A few years ago, my wife and I decided to get a CCTV security system. We didn’t know much about home security or security cameras at that point. But we wanted to be check in on our home while we were away.
But we felt deep unease about these brands storing our video footage on the cloud, especially indoor videos. Cloud-reliant security cameras were getting hacked left, right and center. Moreover, many useful features of these cameras such as advanced motion detection were locked behind monthly paid subscription plans. Even basic things like being able to review recorded clips!
So while the upfront costs looked low, ongoing costs would quickly balloon. This is the downside of the subscription-based model of business that most security camera companies are turning to these days. Don’t get me wrong, cloud backup is fine and serves as off-site backup. But having it shoved down our throats and having to pay for it is simply unacceptable.
But being the DIY and tech-crazy people we are, we decided to do it ourself – the ProDIY way, learning by doing, using excellent stand-alone IP cameras (like the Reolink E1 Pro), and high-quality yet affordable prosumer networking gear (like Ubiquiti’s Unifi range).
Today, we have a DIY CCTV home security camera system that we chose and set up ourselves based on months of research. It is ultra-reliable and has highly useful features such as interfacing fully with our Home Assistant and HomeSeer HS4 home automation system, yet is very affordable.
We often get questions about our DIY CCTV setup, such as how we are able to view our home security cameras securely from anywhere in the world. So we thought we would share our journey with you, our readers.
We will list our complete security camera setup and how we are able to safely and securely connect to our home from just about anywhere. Also we will go into not just a list of the different devices that form the system, but also how they all come together to help us achieve our specific security goals.
A quick note: As an Amazon Associate I earn from qualifying purchases. This post contains affiliate link(s). An affiliate link means I may earn advertising or referral fees if you make a purchase through my link, at no extra cost to you.
Our DIY Home Security Camera System goals were:
- Be able to simultaneously view multiple cameras on a single screen. This could be from a tablet while indoors and from our mobile phones and laptops remotely.
- Be able to record motion-detection clips and have the option to at record at least 2 weeks worth of 24/7 video footage.
- Be able to inform my home automation system whenever motion was detected so that I could take action such as turning on lights
- Get motion detection alerts by email with snapshots within seconds of the intrusion.
- High enough resolution to get a clear picture at day or night.
- Our privacy is paramount. All camera footage needs to be stored locally. No cloud-reliant stuff for us! We do not want to port forward cameras leaving the entire network vulnerable to hackers and botnets.
- Push notifications – a nice to have if it doesn’t compromise network security.
- The system should be flexible enough to grow and change according to our evolving needs.
- All of this should not break the bank! No monthly fees, no ongoing cloud subscriptions.
The End Result:
Here is a screenshot of how we live-view our IP cameras from our laptops and on the TV:
We can also access the cameras from our smartphones using either the tinyCAM Monitor Pro app or QNAP’s VMobile app to access the NAS (Network Attached Storage) NVR’s clips archives.
Whenever motion is detected by any of the IP cameras, the QNAP NAS informs our HomeSeer HS3 home automation system. HomeSeer then informs Home Assistant which can then turn on lights, play a siren alarm, send me video clips, anything I can think of really.
My step-by-step guide shows you how to connect QNAP Surveillance Station to Homeseer HS3/HS4. Eventually I plan to write how-to guides to replicate my entire smart home system setup.
Now let’s see what the security camera system part of our smart home network looks like (also see how we built our DIY Smart Home Automation system)
Our DIY Home Security System Network Setup
A topology is a representation of how a system is connected together. Network topologies may be either physical or logical. A physical network topology shows the actual physical layout and the connections between different elements. A logical network topology shows how they are functionally linked to each other.
Here’s a physical map of our entire smart home network. For a reliable and scalable surveillance system, you got to have the right network set up to support it. So let’s begin there.
The first thing you will notice is that there are a lot of different network components, and that devices are nicely siloed off into neat compartments (LAN, VLAN1, VLAN2…etc.).
Usually people just connect a Wi-Fi router to the ISP modem and call it a day. If you are just using a couple of wireless cameras, that will probably do.
But for our Pro-DIY system that is security and privacy-focused, we need to go further. We need to be able to defend our network from hackers and botnets. For this we need a strong and powerful hardware firewall.
We need to be able to isolate security cameras so that they cannot ‘dial home’ or leak data outside our network. Any device in our network we do not trust (like a Chinese security camera) shouldn’t be able to access sensitive personal devices like laptops and mobile phones of its own volition. For this we need the ability to create Virtual LAN (VLAN) networks.
Every consumer Wi-Fi router has a built-in firewall that offers basic protection. But they are often not very customizable. For example, in most cases you can’t create your own firewall rules. And most of them cannot create VLANs. So after dabbling with overpriced ‘prosumer’ ASUS router for some time, I switched to enterprise standard networking gear. I went with Ubiquiti’s Unifi range.
