Most active commenters
  • eqvinox(6)
  • skopje(5)
  • tehlike(4)
  • shadowpho(3)
  • ssl-3(3)
  • mlrtime(3)
  • throw0101c(3)
  • bityard(3)

←back to thread

Power over Ethernet (PoE) basics and beyond

(www.edn.com)
257 points voxadam | 80 comments | 16 Oct 25 14:09 UTC | HN request time: 1.11s | source | bottom
1. skopje ◴[22 Oct 25 00:53 UTC] No.45663732[source]
PoE is awesome. My custom home security system is all CCTV PoE with a gstreamer backend running on four-core fanless linux box. Way to go. Complete control. No batteries, no wares spying on me, no personal data getting scraped by big guys. (Cloud connectivity sucks because I have segmented mp4s and jogging through them hurts but I only care for events after they happen, not while they happen.)
replies(6): >>45663770 #>>45664711 #>>45664915 #>>45665099 #>>45665193 #>>45667449 #
2. skulk ◴[22 Oct 25 00:59 UTC] No.45663770[source]
Got any recommendations on what cameras to get? The market is absolutely flooded with cheap shitty cloud-connected all-in-one cameras making it hard to find good, simple products.
replies(8): >>45663830 #>>45663833 #>>45664313 #>>45664727 #>>45664951 #>>45665239 #>>45669025 #>>45670401 #
3. stargrazer ◴[22 Oct 25 01:09 UTC] No.45663830[source]
reolink, also look at the frigate nvr software, they have a list for decent recommendations
replies(3): >>45664030 #>>45665227 #>>45668651 #
4. lights0123 ◴[22 Oct 25 01:09 UTC] No.45663833[source]
Any of those that mention ONVIF or RTSP will do if you put them on a LAN without internet access
replies(2): >>45665238 #>>45665395 #
5. zer00eyz ◴[22 Oct 25 01:42 UTC] No.45664030{3}[source]
This is the way.

Reolink cameras are pretty good for what they are. Just dont buy into their NVR solution...

Frigate also has some interesting applications to go along with it, see: https://github.com/mmcc-xx/WhosAtMyFeeder

I also have YOLO on my to do list for the home cameras.

replies(1): >>45666034 #
6. Cyberdogs7 ◴[22 Oct 25 02:34 UTC] No.45664313[source]
I have built out several Amcrest systems. You have the many options for recording and access, that will allow remote access without going to the cloud.
7. shadowpho ◴[22 Oct 25 03:44 UTC] No.45664711[source]
Poe is great for many things, but it’s not as efficient as direct connection (for both low and high power.)
replies(2): >>45665889 #>>45667292 #
8. foobarkey ◴[22 Oct 25 03:48 UTC] No.45664727[source]
The cheapest (~15 USD bullet, 20 USD dome) PoE cameras on AliExpress (focal length is pretty much the most important parameter to look at, depending on the fov you want) hooked up to a Unifi NVR. Skip all the vendor manuals, setup steps, and apps - adopt them directly to Unifi Protect.

I put them on separate vlan where they get no outbound network connectivity.

For cases where you want things like facial detection or license plate detection (automatic doors/gates) get a Unifi AI though and those things cost, but for normal perimeter/room monitoring the cheap ones are very good

replies(3): >>45665400 #>>45667393 #>>45669430 #
9. yardstick ◴[22 Oct 25 04:35 UTC] No.45664915[source]
Do you upload events to a remote location? How is your storage box secured against theft? That’s my biggest concern for doing local cctv- if you are robbed, they’ll grab anything that looks of value.
replies(1): >>45665246 #
10. mlsu ◴[22 Oct 25 04:42 UTC] No.45664951[source]
I got a lot of 6 Axis cameras from eBay, it was around $200. I think they took them off a school or something but they were in great shape. They look great and have no spyware etc because it’s an industrial company. I recommend getting some industrial surplus because they tend not to have all the bloatware and have significantly better weatherproofing, casing, etc, even if the optics are the same as the consumer units.
replies(2): >>45671509 #>>45673445 #
11. dheera ◴[22 Oct 25 05:11 UTC] No.45665099[source]
Except when it isn't awesome. There are multiple PoE standards. Passive PoE, active PoE, PoE+, PoE++, PoE+++, 802.11af, 802.11at, 802.foo, blah blah.

