Blue Iris UI3

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
11,758
Reaction score
13,185
Location
Evansville, In. USA
> I had this happening for months. I tweaked (and tweaked) the camera settings and BI video settings to no end. Finally, very recently, I ended up buying a more updated and much (MUCH) faster router (TP Link AX6000) and all of my orange clock issues went away. I didn't realize that my trusted and tried old router (WRT1900ac) was just not powerful enough to handle all of the stuff on my network, including my cameras. By tech standards I guess that was an old (and weak) router to handle my network load.

Your network should be configured so that when not viewing remotely either at home or when away, that no camera traffic goes through the switch on the router.
Simple setup: All cameras plugged into POE switch. BI computer plugged into same POE switch as cams. One cable from same POE switch to the router.
 

morrisky

Getting the hang of it
Joined
Jun 30, 2017
Messages
95
Reaction score
46
@bp2008 When viewing cancelled alerts within BlueIris, you can right click and mark as Confirmed if there was a false negative with AI integration. Is this something that is possible to add to UI3 as well or is there no API for that?
 

rfj

Getting the hang of it
Joined
Oct 26, 2014
Messages
159
Reaction score
29
> Your network should be configured so that when not viewing remotely either at home or when away, that no camera traffic goes through the switch on the router.
> Simple setup: All cameras plugged into POE switch. BI computer plugged into same POE switch as cams. One cable from same POE switch to the router.

Hmm, I might be missing something basic here. All my cams are connected to a PoE switch. This switch is connected to the router. The router also has two other connections, i.e. one to a non-POE switch and one to the computer that records all the videos from the cams. So am I doing something wrong?
 

wittaj

Known around here
Joined
Apr 28, 2019
Messages
6,056
Reaction score
8,507
Location
USA
@rfj - yep, do not take the camera POE switch into the router. Add a second NIC into the BI computer and run all of the cameras into one NIC and then the internet is connected to the other NIC. This will keep your cameras completely off the internet and off your router.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
11,025
Reaction score
9,797
Location
USA
> @bp2008 When viewing cancelled alerts within BlueIris, you can right click and mark as Confirmed if there was a false negative with AI integration. Is this something that is possible to add to UI3 as well or is there no API for that?

It might be possible if all that needs to happen is to modify the flags field for the alert to include "AI Confirmed". I'd have to try it and I'm too busy right now, but I will make a note.
 

rfj

Getting the hang of it
Joined
Oct 26, 2014
Messages
159
Reaction score
29
Hmm, it seems I have messed this up. I have my wireless router connected to the modem. The router has 4 1Gb connections. I have 3 of those used, i.e.

  • "server computer" which hosts BlueIris and some other programs
  • 16 port PoE switch (an old Trendnet TPE-S160) which includes the cams and a few other devices
  • 48 port non-PoE switch that accommodates all Ethernet ports in the house

I guess I should hook up my BlueIris "server" to the PoE switch
 

wittaj

Known around here
Joined
Apr 28, 2019
Messages
6,056
Reaction score
8,507
Location
USA
But that would still have the camera traffic go through the router. You need to either VLAN your system or dual NIC the BI Computer so that the wifi router isn't routing the camera traffic and to keep them from phoning home.
 

rfj

Getting the hang of it
Joined
Oct 26, 2014
Messages
159
Reaction score
29
I am not quite following. If the cameras and the computer are all on the same switch then why would camera traffic go from the switch to the router and then from the router back to the same switch (and then to the computer, assuming I switch the computer to the PoE switch)? I think strictly by OSI model this is what should happen but in reality pretty much every switch remembers routings and makes a direct connection. I might be completely off here as I am not a networking guy.

You mentioned a second NIC. If that helps improving things I won't hesitate adding a second NIC to the computer. I guess in this case I would have my main 2.5GbE connected to the router and a 1Gb NIC connected to the 16 port PoE (and disconnect that switch from the router). I do have some other devices on that switch, though, so I am not sure how that will work out. The PoE switch is "dumb" (TPE-S160) but the 48 port switch is "smart" and I could create VLANs. But it's not a PoE so I can't connect my cams to that switch. I really need to read up on this networking stuff...
 

wittaj

Known around here
Joined
Apr 28, 2019
Messages
6,056
Reaction score
8,507
Location
USA
The router typically assigns or manages the IP address traffic. A "dumb" switch is no different than simply having more ports on your router - the whole purpose of the switch is to provide additional wired ports.

So your cameras are probably on the same IP address range as your other devices and thus the cameras are probably passing through the router (you won't know for sure unless you monitor it). Maybe it is and maybe it isn't. But if you log in to the admin screen of the router, you will see the cameras as devices on the router, so the potential is certainly there for it to be passing through it.

But unless you have taken steps to keep them from being able to talk to the outside world, they are either phoning home or open to being hacked. Ironically surveillance cameras are known to be very poor at security. They need to be isolated from the Internet via VLAN or a dual NIC system.

In a dual NIC or VLAN system, the router never sees the camera IP addresses. They do not exist according to the router.
 

Sparkey

Getting the hang of it
Joined
Apr 3, 2015
Messages
116
Reaction score
25
If your cameras are on the same subnet as the rest of your network they are exposed to the internet. By adding a second NIC you can put your cameras on their own subnet that isn't routed to the Internet. This way they can't call home. You'll need to put a second NIC in the computer you use to manage the BI computer if you want to do so remotely. A NIC can only access one subnet at a time. Adding a second NIC means the computer can access 2 different subnets at the same time but only one of these is connected to the Internet, the other to the cameras. Clear as mud?
 

rfj

Getting the hang of it
Joined
Oct 26, 2014
Messages
159
Reaction score
29
I had some security problems with my cams a while ago (passwords were reset, etc). If I recall correctly, the cameras automatically opened ports on my router. There was some function to disable this feature and since then all camera problems disappeared. However, I also lost connection to my home automation system, streaming services, etc since all ports were shut down. Now I just use a VPN connection if I need to connect to my system at home. But I am considering changing my PoE switch to a fanless "smart" (that allows VLANs) one. 16 port smart PoE switches without fans are not easy to find at "reasonable" prices, though.
 

Holbs

Known around here
Joined
May 1, 2019
Messages
1,602
Reaction score
2,094
Location
Reno, NV
> I had some security problems with my cams a while ago (passwords were reset, etc). If I recall correctly, the cameras automatically opened ports on my router. There was some function to disable this feature and since then all camera problems disappeared. However, I also lost connection to my home automation system, streaming services, etc since all ports were shut down. Now I just use a VPN connection if I need to connect to my system at home. But I am considering changing my PoE switch to a fanless "smart" (that allows VLANs) one. 16 port smart PoE switches without fans are not easy to find at "reasonable" prices, though.

If you are concerned about network security (and it sounds like you need advice pretty badly), might want to dig through existing posts on this site in that regard. Many folks ask those same questions and many folks respond with valued suggestions and opinions. Start searching & researching before you end up on YouTube hacked security cameras :)
Or start a new topic and see who can give you more detailed advice than from this Blue Iris UI3 forum post.
 

piconut

BIT Beta Team
Joined
Feb 17, 2015
Messages
145
Reaction score
42
> If your cameras are on the same subnet as the rest of your network they are exposed to the internet. By adding a second NIC you can put your cameras on their own subnet that isn't routed to the Internet. This way they can't call home. You'll need to put a second NIC in the computer you use to manage the BI computer if you want to do so remotely. A NIC can only access one subnet at a time. Adding a second NIC means the computer can access 2 different subnets at the same time but only one of these is connected to the Internet, the other to the cameras. Clear as mud?

Maybe clear as murky water.

I'm also wanting to try this more secure setup but I have been apprehensive because my BI computer is a headless system in a closet and I access the camera feeds through the UI3 web interface from several computers on my LAN. So if I understand you correctly, I should add a second NIC to the headless BI computer and connect only my POE switch to that second NIC. However, if I want to be able to manage the BI computer I also need to add a second NIC to my main (non BI) computer. Is this correct? I'm also assuming here that both of the second NICs need to be connected to the same POE switch for the cameras. Do I have all this straight so far?

If so, my last question is can I access the UI3 web interface from other computers on my LAN (like a laptop) that does not have a second NIC?

Thanks for your help!
 

Holbs

Known around here
Joined
May 1, 2019
Messages
1,602
Reaction score
2,094
Location
Reno, NV
> I had some security problems with my cams a while ago (passwords were reset, etc). If I recall correctly, the cameras automatically opened ports on my router. There was some function to disable this feature and since then all camera problems disappeared. However, I also lost connection to my home automation system, streaming services, etc since all ports were shut down. Now I just use a VPN connection if I need to connect to my system at home. But I am considering changing my PoE switch to a fanless "smart" (that allows VLANs) one. 16 port smart PoE switches without fans are not easy to find at "reasonable" prices, though.
 

wittaj

Known around here
Joined
Apr 28, 2019
Messages
6,056
Reaction score
8,507
Location
USA
Most of us run headless BI computers.

We use Remote Desktop (RDP) or some other similar application to log directly into the BI computer from another device.

UI3 is on the BI Computer, which has two IP addresses under the dual NIC setup - Camera IP addresses on one NIC and an Internet IP address on the 2nd NIC. You would access UI3 from the LAN the exact same way using the exact same IP address you use now to access UI3, the only difference is the cameras are no longer on the same IP address as the rest of your system.

All you would do is add the 2nd NIC to your BI computer and assign it an IP address range that is not the same IP address range as your current LAN. Then you change the IP addresses of the cameras in the camera GUI and in BI and you are good to go.

So if your existing internet LAN is 192.168.1.xxx, just change the cameras to 192.168.2.xxx and then you are only changing one number in your already existing setup in the cameras and in BI.

Another NIC can be had for $10-$20 and is a cheap investment in keeping cameras off the internet.
 

piconut

BIT Beta Team
Joined
Feb 17, 2015
Messages
145
Reaction score
42
> Most of us run headless BI computers.
>
> We use Remote Desktop (RDP) or some other similar application to log directly into the BI computer from another device.
>
> UI3 is on the BI Computer, which has two IP addresses under the dual NIC setup - Camera IP addresses on one NIC and an Internet IP address on the 2nd NIC. You would access UI3 from the LAN the exact same way using the exact same IP address you use now to access UI3, the only difference is the cameras are no longer on the same IP address as the rest of your system.
>
> All you would do is add the 2nd NIC to your BI computer and assign it an IP address range that is not the same IP address range as your current LAN. Then you change the IP addresses of the cameras in the camera GUI and in BI and you are good to go.
>
> So if your existing internet LAN is 192.168.1.xxx, just change the cameras to 192.168.2.xxx and then you are only changing one number in your already existing setup in the cameras and in BI.
>
> Another NIC can be had for $10-$20 and is a cheap investment in keeping cameras off the internet.

OK, great. I think I follow that. So the internet side NIC on the BI computer would get its IP info and subnet from the router via DHCP. Since the second NIC is not connected to a router (only to the POE camera switch), do I set the camera subnet within the NIC IPv4 properties like this:
NIC example.PNG

If so, do I leave the default gateway blank?
How do the cameras get their IP now? Do I set a static IP in each camera's configuration settings?

Thanks again for all of your help.
 

wittaj

Known around here
Joined
Apr 28, 2019
Messages
6,056
Reaction score
8,507
Location
USA
That would be correct - and yes go into each camera and manually assign them an IP address (which you should have been doing anyway so that the router wouldn't change the IP and then BI cannot find them). Then go into the BI camera setting and simply change the IP address to the new IP for each camera.

But you should also manually assign an IP address to the BI computer for internet as well. Maybe you have just got lucky that your router hasn't changed it and then you couldn't get into UI3 or BI find your cameras.
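
The camera-side NIC setup confirmed in this exchange (static address, default gateway left blank), written out as PowerShell for the BI computer with a check that the camera NIC has no route to the Internet. This is an added example, not part of any post in the thread; the interface alias `Ethernet 2` and the host address `192.168.2.1` are assumptions, and the 192.168.2.xxx range is the one suggested earlier in the thread.

```powershell
# Added example. Run in an elevated PowerShell session on the BI computer.
$CamNic = 'Ethernet 2'    # assumption: alias of the second, camera-side NIC
$CamIp  = '192.168.2.1'   # assumption: BI computer's address in the camera range
$Prefix = 24              # 255.255.255.0

# Static address on the camera NIC. No -DefaultGateway is passed, which is the
# PowerShell equivalent of leaving the gateway field blank in the IPv4 dialog.
Set-NetIPInterface -InterfaceAlias $CamNic -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $CamNic -AddressFamily IPv4 `
    -IPAddress $CamIp -PrefixLength $Prefix | Out-Null

# Keep Windows from forwarding packets between the camera NIC and the LAN NIC.
Set-NetIPInterface -InterfaceAlias $CamNic -AddressFamily IPv4 -Forwarding Disabled

# Collect the facts that decide whether the camera subnet is isolated:
# default routes bound to the camera NIC, its forwarding state, and which
# interface(s) actually carry the machine's default route.
$camDefault = @(Get-NetRoute -InterfaceAlias $CamNic -DestinationPrefix '0.0.0.0/0' `
    -ErrorAction SilentlyContinue)
$forwarding = (Get-NetIPInterface -InterfaceAlias $CamNic -AddressFamily IPv4).Forwarding
$defaultVia = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty InterfaceAlias -Unique)

# Summary object for a quick visual check.
[pscustomobject]@{
    CameraNic           = $CamNic
    CameraNicHasGateway = ($camDefault.Count -gt 0)
    ForwardingDisabled  = ($forwarding -eq 'Disabled')
    DefaultRouteVia     = ($defaultVia -join ', ')
}
```

For an isolated camera network, `CameraNicHasGateway` should be False, `ForwardingDisabled` True, and `DefaultRouteVia` should list only the LAN-side NIC. Each camera still needs its own static 192.168.2.xxx address set in its GUI, with the gateway pointing nowhere that can reach the router.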
 

piconut

BIT Beta Team
Joined
Feb 17, 2015
Messages
145
Reaction score
42
> That would be correct - and yes go into each camera and manually assign them an IP address (which you should have been doing anyway so that the router wouldn't change the IP and then BI cannot find them). Then go into the BI camera setting and simply change the IP address to the new IP for each camera.
>
> But you should also manually assign an IP address to the BI computer for internet as well. Maybe you have just got lucky that your router hasn't changed it and then you couldn't get into UI3 or BI find your cameras.

I am currently setting the BI computer and all the cameras with a static IP assigned from the router, but I can change that. I never tried this before because I always thought that I wouldn't be able to access the web interface from any of my LAN computers except the BI machine. Now I know better and I think I'm going to make this change this weekend. Thank you for all of your help.
 

Holbs

Known around here
Joined
May 1, 2019
Messages
1,602
Reaction score
2,094
Location
Reno, NV
> I am currently setting the BI computer and all the cameras with a static IP assigned from the router, but I can change that. I never tried this before because I always thought that I wouldn't be able to access the web interface from any of my LAN computers except the BI machine. Now I know better and I think I'm going to make this change this weekend. Thank you for all of your help.

It's the best, cheapest, easiest way to secure your camera network so good luck!
 

wittaj

Known around here
Joined
Apr 28, 2019
Messages
6,056
Reaction score
8,507
Location
USA
Yeah setting the BI computer to a static in the router is fine. Obviously your cameras will not be able to do that after you take them off the router, but it is a simple procedure to assign them a static in the camera GUI and then change the IP address in BI for each camera.

You will probably see some improved performance of your home internet after you take the cameras off of it.
 