We have a large home and getting reliable Wi-Fi throughout has been an issue. I had realized we needed multiple Wi-Fi access points. But the house is already wired for gigabit Ethernet. So this was another reason to skip the consumer-grade mesh networks and just go with a reliable established enterprise brand.
Also when your network gets large and you have multiple devices (router, switches, Access points), it becomes difficult and time-consuming to configure and manage multiple devices.
Here are the advantage of the Ubiquiti Unifi line of enterprise class networking gear:
- Enterprise-grade hardware with higher reliability
- Central management dashboard
- Seamless Wi-Fi mesh network with Ethernet back-haul
- Affordably priced
- Ability to create VLANs
The easiest way to understand Unifi’s product line is this: a typical Wi-Fi router like Asus or Netgear is an all-in-one device.
There’s a router, a firewall, and Wi-Fi access point all rolled into one device for convenience. However this means that if you want advanced features, you have to shell out a lot of money.
Also if one function (like the wireless radios or the router part) fails, the entire network fails and you have to junk the whole device. Not great for redundancy or your wallet.
Full equipment list
The Networking Gear
Starting from the top left, we have a symmetric 500 mbps up/down fibre broadband connection. So the first device is the ISP modem which we cannot avoid. However, everything after that point is of our design.
After the ISP modem, comes the Unifi Security Gateway (or USG). This is our hardware firewall, serves as the DHCP router for the whole network and manages all the VLANs. The USG has a Dual-Core 500 MHz processor with 512MB RAM. It can handle up to 1,000,000 packets per second and a line rate of 3Gbps. It can more than handle our 500 Mbps broadband connection.
The ISP modem plugs into the WAN1 port. The USG has two physical LAN ports – LAN1 and LAN2. Each port will create a unique sub-net. I use only the LAN1 port for my network – I will refer to this as LAN. The Unifi system uses a central management portal for all device configuration and logging. You can run it off a computer and use it only when you need to configure devices.
Or you can get a Cloud Key, a small PoE device that hosts the controller software and logs network statistics locally 24/7. I don’t want a computer running all the itme, but I like to log all the data I can. So I went for the Cloud Key.
As mentioned in our goals earlier, we didn’t want to forward ports from the cameras to the Internet. The alternative to forwarding ports from the camera to the router and exposing them to the Internet, is to create a VPN connection to your home network so that you can dial in securely. For this you need an Internet-facing device in your home network that can act as a VPN server.
The Unifi USG does not natively support OpenVPN or Wireguard, like it does the L2TP or PPTP protocols. L2TP and PP2P have been compromised either by the government or by hackers.
Now QNAP has built into their NAS a VPN server app that supports all the major VPN protocols. In the beginning I used our QNAP TS-253A NAS as the VPN server for the entire home network. But I learnt that this is not secure, so I have PiVPN running on an Orange Pi Zero that also runs PiHole on my network. I chose the Wireguard protocol as it requires less resources than OpenVPN.
The Pi Zero’s Wireguard port is forwarded to the Unifi USG. No other port forwarding is present. The USG is configured with Dynamic DNS (DDNS) and so is always accessible from the internet using a friendly name, instead of the public dynamic IP address which ISPs change every so often. I use the excellent and free Afraid.org service.
We use the official Wireguard VPN client on our Android phones or laptops to connect to our home network, the Orange Pi Zero acting as the Wireguard server for the entire home network. This lets us access all our network resources as if we never left home, live-viewing and reviewing recorded footage is so easy.
I also recommend checking out the Unifi UDM Pro which is a newer device that fuses the USG and a managed 8-port switch into the same device. It is rack-mountable and so may be a better fit if you plan to have a server rack or cabinet.
Let’s explore LAN first. If you just want to create VLANs for WI-FI devices you don’t need a managed Ethernet switch – the Unifi wireless access points (WAP) can do that. But to create Ethernet-based VLANs, you need a managed switch.
I wanted to create a separate VLAN for my Ethernet connected devices: my Raspberry Pi4 running Home Assistant, Home Automation laptop running HomeSeer HS4, and another VLAN for my IP cameras.
I could use Wi-Fi for the laptop but I wanted Ethernet instead of Wi-Fi for 100% reliability of my Home Aautomation system. So I got the Unifi US-8-60W (image below), an 8-Port fully managed 802.3af PoE Gigabit switch. It has a fan-less design and thus is silent in operation.
The switching capacity is up to 8 Gbps total, and it can provide up to 15W output per PoE port. I use one of the PoE ports to power the Unifi Cloud Key.
