Ah. Making headway. All IP cameras on their own subnet/VLAN along with Blue Iris server. Able to still use UI3 through subnets.

[Holbs]

Spent this entire Saturday learning about creating subnets & VLANs through my Ubiquiti UDM router and Ubiquiti 48 port managed switch and Ubiquiti AP. Had to watch lots of YouTube vids (mostly of EdgeRouters since not much UDM vids out there yet) and websites.
Finally. So far, I have 4 subnets & VLANS:
1.) 192.168.1.1 for personal use
2.) 192.168.2.1 for future Radius VPN (gotta wait til my Pixel 4XL arrives for that)
3.) 192.168.3.1 VLAN 3 for general IOT (Denon smart amp, robot vacuum, Roku's, etc)
4.) 192.168.4.1 VLAN 4 for 15 IP cameras & Blue Iris Server
Gots all IP's of cameras blocked via firewall WAN OUT (before, I only had MAC address's blocked which I learned was not wise in itself).
Had to setup additional firewall rules to allow UI3 to connect from 192.168.4.1 to my personal 192.168.1.1 network.
Somehow (by luck) Remote Desktop Protocol now works too. Something I didn't know. If a user is logged in and and running Blue Iris program itself (not the service), any other user that logs in with a new desktop for that new user is unable to open the Blue Iris program since the program is still running on other user. So I guess I will make good practice to use Blue Iris and shut it down before leaving (still will run as a service).
Tested everything out. All 3 Roku's (2 hardwired, 1 wifi) work 100%. Blue Iris server sees all IP cam's and still gets to the internet (will research more about this if good or bad). And very happy to report... my Ecovacs DEEBOT 711 is fully functional for the first time! Is it ok to say that I bought all these IP cameras just to watch my robo-vacuum work?

 

[AP514]

Wow..I am scratching my Head ATM..trying to get my Network setup...

I got my Vlans set..Now trying to figure out how to get my BI PC to talk to 2 Vlans or be able to get to the net w/out the Cams being able to..

 

[Holbs]

Wow..I am scratching my Head ATM..trying to get my Network setup...

I got my Vlans set..Now trying to figure out how to get my BI PC to talk to 2 Vlans or be able to get to the net w/out the Cams being able to..

what router? I have Ubiquiti UDM and managed switch.
Lots of hoops to jump through. What I think I did after all subnet VLANS setup:
LAN IN firewall rule to allow all source (local 192.168.1.x) for destination IP of Blue Iris computer & port (192.168.4.2:81)

seems to work I'm sure I will tinker and tighten things up the more I learn. Such as, right now I have all local IP's able to connect to the BI computer. May change to only to allow specific computers (main pc, home assistant pc, etc).

To block cameras from internet...I set firewall rule on WAN OUT to block all IPv4 protocols for all camera IP's (for Ubiquiti, you can have a group) but yet leave Blue Iris computer not part of the group so it can get out. I actually do not remember doing it...but there is also a LAN OUT with the same firewall rule.

 

[The Automation Guy]

Had to setup additional firewall rules to allow UI3 to connect from 192.168.4.1 to my personal 192.168.1.1 network.

You shouldn't need to add firewall rules to allow UI3 to connect from 4.1 to 1.1 if your 1.1 network as a "Allow All" type of firewall rule where it can talk to the 4.1 subnet.

When you are just getting started with VLANs, it's normal to think that connections need to have permissions on both network sub-addresses to actual pass information, but this is incorrect. As long as your 1.1 network allows connections to the 4.1 network, then devices on the 4.1 network will respond to valid inquires even if there are firewall rules preventing outgoing communication. What his means is that you can completely lock down the 4.1 network and devices on the 1.1 network can still pull up and display the UI3 website because a device on the 1.1 aside initiated the request. Of course if you are limiting the allowed IP addresses to your BI server (in the settings/web server/advanced option) you need to make sure your 1.1 network is listed.

It's like if I (network 1.1) have a neighbor (4.1 network). As long as I start a conversation with my neighbor, we can have a regular two way conversation like you would expect. But as soon as I stop talking to my neighbor, they are cut off and cannot communicate with me at all. In fact, they can't see me and actually completely forget that I exist. It's like they suddenly become deaf, blind, and dumb. But as soon as I start talking to my neighbor, we can have a normal conversation again. That's how VLANs work when one VLAN can communicate with everyone (your 1.1 network), but the other VLAN (your 4.1 network) is locked down to prevent communication out of that VLAN.

 

[Holbs]

You shouldn't need to add firewall rules to allow UI3 to connect from 4.1 to 1.1 if your 1.1 network as a "Allow All" type of firewall rule where it can talk to the 4.1 subnet.

