Edge Router 4 - Firewall help

AP514 (Pulling my weight), Pearland, Texas
Hey all, looking for some help setting up some firewall rules for my cams/network.

I have an Edge Router 4, set up as router on a stick.
See my network setup/topography.
I want my VLAN 80/BI to be able to give/get info to my cams on VLAN 50 (time etc.). I DO NOT want my VLAN 50/cams to get on the net or be able to talk to any VLAN other than VLAN 80.
Of course VLAN 80/BI needs to talk to the net.
I will ask more about VPN setup after this is set up and running.
IPCAM-Layout- Firewall rules.jpg
 
Location: Reno, NV
Why not put Blue Iris & cameras on the same subnet? From my feeble understanding of VLAN subnets, you could have a traffic congestion issue with lots of camera videos crossing VLANs. I do MAC & IP blocking on the cameras for WAN OUT (I think that is what it is on my Ubiquiti UDM router). I believe I even blocked all ports on my security camera VLAN (Blue Iris & cams) except for the NTP time port. Some local port access is allowed if my main personal VLAN initiates first talks to my security camera VLAN (for remote desktop or Home Assistant purposes).
I did verify my security camera VLAN cannot see any other VLAN or out to the internet by slapping in a laptop with a .108 IP scheme for the VLAN and pinging things / port scanning. I always leave 192.168.x.108 empty since that is the default Dahua IP for cameras.
 
AP514 (Pulling my weight), Pearland, Texas
Quoting: "I agree with @Holbs on having the BI PC on the same VLAN as the cams. You could also look at a dual NIC solution for the BI PC as well. There is a good thread with lots of info on configuring the ER-X with BI in mind. The link is here: Ubiquity EdgeRouter X - Configuring to Isolate Surveillance Networks"

Thanks for the link. I will read it through... and as far as dual NIC: why have the BI machine on the same subnet and then put in a dual NIC, when VLANs take care of the dual NIC problem?
I think the Edge Router 4 can handle the traffic with ezzzz along with the GS728TPPv2 (L3 switch).
 

mikeynags (Known around here), CT
It all depends on how you want to access it remotely. You can set BI's web server to only be bound to the "internal" NIC on your network and expose that for remote access while your cameras are on the other VLAN, totally isolated.
 

AP514 (Pulling my weight), Pearland, Texas
Shameless bump... need some help on this... OP
and dual NIC is not the answer I am going for...
 
Location: Reno, NV
Something like this? I have, for this firewall LAN IN rule, the ability for my IOT subnet VLAN to talk to my secure subnet VLAN. This allows my Denon HEOS receiver, and only the receiver on the IOT, to talk to my Home Assistant PC, and only the PC, on the secure LAN.
Notice the check marks of ADVANCED / STATES - established and related. If my nOObie understanding of firewall rules is correct, this allows the SOURCE: Denon to talk to the DESTINATION: PC if (and this is important) the PC initiates the request FIRST.
This is through the Ubiquiti GUI interface screen. Unsure if your Edge Router has a GUI or has to be done all via command line.
firewall_example.jpg
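Added example (not from any poster in this thread): the same established/related idea expressed as EdgeOS CLI for the OP's layout, so VLAN 50 cameras can only answer sessions that VLAN 80 (Blue Iris) opened, plus one new flow of their own (NTP to VLAN 80). Assumptions, all constructed: the trunk is eth1 with sub-interfaces eth1.50 and eth1.80, the subnets are 192.168.50.0/24 and 192.168.80.0/24, and the cameras get DHCP from the router; VLAN 80 gets no ruleset here, so it keeps internet access and can reach the cameras as the OP wants. The # lines are explanatory, not part of the commands.

```edgeos
configure

# Constructed subnets: VLAN 80 (Blue Iris) = 192.168.80.0/24, VLAN 50 (cams) = 192.168.50.0/24
set firewall group network-group BI_NET description 'Blue Iris VLAN 80'
set firewall group network-group BI_NET network 192.168.80.0/24

# Traffic entering the router FROM the camera VLAN (eth1.50 "in")
set firewall name CAMS_IN default-action drop
set firewall name CAMS_IN description 'From camera VLAN 50: only reply to Blue Iris'
set firewall name CAMS_IN enable-default-log

# Rule 10: replies to sessions the Blue Iris PC started (RTSP/HTTP pulls)
set firewall name CAMS_IN rule 10 action accept
set firewall name CAMS_IN rule 10 description 'Replies to sessions opened from VLAN 80'
set firewall name CAMS_IN rule 10 state established enable
set firewall name CAMS_IN rule 10 state related enable
set firewall name CAMS_IN rule 10 destination group network-group BI_NET

# Rule 20: the one new flow the cameras may open themselves: NTP to VLAN 80
set firewall name CAMS_IN rule 20 action accept
set firewall name CAMS_IN rule 20 description 'Cameras may sync time from the Blue Iris VLAN'
set firewall name CAMS_IN rule 20 protocol udp
set firewall name CAMS_IN rule 20 destination group network-group BI_NET
set firewall name CAMS_IN rule 20 destination port 123
set firewall name CAMS_IN rule 20 state new enable

# Traffic from the camera VLAN TO the router itself (eth1.50 "local"): DHCP only
set firewall name CAMS_LOCAL default-action drop
set firewall name CAMS_LOCAL description 'Cameras may not use router DNS or GUI'
set firewall name CAMS_LOCAL rule 10 action accept
set firewall name CAMS_LOCAL rule 10 description 'DHCP leases for cameras (drop if cams are static)'
set firewall name CAMS_LOCAL rule 10 protocol udp
set firewall name CAMS_LOCAL rule 10 destination port 67

# Attach both rulesets to the camera VLAN sub-interface (assumed eth1 trunk)
set interfaces ethernet eth1 vif 50 firewall in name CAMS_IN
set interfaces ethernet eth1 vif 50 firewall local name CAMS_LOCAL

commit
save
exit

# Check: rule 20 counters should climb as cameras ask for time; hits on the
# default-log line are cameras trying to leave the VLAN (phone-home attempts)
show firewall name CAMS_IN statistics
```

Because rule 10 only matches established/related packets, a camera that tries to open a connection to the internet or another VLAN never matches anything and is dropped and logged by the default action, while Blue Iris pulling RTSP from the cameras works unchanged.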
 

AP514 (Pulling my weight), Pearland, Texas
@Holbs, thanks. This specific stuff is what I am going for... really having a hard time getting my head around these rules and the how-to...
 