The Unifi Wi-Fi Access Points are widely acclaimed for solid wireless performance. I went for the cheapest AP in their product range – the Unifi AP-AC-LITE (image below). Described as an 802.11ac Dual Radio Access Point, it can do up to 300 Mbps in the 2.4GHz band and up to 867 Mbps in the 5GHz band simultaneously.
You can power it via standard 802.3af PoE or Ubiuiti’s proprietary 24V PoE (if you are already invested in their older equipment).
I am able to create separate Wi-Fi VLANs for my personal devices (VLAN6), media devices (VLAN4) and indoor Wi-Fi cameras (VLAN5) because the AP-AC-LITE supports VLANs. I am very happy with this Access Point as a single AC-LITE covers my entire home.
I no longer experience dropped frames on my Wi-Fi cameras and overall responsiveness while browsing on my Samsung Galaxy S20 has improved noticeably.
The DIY Security Camera System
Outdoor IP Cameras
We have a few Hikvision IP cameras and some Reolink IP camera recording on motion detection to a Network Attached Storage (NAS) system from QNAP. They are connected to the TP-Link PoE switch which in turn is connected to the Unifi Managed Switch.
I created a VLAN (numbered as VLAN3) to group these 4 IP cameras together. The Unifi USG firewall allows me to then set up strict rules on what these cameras can and cannot do in my network.
For example, they cannot phone home to their Chinese manufacturers if they wanted to, they cannot access the Internet, they cannot even initiate any connection outside of the VLAN they are in. They can only respond to ONVIF and RTSP connection requests (using port number access controls on the Unifi USG). That’s what an advanced enterprise-grade firewall like the Unifi USG can do.
Here’s a review of one of the cameras I use:
Check out my recommendations for the best outdoor IP cameras without a monthly fee.
Indoor IP Cameras
We have 3 indoor security cameras. The Reolink C1 Pro and C2 Pro are connected via Ethernet and monitor the front and back doors. The Reolink E1 Pro is a Wi-Fi only camera and we use it as our baby monitor camera.
- 2.4/5 GHz WiFi, Ethernet
- 2.4/5 GHz WiFi, Ethernet
- 2.4/5 GHz WiFi only
Check out my recommendations for the best indoor IP cameras without a monthly fee.
Other Switches I use
TP-Link Gigabit PoE switch
The TP-Link TL-SG1008P Gigabit PoE switch powers the PoE cameras, and is connected to the Unifi Managed Switch. Read our review of this capable little switch.
Netgear 8-port Switch
You can never have enough Ethernet ports! The Netgear GS-308 8-port gigabit switch is an unmanaged switch. This means there are no settings to configure, it is truly plug and play. It has a sturdy metal chassis, auto-sensing 10/100/1000 Mbps port support and excellent real-world performance.
It also has LED activity, link speed and status LEDs per port. I have been using it for over 6 months now and it has been super reliable. Highly recommended plug and play switch for setting up your home surveillance network!
DIY Network Attached Storage (NAS) NVR
QNAP NAS TS-253A with 2x 3TB WD Red hard drive (WD30EFRX)
Now let’s move on to the NVR where the camera footage is recorded. You could take one of 3 Pro-DIY routes for recording video streams from your cameras:
- use an IP camera and NVR kit
- use a NAS as the NVR.
- use a PC as your NVR using NVR software like BlueIris
The main reason we went for the NAS is because it allows us to integrate the security cameras with our Home Assistant / HomeSeer HS4 home automation system without needing a powerful energy-guzzling computer to run BlueIris software 24/7.
NAS devices today are much more than just network storage, they are more like mini-servers. Generally they run their own Linux-based operating system that is accessed through a web browser.
Common uses for a NAS are centralized network storage, as a backup target, as a VPN client/server, and as a DLNA server for streaming your media across the house to multiple devices.
Synology and QNAP make NAS models that have powerful software running on them which makes them more like computers than dumb hard drives. But since they use Linux and specialized software, they can do a lot of things far more efficiently. So we use the NAS as the NVR, a VPN server, backing up our laptops, phones, and as a DLNA server. All for a few watts of energy usage.
We settled on the QNAP because it had slightly more powerful hardware, more features such as HDMI out ports, and 2 extra camera licenses over the Synology 416play. Both Synology and QNAP are great brands and both claim to be able to send push notifications to their respective mobile apps, but I haven’t tested this on our QNAP NAS.
The QNAP NAS has a built-in NVR software called Surveilance Station. So the QNAP records full resolution video streams from my 3 Hikvision cameras to its internal hard drives. You could get a dedicated NVR but as I said, we had other uses for the NAS.
QNAP now also have an alternative free NAS NVR app called QNAP QVR Pro which grants you 8 IP camera channels regardless of how many channels your NAS originally came with. Here’s a rundown of QVR Pro and how it compares to QNAP’s standard Surveillance Station software. This is incredible value and I highly recommend trying it out.