If they had just stuck with 12VDC and buildings had 12VDC wall sockets everywhere, everything would have been fantastic.

I also had a PoE HAT for a RPi that smoked it. Never doing PoE again. 48V and 3.3V electronics probably don't belong within 10cm of each other.

replies(7): >>45665150 #>>45665155 #>>45665251 #>>45665484 #>>45665487 #>>45670739 #>>45673430 #
12. varenc ◴[22 Oct 25 05:22 UTC] No.45665150[source]
I use a PoE "extractor" to power my RPi over PoE and it works great. The extractor does the negotiation and safely gets the normal 48V PoE power, then converts that to 5V outputted on a USB-C cable that powers the RPi. Extractor also has an Ethernet[1] passthrough port that goes into the RPi as well. A bit basic, but seems relatively error proof.

[1] https://x.com/varenc/status/1961587127931867466

13. buccal ◴[22 Oct 25 05:23 UTC] No.45665155[source]
240V AC and 5V DC manage to live close in a charger without problems. Problems with quality does not depend on voltage. I love the concept of PoE with one exception that it requires constant 1W or similar load to work even if it is not needed for low power device.
replies(1): >>45669791 #
14. benoliver999 ◴[22 Oct 25 05:29 UTC] No.45665193[source]
What switch do you use? I have PoE wifi APs throughout the house, but I bought an Aruba switch and it's super noisy tbh. Fine for me because it's in the basement, but I couldn't recommend it
replies(2): >>45665266 #>>45665315 #
15. aivisol ◴[22 Oct 25 05:35 UTC] No.45665227{3}[source]
Reolink with Synology NAS using their native Surveillance app. All stored locally, no cloud. One issue with Reolink I haven’t solved is that it is unable to detect approaching cars in the night. Departing cars work fine though. Otherwise no complaints.
replies(1): >>45667415 #
16. kalaksi ◴[22 Oct 25 05:38 UTC] No.45665238{3}[source]
Not my experience. I've tried several such cameras and most of them are underpowered and suffer from very low fps or are fine when there's no movement but with movement the fps drops drastically essentially making the camera close to useless.
17. skopje ◴[22 Oct 25 05:38 UTC] No.45665239[source]
https://www.cctvsecuritypros.com/

Blue-line domes, the $240 ones. Four of them. I'd get more but do not know how to make outside routing look neat. i have one bullet and i don't like it and don't use it, i prefer the wide-angle domes with ir.

18. skopje ◴[22 Oct 25 05:40 UTC] No.45665246[source]
yes that is something you need to decide for yourself i'm ok with it. i push my segments up to an s3 bucket but yes if they find the box before the rsync i lose. oh well. there's much more valuable stuff in the house they'll probably go for first. i suspect junkies aren't that smart.
19. skopje ◴[22 Oct 25 05:41 UTC] No.45665251[source]
I never had to know the difference. I have four cctv cams on ~100ft of cat5 each. didn't have to think about it, just plugged them in and they worked.
20. skopje ◴[22 Oct 25 05:42 UTC] No.45665266[source]
some netgear 8-ch poe switch. i don't recall. it's been on and running for about 8 years with no issues, way up near the ceiling of my garage, covered with dust. its plugged into a wrt1900 router i bridged via wifi to my main router.
replies(1): >>45667270 #
21. ssl-3 ◴[22 Oct 25 05:50 UTC] No.45665315[source]
At one of our offices (it is not a large office), I have a 24-port Netgear POE switch running the show. If it has a fan inside (it may! there's cutouts for fans on the sides of the chassis but I have not looked inside), I've never heard it.

It fit the price-performance curve for our needs several years ago when we eventually outgrew the previous Netgear POE switch...that was also apparently fanless, and that I installed in 2007.

