Networking best practices?

ThorMan

n3wb
Going to a new place, going to install 9 new dahua cameras. Going to build a dedicated 4u PC for blueiris and going to get Ubiquiti EdgeSwitch as the POE switch (not only for cameras but entire house).

What are the best practices as far as networking goes? Keep the cameras on a subnet? Is it worth getting 2 NICs on the blueiris machine?
 

DWW0311

Young grasshopper
I typically sandbox the cameras and server within their own VLAN, which is a switching concept. You shouldn't need a second NIC for that.
 

bennuss

Getting the hang of it
Can you explain your sandbox setup? Does your NIC recognize VLANs? And if so, how do you get out to the internet?
 

DLONG2

Known around here
What is a good router to use for VLANs for someone like me with only a basic understanding of networking? I read that Ubiquiti VPN routers offer only 16Mbps throughput on VPNs, and I saw another brand with maybe 20 Mbps. Are these speeds acceptable for use with IP cameras if I were planning on having 5 or 6 cameras? If there were a tutorial on how to set up a secure LAN specifically for IP cameras, it would be great.
 

DWW0311

Young grasshopper
> Can you explain your sandbox setup? Does your NIC recognize VLANs? And if so, how do you get out to the internet?
Sandboxing is a product of routing / firewall rules. They define, or in this case limit, what traffic is allowed to pass where and which hosts / group of hosts (VLAN) are allowed to talk to other VLANs.

NICs are dumb. VLANs are normally implemented on managed switches. If you propose to route between them, you'll need to implement the VLANs on a router in order to impose the flow controls. It's not entirely the easiest thing in the world to implement if you don't have a background in / understand managed networks.
 

NoloC

Getting comfortable
> Going to a new place, going to install 9 new dahua cameras. Going to build a dedicated 4u PC for blueiris and going to get Ubiquiti EdgeSwitch as the POE switch (not only for cameras but entire house).
>
> What are the best practices as far as networking goes? Keep the cameras on a subnet? Is it worth getting 2 NICs on the blueiris machine?
I think most folks would agree the goal would be to keep the cams isolated from the internet directly due to security concerns. Depending on your level of expertise there are a few ways to accomplish this. The two-NIC way with two physically separate networks seems fine and pretty simple to set up. NICs are pretty cheap. I can't see a downside but maybe someone more knowledgeable will chime in.

You could also restrict the cameras with firewall rules or create VLANs. I was able to do the VLAN approach with this little managed switch https://www.amazon.com/TP-Link-8-Port-Ethernet-Desktop-TL-SF1008P/dp/B01BW0AD1W/ref=sr_1_3?tag=ipctk-20&ie=UTF8&qid=1485549183&sr=8-3&keywords=4+port+poe+switch&th=1 . I'm sure there are better out there but this little guy wasn't too bad to configure. So the cams see the BI machine but not the router, and the BI machine sees the cams and the router. My router is an Asus AC68U so nothing fancy, and I have very little "networking" experience. So I ran around with a laptop pinging to confirm the segments actually existed and restricted access for the cams.

Anyway, it's nice not to worry about the cams being exposed. I also use the OpenVPN server in the Asus for remote access to BI. Asus makes that really easy to set up.
 

DLONG2

Known around here
> ... You could also restrict the cameras with firewall rules or create VLANs. I was able to do the VLAN approach with this little managed switch https://www.amazon.com/TP-Link-8-Port-Ethernet-Desktop-TL-SF1008P/dp/B01BW0AD1W/ref=sr_1_3?tag=ipctk-20&ie=UTF8&qid=1485549183&sr=8-3&keywords=4+port+poe+switch&th=1 . I'm sure there are better out there but this little guy wasn't too bad to configure. So the cams see the BI machine but not the router, and the BI machine sees the cams and the router. My router is an Asus AC68U so nothing fancy, and I have very little "networking" experience. So I ran around with a laptop pinging to confirm the segments actually existed and restricted access for the cams.
>
> Anyway, it's nice not to worry about the cams being exposed. I also use the OpenVPN server in the Asus for remote access to BI. Asus makes that really easy to set up.
Hi Nolo. So a managed switch provides the VLAN where the cameras reside, and the VPN is used for remote access to the home network? Member 'looney2ns' also highly recommended the ASUS router in his recent post. Thanks!
 

NoloC

Getting comfortable
Yes.

In this switch there are a couple of options as to VLANs. 802.1Q is the option I used.
 

bennuss

Getting the hang of it
> Sandboxing is a product of routing / firewall rules. They define, or in this case limit, what traffic is allowed to pass where and which hosts / group of hosts (VLAN) are allowed to talk to other VLANs.
>
> NICs are dumb. VLANs are normally implemented on managed switches. If you propose to route between them, you'll need to implement the VLANs on a router in order to impose the flow controls. It's not entirely the easiest thing in the world to implement if you don't have a background in / understand managed networks.
I understand that, but I'm still not understanding why sandboxing is better than a separate NIC. You restricted the camera VLAN, I assume, from access to the routing gateway, but you still have all the traffic passing through the same NIC, unless you only have a few cameras. VLANs are just a way of splitting a physical switch logically, but the BI server would still need access to both VLANs. Can you draw up your logical layout?
 

DWW0311

Young grasshopper
> I understand that, but I'm still not understanding why sandboxing is better than a separate NIC. You restricted the camera VLAN, I assume, from access to the routing gateway, but you still have all the traffic passing through the same NIC, unless you only have a few cameras. VLANs are just a way of splitting a physical switch logically, but the BI server would still need access to both VLANs. Can you draw up your logical layout?
Sandboxing by definition will require more than one NIC. His question was whether or not he needed a second NIC on his Blueiris machine, and the answer to that is no. Normal implementation with respect to this scenario:

Cameras and server are all within the same VLAN on a separate switch. That switch is connected to one port on a router. Your other clients are connected to other switches (maybe all in the same second vlan, maybe as in my case into many vlans), which are connected to other ports on the router. The router has rules defined on it which specify what traffic is (or in the case of a sandbox - is not) permitted to travel between individual vlans.

Depending on the switch (I'm a Cisco guy, so that's what I know), you can also implement access lists to control traffic between vlans which are collocated on the same switch and thereby achieve the same sandbox within the confines of the switch itself, but in a simple home network setup like what you're discussing, it wouldn't be worth the effort.
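As an added example (not from this thread or any poster), the router policy described above, modelled as a first-match ACL in Python with a reachability table that can be checked before relying on a walk-around-and-ping test; the VLAN numbers, subnets, addresses and the port 81 web UI are assumptions.

```python
import ipaddress
from typing import NamedTuple

# Constructed topology for the layout described above: cameras and the Blue
# Iris server share VLAN 20, other clients sit in VLAN 10, and the router is the
# only path between them. Addresses and ports are assumptions, not the thread's.
CAM_VLAN = ipaddress.ip_network("192.168.20.0/24")
LAN_VLAN = ipaddress.ip_network("192.168.10.0/24")
BI_HOST = ipaddress.ip_network("192.168.20.10/32")   # Blue Iris server
ANY = ipaddress.ip_network("0.0.0.0/0")

class Rule(NamedTuple):
    action: str                  # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp" or "any"
    dport: int                   # 0 means any destination port

# Router policy, evaluated first-match from the top; anything unmatched is denied.
POLICY = [
    Rule("allow", LAN_VLAN, BI_HOST, "tcp", 81),   # clients reach only the BI web UI
    Rule("deny", CAM_VLAN, ANY, "any", 0),         # sandbox: cameras leave the VLAN for nothing
    Rule("deny", LAN_VLAN, CAM_VLAN, "any", 0),    # clients never reach a camera directly
    Rule("allow", LAN_VLAN, ANY, "any", 0),        # clients may use the internet
]

def permitted(src: str, dst: str, proto: str = "tcp", dport: int = 0) -> bool:
    """True if the first matching rule allows the flow; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in POLICY:
        if s in r.src and d in r.dst and r.proto in ("any", proto) and r.dport in (0, dport):
            return r.action == "allow"
    return False

# The reachability you would otherwise confirm by walking around with a laptop:
# (src, dst, proto, dport) -> should the router pass it?
EXPECTED = {
    ("192.168.10.5", "192.168.20.10", "tcp", 81): True,     # laptop -> BI web UI
    ("192.168.10.5", "192.168.20.108", "tcp", 80): False,   # laptop -> camera web UI
    ("192.168.20.108", "203.0.113.9", "udp", 123): False,   # camera -> internet NTP
    ("192.168.20.108", "192.168.10.5", "tcp", 445): False,  # camera -> LAN client
    ("192.168.10.5", "203.0.113.9", "tcp", 443): True,      # laptop -> internet
}

def audit() -> list:
    """Return the flows whose policy result differs from EXPECTED (empty means ok)."""
    return [flow for flow, want in EXPECTED.items() if permitted(*flow) != want]
```

Flows that stay inside VLAN 20 (camera to Blue Iris RTSP, or NTP from a time service on the server) never cross the router and so are not subject to this policy. Replies to client connections on port 81 depend on the router tracking connection state, which this simple model leaves out.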
 


bennuss

Getting the hang of it
Your setup is a basic one. I am also a Cisco guy but not an expert. I misunderstood. I thought you wanted to segregate the web server of Blue Iris from the cameras, which is what I do besides segregating the cameras and server from the rest of the network.
 

DWW0311

Young grasshopper
> Your setup is a basic one. I am also a Cisco guy but not an expert. I misunderstood. I thought you wanted to segregate the web server of Blue Iris from the cameras, which is what I do besides segregating the cameras and server from the rest of the network.
That's not my setup. You asked for a basic drawing. Mine comprises 17 different vlans located on 5 different switches and a 5520 wireless fabric routing through a 2901 via fiber uplinks / outpath through a Sophos UTM. I wasn't about to draw all of that out.

Asking honestly - what is the perceived benefit of segregating the webport?
 

rnatalli

Getting the hang of it
> What is a good router to use for VLANs for someone like me with only a basic understanding of networking?
You have the entry-level ones which sell for like $25-$50; I would avoid these like the plague especially if you're looking to do VPN. The higher-end consumer routers like Netgear Nighthawk or ASUS equipped with dual-core ARM chips are better; their hardware is still limited, but they're easier to use and for most home networks, will do fine. With some tweaking, you can get some of these up to 30-40Mbps using OpenVPN. Then you reach stronger performing units running pfSense, Untangle, Sophos, IPFire, etc. These have better performance when running on a modest x86 box and offer a lot more options and features than their consumer router cousins.
 

masontech

n3wb
> Sandboxing by definition will require more than one NIC. His question was whether or not he needed a second NIC on his Blueiris machine, and the answer to that is no. Normal implementation with respect to this scenario:
>
> Cameras and server are all within the same VLAN on a separate switch. That switch is connected to one port on a router. Your other clients are connected to other switches (maybe all in the same second vlan, maybe as in my case into many vlans), which are connected to other ports on the router. The router has rules defined on it which specify what traffic is (or in the case of a sandbox - is not) permitted to travel between individual vlans.
>
> Depending on the switch (I'm a Cisco guy, so that's what I know), you can also implement access lists to control traffic between vlans which are collocated on the same switch and thereby achieve the same sandbox within the confines of the switch itself, but in a simple home network setup like what you're discussing, it wouldn't be worth the effort.
What brand of router are you using for this setup?
 

Sparkey

Pulling my weight
I'm using the 2-NIC approach. All the cams are on a separate subnet not connected to the Internet. Easy to set up, and since the motherboard Blue Iris is running on has 2 onboard NICs there was no additional expense.
 
Location: Colorado
I'm using the dual-NIC approach because I don't have a managed switch, and it was stupid simple. It guarantees the cameras are segregated from everything else (and the internet). Technically, properly configured VLANs also segregate the cameras and limit internet access, but that requires a managed switch capable of VLANs and also requires proper configuration. Proper configuration is more difficult if you don't know what you are doing, and the effects of misconfiguration are significantly more risk of exposure and cameras "calling home". I'm not arguing both aren't viable, just one is a whole lot easier for a novice.

So what are the negative aspects of using a dual-NIC configuration? The ones I've personally experienced are:
  • You cannot configure the cameras without first using a remote-desktop app to connect to the Blue Iris machine, because ONLY the BI machine can actually reach the camera network.
  • You need to run a time service on the Blue Iris machine, since the cameras will never be able to connect to any other time service
  • Single points of failure are increased (Blue Iris machine or EITHER NIC fails, and the whole system appears to "go down"); some of this can be addressed with NIC teaming, but in a dual-NIC configuration this becomes prohibitive (teaming both networks results in 4 single-port cards, not two).
  • Cameras are unable to send email alerts directly, so this is essentially unusable. You could (in theory) run an SMTP mail service on the BI machine, or do some type of forwarding (I haven't investigated this).
  • Your hardware must support adding another NIC or have two ethernet ports on the mainboard (i.e. very small form factors with limited PCIE slots will face challenges here)
  • increases cost by at least $15 for a new NIC
  • you can probably reduce the number of switches you need to buy, but they will need to support VLANs (i.e. might be more expensive, but also might be higher quality switches).

Some positives of dual-NIC config:
  • Since I mostly have Dahua cameras, which typically default to 192.168.1.108 brand new, it was super easy just to make the network BEHIND the BI machine the 192.168.1.x network. This was easy because my primary network is not 192.168.1.x (some novice users may have this as their primary network configured by their provider or router out of the box, and it would have to be changed first).
  • This approach works with the dumbest, cheapest switches you can buy
  • this approach moves your POE switches primarily to the camera network
  • Network Cards are cheap
  • The networking configuration works or doesn't work (pretty clearly one or the other), but there are no risks associated with misconfiguration (i.e. even a novice cannot inadvertently expose cameras to the internet or permit them to reach unknown destinations)
  • the "uplink" (connecting BI to primary network) network card doesn't even have to be all that great; I used a USB 10/100 dongle on an old laptop for 2 years and it worked fine. The main bandwidth requirement is between the cameras and the BI computer. This keeps ALL that traffic off the primary network (minor benefit, as switches can handle massive amounts of switching traffic)
  • inbound network connections to Blue Iris machine can be firewalled, because you only need web access to Blue Iris (port 81 for me) and RDP/VNC/Chrome Remote everything else can be blocked by default.
  • any transients present on long camera runs are less likely to take out your main network.
 