How are your camera vlan setup?

[dannieboiz]

I started to setup VLANs on my network for the camera and as I'm doing this I think my process is counter productive in terms of security just because of how I'm doing this.

my BI PC is on VLAN 1, 10.10.1.1
Camera on VLAN 20, 10.10.20.1

I have created a trunk for all the camera ports and the BI PC to see Vlan 1 and VLAN 20. Then I realised that this is a waste of time in term of security since VLAN 1 and 20 can see each other. Or is it now?

In reality, the BI PC should be on the same VLAN 20 as the cameras, correct?

 

[SpacemanSpiff]

Many here follow these recommendations, not sure if you've read these yet:

Dual NIC setup on your Blue Iris Machine

In making your system more secure this is a great option to eliminate your cameras calling home / connecting to the internet This is a great place to start to setup a bit more secure network and learn more about IP/Subnets etc. before adding dual NICs: Router Security - Subnets and IP addresses...

ipcamtalk.com

How to Secure Your Network (Don't Get Hacked!)

Many camera networks are unsecure, even those installed by professionals. This guide gives basic instruction in how to secure a camera network from the most common types of attacks. Perhaps the most important rule of securing a computer network is to not forward ports to unsecure services...

ipcamtalk.com

 

[dannieboiz]

Many here follow these recommendations, not sure if you've read these yet:

Dual NIC setup on your Blue Iris Machine

In making your system more secure this is a great option to eliminate your cameras calling home / connecting to the internet This is a great place to start to setup a bit more secure network and learn more about IP/Subnets etc. before adding dual NICs: Router Security - Subnets and IP addresses...

ipcamtalk.com

How to Secure Your Network (Don't Get Hacked!)

Many camera networks are unsecure, even those installed by professionals. This guide gives basic instruction in how to secure a camera network from the most common types of attacks. Perhaps the most important rule of securing a computer network is to not forward ports to unsecure services...

ipcamtalk.com

I have not seen those but will be reading them now.

 

[sebastiantombs]

Your BI machine can be on any VLAN of the system. You just need a rule to allow it to access the camera VLAN.

 

[dannieboiz]

Your BI machine can be on any VLAN of the system. You just need a rule to allow it to access the camera VLAN.

I have a L2 POE switch that I run everything off of, I assume this will be configured on my gateway? In my case it's PFSense

 

[sebastiantombs]

It should be in the switch itself if it does any routing at all.

 

[dannieboiz]

It should be in the switch itself if it does any routing at all.

Let me dig through this, I have cheap chinese Ovolink POE switch, the configuration and lingo is anything but.

 

[sebastiantombs]

Like looney2ns says "buy once, cry once".

 

[dannieboiz]

Like looney2ns says "buy once, cry once".

LOL I hear ya, I have a 48 port Cisco POE switch that I replace this with but the noise on those fans was too loud to be in my office. Been waiting to pick up a Ubiquiti POE switch but have not gotten to it yet.

 

[sebastiantombs]

I stick to 16 port PoE switches. No fans to worry about plus, after working in server rooms for years, "fan noise?? what fan noise??".

 

[dannieboiz]

I stick to 16 port PoE switches. No fans to worry about plus, after working in server rooms for years, "fan noise?? what fan noise??".

I have more than 16 POE devices hence 24 ports. My rack sits in my closet next to the desk I sit at 8 hours a day, it can get annoying.

 

[sebastiantombs]

I have more than 16 cameras, too, so I have two 16 port switches. A little redundancy in case on fails while waiting for a replacement.

 

[Old Timer]

I have a L2 POE switch that I run everything off of, I assume this will be configured on my gateway? In my case it's PFSense

If you are running PFSense on a device that has extra Ethernet ports, you can add a second network to run all of your security on and set rules under >firewall >rules > security lan
I use a Protectili fanless and have 6 ports to play with. One is dedicated to security cameras and has all WAN traffic blocked. Use your open VPN to remote access.




Or you can use a managed switchs to build and route your Vlan. For a inexpensive managed switch,

https://smile.amazon.com/gp/product/B00K4DS5KU/

 

[dannieboiz]

If you are running PFSense on a device that has extra Ethernet ports, you can add a second network to run all of your security on and set rules under >firewall >rules > security lan
I use a Protectili fanless and have 6 ports to play with. One is dedicated to security cameras and has all WAN traffic blocked. Use your open VPN to remote access.

View attachment 134106


Or you can use a managed switchs to build and route your Vlan. For a inexpensive managed switch,

https://smile.amazon.com/gp/product/B00K4DS5KU/

Actually this is a great idea... I do have ports to spare on the PFSense box.

 

[Old Timer]

PFsense can do VLANS, but I figured out this way and it's simple (KISS) and very easy to set up.

You can still use a PC on the LAN port to connect to the cameras and Blue Iris.

I also enable the NTP in the PFSense for all of the cameras to sync with. Works better then setting one up on the blueiris PC.

 

[dannieboiz]

KISS is definitely the way to go. It's been on my bucket list and I never got to it. We are upping cybersecurity by 10 fold these days at work and I figure might as well do it for my house as well. I don't trust the built in camera access. This will make me feel better waking around the house naked.

 

[Old Timer]

If someone ever got into my cameras, they would run away screaming!