IIRC, it is a GS724TP. It's running a dozen cameras and some access points, and almost all of the rest of the ports are filled up with computers and printers and other Ethernet stuff. No issues at all to to report so far.

(A used enterprise switch with serious fans may be cheaper and/or more featureful and/or more reliable, but do we need that kind of noise at home? We sure don't need it at that small office.

I've also installed some fanless Cisco POE switches with big heatsinks (and dual power supplies, each fed from different sources) on some high-dollar projects where ultimate reliability was kind of a big deal, but... sheesh.

If one of these installed Netgear switches dies in one of these low-risk environments, I'll just patch things up for now and get a replacement coming under warranty.)

22. ssl-3 ◴[22 Oct 25 06:08 UTC] No.45665395{3}[source]
Aye.

ONVIF is the (now quite old, but still very relevant) standard for interfacing IP cameras locally on a network.

A cheap-but-performant ONVIF camera on an isolated VLAN (or a physically-isolated network; I won't tell anyone) can be a thing of beauty that is also completely unable to call home to some mothership in the clown.

I'm frankly very surprised that I don't see it mentioned here more often when discussions of cameras arise.

https://en.wikipedia.org/wiki/ONVIF

replies(1): >>45667408 #
23. vulkoingim ◴[22 Oct 25 06:09 UTC] No.45665400{3}[source]
I would argue sensor size is what's most impotant to look for in a camera.

Have a look at this thread [1] I have bookmarked. I found it quite informative. I already got some cheap cameras and set them up, but I wish I would have found it earlier. The ones I got are 4MP with 1/3" sensor and perform absolutely terribly in night setting.

[1] https://ipcamtalk.com/threads/getting-cameras-with-the-right...

24. ssl-3 ◴[22 Oct 25 06:23 UTC] No.45665484[source]
> If they had just stuck with 12VDC and buildings had 12VDC wall sockets everywhere, everything would have been fantastic.

Huh? We used to have low-voltage AC and DC powered cameras in the world (and we still do, too).

Those are awful in implementation because buildings, whether or old or new, don't have 12VDC sockets everywhere -- or at all, really.

Nor should they have 12VDC sockets for cameras; they're unnecessary.

I've run my share of siamese coax for low-voltage-fed analog cameras, and also separate power for low-voltage Ethernet-connected cameras, and I'm completely over those concepts.

With proper-fucking IEEE POE, we have standards and it only takes one cable to make it work properly instead of more than one.

If a switch isn't up to the power demands of a particular camera, then: No big deal. I can upgrade or supplement that switch without rewiring even more of the building than was already necessary to get Ethernet going.

(Structured cabling for the win.

Passive POE: Not even once.)

replies(1): >>45665524 #
25. eqvinox ◴[22 Oct 25 06:23 UTC] No.45665487[source]
> There are multiple PoE standards.

No, there aren't, not in the way you imply. There is the IEEE 802 PoE standards, which are all compatible (save for not enough power), and designed to carefully negotiate and especially never break non-PoE devices. And there is bullshit (sorry) like "Passive PoE" that is ironically an active violation of the IEEE specs, can break pretty much anything, and you shouldn't buy so the likes of Ubiquiti and Mikrotik finally get the wallet vote and stop f*cking doing. Unfortunately, the proper PoE PD logic is a few dollars of extra expense.

Yes, there is a slightly higher risk of killing devices due to faults in the PoE supply logic. I have the official PoE HAT for a RPi 4. I have to say it is somewhat poorly designed due to space constraints; the isolation between 48V and 3.3V should be better. I'm not even sure the RPi PoE HAT is spec compliant.

But I don't think you can/should blame this on PoE.

replies(1): >>45665551 #
26. eqvinox ◴[22 Oct 25 06:28 UTC] No.45665524{3}[source]
> Passive POE: Not even once.

Amen.

