A bit confused how to set Blue Iris Vlan on ubiquiti

[Roye]

Hello!

I manage my network using UDM PRO.

Attached is a sketch that explains how my network is established.

I have to use multiple (unmanaged) switches because it is a large area and there is physical infrastructure limitation of the network.

I have already created separate vlans for (Guest) (Family) (Iot). Everything is fine except for the matter of setting up a separate vlan for the cameras.

Still confused what is the best way to adopt. I thought of some options like:

• Buy a new PC dedicated for BI.
• Buy UNIFI managed switches.
• Install another NIC.

I'd be happy if you point me in the right direction

Many Thanks.

 

[iwanttosee]

What are you using as your DHCP server? All my devices are on the same vlan and I used my OpenWRT DHCP server to assign blank gateway and DNS address so my cameras and nvr can never go to the internet.

Use OpenWRT DNS to blank out gateway, dns1, dns2

I used an OpenWRT router's DHCP server to force my NVR and cameras to take on "blank" for gateway, dns1, and dns2 for specific devices while all other devices get the proper gateway and DNS. I had to SSH into the router to make the changes as explained here. DNS and DHCP examples...

ipcamtalk.com

You should get a dedicated PC for BI. I bought a used M93p for $30 off facebook then I added a SSD and a 1TB harddrive for storage.

 

[DG99]

Vlan require managed switches or tagging the port of the network adapter on the PC, your setup of vlan is not correct, the unmanaged you are using is just forwarding all packets by mac address and not the tag. Unmanaged switch can not put a vlan tag into a packet header, you can use the unmanaged switch for a single vlan connected to a managed switch configured with access port configuration. Your network has no vlan isolation right now with that setup

 

[Roye]

Vlan require managed switches or tagging the port of the network adapter on the PC, your setup of vlan is not correct, the unmanaged you are using is just forwarding all packets by mac address and not the tag. Unmanaged switch can not put a vlan tag into a packet header, you can use the unmanaged switch for a single vlan connected to a managed switch configured with access port configuration. Your network has no vlan isolation right now with that setup

I created some firewall rules to isloate networks.

In any case I will upgrade my switches to unifi managed ones.

Thanks.

 

[Roye]

What are you using as your DHCP server? All my devices are on the same vlan and I used my OpenWRT DHCP server to assign blank gateway and DNS address so my cameras and nvr can never go to the internet.

Use OpenWRT DNS to blank out gateway, dns1, dns2

I used an OpenWRT router's DHCP server to force my NVR and cameras to take on "blank" for gateway, dns1, and dns2 for specific devices while all other devices get the proper gateway and DNS. I had to SSH into the router to make the changes as explained here. DNS and DHCP examples...

ipcamtalk.com

You should get a dedicated PC for BI. I bought a used M93p for $30 off facebook then I added a SSD and a 1TB harddrive for storage.

I prefer to make separation and keep all my BI cameras at an isolated lan.

 

[mikeynags]

Checkout this video. Watched it a while back but I believe it’s what you are looking for.



Sent from my iPhone using Tapatalk

 

[DG99]

One thing to watch from your diagram is the left and right side of the network connect at the UDM, i would recommend you place a switch in front and connect each side to that. If you run the camera stream through the UDM you will see a major increase of CPU at the UDM, it will tax that unit, avoid any camera traffic at the router.

 

[Roye]

One thing to watch from your diagram is the left and right side of the network connect at the UDM, i would recommend you place a switch in front and connect each side to that. If you run the camera stream through the UDM you will see a major increase of CPU at the UDM, it will tax that unit, avoid any camera traffic at the router.

I thought instead of buying a new and expensive switch, just use the UDM network inputs.

 

[SpacemanSpiff]

I thought instead of buying a new and expensive switch, just use the UDM network inputs.

That is certainly still an option for you. Just understand the impact it will most likely have on the equipment performance.

 

[DG99]

Avoid at all cost using a port on the UDM, your cpu will run about 50% solid, The UDM will have to forward and route every packet going to BI, not efficient at all.

