u/Fancy-Big-576

I've been struggling for a few hours trying to get access to camera streams via NVR from a different VLAN using the mobile (Android) app. During troubleshooting i came across behavior that i can not explain. Hope some of you can help me understand the internals better.

Goals:

1. Prevent internet traffic from/to reolink devices
2. Allow access to live streams and recordings from
   • Inter-VLAN devices
   • Mobile devices via Reolink App (Android)
   • Mobile devices connected via WireGuard
3. Receive timely notifications (doorbell visitor) on Reolink app when connected remotely (WireGuard)

Discoveries so far:

1. When UID is disabled in Reolink streaming from mobile app is limited to same subnet traffic. Access via http(s) to either NVR or cameras is not affected by this.
2. Disabling UID won´t prevent Reolink from trying to access the internet whenever a camera stream is requested using the mobile app.
3. Blocking internet traffic (see previous discovery) to and from Reolink devices won´t prevent local or inter-VLAN access.
4. Accessing streams remotely (WireGuard) using the mobile app only works when accessing cameras directly. NVR streams won´t load.

To me the first two discoveries are weird, since the description of UID states: "Allow Reolink App/Client to access the device via WAN using UID.".

My question is if i should just keep UID enabled and block WAN traffic from the cameras or if there is another configuration i should consider. I'm also interested to learn if anyone has the third goal configured successfully with WAN traffic blocked to/from Reolink.