27. yread ◴[22 Oct 25 06:32 UTC] No.45665551{3}[source]
I have a ubiquiti 30w poe+ injector that somehow doesnt provide enough power for 20W aruba AP. When I plug it in a 120W switch it works unless the cable gets too twisted or something. I vote not awesome
replies(2): >>45665608 #>>45673523 #
28. eqvinox ◴[22 Oct 25 06:39 UTC] No.45665608{4}[source]
Don't buy Ubiquiti. Personally speaking, anyone doing passive PoE (even if only on other device series you're not looking at) is automatically on my shitlist.

I'm not surprised they can f* up a basic PoE injector. The reason for doing passive PoE is saving a few bucks, on the back of safety and compatibility. Of course they would try to pinch hard on the PoE injector too.

Oh and I'd say they (together with Mikrotik) are responsible for 90% of the bad rep PoE gets. The IEEE 802 stuff really just works. And I say that having been part of rolling out 15000 people conference deployments with several hundred wifi APs in the span of a few days. The only real problem is broken cables, but the Ethernet link commonly fails before PoE is impacted.

replies(2): >>45667969 #>>45671901 #
29. rjdj377dhabsn ◴[22 Oct 25 07:31 UTC] No.45665889[source]
Why's that?
replies(2): >>45666423 #>>45671318 #
30. mkl ◴[22 Oct 25 07:53 UTC] No.45666034{4}[source]
What's wrong with their NVRs? I have one connected to some Reolink cameras (though not yet the full house-surrounding setup I have planned) and it seems fine so far.
31. jansper39 ◴[22 Oct 25 08:53 UTC] No.45666423{3}[source]
You have to convert the power to 48v and back down to whatever you need on the other end which has losses, plus you have losses over the cable too.
replies(1): >>45669483 #
32. debian3 ◴[22 Oct 25 10:54 UTC] No.45667270{3}[source]
GS308EP or EPP if you need more power budget.

Netgear are hard to beat in terms of reliability/price. They also have a 5 and 16 ports fanless version.

I also got an old Juniper EX2200 24ports and replaced the fans with quiet noctua. It run quite hot, better go with Netgear.

33. foofoo12 ◴[22 Oct 25 10:58 UTC] No.45667292[source]
That's pretty much stating the obvious. X is great for many things, but it’s not as efficient as Y.

Life is a balance between inefficiency and inconvenience. Throwing that statement in without actual numbers is just derailing the conversation.

34. mlrtime ◴[22 Oct 25 11:15 UTC] No.45667393{3}[source]
Thanks!

Any specific POE with a good sensor/fl on ali that you recommend? I'm all POE/Protect but would like to play with some cheaper poe cameras.

35. mlrtime ◴[22 Oct 25 11:17 UTC] No.45667408{4}[source]
ONVIF has it's own problems, like when a NVR require ONVIF and all you have is rtsp. You need to convert somehow.

Or ONVIF has a multiple cameras behind a IP, but a crappy ONVIF client only picks one (Unifi Protect).

replies(2): >>45668367 #>>45669325 #
36. mlrtime ◴[22 Oct 25 11:18 UTC] No.45667415{4}[source]
Dont dorget to pay Synology for the extra licenses for more cameras.
replies(1): >>45669878 #
37. benhurmarcel ◴[22 Oct 25 11:21 UTC] No.45667449[source]
If one of those cameras is outside, did you consider the case of someone plugging in his laptop on that ethernet cable? He'd be on your local network.
replies(6): >>45667551 #>>45667567 #>>45667989 #>>45669412 #>>45671399 #>>45672136 #
38. teddyh ◴[22 Oct 25 11:35 UTC] No.45667551[source]
Zero-trust networking.
39. matt-p ◴[22 Oct 25 11:36 UTC] No.45667567[source]
You would normally put CCTV on its own vlan for this reason.
replies(1): >>45668917 #
40. deviantintegral ◴[22 Oct 25 12:23 UTC] No.45667969{5}[source]
Ubiquity only did passive PoE in the very early days. Everything has been 802.11 variants for a long while wow. The injectors that shipped a decade ago with my APs were all 802.11af.
replies(2): >>45670528 #>>45670961 #
41. transpute ◴[22 Oct 25 12:25 UTC] No.45667989[source]
MACsec, https://forum.openwrt.org/t/macsec-802-1ae-with-802-1x-eapol...
replies(1): >>45668639 #
42. brk ◴[22 Oct 25 12:57 UTC] No.45668367{5}[source]
ONVIF and RTSP are different things. ONVIF is a device and services discovery protocol RTSP is a video streaming protocol.