It's normal to think that connections need to have permissions on both network sub-addresses to actual pass information, but this is incorrect. As long as your 1.1 network allows connections to the 4.1 network, then devices on the 4.1 network will respond to valid inquires. What his means is that you can completely lock down the 4.1 network and devices on the 1.1 network can still pull up and display the UI3 website because a device on the 1.1 aside initiated the request. Of course if you are limiting the allowed IP addresses to your BI server (in the settings/web server/advanced option) you need to make sure your 1.1 network is listed.

It's like if I (network 1.1) have a neighbor (4.1 network). As long as I start a conversation with my neighbor, we can have a regular two way conversation like you would expect. But as soon as I stop talking to my neighbor, they are cut off and cannot communicate with me at all. In fact, they can't see me and actually completely forget that I exist. It's like they suddenly become deaf, blind, and dumb. But as soon as I start talking to my neighbor, we can have a normal conversation again. That's how VLANs work when one VLAN can communicate with everyone (your 1.1 network), but the other VLAN is locked down (your 4.1 network).

you should do Youtube explanation videos Ok, that makes sense. You are correct. I thought any between 1.1 and 1.4 could not talk at all without a firewall rule of specific IP ranges.
Good point on the options/advanced. Still learning the details of BI. Would of forgot to change from "all connections" to something IP specific. I assume that is done out of security concerns. As of right now, just Main PC (set to static IP on 192.168.1.x subnet) is the only device that uses UI3. Eventually, home assistant server, Pixel smartphone (oddly, the UDM by default made the VPN connection subnet on 192.168.2.x gotta research that a bit mroe), and maybe a Pi4 here or there for displays will want to have access.

 

[The Automation Guy]

you should do Youtube explanation videos Ok, that makes sense. You are correct. I thought any between 1.1 and 1.4 could not talk at all without a firewall rule of specific IP ranges.
Good point on the options/advanced. Still learning the details of BI. Would of forgot to change from "all connections" to something IP specific. I assume that is done out of security concerns. As of right now, just Main PC (set to static IP on 192.168.1.x subnet) is the only device that uses UI3. Eventually, home assistant server, Pixel smartphone (oddly, the UDM by default made the VPN connection subnet on 192.168.2.x gotta research that a bit mroe), and maybe a Pi4 here or there for displays will want to have access.

This is just fresh in my mind because I just went through this process myself. I guess that's one of the benefits to being home right now. I've run a pfSense firewall for about a year now, but just changed my network architecture to include VLANs within the last month.

Limiting IP addresses in BI is completely optional, but I highly suggest it. You can put in your entire LAN sub-address if you want (192.168.1.*) which is what I have done, or just the specific computers on the LAN that you want to access it (192.168.1.24, 192.168.1.63, 192.168.1.200 for example).

The next logical step is to set up a VPN server on your router/firewall so that you can access the home network while you are away from home. If/when you do this, you need to include the VPN tunnel address in the list of allowed networks if you are limiting the IP addresses. This one stumped me for a while. I incorrectly assumed that because my remote device was given a local IP address when I connected via VPN, that as long as the local address was listed I was OK. In fact, you do have to list the tunnel IP address subnet as well.

 

[ARAMP1]

Nice work!

I've broken down my home network into multiple subnets. It works great and I love that it's really super organized.

 

[Holbs]

This is just fresh in my mind because I just went through this process myself. I guess that's one of the benefits to being home right now. I've run a pfSense firewall for about a year now, but just changed my network architecture to include VLANs within the last month.

Limiting IP addresses in BI is completely optional, but I highly suggest it. You can put in your entire LAN sub-address if you want (192.168.1.*) which is what I have done, or just the specific computers on the LAN that you want to access it (192.168.1.24, 192.168.1.63, 192.168.1.200 for example).

The next logical step is to set up a VPN server on your router/firewall so that you can access the home network while you are away from home. If/when you do this, you need to include the VPN tunnel address in the list of allowed networks if you are limiting the IP addresses. This one stumped me for a while. I incorrectly assumed that because my remote device was given a local IP address when I connected via VPN, that as long as the local address was listed I was OK. In fact, you do have to list the tunnel IP address subnet as well.

noted about VPN tunnel address (which I assume is what UDM says is 192.168.2.x). Only VPN I ever dabbled with was on the Asus Router and went thru simple easy wizard for that, and it worked. With the UDM, I guess gotta do it the 'ol fashion way.

 

[Holbs]

Nice work!

I've broken down my home network into multiple subnets. It works great and I love that it's really super organized.

what is that....9 or 10 subnets? Geez I only have 4. I think, the more subnets = more strain on router. Granted, I still need a general Guest WiFI and Girlfriend-of-the-week WiFi. No kids here. I do remember research saying to keep your BI server in same subnet VLAN as cameras else all camera video has to transverse over to a different subnet VLAN to your BI server really bogging down the router CPU.

