Network Advice?

XrayDoc88

Getting the hang of it
Joined
Dec 15, 2017
Messages
125
Reaction score
30
Location
United States
I'm not sure if this is the correct forum for my questions, but I didn't find another section that seemed to cover networking. I want to add 5-6 IP cameras and a computer running Blue Iris to my wired home GB network. My network currently has several computers, satellite receivers, AV receivers, 2 Xboxes, a NAS, 3 smart TVs, 3 wireless access points, etc., etc. I want to be able to access Blue Iris (or possibly the cameras directly) from outside my home. I've read several posts that say DO NOT USE PORT FORWARDING. Instead, set up a VPN. I've never used a VPN, but I'm willing to learn. I've already seen the excellent VPN for newbies post on this site. But I'd also appreciate some suggestions for the best physical layout of adding this new surveillance hardware.

1. Should I just connect the new cameras and BI computer to my existing POE+ switch?
2. Should I use a separate POE+ switch for the surveillance hardware?
3. If the cameras are recording all the time, how do you avoid ruining the bandwidth on your network?
4. Should the surveillance hardware have a different subnet or VLAN tag?

I don't know if it is important, but my router is currently a computer running pfSense. I've only enabled one WAN and one LAN port on the machine, but actually have additional NIC ports that could be activated if that helps.

I clearly could use some advice from the experts that frequent these forums. Thanks!
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
For a small network such as yours I'd just use the existing hardware you have and not go to the complexity of extra switches or vlans. You could always make changes later.

I also use a pfsense box and OpenVPN is relatively easy to set up.

Regarding ruining your bandwidth (Q3): there's nothing to worry about. The cameras pass traffic to the recorder on their own switch ports at a local level (layer 2) and that does not impact WAN bandwidth.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
4,338
Reaction score
3,519
With a Blue Iris PC the easiest way to segregate your network is to put two NICs in the PC. Connect a PoE switch and cameras to one and the rest of your network to the other, and put the two NICs in different subnets.
 

XrayDoc88

> With a Blue Iris PC the easiest way to segregate your network is to put two NICs in the PC. Connect a PoE switch and cameras to one and the rest of your network to the other, and put the two NICs in different subnets.

With this kind of setup, does the separate subnet for the surveillance gear add a level of security to your home network? Is there a way that your VPN can connect directly to the surveillance subnet without also gaining access to your home network, which is actually upstream of the surveillance network? I'm not sure I really understand the rationale for configuring the hardware like this. Thanks!
 

SkyLake

Getting comfortable
Joined
Jul 30, 2016
Messages
358
Reaction score
301
The only problem that can occur with putting two NICs in a PC, and setting them up with different IPs / subnets, is when you actually get a virus or malware on that same PC. Advanced malware / viruses just scan your network stack, and can connect to either, both, or to whichever it wants to connect. When a hacker could make it through to that same PC, he could just walk to the different subnets.

VLANs would be the better choice, but with VLANs you could also be hacked when using cheap hardware. VLAN hopping -> "VLAN hopping" (Wikipedia)

There are so many ways to make a system secure, or insecure :D
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
XrayDoc88... the cameras cannot get to the internet. The cameras cannot get to any computer but the BI computer. The cameras cannot get to your other network devices. The VPN can access the BI computer.
 

XrayDoc88

> XrayDoc88... the cameras cannot get to the internet. The cameras cannot get to any computer but the BI computer. The cameras cannot get to your other network devices. The VPN can access the BI computer.

Ok, I think I understand now. When I set up the VPN do I actually make it specific to the BI computer or will I just make it specific to my pfSense router?
 

XrayDoc88

> The only problem that can occur with putting two NICs in a PC, and setting them up with different IPs / subnets, is when you actually get a virus or malware on that same PC. Advanced malware / viruses just scan your network stack, and can connect to either, both, or to whichever it wants to connect. When a hacker could make it through to that same PC, he could just walk to the different subnets.
>
> VLANs would be the better choice, but with VLANs you could also be hacked when using cheap hardware. VLAN hopping -> "VLAN hopping" (Wikipedia)
>
> There are so many ways to make a system secure, or insecure :D

SkyLake, well that was a depressing post, despite your smiling emoji. :( How would you suggest attempting to secure your home and surveillance network? What do you think is the best setup?
 

cutterman

Getting the hang of it
Joined
Jan 25, 2017
Messages
100
Reaction score
15
Add another subnet to your pfsense router and put the POE switch, BI box, and all the cameras on that. Block access from that subnet to your main network and set up the VPN on the surveillance subnet to connect to the BI machine.
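
The policy in cutterman's post above and in SouthernYankee's earlier summary (cameras reach nothing but the BI computer; the VPN reaches the BI computer), written out as an added example that is not part of the original thread: a small model of per-interface, first-match firewall rules as pfSense evaluates them, with the intended flows checked against it. The subnets, host addresses, rule list and the Blue Iris web port 81 are assumptions chosen for illustration.

```python
import ipaddress as ip
# Constructed addressing for illustration; none of it comes from the thread.
NETS = {
    "LAN": ip.ip_network("192.168.1.0/24"),   # home network
    "CAM": ip.ip_network("192.168.50.0/24"),  # PoE switch, cameras, BI box
    "VPN": ip.ip_network("10.8.0.0/24"),      # OpenVPN tunnel clients
}
BI = ip.ip_network("192.168.50.10/32")        # Blue Iris PC (assumed address)
ANY = ip.ip_network("0.0.0.0/0")
UI_PORT = 81                                  # assumed Blue Iris web UI port

# Rules apply to connections *entering* the router on that interface,
# top-down, first match wins, no match means block. Replies to a passed
# connection are allowed by state, so only the initiator matters here.
RULES = {
    "CAM": [],                                # nothing may leave the camera subnet
    "VPN": [("pass", BI, UI_PORT)],           # remote users reach only the BI UI
    "LAN": [("pass", BI, UI_PORT),            # home PCs may open the BI UI
            ("block", NETS["CAM"], None),     # but not the cameras themselves
            ("pass", ANY, None)],             # normal LAN/internet access
}

def decide(src, dst, port):
    """Return 'pass', 'block', or 'local' (same subnet, never reaches the router)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    iface = next((n for n, net in NETS.items() if src in net), None)
    if iface is None:
        return "block"                        # unknown source network
    if dst in NETS[iface]:
        return "local"                        # switched at layer 2, e.g. camera <-> BI
    for action, net, rule_port in RULES[iface]:
        if dst in net and rule_port in (None, port):
            return action
    return "block"                            # implicit default deny

# (source, destination, port, expected) for the policy stated in the posts.
EXPECTED = [
    ("192.168.50.21", "8.8.8.8", 443, "block"),        # camera -> internet
    ("192.168.50.21", "192.168.1.20", 445, "block"),   # camera -> home NAS
    ("192.168.50.10", "192.168.50.21", 554, "local"),  # BI pulls camera stream
    ("10.8.0.2", "192.168.50.10", 81, "pass"),         # VPN -> BI UI
    ("10.8.0.2", "192.168.50.21", 80, "block"),        # VPN -> camera directly
    ("10.8.0.2", "192.168.1.20", 445, "block"),        # VPN -> home network
    ("192.168.1.30", "192.168.50.21", 80, "block"),    # LAN PC -> camera
    ("192.168.1.30", "192.168.50.10", 81, "pass"),     # LAN PC -> BI UI
]

def audit():  # flows whose decision differs from the intended policy
    return [f for f in EXPECTED if decide(*f[:3]) != f[3]]
```

`audit()` returns an empty list when the rule order matches the intent; moving the LAN `block` rule below the final `pass` makes the LAN-to-camera flow show up as a mismatch.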
 

Valiant

> Ok, I think I understand now. When I set up the VPN do I actually make it specific to the BI computer or will I just make it specific to my pfSense router?

You'll use VPN to access your entire network via the pfSense box, so if it's important to access other devices in addition to the CCTV network then it may be beneficial to leave all devices on the same flat network. VLANs are good to separate networks that belong to different people, departments, etc. Since they are both yours there is marginal benefit.

I don't use BI and I'm not sure if you use a separate PC to access the recorder via a client or view live video directly on the BI box itself, but if your viewing PC is on your home network in a separate VLAN to the BI box, then you'll probably need a second NIC in that to belong and connect to the CCTV network (this is an alternative to having a dual NIC in the BI box).
 

SouthernYankee

I have never picked up a virus on my BI computer. The only thing on the BI computer is BI. I do not even use a browser on the BI computer. I do have IE and Chrome loaded, but do not use them. I update Windows manually. I update BI manually. I do not use automatic updates.

The VPN allows secure access to your network. I connect to the VPN then open UI3 on the BI machine. I can also remote to my other computers.
 