ONVIF can be used to discover a camera on a network, query it for its RTSP URL, and facilitate a connection between a client service and the RTSP stream. But you can't stream video via "ONVIF".

43. bc569a80a344f9c ◴[22 Oct 25 13:15 UTC] No.45668639{3}[source]
MACSec is irrelevant for this purpose. MACSec encrypts points to point links, it doesn’t authenticate. That’s what 802.1x is for.
replies(1): >>45670987 #
44. stevenhubertron ◴[22 Oct 25 13:16 UTC] No.45668651{3}[source]
I’m less happy with Reolink and most of Reolink are now in a drawer. Been a fan of Amcrest and Scrypted.
45. EvanAnderson ◴[22 Oct 25 13:34 UTC] No.45668917{3}[source]
Absolutely. Ideally one with Private VLAN[0] functionality and an upstream router configured to allow the CCTV server to pull video streams from the camera while disallowing any outbound communications from the cameras themselves.

[0] https://en.wikipedia.org/wiki/Private_VLAN

46. throw0101c ◴[22 Oct 25 13:41 UTC] No.45669025[source]
Depending on your paranoia level, there are lists of National Defense Authorization Act (NDAA: i.e., non-Chinese) camera OEMs:

* https://www.a1securitycameras.com/blog/non-chinese-security-...

Some names: Axis, Avigilon, Bosch, Vivotek, Hanwha Techwin (SK), Acti (TW), Motorola, Mobotix.

replies(1): >>45669425 #
47. baby_souffle ◴[22 Oct 25 14:01 UTC] No.45669325{5}[source]
I have also found that poor onvif implementations run as root and not as any other user. If you’re sending auth creds, better make sure you have something protecting them on the wire…

And profiles. There are many different feature sets in onvif and just because a camera has onvif logo or compatibility doesn’t mean it will play nice with your gear.

48. tehlike ◴[22 Oct 25 14:07 UTC] No.45669412[source]
Vlan is the answer.
replies(1): >>45669481 #
49. tehlike ◴[22 Oct 25 14:09 UTC] No.45669425{3}[source]
With local restricted vlan, it doesn't matter as much, unless they expose a wireless endpoint (wifi or otherwise).
50. tehlike ◴[22 Oct 25 14:09 UTC] No.45669430{3}[source]
I got a bunch of annke dual lenses, put some in their own local only vlan, others waiting to be installed.
51. beala ◴[22 Oct 25 14:13 UTC] No.45669481{3}[source]
This is a pretty significant lift for most home networks, both in terms of cost and complexity, but I agree it’s the right way to go. If you’re upgrading to a PoE switch, you might as well go all the way and make it a managed switch.
replies(2): >>45670986 #>>45671789 #
52. rubatuga ◴[22 Oct 25 14:13 UTC] No.45669483{4}[source]
Well quite frankly 48V has lower losses than 12V
replies(1): >>45671353 #
53. dheera ◴[22 Oct 25 14:37 UTC] No.45669791{3}[source]
> 240V AC and 5V DC manage to live close in a charger without problems.

I mean, yes and no. My laptop case is at 78VAC to ground right now. It gives the tingles. I don't use my laptop much while plugged in. They all skimp on making proper 3-pronged chargers these days. My desktop has a grounded case and doesn't have this issue.

My phone, when plugged into wall AC, the touch screen stops working because the whole phone is at an elevated potential and it messes up the capacitive sensing.

