Blue Iris UI3

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,544
Location
USA
@rfj - yep, do not take the camera POE switch into the router. Add a second NIC into the BI computer and run all of the cameras into one NIC and then the internet is connected to the other NIC. This will keep your cameras completely off the internet and off your router.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,666
Reaction score
14,005
Location
USA
@bp2008 When viewing cancelled alerts within BlueIris, you can right click and mark as Confirmed if there was a false negative with AI integration. Is this something that is possible to add to UI3 as well or is there no API for that.
It might be possible if all that needs to happen is to modify the flags field for the alert to include "AI Confirmed". I'd have to try it and I'm too busy right now, but I will make a note.
 

rfj

Pulling my weight
Joined
Oct 26, 2014
Messages
391
Reaction score
115
Hmm, it seems I have messed this up. I have my wireless router connected to the modem. The router has 4 1Gb connections. I have 3 of those used, i.e.

  • "server computer" which hosts BlueIris and some other programs
  • 16 port PoE switch (an old Trendnet TPE-S160) which includes the cams and a few other devices
  • 48 port non-PoE switch that accommodates all Ethernet ports in the house

I guess I should hook up my BlueIris "server" to the PoE switch
 

wittaj

But that would still have the camera traffic go through the router. You need to either VLAN your system or dual NIC the BI Computer so that the wifi router isn't routing the camera traffic and to keep them from phoning home.
 

rfj

I am not quite following. If the cameras and the computer are all on the same switch then why would camera traffic go from the switch to the router and then from the router back to the same switch (and then to the computer, assuming I switch the computer to the PoE switch)? I think strictly by OSI model this is what should happen but in reality pretty much every switch remembers routings and makes a direct connection. I might be completely off here as I am not a networking guy.

You mentioned a second NIC. If that helps improving things I won't hesitate adding a second NIC to the computer. I guess in this case I would have my main 2.5GbE connected to the router and a 1Gb NIC connected to the 16 port PoE (and disconnect that switch from the router). I do have some other devices on that switch, though so I am not sure how that will work out. The PoE switch is "dumb" (TPE-S160) but the 48 port switch is "smart" and I could create VLANs. But it's not a PoE so I can't connect my cams to that switch. I really need to read up on this networking stuff...
 

wittaj

The router typically assigns or manages the IP address traffic. A "dumb" switch is no different than simply having more ports on your router - the whole purpose of the switch is to provide additional wired ports.

So your cameras are probably on the same IP address range as your other devices and thus the cameras are probably passing through the router (you won't know for sure unless you monitor it). Maybe it is and maybe it isn't. But if you log in to the admin screen of the router, you will see the cameras as devices on the router, so the potential is certainly there for it to be passing through it.

But unless you have taken steps to keep them from being able to talk to the outside world, they are either phoning home or open to being hacked. Ironically surveillance cameras are known to be very poor at security. They need to be isolated from the Internet via VLAN or a dual NIC system.

In a dual NIC or VLAN system, the router never sees the camera IP addresses. They do not exist according to the router.
 

Sparkey

Pulling my weight
Joined
Apr 3, 2015
Messages
237
Reaction score
159
If your cameras are on the same subnet as the rest of your network they are exposed to the internet. By adding a second NIC you can put your cameras on their own subnet that isn't routed to the Internet. This way they can't call home. You'll need to put a second NIC in the computer you use to manage the BI computer if you want to do so remotely. A NIC can only access one subnet at a time. Adding a second NIC means the computer can access 2 different subnets at the same time but only one of these is connected to the Internet, the other to the cameras. Clear as mud?
 

rfj

I had some security problems with my cams a while ago (passwords were reset, etc). If I recall correctly, the cameras automatically opened ports on my router. There was some function to disable this feature and since then all camera problems disappeared. However, I also lost connection to my home automation system, streaming services, etc since all ports were shut down. Now I just use a VPN connection if I need to connect to my system at home. But I am considering changing my PoE switch to a fanless "smart" (that allows VLANs) one. 16 port smart PoE switches without fans are not easy to find at "reasonable" prices, though.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
If you are concerned about network security (and it sounds like you need advice pretty badly), you might want to dig through existing posts on this site in that regard. Many folks ask those same questions and many folks respond with valued suggestions and opinions. Start searching & researching before you end up on YouTube hacked security cameras :)
Or start a new topic and see who can give you more detailed advice than from this Blue Iris UI3 forum post.
 

piconut

BIT Beta Team
Joined
Feb 17, 2015
Messages
176
Reaction score
63
Location
Austin, TX
Maybe clear as murky water.

I'm also wanting to try this more secure setup but I have been apprehensive because my BI computer is a headless system in a closet and I access the camera feeds through the UI3 web interface from several computers on my LAN. So if I understand you correctly, I should add a second NIC to the headless BI computer and connect only my POE switch to that second NIC. However, if I want to be able to manage the BI computer I also need to add a second NIC to my main (non BI) computer. Is this correct? I'm also assuming here that both of the second NICs need to be connected to the same POE switch for the cameras. Do I have all this straight so far?

If so, my last question is can I access the UI3 web interface from other computers on my LAN (like a laptop) that does not have a second NIC?

Thanks for your help!
 

wittaj

Most of us run headless BI computers.

We use Remote Desktop (RDP) or some other similar application to log directly into the BI computer from another device.

UI3 is on the BI Computer, which has two IP addresses under the dual NIC setup - Camera IP addresses on one NIC and an Internet IP address on the 2nd NIC. You would access UI3 from the LAN the exact same way using the exact same IP address you use now to access UI3, the only difference is the cameras are no longer on the same IP address as the rest of your system.

All you would do is add the 2nd NIC to your BI computer and assign it an IP address range that is not the same IP address range as your current LAN. Then you change the IP addresses of the cameras in the camera GUI and in BI and you are good to go.

So if your existing internet LAN is 192.168.1.xxx, just change the cameras to 192.168.2.xxx and then you are only changing one number in your already existing setup in the cameras and in BI.

Another NIC can be had for $10-$20 and is a cheap investment in keeping cameras off the internet.
 

piconut

OK, great. I think I follow that. So the internet side NIC on the BI computer would get its IP info and subnet from the router via DHCP. Since the second NIC is not connected to a router (only to the POE camera switch), do I set the camera subnet within the NIC IPv4 properties like this:
NIC example.PNG

If so, do I leave the default gateway blank?
How do the cameras get their IP now? Do I set a static IP in each camera's configuration settings?

Thanks again for all of your help.
 

wittaj

That would be correct - and yes go into each camera and manually assign them an IP address (which you should have been doing anyway so that the router wouldn't change the IP and then BI cannot find them). Then go into the BI camera setting and simply change the IP address to the new IP for each camera.

But you should also manually assign an IP address to the BI computer for internet as well. Maybe you have just got lucky that your router hasn't changed it and then you couldn't get into UI3 or BI find your cameras.
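
The camera-side NIC settings confirmed in this exchange (static address on a separate subnet, default gateway left blank), written out as PowerShell for the Blue Iris PC. This is an added example, not part of any poster's message; the adapter alias "Cameras" and the host address 192.168.2.1 are assumptions, with the 192.168.2.x range taken from the thread's example.

```powershell
# Added example: static addressing for the camera-side NIC on the BI computer.
# Run in an elevated PowerShell session.
# Assumptions (not from the thread): adapter alias and the .1 host address.
$alias  = 'Cameras'       # hypothetical name of the second NIC
$ip     = '192.168.2.1'   # BI computer's address on the camera subnet (assumed)
$prefix = 24              # equivalent to subnet mask 255.255.255.0

# Turn DHCP off and assign the static address. No -DefaultGateway is passed,
# so Windows gets no default route through this NIC and all internet-bound
# traffic keeps using the LAN-side NIC.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 `
    -IPAddress $ip -PrefixLength $prefix | Out-Null

# The camera subnet has no DNS server; clear any that were configured.
Set-DnsClientServerAddress -InterfaceAlias $alias -ResetServerAddresses

# Windows does not route between NICs by default; make that explicit so the
# BI computer never forwards camera traffic toward the router.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Forwarding Disabled

# Check 1: the camera NIC must not carry a default route (the blank gateway).
$defaultRoutes = Get-NetRoute -InterfaceAlias $alias `
    -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($defaultRoutes) {
    Write-Warning "Default route found on '$alias'; remove the gateway."
}

# Check 2: no IPv4 interface should have forwarding enabled. If one does
# (for example after enabling Internet Connection Sharing), the cameras
# could reach the internet through the BI computer.
$fwd = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.Forwarding -eq 'Enabled' }
if ($fwd) {
    Write-Warning "IP forwarding enabled on: $($fwd.InterfaceAlias -join ', ')"
}

# Show the result: expect the static address and an empty IPv4DefaultGateway.
Get-NetIPConfiguration -InterfaceAlias $alias
```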
 

piconut

I am currently setting the BI computer and all the cameras with a static IP assigned from the router, but I can change that. I never tried this before because I always thought that I wouldn't be able to access the web interface from any of my LAN computers except the BI machine. Now I know better and I think I'm going to make this change this weekend. Thank you for all of your help.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
It's the best cheapest easiest way to secure your camera network so good luck!
 

wittaj

Yeah setting the BI computer to a static in the router is fine. Obviously your cameras will not be able to do that after you take them off the router, but it is a simple procedure to assign them a static in the camera GUI and then change the IP address in BI for each camera.

You will probably see some improved performance of your home internet after you take the cameras off of it.
 

DLONG2

Known around here
Joined
May 17, 2017
Messages
763
Reaction score
454
Thanks for these tutorials, wittaj. I imagine that as soon as a camera's IP is statically set and changed, then the GUI login fails, and a person would have to log into the camera's new IP.
 

wittaj

That would be correct!
 

cam26

Getting the hang of it
Joined
Jan 21, 2019
Messages
233
Reaction score
97
Location
USA
Hey @wittaj, so my existing setup is basically a tower and monitor in my basement with a POE switch connecting cameras and everything together. My cameras are isolated from the internet by my router- I've got into each one and blocked access to the internet and use a VPN to connect to my BI pc from outside of the house.

Say, for example, that I wanted to move my monitor to a different location in the house but keep the switch, connections, and tower down in the basement, how would I and what would I need to basically view the BI pc from the monitor in a different location- another whole pc that remotes in?
 