in -

2001 - allow established and related (Before; accept; src is all local ips, dest is all local ips; state estab/related)

4000 - drop all Lan3 (CCTV VLAN network) - (after; drop; src is CCTV VLAN; dest is any; no states applied)

All other rules are the predefined ones.

I would really like to keep receiving email notifications from IVS alerts, but can't for the life of me figure out how, if at all, this is possible.

By having a general 'drop all' traffic to maintain NVR security, this may not even be possible - so if not, it would be good to know either way.
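
The changing source ports described in the post are ephemeral ports chosen per connection, so the fields that stay constant in such logs are the protocol and destination port. As an added example that is not part of the original post, this Python script groups constructed iptables-style log lines from one host by destination; the addresses, interface names and the use of port 587 for mail submission are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in iptables LOG key=value style. All addresses,
# interface names and ports are made up; 587 as the mail port is an assumption.
SAMPLE_LOG = """\
kernel: IN=eth1.30 OUT=eth0 SRC=192.168.30.10 DST=198.51.100.53 PROTO=UDP SPT=40112 DPT=53
kernel: IN=eth1.30 OUT=eth0 SRC=192.168.30.10 DST=203.0.113.25 PROTO=TCP SPT=51844 DPT=587
kernel: IN=eth1.30 OUT=eth0 SRC=192.168.30.10 DST=198.51.100.53 PROTO=UDP SPT=57301 DPT=53
kernel: IN=eth1.30 OUT=eth0 SRC=192.168.30.10 DST=203.0.113.25 PROTO=TCP SPT=38290 DPT=587
kernel: IN=eth1.30 OUT=eth0 SRC=192.168.30.10 DST=203.0.113.25 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth1.30 OUT=eth0 SRC=192.168.30.22 DST=203.0.113.80 PROTO=TCP SPT=44444 DPT=443
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def summarize_flows(log_text, source_ip):
    """Map (dst, proto, dport) -> set of source ports seen from source_ip."""
    flows = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("SRC") != source_ip:
            continue  # traffic from another host
        if "SPT" not in fields or "DPT" not in fields:
            continue  # portless protocols such as ICMP
        key = (fields["DST"], fields["PROTO"], int(fields["DPT"]))
        flows[key].add(int(fields["SPT"]))
    return dict(flows)


def stable_match_fields(flows):
    """Sorted (proto, dport) pairs: what a rule can match on reliably."""
    return sorted({(proto, dport) for (_dst, proto, dport) in flows})


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_LOG, "192.168.30.10")
    for (dst, proto, dport), sports in sorted(flows.items()):
        print(f"{proto} -> {dst}:{dport}  source ports seen: {sorted(sports)}")
    print("match on:", stable_match_fields(flows))
```
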