54. aivisol ◴[22 Oct 25 14:43 UTC] No.45669878{5}[source]
Yes I did pay for extra licenses. I also paid for the cameras to Reolink and disks to WD.
55. craftkiller ◴[22 Oct 25 15:13 UTC] No.45670401[source]
I'd recommend checking out "Project Farm" reviews. They do actual tests and comparisons of products rather than the current trend of reading off marketing copy and shilling sponsored products. I've seen some of their reviews on cameras and the difference in clarity across brands is shocking. Not that important if you just want to know "my package was stolen", but very important if you want to read their license plate.

Here is one such review: https://www.youtube.com/watch?v=HYUY61ZFZAs

replies(1): >>45671461 #
56. eqvinox ◴[22 Oct 25 15:22 UTC] No.45670528{6}[source]
https://eu.store.ui.com/eu/en/products/loco5ac

Still being sold with 24V passive "PoE"

(It's 802.3af btw)

57. numpad0 ◴[22 Oct 25 15:36 UTC] No.45670739[source]
The (negative)48VDC voltage comes from regular telephones. So did the RJ45(8P8C) plug. It's not an invented thing.
58. wolrah ◴[22 Oct 25 15:49 UTC] No.45670961{6}[source]
The UniFi line has moved away from passive PoE. The "UISP" line is almost exclusively passive PoE, even for brand new products. Ubiquiti has proven they know how to make devices that support both when they transitioned the UniFi line, but they actively choose not to and to enforce the use of bad nonstandard trash with their new products in their ISP product line.
replies(1): >>45672741 #
59. thmsths ◴[22 Oct 25 15:50 UTC] No.45670986{4}[source]
I would assume that putting a router between the POE switch and the rest of the network would work too and basic routers are cheap.
60. RationPhantoms ◴[22 Oct 25 15:50 UTC] No.45670987{4}[source]
No it isn't. Most MACsec-capable platforms have a "must-secure" or "should-secure" transmission mode.

If the security association isn't completed on a "must-secure" configured port then no traffic is transmitted. One would need access to the pre-shared keys to successfully use the link.

Now, could one perform a side-channel attack of the memory on the camera and get access to them? Maybe.

replies(2): >>45672024 #>>45682432 #
61. shadowpho ◴[22 Oct 25 16:11 UTC] No.45671318{3}[source]
At higher power the Ethernet drops quite a bit of voltage/power compared to the wiring in your walls. Furthermore 48v vs 110v is double the amperage/more loss on top of that.

Then there’s double/sometimes triple conversion (120:48 and then 48:dc; 120:48 and then 48:12, and then 12:dc).

Furthermore magnetics are a must on both side of the PoE which also isn’t great.

At lower power there’s more circuitry to run and multiple conversions aren’t great compared to a simple cheap flyback.

For more technical feel free to check here, although it isn’t quite end to end: https://e2e.ti.com/cfs-file/__key/communityserver-discussion...

62. shadowpho ◴[22 Oct 25 16:13 UTC] No.45671353{5}[source]
110v -> 48v (long thin cable) -> 12v

Versus

110v (long thick cable) -> 12v

Top has more conversions and more current running on smaller gauge

63. bityard ◴[22 Oct 25 16:16 UTC] No.45671399[source]
If someone can roll up to your property undetected and get physical access to the network, then the security cameras aren't even doing their job.
64. bityard ◴[22 Oct 25 16:20 UTC] No.45671461{3}[source]
He does a good job at reviewing the cameras themselves but IIRC, all of the cameras he reviewed require cloud connectivity, and many of those clouds are "overseas."
65. bityard ◴[22 Oct 25 16:23 UTC] No.45671509{3}[source]
I was under the impression that most commercial/industrial cameras all required some kind of proprietary ecosystem of peripherals and controllers. Do those work with open source DVR solutions like frigate? (If so, did you know that before you bought them?)
replies(2): >>45673015 #>>45673498 #
66. mmmlinux ◴[22 Oct 25 16:45 UTC] No.45671789{4}[source]
When you get to the point of building out your own ip security camera system and then worrying that some hacker is going to roll up and plug in to one of your cameras. you probably already have vlans going.
replies(1): >>45682143 #
67. radicality ◴[22 Oct 25 16:52 UTC] No.45671901{5}[source]
Fwiw, I’ve had a few different PoE switches from Ubiquity and at least so far haven’t had any problems with the switches. My current one is the 48 Pro-Max etherlighting , and I have around fifteen PoE devices and it’s pretty much plug and play always.

