Confirmation (blocking internet access for "made in China" cameras)

Volcom

n3wb
Joined
Jun 4, 2022
Messages
12
Reaction score
4
Location
Italy
Hi,

first thing first, it's true that designing the network of a new home is time consuming and requires rethinking over and over again all decisions.

Anyway this is the current setting. Before I start drilling holes, I'd like to hear your opinion. In essence my main question is making sure my Dahua cameras can't connect to the internet since they are made in China (you know the story).



As you can see I have a dedicated PC that runs Blue Iris. At the moment this PC only has one NIC (the one on the motherboard) but as far as I can tell I need to add a second NIC in a PCI expansion slot. This way the PC is connected to 192.168.1.xxx with main NIC and also to 192.168.2.xxx with the other.

This secondary NIC on 192.168.2.xxx is then connected to a Managed POE switch that provides power & data to 4x POE camera. There's also a cable that runs from this switch to another switch on the 1st floor (Unmanaged POE switch with Pass Through) that provides power & data to 2x POE camera.

Keep in mind Blue Iris PC saves all recordings to a NAS that is accessible via 192.168.1.xxx. Here are my questions.

Question 1 - If the above configuration is correct, can you confirm that I don't need to create a VLAN? On paper all cameras are on a separate network and not exposed to the internet. Moreover they can't be seen from 192.168.1.xxx or connect to this network either. Isn't that enough?

Question 2 - I've seen people talking about "taxing of CPU" on the Blue Iris PC when it needs to re-route packets from one network to the other. Can you confirm that in my case this doesn't apply?

Thanks.

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
25,378
Reaction score
49,431
Location
USA
You are good to go on both questions, but you do not need a managed switch on the camera side of the BI machine.

You simply manually assign each camera a static IP address and be done with it and use cheaper unmanaged switches.

 

Techhead

Getting the hang of it
Joined
Nov 16, 2018
Messages
43
Reaction score
43
Location
USA
I’d add an internal hard drive in the BI PC for the recordings instead of using your NAS. Keep that traffic off of your LAN.
Depending on your router's capabilities, your IoT devices can be on a guest network or otherwise isolated from your LAN but not on the cameras subnet.
 

Volcom

n3wb
Joined
Jun 4, 2022
Messages
12
Reaction score
4
Location
Italy
First of all thank you for answers :)

but you do not need a managed switch on the camera side of the BI machine.

You simply manually assign each camera a static IP address and be done with it and use cheaper unmanaged switches.
Oh right! If I'm correct the managed switch was needed if I only had one switch in order to create the VLAN. Well, I already own one but I am more than happy to keep it as dumb as possible.

I like to use 'cheap' Netgear managed switches so I can bounce unruly POE cams by shutting down individual ports.
My managed POE switch is from Netgear :lmao: And it was cheap (200-ish $/€)

I’d add an internal hard drive in the BI PC for the recordings instead of using your NAS. Keep that traffic off of your LAN.
Damn it! You're right. Recordings will travel through 192.168.1.xxx.

Maybe I found a solution. I happen to have a spare Ubiquiti EdgeRouter Lite 3. It has 3x Gb ports. I could use it as follows.




This way recordings travel through a dedicated network at full speed, leaving full bandwidth for all TVs and PCs for LAN and internet purposes. It should work but maybe there's a better use I can make of the spare Ubiquiti router. My only concern is that I am not quite sure I can access the NAS and Blue Iris PC from other PCs. Maybe I'll need to play with routing :facepalm:

Side note: for what it's worth I could also buy a 2x NIC PCI card for the Blue Iris PC so that it will have 3 NICs. Initially I was thinking of using the third NIC for a direct connection with the NAS. It would work but this way I can no longer use the NAS for other PCs without taxing the CPU for silly routing.

Depending on your router's capabilities, your IoT devices can be on a guest network or otherwise isolated from your LAN but not on the cameras subnet.
All clear. Thanks.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,844
Reaction score
6,424
One benefit of a managed POE switch is that you may have some added features that can be useful for cams/other POE-powered devices. One of mine shows power use by each port, estimates distance to cable faults, lets me power cycle the POE device, etc. All of which I've actually used at various times and have been nice to have. As well as VLANs and other normal managed switch functions. Not a whole lot of difference in price in many cases. Don't have to use the management features (other than assigning an IP) but they're there if you want them at some point.
 

Ri22o

Known around here
Joined
Jul 30, 2020
Messages
1,471
Reaction score
2,976
Location
Indiana
Side note: for what it's worth I could also buy a 2x NIC PCI card for the Blue Iris PC so that it will have 3 NICs. Initially I was thinking of using the third NIC for a direct connection with the NAS. It would work but this way I can no longer use the NAS for other PCs without taxing the CPU for silly routing.
I use 192.168.0.XX for main network.
I use 10.7.83.XX for camera network.
Dahua camera default IP is 192.168.1.108

With my PC I have the MOBO ethernet port and also run a dual NIC. One port on the dual NIC connects to my home network and the other connects to my camera network. I have the MOBO connection set to 192.168.1.XX and this is connected to a desktop POE switch. This allows me to connect any new camera to that switch and get it set up and the new IP set without doing anything super involved with re-assigning of IPs for the ethernet ports. It keeps it 100% off of the internet and never gets the opportunity to call out.
 

Volcom

n3wb
Joined
Jun 4, 2022
Messages
12
Reaction score
4
Location
Italy
I use 192.168.0.XX for main network.
I use 10.7.83.XX for camera network.
Dahua camera default IP is 192.168.1.108

With my PC I have the MOBO ethernet port and also run a dual NIC. One port on the dual NIC connects to my home network and the other connects to my camera network. I have the MOBO connection set to 192.168.1.XX and this is connected to a desktop POE switch. This allows me to connect any new camera to that switch and get it set up and the new IP set without doing anything super involved with re-assigning of IPs for the ethernet ports. It keeps it 100% off of the internet and never gets the opportunity to call out.
I don't understand. You have 3 NIC on BI as follows:
  • Home network 192.168.0.xxx
  • Camera network 10.7.83.xxx
  • POE Switch 192.168.1.xxx
What is the difference between 10.7.83.xxx and 192.168.1.xxx? I get that you run cameras & POE on 192.168.1.xxx but what's the purpose of 10.7.83.xxx? What kind of data/device uses this network?
 

Ri22o

Known around here
Joined
Jul 30, 2020
Messages
1,471
Reaction score
2,976
Location
Indiana
I don't understand. You have 3 NIC on BI as follows:
  • Home network 192.168.0.xxx
  • Camera network 10.7.83.xxx
  • POE Switch 192.168.1.xxx
What is the difference between 10.7.83.xxx and 192.168.1.xxx? I get that you run cameras & POE on 192.168.1.xxx but what's the purpose of 10.7.83.xxx? What kind of data/device uses this network?
10.7.83.XX contains my camera IPs and 192.168.1.XX is used only for provisioning new cameras.

192.168.0.XX is my standard network IP scheme.
192.168.1.XX is only my desktop POE switch.
10.7.83.XX is all in-use cameras on my network.


When I get a new camera I will connect it to my BI PC via the 192.168.1.XX desktop POE switch (default Dahua IP is 192.168.1.108). I will do initial set up and change the camera's IP to 10.7.83.XX. Once this has saved I can either install it or do additional set up by plugging it into my camera network switch.

An unforeseen upside to this setup/method is the camera will never have the opportunity to access the internet. If your internet facing network is 192.168.1.XX and you temporarily plug the camera in to that network to change its IP to 192.168.2.XX then it will be able to briefly see the internet.
 

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
3,874
Reaction score
8,598
Location
USA, Oregon
One of mine shows power use by each port, estimates distance to cable faults, lets me power cycle the POE device, etc.
I have also used my managed switch for the same purposes. Being in a hard to access location, I can't just look at the port LEDs to see if a camera is running, or pull its plug to force a reboot. And, a used one costs less than a good unmanaged switch.
 

Volcom

n3wb
Joined
Jun 4, 2022
Messages
12
Reaction score
4
Location
Italy
Maybe this will help make more sense of it.
So in essence (correct me if I'm wrong) you use the third network (the NIC on the mobo) as a sort of "garage" to tune/configure cameras before throwing them in the camera network. Well... this is veeeeeeery cool! :thumb: Great idea. I'll do the same. Thanks.
 

Ri22o

Known around here
Joined
Jul 30, 2020
Messages
1,471
Reaction score
2,976
Location
Indiana
So in essence (correct me if I'm wrong) you use the third network (the NIC on the mobo) as a sort of "garage" to tune/configure cameras before throwing them in the camera network. Well... this is veeeeeeery cool! :thumb: Great idea. I'll do the same. Thanks.
You are correct.

Initially I was just using the dual NIC for LAN and Camera Network and it was a pain to get the new ones added. Then it dawned on me that I had the unused 3rd network port on the MOBO I could use for that purpose. Connecting it to a POE switch just cuts down on needing to use a wall power adapter.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,844
Reaction score
6,424
You can also do the same without another network card/port by multi-homing the computer so that it has IP addresses on both 192.168.0.x (or whatever) and 192.168.1.x. Under IPv4 properties for the adapter, select Advanced at the bottom, then add the other IP. I think the computer needs to have a static address for both; doesn't work if DHCP. Can also do other ways with routing or supernetting but more complicated.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
25,378
Reaction score
49,431
Location
USA
You can also do the same without another network card/port by multi-homing the computer so that it has IP addresses on both 192.168.0.x and 192.168.1.x. Under the IPv4 properties for the adapter select Advanced at the bottom, then add the other IP. I think the computer needs to have a static address for both; doesn't work if DHCP. Can also do other ways with routing or supernetting but more complicated.
Wouldn't that give the camera access to the internet though?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,844
Reaction score
6,424
Guess it depends on how you have things set up and blocked. The firewall typically goes by MAC not by IP. So assuming that you have that MAC blocked, it shouldn't get through no matter what internal network it's on. And the camera would need to have the right gateway out which you don't need to provide.

But I was responding more along the lines of above. i.e., To easily find and set up new Dahua cams that come at 192.168.1.108 when your primary network isn't. Then moving them off. Not to run longer term.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
25,378
Reaction score
49,431
Location
USA
Guess it depends on how you have things set up and blocked. The firewall typically goes by MAC not by IP. So assuming that you have that MAC blocked, it shouldn't get through no matter what internal network it's on. And the camera would need to have the right gateway out which you don't need to provide.

But I was responding more along the lines of above. i.e., To easily find and set up new Dahua cams that come at 192.168.1.108 when your primary network isn't. Then moving them off. Not to run longer term.
Yeah I get that, but my question is more along the lines of: you get a brand new camera, plug it in and it is at 192.168.1.108; does that initially provide it with internet access until you go in and change things in the camera? And because it is a new camera and you don't know the MAC address yet, it wouldn't be blocked by MAC address in a firewall.

My question is because you multi-homed one NIC (as opposed to it being a different NIC), does that give both IP addresses internet access or are you able to set it up such that 192.168.1.xxx cannot get to the internet?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,844
Reaction score
6,424
In the same way that two NICs work, the camera doesn't automatically get routing across the networks through the multi-homed computer. You'd need to set that up separately if that's what you wanted. You've just set up a second IP address for that machine (not the entire 192.168.1.x network) using the same physical network card. At the IP level, they still are on separate subnets. And the 192.168.1.x IP address on the computer also would need to have a gateway/routing to get out, which you don't have to define when setting up the second IP address. It would potentially permit access by the cam to the computer that you're using but you have that anyway.

Yes, you'd need to know the MAC to block it at the firewall. I was responding to your question there more generally and longer term.
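An added example (not from anyone in this thread) of the setup Ri22o and Mike A. describe, done from PowerShell on the Blue Iris PC: add a gateway-less 192.168.1.x address for provisioning factory-default Dahua cams, keep the PC from forwarding between subnets, and check both before plugging a new camera in. The adapter name "Ethernet", the LAN on 192.168.0.0/24 and the free address 192.168.1.10 are assumptions; the cmdlets are standard Windows NetTCPIP ones.

```powershell
# Added example, not from the thread. Give the BI PC a second IPv4 address on the
# 192.168.1.0/24 "provisioning" subnet so a default Dahua cam (192.168.1.108) is
# reachable, then verify the PC offers that subnet no path to the internet.
# Assumptions: adapter alias "Ethernet", LAN on 192.168.0.0/24, 192.168.1.10 free.
# Run from an elevated PowerShell session.

$Alias   = 'Ethernet'        # assumed adapter name; list yours with Get-NetAdapter
$ProvIP  = '192.168.1.10'    # assumed free address on the provisioning subnet
$ProvNet = '192.168.1.0/24'

# 1. Add the secondary address WITHOUT -DefaultGateway (what "Advanced > add IP"
#    in the adapter's IPv4 properties does). The only default route stays the LAN one.
$have = Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object IPAddress -eq $ProvIP
if (-not $have) {
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $ProvIP -PrefixLength 24 | Out-Null
}

# 2. The PC must not act as a router between its subnets; this is also what makes
#    the "CPU taxed by re-routing packets" worry moot, since nothing is forwarded.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Forwarding Disabled

# 3. Checks before a new camera is connected.
#    a) no default route whose next hop lives on the camera/provisioning subnet
$badGw = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
         Where-Object { $_.NextHop -like '192.168.1.*' }
if ($badGw) { Write-Warning "Default gateway on the camera subnet: $($badGw.NextHop)" }
else        { Write-Host "OK: no default route leaves via $ProvNet" }

#    b) forwarding disabled on every IPv4 interface, not just the one above
$fwd = Get-NetIPInterface -AddressFamily IPv4 | Where-Object Forwarding -eq 'Enabled'
if ($fwd) { Write-Warning "IP forwarding enabled on: $($fwd.InterfaceAlias -join ', ')" }
else      { Write-Host 'OK: IP forwarding disabled on all IPv4 interfaces' }

# 4. Confirm the factory-default camera is reachable on its web port for setup.
Test-NetConnection -ComputerName 192.168.1.108 -Port 80 -InformationLevel Quiet
```

Because the camera is handed no gateway and the PC forwards nothing, the cam can reach the BI PC for configuration but has no route out, which is the point wittaj raised; once it is re-addressed to the camera subnet it can be moved to the camera switch.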
 

Techhead

Getting the hang of it
Joined
Nov 16, 2018
Messages
43
Reaction score
43
Location
USA
One benefit of a managed POE switch is that you may have some added features that can be useful for cams/other POE-powered devices. One of mine shows power use by each port, estimates distance to cable faults, lets me power cycle the POE device, etc. All of which I've actually used at various times and have been nice to have. As well as VLANs and other normal managed switch functions. Not a whole lot of difference in price in many cases. Don't have to use the management features (other than assigning an IP) but they're there if you want them at some point.
What model switch are you using for this?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,844
Reaction score
6,424
I have a couple of different ones. The TP-Link managed switches that I have are a little more complicated since they're set up through their Omada controller (similar to Ubiquiti's controller). Using that, there's a simple POE Recovery cycle button that you can hit. Power use by the switch overall and per port is shown through the same interface. If using the switch directly vs through the controller, then there are controls/better stats available through the switch's web interface and SSH. Unfortunately, the TP-Link doesn't estimate distance to faults. Wish that it did. A Netgear switch that I was using previously had that and it helped me chase down things several times.