Please note that some QNAP NAS models come with only a license for 2 channels in the Surveillance Station app instead of the 4 channels included with the QNAP TS-253A. If you want to record more the included free channels, you will have to purchase additional licenses.
For the hard drive, I use the WD RED NAS drives. Check out my recommended surveillance hard drives for both NAS NVRs and dedicated NVRs.
Accessing the security camera system while at home
The QNAP NAS Surveillance Station can be accessed either via the web interface or the Windows QNAP QVR client software that you saw above in the screenshot.
The tinyCAM Monitor Pro app on our smartphones are all configured using the local IP address of the QNAP NAS and Hikvision cameras. At home, we just open the app and it simply works. No fuss. No hassles.
Accessing the security camera system from outside the home
Outside our home network, I simply need to connect to the VPN server (running on the the Orange Pi Zero as mentioned earlier), and all the apps and the QVR client on the laptop simply continue to work. This is the detailed process: So I use the Wireguard client on my laptop or phone to connect to the Wireguard server on the Pi Zero. Once connected, my PC is virtually part of our home network.
So our Hikvision & Reolink cameras are not directly exposed to the Internet. The Pi Zero running Wireguard server is, but this is a far better option because the Wireguard server is built for this purpose and has attack defeat measures such as IP exclusion, automatic IP bans based on rules etc. which the IP cameras simply don’t have.
Also the VPN server allows me to access the data on my QNAP NAS without hassle – my laptop or smartphone will think that they are in the local network. So all network drives automatically re-connect and the experience is seamless in terms of recently used files etc.
External IR Illuminators
Two basic IR illuminators for the backyard and 12V power adaptors that have lasted nearly a year now and are still going strong. These are of the 60 degree coverage variety, and you can also get wide-angle illuminators.
For Ethernet cables that run outside the home, I recommend using cables that are designed specially for this purpose – outdoor heavy-duty burial-grade CAT-5e or CAT-6 Ethernet cables.
This will ensure that you do not face issues with the cables such as breakage, little animals chewing the cables etc. Ensure that the cables are 100% pure copper and not the cheaper and inferior Copper Clad Aluminium(CCA) variety.
A CyberPower BRICs BR650ELCD (Line-interactive UPS – 390W/650 VA) to protect and power the entire system (13% load for all the above kit + a couple of other devices). I got a cheap yet reliable UPS which is officially compatible with the QNAP NAS.
If the power fails or supply voltage is outside the tolerance, it informs the NAS which is programmed to shut down gracefully. I also have a schedule to turn it on automatically every morning, which ensures the NAS will turn itself on the next morning if the power fails and it shuts down.
I believe the UPS has paid for itself. On several occasions, the NAS has informed me that it had shut down as instructed by the UPS.
64GB SD cards for all the cameras. 128 GB SD cards should also work but some cameras are a bit picky about which 128GB cards they will accept.
Make sure you use at least a Class 10 speed card so that you don’t suffer from dropped frames in the recordings. I use the SD cards to record motion detection alert clips. This is then yet another location where the clips are backed up.
The QNAP NAS comes with the free QVR Pro app. It supports all the features a good NVR has and it works very well.
We use tinyCam Monitor PRO app on Samsung Galaxy S9, Samsung Galaxy A5, Samsung Galaxy M10S and a Nexus 7 tablet. The tablet is our dedicated IP camera monitoring screen running the Imperihome Android app.
Storage capacity needed for QNAP Surveillance Station
Initially I recorded all my 3 external IP cameras 24/7 at 6Mbps bitrate and 10fps. This meant that the 1.5TB that I had set aside was good for 8-10 days of CCTV footage for all 3 cameras put together.
But I have since realized I don’t really need 24/7 recording and that replacing hard drives every year or so is no fun. Modern surveillance hard drives are rated for no more than 1 year of continuous operation. So now I just use alarm recording which places markers on the QVR Pro timeline so that I can jump directly to motion events.
The amount of storage you need depends on the quality and frame per second settings. After 3 years of experimenting with various quality settings, I have settled at 2Mbps and 6fps as we couldn’t see any improvement with higher settings.
I have also set the QVR Pro app on the QNAP to use only 1.5 TB (out of the 3TB available). So it automatically overwrites older recordings to maintain the 1.5TB quota. You can also specify number of days instead.
We hope this article gives you an insight into how you can set up your own DIY home security camera system. If you have any questions at all, please do not hesitate to get in touch through the comments field below.
A quick note: This article may contain affiliate links. If you click on one of these links and then purchase something, we may receive a fee. This does not cost you anything extra. Also note that Hikvision and Dahua do not consider certain platforms including Amazon as an authorized seller platform. So if you need warranty support please purchase from authorized resellers of Hikvision and Dahua products in your country.