I did have issues with some of their other products - eg an old CloudKey gen1 that I had remotely in my parents place that I think ran out of space to the point it can’t update itself and can’t compact some old mongodb.

68. mkipper ◴[22 Oct 25 17:01 UTC] No.45672024{5}[source]
This is veering into pedantry, but from what I can understand of that setting (I'm not a sysadmin guy but have used MACsec on embedded stuff), that's just as much of an 802.1X feature as a MACsec feature.

Sure the switch will only accept encrypted L2 traffic...but that encrypted link is set up via MKA, which is a part of the 802.1X standard. If you don't have 802.1X authenticating the endpoint, you don't have MKA setting up the encrypted link between that endpoint and the switch and you don't have MACsec.

So if you're trying to prevent a bad guy from getting on your LAN, you need 802.1X, whereas MACsec is an optional extra (a very useful extra if you're worried about MITM attacks). But 802.1X is still doing the heavy lifting w.r.t access control.

replies(2): >>45672329 #>>45681384 #
69. nucleardog ◴[22 Oct 25 17:10 UTC] No.45672136[source]
I did. Implemented a "simple" solution (simple for anyone who is going to be setting up their own IP camera system and NVR):

Cameras are on their own VLAN. Port isolation is enabled so they can't connect to each other. Only connectivity allowed to/from that VLAN is from the cameras to the router for NTP, and from the NVR to the cameras.

So if you plug in you can... check the current time on my router. Maybe see how many other cameras are on that segment? Likely not going to get very far given you're already caught on camera, an alert's been fired, and pretty soon I'm going to be making a call to the police.

70. brohee ◴[22 Oct 25 17:25 UTC] No.45672329{6}[source]
802.1x-2010 includes MACsec. 802.1x without MACsec is mostly a joke, (802.1x-2002 IIRC) you just get a legit device to open the port...
71. varenc ◴[22 Oct 25 17:54 UTC] No.45672741{7}[source]
The majority of UISP devices they sell are all relatively old products. For example the 'NanoStation 5AC Loco' is a great $50 product that continues to work well, but it was released in ~2019. And they continue to sell new models of products that have been unchanged for over a decade.

In the last 2 years they've released very few new UISP products and you're right that they continue to be passive PoE. I suspect this is for continued compatibility with their older product line. Upgrading from passive PoE to active 802.3 PoE requires replacing the injector and maintaining passive PoE makes it easier to upgrade. And the UISP product line is really meant for wireless ISP operators, not consumers, where the risks of passive PoE are smaller.

Anyway, I agree with the sentiment, but I don't hold it against Ubiquiti too much for continuing to use passive PoE for their UISP line, since I think it makes sense for their customers. As so-so work around you can get a 802.3 -> passive 24V converter: https://store.ui.com/us/en/products/ins-3af-i-g

replies(1): >>45681306 #
72. mlsu ◴[22 Oct 25 18:13 UTC] No.45673015{4}[source]
Onvif is the keyword, if it’s supported it works with frigate. I think most of the industrial cams are not as locked down as you might think. They are infrastructure so vendors aren’t going to force customers to tear down their existing setup.
73. throw0101c ◴[22 Oct 25 18:45 UTC] No.45673430[source]
> Except when it isn't awesome. There are multiple PoE standards.

There are three: IEEE 802.11af, at, and bt.

af can deliver up to 12W at the powered device (PD), at delivers up to 25 W, and bt either 51W (Type 3) or 71W (Type 4):

* https://en.wikipedia.org/wiki/Power_over_Ethernet#Standard_i...

Any device you purchase should list the IEEE standard it supports and how much power it may draw.

