How to Remove Internet Access from BI While Retaining UI3 LAN Access - Can it be done?

A

Alaska Country

Getting comfortable
Jun 10, 2021
557
753
Alaska
Would like to remove internet access from a dual NIC BI Windows 10 computer while at the same time allowing UI3 to be accessible via LAN on two other desk top LAN connected computers. (See system diagram)

System_Diagram.png

The simple answer is to remove the internet cable from the NIC on the BI computer. i.e. 100% no internet. The issue then becomes how to access UI3 on other LAN computers. Plus the Network Time utility on BI that keeps the cameras time synchronized would become inactive.

On the BI machine, NIC-1 is on a subnet at 192.168.55.xxx. (Use the following IP address box checked in IPv4). NIC-1 is only used for Dahua cameras via a 24 port POE unmanaged switch. NIC-2 (BI computer) is set for "Obtain an IP address automatically" box checked in IPv4 which is being used for internet access.

The Asus RT-N16 router has the option to white list using "The Network Services filter which blocks the LAN to WAN packet exchanges and restricts devices from using specific network services." Under "White List" the choices are User Defined, WWW, Telnet and FTP.

Network_Services_Filter.PNG

Would setting up this feature achieve the goal of limiting LAN access to UI3 at 192.168.1.120 on port 81? And at the same time terminate internet access for use on the BI machine and retain internet to the other two LAN desk top computers (1 and 2) that utilize the same router?

If not, there is a Tomato FW update that could installed on the Asus that may have additional features that could be of use.

The other possible option, if feasible, would be to move UI3 access to the camera subnet (192.168.55.xxx), add a second NIC to the other computers and hard wire in a second network. Workable??? Security issues?
 
On my system I have another router plugged into the POE switch feeding the cameras. It is not connected to the internet but provides WIFI to the other pc's in the house. I have a second NIC on my living room laptop which allows it to be connected to the internet full time on the built in NIC and the second NIC is a usb dongle which allows me to be connected to BI and the cameras also.
 
  • Like
Reactions: Alaska Country
Unless I misunderstand entirely, all you need to do is assign NIC-2 a static IP but leave the gateway and DNS fields blank, that way the computer doesn't know how to reach the internet.

In the router, you can create a static DHCP assignment for the BI machine. The BI machine won't actually be using DHCP, but this prevents the router from assigning the address to anything else accidentally and creating a conflict.

Actually that only covers IPv4. You should also disable the IPv6 protocol for NIC-2 in the Blue Iris machine so it doesn't just get online with IPv6 (assuming your ISP and router have IPv6 configured).

1669593528161.png
 
  • Like
Reactions: looney2ns, fenderman, TonyR and 3 others
Appreciate the suggestions. Using WiFi would eliminate adding more cable. Will have to see if the older Windows 10 machine has WiFi and if not if I have a card that would fit.

Did try changing IP4v to a few different IP addresses and clicked off IPv6. Not sure what would be the correct IP address most likely an unused address. Tried 192.168.1.1 and 192.168.1.60. Both did block the internet as stated. Subnet mask of 255.255.255.0 was used with no default gateway.

This part worked for blocking. However, when changed UI3 at 192.168.1.120:81 could no longer be accessed by other LAN computers. At this point did not make any mods to the router.

DHCP_Server.PNG
 
Last edited:
The TP link usb wifi device for 20 buck on amazon has pretty good range
 
What did I miss, why would a wifi adapter be helpful here?

@Alaska Country Simply assign the address 192.168.1.120 to the Blue Iris machine and create a DHCP reservation for it in your router so that address doesn't get assigned to anything else.

Beware of typos when entering addresses, you made a couple in your last post.
 
  • Like
Reactions: fenderman and sebastiantombs
Oh i saw this......."
Will have to see if the older Windows 10 machine has WiFi and if not if I have a card that would fit.
and linked him to this TP LInk....
I wasnt trying to solve the bigger problem :)
Staying outta that, cuz I'm not the guru in that neighborhood.
 
Last edited:
  • Like
Reactions: sebastiantombs
Won't Windows constantly bitch about not being able to get to the internet?
 
Thanks for the heads up on the wrong IP address. Noted and corrected.

