Setting up a Niko video kit (510-01501) on a restricted network



The Niko 510-01501 video kit is a video doorbell set with a DIN-rail-mounted controller that integrates into your local network (LAN). Even though Niko is a reputable manufacturer, you're still putting a closed, proprietary system on your home network, and one that in the worst case comes with a physical attack vector: the doorbell itself hangs outside. Since Niko requires a network connection for the set to function, I wanted to lock things down as much as possible. That meant:

  • A dedicated VLAN for the controller
  • A tight firewall that allows no outgoing traffic other than the ports I specified

Since Niko uses a few cloud providers, which typically operate across large IP ranges that can change over time, I decided not to restrict the destination IP ranges. That is a trade-off: a port-only rule lets the controller reach any host on those ports, but it won't silently break the doorbell when a provider moves to new addresses.

Finding out the needed ports and tracing the IP addresses

A 'funny' thing happened once I fired up the controller. First off, it complained that it could not set up the video doorbell. That turned out to be a firewall issue: I hadn't opened any ports yet, and it kept phoning home to the cloud. Niko could be more helpful here and publicly document which ports need to be open. All they have up is a reference to what seems to be a different video kit, since virtually none of the port ranges mentioned there apply here. Looking up the owners of the IP addresses the video kit calls out to gives the following list of cloud providers:

  • Amazon Web Services
  • CDS Global Cloud
  • Cloudflare
  • Tencent
  • Zenlayer Inc

From this list, Tencent is a bit worrying. The controller hit Tencent addresses when I pushed the 'firmware update' button, so that's probably where the firmware updates are hosted, and judging by the port involved (80, TCP) most likely over plain HTTP rather than TLS, which means the integrity of an update rests entirely on whatever signature check the controller performs itself. Not that strange if the kit is manufactured in China, but I would expect Niko to keep some control over the firmware, and at least to host it themselves somewhere in the EU.

CDS Global Cloud and Zenlayer Inc are two cloud players I never heard of before they showed up here.
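To find the ports and addresses yourself, capture the controller's traffic on the router (or on a mirror port) and reduce it to one line per destination. The script below is an added example, not something from the original post: it parses the default text output of `tcpdump -n` for a single source host, counts TCP connections by their SYN packets (so a long session counts once) and UDP by datagram, and prints `proto dst_ip dport count`. The controller address 192.168.50.10, the router address 192.168.50.1 and the sample capture lines are all constructed for the example; the destination addresses are from the reserved documentation ranges, not real provider addresses.

```shell
#!/bin/sh
# Summarise the outbound connections of one LAN host from a `tcpdump -n` capture.
# Added example for this post; assumes tcpdump's default text format:
#   "HH:MM:SS.usec IP src.sport > dst.dport: Flags [S], ..."   (TCP)
#   "HH:MM:SS.usec IP src.sport > dst.dport: UDP, length N"     (UDP)

CONTROLLER_IP="192.168.50.10"   # assumed address of the Niko controller

# Constructed sample capture: two TCP sessions to the same host (only the
# SYNs count), one UDP flow, one more TCP session and a DNS query to the router.
SAMPLE='12:00:00.000001 IP 192.168.50.10.41000 > 192.0.2.1.443: Flags [S], seq 1, win 64240, length 0
12:00:00.000002 IP 192.0.2.1.443 > 192.168.50.10.41000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000003 IP 192.168.50.10.41000 > 192.0.2.1.443: Flags [.], ack 1, win 502, length 0
12:00:01.000000 IP 192.168.50.10.41001 > 192.0.2.1.443: Flags [S], seq 1, win 64240, length 0
12:00:02.000000 IP 192.168.50.10.6101 > 203.0.113.7.6110: UDP, length 72
12:00:03.000000 IP 192.168.50.10.6101 > 203.0.113.7.6110: UDP, length 72
12:00:04.000000 IP 192.168.50.10.41002 > 198.51.100.9.8666: Flags [S], seq 1, win 64240, length 0
12:00:05.000000 IP 192.168.50.10.50123 > 192.168.50.1.53: UDP, length 45'

# summarise_outbound SRC_IP  < tcpdump_lines
# Prints "proto dst_ip dport count", sorted, for packets sent by SRC_IP.
summarise_outbound() {
    awk -v src="$1" '
        $2 == "IP" && $4 == ">" {
            # Source field is "a.b.c.d.port": take the first four components.
            n = split($3, s, ".")
            if (n < 5) next
            sip = s[1] "." s[2] "." s[3] "." s[4]
            if (sip != src) next

            # Destination field is "a.b.c.d.port:"; drop the colon, split likewise.
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, d, ".")
            if (n < 5) next
            dip = d[1] "." d[2] "." d[3] "." d[4]
            dport = d[n]

            # UDP: count every datagram. TCP: count only the initial SYN.
            if ($6 == "UDP,") proto = "udp"
            else if ($6 == "Flags" && $7 == "[S],") proto = "tcp"
            else next

            count[proto " " dip " " dport]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Stand-alone run on the constructed sample; with a live capture use e.g.
#   tcpdump -n -i niko0 -l | summarise_outbound 192.168.50.10
printf '%s\n' "$SAMPLE" | summarise_outbound "$CONTROLLER_IP"
```

Once you have the destination list, the owner of each address is a `whois` lookup away (for example Team Cymru's IP-to-ASN service: `whois -h whois.cymru.com " -v 192.0.2.1"`); that is how the provider names in the list above are obtained from raw addresses. Run the capture for a while, including a firmware-update attempt and a few doorbell presses, since the controller does not open every port at boot.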

Setting up the firewall

You'll need to open up the following outgoing ports in your firewall. For peace of mind, I'd recommend putting this controller on its own VLAN, but not all consumer networking gear allows that. OpenWrt does (provided your router's switch supports it); consult their VLAN documentation if you'd like. If you are already familiar with VLANs, it's fairly straightforward.

Note that the Zenlayer TCP port range is extremely wide. The destination port numbers crept upward slowly while I was monitoring the controller, but they seem to be picked at random. A range that wide, to any host, is the weakest spot in this list: if you want to tighten it further, log what the controller actually connects to over time and narrow the rule to what you see.

  • DNS: 53, TCP/UDP
  • DHCP: source port 68, destination port 67, UDP
  • DHCPv6: source port 546, destination port 547, UDP
  • NTP: 123, UDP
  • ICMP v4 ('ping')
  • ICMP v6
  • Tencent: 80, TCP
  • Cloudflare: 443, TCP
  • Amazon: 8666, 8820, TCP
  • Zenlayer Inc (UDP): 6101, 6110, 6113
  • Zenlayer Inc (TCP): 10000 - 50000
  • CDS Global Cloud: 6107, 20008, UDP
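As a concrete version of the list above, here is an nftables ruleset for a Linux router that owns the Niko VLAN. It is an added example, not the post's own configuration: it assumes the VLAN interface is called `niko0`, the uplink is `wan`, and the router itself answers DNS, DHCP and NTP for the VLAN (so those go to the input chain), while everything else is forwarded only towards the uplink and only on the ports listed. Matching the post's approach, it filters on ports rather than destination addresses. On OpenWrt (fw4) the same policy is expressed as a zone for the VLAN plus per-port forwarding rules in /etc/config/firewall rather than as a standalone table.

```shell
#!/bin/sh
# Generate an nftables ruleset for a dedicated Niko video-kit VLAN.
# Added example, not the post's own config. Assumed names: VLAN interface
# "niko0", uplink "wan"; the router serves DNS/DHCP/NTP on the VLAN.

NIKO_IF="niko0"
WAN_IF="wan"

# niko_ruleset VLAN_IF WAN_IF  -> ruleset text on stdout
niko_ruleset() {
    cat <<EOF
table inet niko {
    # Traffic from the controller to the router itself.
    chain niko_input {
        type filter hook input priority 0; policy accept;
        iifname != "$1" return
        ct state established,related accept
        udp dport 53 accept
        tcp dport 53 accept
        udp sport 68 udp dport 67 accept       # DHCPv4 client -> server
        udp sport 546 udp dport 547 accept     # DHCPv6 client -> server
        udp dport 123 accept                   # NTP
        icmp type echo-request accept
        meta l4proto icmpv6 accept             # neighbour discovery, ping
        log prefix "niko-input-drop: " drop
    }

    # Traffic from the controller through the router.
    chain niko_forward {
        type filter hook forward priority 0; policy accept;
        iifname != "$1" return
        ct state established,related accept
        # No lateral movement: the VLAN may only talk to the uplink.
        oifname != "$2" log prefix "niko-lateral-drop: " drop
        udp dport 53 accept
        tcp dport 53 accept
        udp dport 123 accept
        tcp dport 80 accept                    # Tencent (firmware)
        tcp dport 443 accept                   # Cloudflare
        tcp dport { 8666, 8820 } accept        # Amazon
        udp dport { 6101, 6110, 6113 } accept  # Zenlayer
        tcp dport 10000-50000 accept           # Zenlayer, wide by necessity
        udp dport { 6107, 20008 } accept       # CDS Global Cloud
        icmp type echo-request accept
        icmpv6 type echo-request accept
        log prefix "niko-egress-drop: " drop
    }
}
EOF
}

# Stand-alone run prints the ruleset; load it with:
#   niko_ruleset niko0 wan | nft -f -
niko_ruleset "$NIKO_IF" "$WAN_IF"
```

Both chains end in a logging drop, so after loading the ruleset the kernel log (`dmesg` or `journalctl -k`) shows exactly what the controller tried that the list does not cover; that is also how you would catch a port change after a firmware update without re-running a full capture. Because the chains return early for every other interface, adding this table does not affect the rest of the router's policy.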