74. bobbob1921 ◴[22 Oct 25 18:46 UTC] No.45673445{3}[source]
This! I manage about 70 CCTV cameras, over the past 15 years. Partially as a hobby. and axis cameras are the best bar none. They are expensive, but if you don’t have a need for the latest gen axis, then eBay is your friend, along with one or two generation prior of axis current gen cams. They are just very well thought out in terms of installation, and ui/operation. Axis is among the most responsive to security issues (which mostly can be negated by controlling your cameras at the network level through vlans and firewall rules). They have a very intuitive web based UI, for example one well thought out ability is through events/rules- you can add a physical SD card into the camera and set up a rule that if the video feed is not being accessed ( set a inverse trigger for “live stream accessed”) then start recording to the on-cam SD card (i.e. your NVR has gone off-line or a network issue is stopping the feed, then you have onboard storage saving that video). That’s just one example.
75. bobbob1921 ◴[22 Oct 25 18:51 UTC] No.45673498{4}[source]
Another method that most cameras support (if you want the bare basics of record video/audio) is accessing an RTSP stream from the camera. In fact RTSP streams are the primary way you get video into frigate specifically. Some of the more fancy cam manufacturers (axis), are just now starting to support encrypted RTSP , but most of it is unencrypted. you can enable authentication, however in general if you’re doing this over the Internet you do it over a VPN via un encrypted rtsp
76. throw0101c ◴[22 Oct 25 18:52 UTC] No.45673523{4}[source]
> I have a ubiquiti 30w poe+ injector that somehow doesnt provide enough power for 20W aruba AP.

What's your cabling like? Contact Ubiquiti? Looking at the datasheet, I do not see any IEEE standards listed, so they could be doing their own thing:

* https://dl.ubnt.com/datasheets/poe/PoE_Adapters_DS.pdf

You don't mention a specific Aruba AP, but their AP22 stuff lists the needed IEEE standard and wattage:

* https://instant-on.hpe.com/products/access-points/access-poi...

77. eqvinox ◴[23 Oct 25 13:00 UTC] No.45681306{8}[source]
> And the UISP product line is really meant for wireless ISP operators, not consumers, where the risks of passive PoE are smaller.

I'm afraid that's not how it works out in actual practice, it's the other way around:

WISP devices are installed in random people's windows, roofs and chimneys. The injector might end up behind their TV set. If their TV doesn't work, they unplug and replug random things. Which will fry whatever has the unlucky pleasure of ending up on the output side of the injector. I'm unfortunately speaking from experience.

Meanwhile, people buying and putting up a wifi AP beyond their CPE wifi router tend to have a bit of understanding. If you told them to never plug anything other than the given device into the output side of an injector, it'd probably go reasonably well.

78. eqvinox ◴[23 Oct 25 13:09 UTC] No.45681384{6}[source]
> This is veering into pedantry,

It's not veering, it's a full on car crash ;)

You run MACsec either with 802.1X, or with your switch vendor's favorite color of proprietary switch-to-switch 802.1X replacement. MACsec without 802.1X [or equivalent] is a bit like TLS without certificates. It exists in a few places because some people have really weird custom requirements (TLS with pre-shared keys… TLS with NULL encryption…) but those things shouldn't drive a discussion outside their special usage areas.

In that sense: MACsec implies and requires 802.1X. Exceptions confirm the rule.

79. tehlike ◴[23 Oct 25 14:22 UTC] No.45682143{5}[source]
The more likely scenario is camera firmware being compromised and either allowing outbound or inbound connections, either of which can be prevented with a firewall+vlan
80. graealex ◴[23 Oct 25 14:46 UTC] No.45682432{5}[source]
What's everyone here talking about?

The absolute low-tech solution would be to dedicate a switch for it.

If you have decent infrastructure with a managed switch, you can easily create a VLAN.

Besides the fact that the female RJ45 is usually inside the dwelling. You'd have to unmount the camera, pull out the cables and connect to it, all at typical heights of 6' and above. That's maybe a concern in commercial setups, although then we're circling back to VLAN.