IPcam VLAN setup question about DNS

P

prsmith777

Getting comfortable
Dec 23, 2019
315
442
Colorado
I currently have a locked down VLAN called IPCAM on a Unifi system that is working well. I have BI on a windows desktop with a dual NIC--one NIC is on the Home LAN and the other is on the IPCAM VLAN with no gateway. I also have NTP server on the BI box. VLAN IPCAM has no internet or local subnet access.

I am moving on from Unifi to pfSense and in the process of setting up the new IPCAM VLAN.

I plan on setting up the VLAN with DHCPand no internet or subnet access. Since I have the NTP server on BI, don't need to allow access out for that. But was wondering if I need to allow DNS access to pfSense. I statically map all my cams in DHCP. I don't see a need for DNS, unless I am missing something. So basically the IPCAM VLAN will have no firewall rules in it at all....pretty unusual.
 
I surmise pfsense will be only your router/firewall. That said, it is strongly encouraged that you do not configure your network in a manner that would expose your router with any of the video traffic. The current dual NIC in BI that you have eliminates the need to have any IPCAM VLAN set-up on your pfsense device.
Also, DHCP on your IPCam VLAN does offer a convenience, however it will come back and bite you at some point. I prefer manually setting all cams to a static IP versus DHCP (or DHCP reservations).
If you are intent on DHCP for IPCAM VLAN, maybe consider setting it up on the BI server and bind it only to the IPCAM VLAN NIC
 
  • Like
Reactions: looney2ns and alastairstevenson
SpacemanSpiff said:
I surmise pfsense will be only your router/firewall. That said, it is strongly encouraged that you do not configure your network in a manner that would expose your router with any of the video traffic.
...
Click to expand...

Neglected to mention... this is more of a performance recommendation, versus good security practice. Though both apply.
 
  • Like
Reactions: alastairstevenson
How and what are you using for a NTP Server on the BI machine? More specifically how does the NTP Server update itself to keep accurate time?!?
 
SpacemanSpiff said:
I surmise pfsense will be only your router/firewall. That said, it is strongly encouraged that you do not configure your network in a manner that would expose your router with any of the video traffic. The current dual NIC in BI that you have eliminates the need to have any IPCAM VLAN set-up on your pfsense device.
Also, DHCP on your IPCam VLAN does offer a convenience, however it will come back and bite you at some point. I prefer manually setting all cams to a static IP versus DHCP (or DHCP reservations).
If you are intent on DHCP for IPCAM VLAN, maybe consider setting it up on the BI server and bind it only to the IPCAM VLAN NIC
Click to expand...
Reason for DHCP is when adding new cameras to the IPCAM VLAN. I have managed switches so its easy to assign a port to this VLAN for this purpose. I have selected a small DHCP pool with most addresses available for static settings.

I forgot that I need to block traffic to the LAN, which I have added as a firewall rule. PfSense default it to not allow any vlan traffic. So now no traffic can hit the router other than DHCP. DHCP server is per interface, so it is already bound to the VLAN interface. The one NIC card is set on this VLAN. I don't foresee any problems using DHCP.
 
The big problem with DHCP is that if there's a power outage you're not entirely guaranteed that everything will return with the same addresses. Many people have found that out the hard way.
 
  • Like
Reactions: looney2ns
Teken said:
How and what are you using for a NTP Server on the BI machine? More specifically how does the NTP Server update itself to keep accurate time?!?
Click to expand...

Setting up NetTime Time Sync Tool on Windows 10

This is a great way to sync all your cameras. If cameras are not synced correctly they could be thrown out as evidence. This will not adjust for Daylight Savings - you must enter DST Start and End time in your Camera. I want to thank @mikeynags for all the information to get this up and running...
ipcamtalk.com ipcamtalk.com

I added NetTime program to BI box. Dual NIC is my friend here. Cams can access NetTIme on the vlan NIC and time is updated via internet on the other NIC
 
sebastiantombs said:
The big problem with DHCP is that if there's a power outage you're not entirely guaranteed that everything will return with the same addresses. Many people have found that out the hard way.
Click to expand...
True. but all my cams have static mapping, which is same as DHCP reservation, so they will be fine. DHCP is only for adding new cams. I could turn it off and only turn it on when needed
 
alastairstevenson said:
If all the devices on the IPCAM VLAN address each other by IP address, not by network name, and there is no ability to exchange network packets outside the IPCAM VLAN, then access to a Domain Name Server (DNS) isn't needed.
Click to expand...
This were my thoughts as well. Thanks for confirming. Wont be doing DNS.
 
prsmith777 said:
I forgot that I need to block traffic to the LAN, which I have added as a firewall rule.
...
Click to expand...
Sounds like you have a single managed switch the hosts both IPCAM and HOME network connections that are isolated/segmented by VLAN assignments. Are you including the IPCAM VLAN on the ethernet port that uplinks your switch to the PFSense device?
 
SpacemanSpiff said:
Sounds like you have a single managed switch the hosts both IPCAM and HOME network connections that are isolated/segmented by VLAN assignments.
Click to expand...

Sort of. I have a dedicated 48 port POE managed switch which is trunked to my main switch. All the cams are on this ipcam switch.

Are you including the IPCAM VLAN on the ethernet port that uplinks your switch to the PFSense device?
Click to expand...

All the ipcam switch ports except the trunk to main switch are assigned to vlan ipcam. Pfsense is on the main switch on LAN which is the native interface and technically not a vlan.

I am new to pfssense but it is my understanding that LAN network is wide open to all other networks including vlans. So I am planning to have a block rule for vlan ipcam to access LAN.
 
For the same (security) reason you added a DENY rule to pfsense blocking IPCAM VLAN traffic, you should consider disconnecting the POE camera switch from your main switch.
 
SpacemanSpiff said:
For the same (security) reason you added a DENY rule to pfsense blocking IPCAM VLAN traffic, you should consider disconnecting the POE camera switch from your main switch.
Click to expand...
What security reason are you referencing? OP has VLANs and firewall rules separating and/or blocking the traffic.
 
prsmith777 said:
So now no traffic can hit the router other than DHCP.
Click to expand...

You might consider allowing the cameras access to the pfSense's NTP server. It's how I keep my system all on the same time. It's generally port 123 and you can open just that port to your VLAN firewall address. For example, if your pfSense firewall main address is 192.168.1.1 and you have your CCTV VLAN set up for 192.168.20.X, then you can allow access to port 123 at 192.168.20.1 and it hits the firewall without having to open access to the 192.168.1.X network.
 
mikeynags said:
What security reason are you referencing? OP has VLANs and firewall rules separating and/or blocking the traffic.
Click to expand...
Removing as many failure points as possible. If there is no other traffic from the IPCAM switch, remove the physical link to eliminate any chance of traffic being passed in the event the IPCAM VLAN gets turned up on the trunk port, or the rule(s) get disabled or mangled in pfsense, etc.
 
You must log in or register to reply here.
Top Bottom