The BI "local internal (LAN) access" is already on 192.168.1.120 port 81 and works to view UI3 on other computers connected to the LAN. This is working well.

Added a DHCP reservation.

Assigned_ip.PNG

Went back to the BI machine and changed the IP address on the card that is connected to the internet to 192.168.1.120 with a subnet mask and no default gateway. Tested and the internet is blocked. No connectivity on the LAN for UI3 at 192.168.1.120:81 on other LAN connected computers.
 
  • Like
Reactions: TonyR
You may need to go to Windows Firewall now and create a rule that explicitly allows inbound TCP traffic on port 81. Possibly because your network interface doesn't have a gateway anymore, the old firewall rule that allowed Blue Iris webserver traffic is no longer working? I'm really not sure.

I'm also confused. You say you can access UI3 via LAN machines:

Alaska Country said:
The BI "local internal (LAN) access" is already on 192.168.1.120 port 81 and works to view UI3 on other computers connected to the LAN. This is working well.
Click to expand...

Then you appear to say the opposite.

Alaska Country said:
No connectivity on the LAN for UI3 at 192.168.1.120:81 on other LAN connected computers.
Click to expand...
 
  • Like
Reactions: TonyR, Flintstone61 and Alaska Country
Added an inbound rule for port 81 on one of the LAN connected computers. No go. Received the below message.

Troubleshooter.PNG

Took a look at the firewall on the Windows 10 BI computer. Noticed that there are 6 inbound rules for BI-5. Three for UDP and three for TCP. Two public and four private. Enabled one of the private rules that was disabled and UI3 is now working on the LAN computer. Plus the BI machine can no longer access the internet which is the goal.

Removed the inbound rule for port 81 on the LAN computer and UI3 is still accessible. Thus deleted the rule.

The goal of internet isolation has been achieved. Like the simplicity of this process. To regain internet access to update BI just click on "Obtain an IP address automatically" for the internet connected NIC. And return that same NIC to its original settings to remove internet access.

Did loose access to NetTime at "0.nettime.pool.npt.org". However, it could be a can of worms to achieve internet access to this URL and complicate an otherwise easy process.

A big thank you for all the assistance.....
 
  • Like
Reactions: bp2008 and Flintstone61
Alaska Country said:
Added an inbound rule for port 81 on one of the LAN connected computers.
Click to expand...

That rule needed to be on the Blue Iris machine.

Alaska Country said:
Took a look at the firewall on the Windows 10 BI computer. Noticed that there are 6 inbound rules for BI-5. Three for UDP and three for TCP. Two public and four private. Enabled one of the private rules that was disabled and UI3 is now working on the LAN computer. Plus the BI machine can no longer access the internet which is the goal.
Click to expand...

Yup, weird that it would be disabled. But, you found it.

Did loose access to NetTime at "0.nettime.pool.npt.org". However, it could be a can of worms to achieve internet access to this URL and complicate an otherwise easy process.
Click to expand...

If you have another Windows machine running always (or often at least) then you can install NetTime on that and check the box to allow other computers to sync to it.

Then configure NetTime on the Blue Iris machine to sync to that other machine's IP address frequently, like every 1 hour or something. Be sure to make a DHCP reservation for that other machine so its address doesn't change and invalidate your NetTime configuration on the BI machine.
 
  • Like
  • Love
Reactions: Alaska Country and Flintstone61
Appreciate all of the assistance to setup the BI dual NIC system to work without internet access and still have UI3 available on the LAN.

Net Time is also working using the internet on another desk top computer that is on for 12 hours per day and updating the BI computer and the associated cameras. That is good enough and much better than no time synchronization.

Setup the firewall on the desktop Windows computer for an Inbound Rule to allow for the Net Time connection to the BI computer. (no firewall rules added to the BI computer) However could not locate the remote port number. Used netstat -a but did not list any ports that worked. Thus kept the setting at "All Ports". Assume that this is not an issue. If it is, what would be a correct port for the remote port number?

Nettime_Ports.PNG

Cameras are set for 90 minutes time updates with the exception of a few that only allow for a maximum of 30 minutes between updates. Everything is working well.....
 
  • Like
Reactions: bp2008 and Flintstone61
You must log in or register to reply here.
Top Bottom