Need advice on VLAN for cams

Springer

Young grasshopper
Greetings, I am looking to segment my cameras onto their own VLAN. I have avoided this to date because Blue Iris is running on my main PC.

I have a few managed POE switches for my cameras that will allow me to set up VLAN.

So a few questions come to mind:
Do I need to multihome my PC so that the BI server will be accessible to the VLAN?
Using a VLAN, how would I be able to control the cameras from a machine on a different network segment?
When I VPN into my LAN, how would I be able to gain access to either segment?
 

copex

Getting the hang of it
Location
Cumbria,England
I would fit two LAN cards, and have one for the camera VLAN and one for the main network VLAN.

If you have L2 switches, or on L3 switches or using a VLAN-capable router, you would have to set up inter-VLAN routing, but this would allow access between both LANs and then you may as well leave it all on one LAN. So you would have to set up 3 VLANs (cameras, server, main) and set up the routing so cameras can route to server, main can route to server, and block access between cameras and main. OK if you know what you are doing. :)

I don't know much about BI; you could access the BI server but not the cameras using L2 switches and two LAN cards, so you would remotely access the cameras on the main LAN as you do now.

Hope it helps.
 

Xeddog

Getting comfortable
I am just curious why you want to do this at all?

Wayne
 

YAEMISH

n3wb
If your switches are capable, you could put them on a separate VLAN and give that VLAN a gateway so that you can talk to other systems on the network and prevent the cameras from being directly accessed via the Internet. That way you wouldn't need to dual-home.
 

Springer

Young grasshopper
I am just curious why you want to do this at all?

Wayne
Some of the cheap Chinese cams I have are trying to call home but can't because I have the gateway set to the camera's own IP address. I have used some sniffing software (Wireshark) to prove this behavior and it is something to be concerned about. The cameras also have ports open (Telnet, port 23) that should not be. Not too sure if that could be a problem if I am behind a NAT router, but it is still troubling.

So having a VLAN helps keep the cameras in their own sandbox, so to speak. If the cameras are on a separate subnet they should not be able to see or do anything nasty to my other computers/equipment on my LAN, or be used as bots to stage attacks on other networks.

If your switches are capable, you could put them on a separate VLAN and give that VLAN a gateway so that you can talk to other systems on the network and prevent the cameras from being directly accessed via the Internet. That way you wouldn't need to dual-home.
Interesting idea, but wouldn't that allow the cameras to access my subnet as well?
 

Aengus4h

Getting the hang of it
Location
UK
@Springer - I have done this for similar reasons, preferring to keep the cameras segregated from my main network and also making any external connections unable to be used to gain access to my servers/desktops/internet, so in effect completely isolated from the viewpoint of an attacker. This was achieved by setting up VLANs on my Netgear switches and DrayTek router, with firewall rules set to block any outbound access from the CCTV VLAN to any other, with the exception of NTP for the NVR/DVR only. The inter-switch trunks need to be configured to correctly tag all VLAN streams, and this works just fine over powerline/EoP too if using that as the carrier between areas.

In my setup the desktop/user LAN can access the CCTV LAN for monitoring/configuration, also via firewall rules. All cameras and the NVR/DVR are on the CCTV VLAN. For remote access the inbound VPN terminates on the user VLAN, so it can also access the NVR/DVR via its internal IP address without issues.
 

Pedro Tera

n3wb
Pardon my ignorance, I have only started to learn...

I am going to be using a pfSense router with a managed switch, which allows for VLANs.
If my Blue Iris PC has 2 NICs, would I be better served to connect one to the IP cam VLAN and one to my main/home VLAN?
Or would I be better to only use one NIC and connect to the home VLAN?

I was hoping that option one would work - which would mean that I can just block the IP cam VLAN from outside access altogether, but at the same time would be able to access the cams through a "service" running on the BI PC...

Option two would require more work for me on pfSense routing, which would mean more ways for me to screw it up...
 

Mr_D

Getting comfortable
Location
Southern California
Pardon my ignorance, I have only started to learn...

I am going to be using a pfSense router with a managed switch, which allows for VLANs.
If my Blue Iris PC has 2 NICs, would I be better served to connect one to the IP cam VLAN and one to my main/home VLAN?
Or would I be better to only use one NIC and connect to the home VLAN?

I was hoping that option one would work - which would mean that I can just block the IP cam VLAN from outside access altogether, but at the same time would be able to access the cams through a "service" running on the BI PC...

Option two would require more work for me on pfSense routing, which would mean more ways for me to screw it up...
Either should work, but I favor just one NIC with the BI PC on the same subnet as the cameras. The way I have mine set up, the camera/BI subnet is reachable from my private LAN. If you need the BI computer to make outbound connections, you just need to set an "allow" rule in the firewall for its IP address above the deny rule.
 
Location
Colorado
I don't disagree with Mr_D's solution, but for the technically challenged, the two-NIC solution will also be a perfectly working solution and 1. doesn't require a managed/VLAN-capable switch and 2. configuration can't be screwed up IMHO (if you are a network novice) because it's physically separate networks (not just logically). Just food for thought if you consider yourself VLAN challenged. You do have to think in terms of different subnets (so cameras on NIC #2 with subnet 192.168.1.X would mean your regular LAN would have to go somewhere else, 192.168.11.X, to keep it simple).

In my old configuration (with a laptop), I had to get a USB NIC to add the second network capability (cost $29), but on a regular PC it will either have dual NICs or you can drop in a PCIe network card for under $20. Configuration is also very simple and clear: Ethernet #1 is the IP subnet to the rest of the world and Ethernet #2 is connected to the POE switch and talks to the cameras, and the cameras no longer have a path to the internet. But this limits access to the cameras to either the BI PC (think Remote Desktop for camera configs and firmware updates) or via the BI web UI if you just need to watch the streams. Remote Desktop I believe creates a Windows Pro dependency or requires some other secure remote desktop application.

BTW, I have pfSense as my router/firewall, and if you have only 2 NICs the recommended configuration for pfSense is #1 dedicated to WAN and #2 dedicated to LAN. You would need to implement VLANs or add additional NICs to further subdivide your internal network (I chose a 4-port Intel NIC card to make my pfSense a 5-port device with 4 distinct & firewalled subnets). I cannot find the supporting post with that recommendation, but I think it just has something to do with misconfiguration leading to LAN exposure directly to the internet.
 

Mr_D

Getting comfortable
Location
Southern California
I don't disagree with Mr_D's solution, but for the technically challenged, the two-NIC solution will also be a perfectly working solution and 1. doesn't require a managed/VLAN-capable switch and 2. configuration can't be screwed up IMHO (if you are a network novice) because it's physically separate networks (not just logically). Just food for thought if you consider yourself VLAN challenged.

In my old configuration (with a laptop), I had to get a USB NIC to add the second network capability (cost $29), but on a regular PC it will either have dual NICs or you can drop in a PCIe network card for under $20. Configuration is also very simple and clear: Ethernet #1 is the IP subnet to the rest of the world and Ethernet #2 is connected to the POE switch and talks to the cameras, and the cameras no longer have a path to the internet.
This is essentially the approach that pre-made NVRs take. The cameras are on a separate network and only reachable from the NVR, or in this case, the BI PC. I like to be able to reach my cameras directly so I went with the VLAN/firewall route.
 

copex

Getting the hang of it
Location
Cumbria,England
Pardon my ignorance, I have only started to learn...

I am going to be using a pfSense router with a managed switch, which allows for VLANs.
If my Blue Iris PC has 2 NICs, would I be better served to connect one to the IP cam VLAN and one to my main/home VLAN?
Or would I be better to only use one NIC and connect to the home VLAN?

I was hoping that option one would work - which would mean that I can just block the IP cam VLAN from outside access altogether, but at the same time would be able to access the cams through a "service" running on the BI PC...

Option two would require more work for me on pfSense routing, which would mean more ways for me to screw it up...
I would go for the 2 LAN option: configure two ports on the switch, one for each VLAN. On the PC, for the camera LAN assign a static IP address and leave the gateway blank; on the home LAN configure the static IP address with a gateway, as this will be used for internet access.

As long as BI remote app and web access is via the BI PC, then the cameras can be isolated on their own LAN; pfSense could sit on the home network with no need to set up VLANs....
 

Pedro Tera

n3wb
Thanks to everyone for the help!

I think I have enough information to start playing around and see what works best for me, at least as far as the networking part is concerned...
 

Springer

Young grasshopper
Thanks for all the ideas. This is great food for thought.
A home automation PC needs access to the BI system & cameras. Probably easier if all of the HA devices get moved into the VLAN.

Any ideas how I could VPN into a VLAN segment if the VPN server lives on the main network?
 

Sparkey

Pulling my weight
Great thread. Just went the 2 NIC route with the cams on their own subnet. Now I can sleep better knowing Mr. Wong can't access them and they can't access my LAN.
 

Aengus4h

Getting the hang of it
Location
UK
Thanks for all the ideas. This is great food for thought.
A home automation PC needs access to the BI system & cameras. Probably easier if all of the HA devices get moved into the VLAN.

Any ideas how I could VPN into a VLAN segment if the VPN server lives on the main network?
Basically you set up a route from the main VLAN to the camera one; when you connect via VPN onto the main VLAN you can then access the camera VLAN just the same as if you were sat at home on your PC. So you would need the camera VLAN to be presented to your router; just have a rule any-any-deny from the camera VLAN out to anywhere and that'll keep it isolated and you should be good...
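The rule set Aengus4h describes (camera VLAN denied everywhere except NTP from the NVR, user VLAN allowed into the camera VLAN) and Mr_D's earlier point that the BI PC's allow rule has to sit above the deny both come down to first-match rule ordering. The following is an added Python model of that policy, not code from any poster or from pfSense; the subnets, host addresses and rule order are assumptions made for the example, and it evaluates the flows the thread talks about.

```python
import ipaddress

# Constructed addressing for the example (not from the thread):
CCTV_VLAN = ipaddress.ip_network("192.168.10.0/24")  # cameras and the BI/NVR PC
USER_VLAN = ipaddress.ip_network("192.168.1.0/24")   # desktops; VPN clients land here
BI_PC = ipaddress.ip_network("192.168.10.2/32")      # assumed BI/NVR address
ANY = ipaddress.ip_network("0.0.0.0/0")

# Rule tuple: (src, dst, proto, dport, action); proto/dport None means any.
# Rules are evaluated top to bottom and the first match wins, as on pfSense.
RULES = [
    (BI_PC, ANY, "udp", 123, "allow"),           # NTP for the NVR/BI PC only
    (CCTV_VLAN, ANY, None, None, "deny"),        # cameras reach nothing else
    (USER_VLAN, CCTV_VLAN, None, None, "allow"), # monitoring/config from user LAN
]

def evaluate(rules, src, dst, proto, dport):
    """Return 'allow' or 'deny' for one flow; unmatched flows are denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rsrc, rdst, rproto, rport, action in rules:
        if s in rsrc and d in rdst \
                and rproto in (None, proto) and rport in (None, dport):
            return action
    return "deny"  # implicit default deny between segments

def check_policy(rules):
    """Verdicts for the traffic classes discussed in the thread (constructed hosts)."""
    return {
        # a camera trying to phone home to an internet address
        "camera_phone_home": evaluate(rules, "192.168.10.50", "203.0.113.10", "tcp", 443),
        # a camera probing a desktop on the user LAN
        "camera_to_desktop": evaluate(rules, "192.168.10.50", "192.168.1.20", "tcp", 445),
        # a desktop (or VPN client) opening a camera's RTSP stream
        "desktop_to_camera": evaluate(rules, "192.168.1.20", "192.168.10.50", "tcp", 554),
        # the BI PC syncing time, and the BI PC trying a web download
        "bi_ntp": evaluate(rules, "192.168.10.2", "203.0.113.10", "udp", 123),
        "bi_web_outbound": evaluate(rules, "192.168.10.2", "203.0.113.10", "tcp", 443),
    }

# Mr_D's point: to let the BI PC out, its allow rule must sit ABOVE the deny.
BI_OUTBOUND_OK = [(BI_PC, ANY, None, None, "allow")] + RULES
# The same rule placed BELOW the VLAN-wide deny never matches.
BI_OUTBOUND_WRONG = RULES + [(BI_PC, ANY, None, None, "allow")]
```

Run `check_policy` against each list to see that the camera-to-internet and camera-to-desktop flows stay denied in every ordering, while the BI PC's outbound access depends entirely on where its allow rule sits.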
 