@Lemonade I am not familiar with the Panasonic cams so I don't know how much of it is configurable or if there are different accounts of, say, user vs admin; perhaps a different username and password would allow you to change various settings. You can search the exact model of Panasonic cam and see what the deal is, but having a default username and password isn't a huge risk if the cam is behind the firewall (Linksys EA4500), which it is. If you want to play it safe you can configure a firewall rule in your Linksys EA4500 that basically says "Block outbound traffic from <ip address of camera>" which would prevent the camera from making outbound connections to the open internet. Using the direct web interface to the Panasonic cam might need different credentials to make the PTZ functions work, might need a different web browser such as Chrome or Internet Explorer or Edge etc., or the PTZ functionality might not be functioning on that camera any more. I'll touch on your security concerns later in this post.
Blue Iris does have a great many options, a great many of which you probably won't care about. There are excellent wiki articles and videos on YouTube and this site's Blue Iris forum, all of which can give you volumes of information about BI.
You will not want to run the laptop 24/7 as laptops have fairly poor heat venting due to their compact size and are manufactured with the assumption that they will not be running 24/7. If you run that laptop constantly it will burn out much, much more quickly. You can find many cheap used desktops that have minimal power consumption for sale on eBay or similar sites that will do a far superior job and will last a long time running 24/7. Honestly I wouldn't worry too much about the power consumption for a small desktop; it is the equivalent of running an old incandescent light bulb 24/7, not free but not expensive.
While you can configure some outside or 3rd party program to do the daily backup/transfer, Blue Iris has the functionality built in. I'll attach a couple of screenshots of my BI config at the end of the post. My BI setup uses two folders, <new> & <stored>. New is where real time footage is recorded from the camera by BI. I have a 256GB SSD in that machine and after the OS and BI install it has around 200GB free, so I chose to allocate 140GB to the <new> folder. The <new> folder exists as a default sub folder of the default Blue Iris install at C:\Blue Iris\New\. I chose 140GB instead of 200GB to allow some breathing room and a little buffer; in case the NAS can't be reached I didn't want the BI machine to instantly be full and thus instantly have issues. I figured that 60GB breathing room would buy me some time to be made aware of the issue and take steps to fix it before BI stopped being able to record footage. The second folder is <stored>, which is also a default folder of the BI default install and is similarly located at C:\Blue Iris\Stored\, but since this folder exists on the same drive as <new> it doesn't really help me. So I changed where the <stored> folder points to.
As you can see in my screenshot the <new> folder config is located at C:\blue iris\new\ and limits the size to 140GB then moves to folder <stored>. With only 1 camera recording 24/7 that 140GB buys me just under 3 days' worth of footage. The other screenshot shows the config of the <stored> folder which is located at \\cameras\archive and limits the size to 15,750GB (or 15.7 TB) then deletes any footage beyond that. With only 1 camera recording 24/7 that 15,750GB buys me about 300 days' worth of footage. I am planning on adding a great many more cameras, around 14-ish ultimately, at which point that crazy big NAS will hold about 21 days of footage for all cameras. The address \\cameras is the name of my QNAP NAS and the \archive\ is the shared folder I made for my footage; I could have just as easily called the QNAP \\banana and the shared folder \happy\.
Your current router does not have built in VPN capabilities, you are correct. However you "might" be able to load a 3rd party firmware on that router such as openwrt.org which could then load OpenVPN and grant you VPN functionality without changing your router hardware. If your EA4500 is a v1 or v2 you can load openwrt.org on to it, if however it is v3 you cannot. Or an easier solution is just wait and buy a new router in the future that does come with VPN functionality right off the bat.
When you say "...I'll just run a VLAN for guest wifi and stick with the VPN for remote access." That sounds like your only wifi network would be the VLAN guest wifi network; if that is the case then devices on your guest wifi will NOT be able to see the camera feeds. If however you were to have 2 wifi networks, a guest wifi that is a separate VLAN and a wifi network that is on the same network segment as your internal network, then you could have your wifi devices on that second wifi and they WILL have access to the camera feeds.
The BI Android app likely doesn't require a VPN but it does require some means of reaching the BI computer to see the feeds. There are 2 different methods of accomplishing remote viewing of your cameras, they are "port forwarding" and "VPN". By default your EA4500 acts as a one way valve: it allows any device on your internal private network to talk out to the open Internet without restriction, and conversely it does NOT allow ANY communications from the open Internet in to your private network. In this sense the EA4500 is much like the entry door on your home, it cannot be opened from the outside, but you are able to open it from the inside. Thus you can exit the house anytime you like to anywhere you like but a stranger can't just walk into your home.
Port forwarding is the process by which TCP and/or UDP ports on your public IP Address are forwarded thru your EA4500 in to a specific internal IP Address, thus enabling communication with that device from the outside world. This is the same way a website works: the physical server hardware that the website exists on is behind a firewall and TCP port 80 is port forwarded from the public IP Address of that site to the internal private IP Address of that physical server. TCP port 80 is where unencrypted web browsing takes place. Take for example the website http://www.vons.com which is the site of the US supermarket of the same name. The address www.vons.com resolves to the public IP Address of 45.60.12.113 which is the public side of some firewall. TCP port 80 is port forwarded from 45.60.12.113 to whatever the internal private IP Address of that physical website's server is, let's say the internal private IP Address of that server is 192.168.1.10 for discussion's sake. When I open my Google Chrome web browser and type www.vons.com and press enter here is what happens. My computer checks to see if it knows what www.vons.com resolves to; if it does it proceeds to the next step, if it doesn't it asks my DNS server what www.vons.com resolves to. The DNS system will tell me that www.vons.com equals 45.60.12.113 so my computer sends a request on TCP port 80 to 45.60.12.113 saying essentially "hey show me your website". The firewall that protects that website server receives my request and forwards that traffic on thru itself to 192.168.1.10 and the web server software responds back to me with the www.vons.com website which displays in my browser window. This whole process takes a fraction of a second.
The reason that our example of www.vons.com is using port forwarding and not a VPN is that they want their site to be publicly accessible. If it were behind a VPN I would not be able to reach their site as a member of the general public. But that port forwarding means that the entire global Internet can reach www.vons.com, which the company likely wants since someone somewhere might want to visit that website, but it also means that site can be probed or attacked from anywhere in the world. www.vons.com is relying on their web server to be able to withstand the attacks and probes that it undoubtedly receives by virtue of being on the open Internet. www.vons.com hopefully spends the appropriate amount of money annually to make sure their web server is patched and maintained, which is what IT guys are for.
A VPN is in broad strokes the same thing, it is a public IP Address that is accessible to the global Internet. The difference is easiest to explain in an analogy: the publicly accessible web server is like a Kwikset or Schlage deadbolt lock which is pretty good at withstanding attacks and being picked. A VPN is like an armored vault door with high security locks. A VPN is designed with security and protection in mind first and foremost, a web server is not.
Additionally the site www.vons.com, because it is on TCP port 80, is unencrypted, meaning any data that is sent between your computer and that site is in plain text and readable by any device along the path of communication; sounds scarier than it really is, with the exception of wifi. The site is unencrypted because the company Vons chose not to have it encrypted, had their web designers not make it encrypted, and so it is not encrypted. If they choose to they could convert it to an encrypted site and then it would be https://www.vons.com (note the extra "s" in the beginning) and would transmit traffic on TCP port 443 instead.
Having given this whole long explanation allows me to say this: you can use port forwarding to grant remote access to your Blue Iris machines and the camera feeds on it should you wish. It isn't ideal, which is why it is strongly suggested on this site and many others that you not port forward your cameras. The real risk to port forwarding is how strong the "lock" is on the device you are forwarding to, is it a cheap Kwikset or a robust fortress. Another consideration in port forwarding is which ports are forwarded; there are 65536 TCP ports and 65536 UDP ports. The first 1024 are called the "well known" ports as they have predefined roles to play, the ports from 1025 to 65536 are called the "high ports" and can be used for whatever you like without concern. If you forward common ports such as 80, 443, 25, 110, etc., which are web, encrypted web, SMTP email, POP email respectively, they are much more likely to be found, probed and perhaps attacked than say a random high port such as 49712. My BI installation uses port 81, I don't remember if that was the default or I chose it specifically.
UI3 is just an alternative layout for the web interface of the BI cameras. I will attach a couple of screenshots of the default BI web UI vs UI3. Think of it like rearranging your furniture in the living room, same basic furniture but in a layout you find more pleasing based on personal preference.
You can always add 2 way audio later when you are ready.
It isn't clear to me if you are looking at 4 or 5 cameras overall, not sure if "The side/driveway" and "one for a side door" are the same camera or not. The BI software is able to scale to as many cameras as any human could possibly want. The hardware you run it on might not; I would suggest you use the wiki article @looney2ns mentioned to spec a system suitable to 5 cameras of whatever resolution you decide. I still recommend the camera I originally suggested as it has both an excellent day and night picture for all your camera locations you mentioned.
That was lengthy. Enjoy
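The router behaviour described in the post above (outbound allowed, unsolicited inbound dropped, a port forward as the explicit exception, and an outbound block for the camera), as an added example that is not part of the original post. It is a toy Python model, not Linksys firmware; the IP addresses are constructed sample values, while ports 81 and 49712 are the ones the post mentions.

```python
from dataclasses import dataclass, field

@dataclass
class HomeRouter:
    """Toy model of a consumer NAT router's default policy (hypothetical class)."""
    wan_ip: str
    forwards: dict = field(default_factory=dict)         # wan_port -> (lan_ip, lan_port)
    blocked_lan_hosts: set = field(default_factory=set)  # LAN IPs denied outbound
    _nat: dict = field(default_factory=dict)             # wan_port -> (lan_ip, lan_port, remote)
    _next_port: int = 50000

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN -> Internet. Returns the WAN source port used, or None if blocked."""
        if lan_ip in self.blocked_lan_hosts:
            return None                      # "Block outbound traffic from <camera>"
        wan_port = self._next_port
        self._next_port += 1
        self._nat[wan_port] = (lan_ip, lan_port, (remote_ip, remote_port))
        return wan_port

    def inbound(self, remote_ip, remote_port, wan_port):
        """Internet -> WAN. Returns (lan_ip, lan_port) to deliver to, or None if dropped."""
        entry = self._nat.get(wan_port)
        if entry and entry[2] == (remote_ip, remote_port):
            return entry[:2]                 # reply to a connection a LAN host opened
        return self.forwards.get(wan_port)   # unsolicited: only explicit forwards pass

def demo():
    # Constructed sample addresses: camera, Blue Iris PC, and an Internet host.
    cam, bi, remote = "192.168.1.50", "192.168.1.20", "198.51.100.9"
    r = HomeRouter(wan_ip="203.0.113.7")
    out = {}
    out["unsolicited_default"] = r.inbound(remote, 40000, 81)      # one-way valve
    p = r.outbound(bi, 51000, remote, 443)                         # LAN host dials out
    out["reply"] = r.inbound(remote, 443, p)                       # its reply comes back
    out["other_host_same_port"] = r.inbound("198.51.100.77", 443, p)
    r.blocked_lan_hosts.add(cam)                                   # camera outbound rule
    out["camera_outbound"] = r.outbound(cam, 52000, remote, 443)
    r.forwards[49712] = (bi, 81)                                   # high port -> BI on 81
    out["forwarded"] = r.inbound(remote, 40001, 49712)             # now reachable by anyone
    out["other_port_still_closed"] = r.inbound(remote, 40002, 81)
    return out

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

Once the forward exists, every Internet host reaches the Blue Iris web server on that port, so the only remaining protection is the service's own login.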