Remote access to BI while isolating from home network

Original post (member from Perth):
The idea is to be able to access the cameras remotely on my iPhone (via the BI app) while also isolating all cameras and BI server away from my home network. In the event of a worst case scenario, I want to ensure that if the BI server gets compromised, at least everything else on my home network won't be under threat.

Just wanted to check whether the below setup will work before I purchase the hardware required.
  • Set up a BI server with dual NIC (NIC-A will have Internet access and NIC-B will not)
  • Connect cameras to an unmanaged TP-link POE switch which then connects to NIC-B
  • Assign static IP to all cameras with random gateway ranges
  • Connect NIC-A to a VLAN port on the router (Dream Machine)

Questions:
  1. Should I opt for a managed switch to connect the cameras and create an additional VLAN?
  2. Should I add any necessary firewall rules on the router?
  3. Rather than connecting NIC-A directly to the router, should I connect to the home switch (in a separate VLAN) which then connects to the router? Would this bottleneck the network?
 
Reply (member from Reno, NV):
Your cameras are safe as they are on NIC-B, since they will be on a different subnet. To make things clear with an example: the main personal subnet would be 192.168.0.x while the NIC-B camera subnet would be 192.168.5.x.
Unmanaged POE switch after NIC-B is fine, I did the same.
Yes, assign static IPs to all cameras with a random gateway in the camera GUI itself, but do leave 192.168.x.108 unused as that is the default IP for cams (at least for Dahua).
No need for managed switch after NIC-B.
The only additional firewall settings on your UDM are rules to allow UI3 to talk between your main PC and the Blue Iris PC, and the same for Remote Desktop or whatever you use for remote desktop access.
It is OK to connect NIC-A to either your router or your home switch. Depending on the switch in question and its CPU/processing power (I have a Ubiquiti 48-port managed switch, so I gots the POWER!), you should have no problems. Try it out. If it doesn't work, plug directly into the router.
If you figure out how to use Ubiquiti's RADIUS VPN server, that would be great, as I'm stuck with it :)
 

Reply (bp2008, staff member, USA):
1) No, your plan to connect NIC-A to a specific VLAN on the router should be fine.
2) Yes
3) Only if you wanted more devices on that VLAN which would otherwise consist of only your router and the BI machine.

> do leave 192.168.x.108 unused as that is the default IP for cams (at least for Dahua).
The third byte isn't random or anything. It is always 192.168.1.108 for Dahua.
 
Reply (member from Reno, NV):
> The third byte isn't random or anything. It is always 192.168.1.108 for Dahua.
Got a little too happy with my x's.
 

Reply (mikeynags, CT):
> In the event of a worst case scenario, I want to ensure that if the BI server gets compromised, at least everything else on my home network won't be under threat.
If your BI server gets compromised, your entire network(s) will be as well, seeing as the BI server will live on both your networks. The separation of the cameras is mainly to keep them from phoning home and the other kinds of things cameras do. Keep everything behind the VPN, block the cams from the Internet, and you will cut the risk down dramatically.
 

Reply (reflection, Virginia):
3) Yes, if you want to apply firewall rules only to your BI machine and not to the rest of your home subnet. This gives you some flexibility to lock down your BI a little more. For example, you might have a rule that only allows RDP to and from your home subnet. So if your BI server does get compromised, it won't have free access to your home subnet. To do this, your managed switch would have to support per-VLAN ACLs, or you route everything through your router, which does the inter-VLAN routing and firewalling (or you can do what I do and virtualize BI, which gives you even more flexibility).
 
Reply (original poster, Perth):
> If your BI server gets compromised, your entire network(s) will be as well seeing as though the BI server will live on both your networks.
Would this also be the case even if I create a VLAN for one of the ports on the router and exclusively connect the BI Server to it?

I will be accessing the BI Server either physically on the PC itself or through TeamViewer.
 

Reply (reflection, Virginia):
> Would this also be the case even if I create a VLAN for one of the ports on the router and exclusively connect the BI Server to it?
>
> I will be accessing the BI Server either physically on the PC itself or through TeamViewer.
Yes, you would have more security. You still need to apply firewall rules for your BI subnet. This gives you some flexibility to lock down your BI a little more. For example, you might have a rule that only allows TeamViewer ports to and from your home subnet. So if your BI server does get compromised, it won't have free access to your home subnet. To do this, your managed switch would have to support per-VLAN ACLs, or you route everything through your router, which does the inter-VLAN routing and firewalling (or you can do what I do and virtualize BI, which gives you even more flexibility).
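As an added example (not code from any poster in this thread), the Python script below models the design discussed in the two replies above and in the earlier remark about UI3/RDP rules: cameras on NIC-B with no gateway, the BI box dual-homed, and the Dream Machine enforcing first-match rules between the home VLAN and a dedicated BI VLAN. The 192.168.0.x home subnet and 192.168.5.x camera subnet are the ones used in the thread; the BI VLAN 192.168.10.0/24, the host addresses, UI3 on TCP 81 (Blue Iris's default web-server port) and RDP on TCP 3389 are assumptions for illustration. It models connection initiation only; the UDM firewall is stateful, so replies to an allowed home-to-BI connection return without a separate rule.

```python
"""Model of host routing plus router ACLs for a dual-homed Blue Iris box.

Addresses, ports and the BI VLAN range are assumptions, not from the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

HOME = ipaddress.ip_network("192.168.0.0/24")      # main LAN (from the thread)
CAMS = ipaddress.ip_network("192.168.5.0/24")      # NIC-B camera subnet (from the thread)
BI_VLAN = ipaddress.ip_network("192.168.10.0/24")  # ASSUMED range for the NIC-A VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Host:
    name: str
    addrs: List[ipaddress.IPv4Address]
    onlink: List[ipaddress.IPv4Network]            # reachable without a router
    default_via: Optional[ipaddress.IPv4Network]   # network carrying the default route; None = no gateway


# Constructed hosts: a camera with no gateway, the dual-homed BI box, a home PC.
HOSTS = {
    "cam1": Host("cam1", [ipaddress.ip_address("192.168.5.20")], [CAMS], None),
    "bi": Host("bi",
               [ipaddress.ip_address("192.168.10.2"), ipaddress.ip_address("192.168.5.2")],
               [BI_VLAN, CAMS], BI_VLAN),
    "home-pc": Host("home-pc", [ipaddress.ip_address("192.168.0.50")], [HOME], HOME),
}


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, src_ip, dst_ip, proto, dport) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


# First-match inter-VLAN policy, as one would enter it on the UDM. Order matters:
# the BI->home deny must sit above the BI->anywhere allow that gives BI Internet access.
RULES = [
    Rule("allow", HOME, BI_VLAN, "tcp", 81),     # UI3 / BI web server (port assumed)
    Rule("allow", HOME, BI_VLAN, "tcp", 3389),   # RDP from the home PC to the BI box
    Rule("deny", BI_VLAN, HOME),                 # a compromised BI box may not initiate into the LAN
    Rule("allow", BI_VLAN, ANY),                 # BI needs Internet (push notifications, VPN clients)
]


def evaluate(src_name: str, dst: str, proto: str = "tcp",
             dport: Optional[int] = None, rules: List[Rule] = RULES) -> str:
    """Return on-link / no-route / unroutable / allow / deny for a new connection."""
    host = HOSTS[src_name]
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in net for net in host.onlink):
        return "on-link"          # switched traffic; the router never sees it
    if host.default_via is None:
        return "no-route"         # cameras with no gateway cannot leave their subnet
    if dst_ip in CAMS:
        return "unroutable"       # the router has no interface on the camera subnet
    src_ip = next(a for a in host.addrs if a in host.default_via)
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action
    return "deny"                 # implicit default deny between VLANs


if __name__ == "__main__":
    flows = [
        ("cam1", "8.8.8.8", "tcp", 443), ("cam1", "192.168.5.2", "tcp", 80),
        ("bi", "192.168.5.20", "tcp", 554), ("home-pc", "192.168.10.2", "tcp", 81),
        ("home-pc", "192.168.10.2", "tcp", 445), ("bi", "192.168.0.50", "tcp", 445),
        ("bi", "203.0.113.9", "tcp", 443), ("home-pc", "192.168.5.20", "tcp", 80),
    ]
    for f in flows:
        print(f"{f[0]:8} -> {f[1]:15} {f[2]}/{f[3]:<5} {evaluate(*f)}")
    # The same two rules in the wrong order let the BI box reach the home LAN.
    print("misordered:", evaluate("bi", "192.168.0.50", "tcp", 445, rules=[RULES[3], RULES[2]]))
```

The misordered call at the end is the check worth keeping: with the BI-to-anywhere allow above the BI-to-home deny, the model returns "allow" for SMB from the BI box into the home LAN, which is exactly the hole the per-VLAN rules are meant to close.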
 