 

[looney2ns]

Blue Iris should be on a dedicated computer that is only used for BI.
The easiest solution is to install a second nic in the BI machine, then migrate all cameras to that nic.

Dual NIC setup on your Blue Iris Machine

In making your system more secure this is a great option to eliminate your cameras calling home / connecting to the internet This is a great place to start to setup a bit more secure network and learn more about IP/Subnets etc. before adding dual NICs: Router Security - Subnets and IP addresses...

ipcamtalk.com

You should never run camera traffic through a router, you will saturate the router and slow your entire network and have issue's with camera streaming.
Run BI pc and the cameras to one separate switch. Then run one cable from that switch to the router if you need remote access.

 

[Roye]

Blue Iris should be on a dedicated computer that is only used for BI.
The easiest solution is to install a second nic in the BI machine, then migrate all cameras to that nic.

Dual NIC setup on your Blue Iris Machine

In making your system more secure this is a great option to eliminate your cameras calling home / connecting to the internet This is a great place to start to setup a bit more secure network and learn more about IP/Subnets etc. before adding dual NICs: Router Security - Subnets and IP addresses...

ipcamtalk.com

You should never run camera traffic through a router, you will saturate the router and slow your entire network and have issue's with camera streaming.
Run BI pc and the cameras to one separate switch. Then run one cable from that switch to the router if you need remote access.

Blue Iris should be on a dedicated computer that is only used for BI.
The easiest solution is to install a second nic in the BI machine, then migrate all cameras to that nic.

Dual NIC setup on your Blue Iris Machine

In making your system more secure this is a great option to eliminate your cameras calling home / connecting to the internet This is a great place to start to setup a bit more secure network and learn more about IP/Subnets etc. before adding dual NICs: Router Security - Subnets and IP addresses...

ipcamtalk.com

You should never run camera traffic through a router, you will saturate the router and slow your entire network and have issue's with camera streaming.
Run BI pc and the cameras to one separate switch. Then run one cable from that switch to the router if you need remote access.

All cameras are connected to Dahua PoE switches and the PoE switches are eventually connected to the UDM. This isn't a direct connection. Don't know if it matters.

Anyway if I add Ubiquitti's Switch how is this supposed to reduce load from UDM? After all, at the end of, the traffic have to get to the UDM, so I don't understand what the role of the switch is in that case.

I also copy the status of UDM at this moment when 60 clients are connected to it:

21%
CPU Load
Low
---
43.8°
CPU Temp
Good
---
58.4%
Memory
2.36 GB / 4.04 GB

 

[SpacemanSpiff]

The best scenario is to have two network interface cards (NIC) in your BI machine (as other members eluded to). One NIC attached to the 'everyday' network, the other NIC would connect to the camera VLAN. This will provide greatest isolation of camera network and result in the lowest volume of traffic on the UDM

 

[Roye]

The best scenario is to have two network interface cards (NIC) in your BI machine. One NIC attached to the everyday network, the other NIC would connect to the camera VLAN. This will provide greatest isolation of camera network and result in the lowest volume of traffic on the UDM

I am thinking of doing a total separation, purchase for myself a mini pc for surfing and small tasks and leave the main pc only for BI.

 

[SpacemanSpiff]

I am thinking of doing a total separation, purchase for myself a mini pc for surfing and small tasks and leave the main pc only for BI.

Of the recommended two NIC set-up. The NIC on the 'everyday' network (VLAN) allows a 'clean-n-easy' means for you to access the BI software to adjust, monitor and playback.

Otherwise... If you maintain a single NIC in BI server, and it is on the camera VLAN. You'll need to create rules to allow access from 'everyday' VLAN to camera VLAN. And the rules should be specific to ensure that not ANY device can access ANY device on the camera VLAN, because that is less secure. The rules should only allow ONLY specific devices from the 'everyday' (VLAN) access to ONLY the BI sever on camera VLAN.

The two NIC model eliminates the need for all the access and routing rules.