 

[ARAMP1]

what is that....9 or 10 subnets? Geez I only have 4. I think, the more subnets = more strain on router. Granted, I still need a general Guest WiFI and Girlfriend-of-the-week WiFi. No kids here. I do remember research saying to keep your BI server in same subnet VLAN as cameras else all camera video has to transverse over to a different subnet VLAN to your BI server really bogging down the router CPU.

Yeah, I overbuilt/repurposed a computer for pfSense. 3.5Ghz/32GB of RAM. The system is overkill. It's on a 10GbE set of switches.

My BI machine and all the cameras are on my security LAN.

 

[saltwater]

Spent this entire Saturday learning about creating subnets & VLANs through my Ubiquiti UDM router and Ubiquiti 48 port managed switch and Ubiquiti AP. Had to watch lots of YouTube vids (mostly of EdgeRouters since not much UDM vids out there yet) and websites.
Finally. So far, I have 4 subnets & VLANS:
1.) 192.168.1.1 for personal use
2.) 192.168.2.1 for future Radius VPN (gotta wait til my Pixel 4XL arrives for that)
3.) 192.168.3.1 VLAN 3 for general IOT (Denon smart amp, robot vacuum, Roku's, etc)
4.) 192.168.4.1 VLAN 4 for 15 IP cameras & Blue Iris Server
... snip ...

Ok, I've clicked on the 'Watch' button for this thread. You are about six months ahead of me, this week I start laying all my Cat6 cables in my house under construction. Last night I purchased a 5 pack of UniFi ceiling access points in readiness to install at least the bracket components to the ceilings when the plastering is done in a few weeks time. My next job (today) is to purchase Dahua brackets for dome/turret style cameras. Hope I don't stuff that up getting the wrong type.

In the interim, I'm trying to come to grips with all this VLAN stuff, so will keep an eye out for all the little 'gotchas' that crop up in this thread. I'm yet to pull the trigger on the purchase of Ubiquity router and switch.

 

[The Automation Guy]

what is that....9 or 10 subnets? Geez I only have 4. I think, the more subnets = more strain on router. Granted, I still need a general Guest WiFI and Girlfriend-of-the-week WiFi. No kids here. I do remember research saying to keep your BI server in same subnet VLAN as cameras else all camera video has to transverse over to a different subnet VLAN to your BI server really bogging down the router CPU.

It's easy to get carried away when you start to create vlans.

I have 6 - regular lan, ip phone system, CCTV, IOT crap, gaming systems, and guest network.

I don't think the vlans use up to many resources. I'm running pfSense on a HP t620 plus thin client along with one "always on" VPN tunnel to my parents house for off site backup and support of their network and a VPN server to connect into my network. I also run pfBlockerNG.

I think my normal CPU usage hovers around 10-20% with spikes to about 80% occasionally and about one gb memory used (4gb on board with 3.5gb available).

 

[ARAMP1]

I have 6 - regular lan, ip phone system, CCTV, IOT crap, gaming systems, and guest network.

Yeah, that's basically my setup with an addition with a Managment VLAN which has all my switches, access points, server IPMI, etc on it. My DMZ VLAN is all of my TVs, Rokus, Chromecasts, etc. My IoT/Utility VLAN has my thermostats, Smartthings, Ring, etc.

I did a Maintenance VLAN which is just a direct onboard NIC (doesn't go through my main 10GbE switch) so if/when I mess a setting up in my VLANs or main trunk switch, I still have access to my pfSense machine. (learned to have that one the hard way).

 

[reflection]

I did a Maintenance VLAN which is just a direct onboard NIC (doesn't go through my main 10GbE switch) so if/when I mess a setting up in my VLANs or main trunk switch, I still have access to my pfSense machine. (learned to have that one the hard way).

The old "OOB VLAN" trick

 

[catcamstar]

With respect of Ubiquity firewalls, I always refer to this diagram for all possible communications (eg intervlan/WAN/ISP):

 

[Hammerhead786]

Wow..I am scratching my Head ATM..trying to get my Network setup...

I got my Vlans set..Now trying to figure out how to get my BI PC to talk to 2 Vlans or be able to get to the net w/out the Cams being able to..

If your managed switch is a layer 3 switch, you can set up inter-vlan routing. I have a Procurve 26260 set up with 3 vlans. Cams on one vlan, BI pc on another and home network on the third. An access list prevents the cams talking to anything other than the BI pc. BI pc can access the internet and I can access the cams remotely using Openvpn. Home network can't access the cams directly, but can access the BI pc.

 

[AP514]

Yup I can do Vlan routing.... but I Have to admit..I am feeling a little overwhelmed..ATM. Have ACL.....
I know I can... just figuring out how is my issue ATM.

Feel free to start a Conversation....

 

[The Automation Guy]

If you haven't seen Lawrence Systems YouTube channel, I highly recommend it. Tom Lawrence does a great job in sharing detailed walkthroughs on how to set a lot of this up.

Lawrence Systems

Lawrence Systems YouTube channel offers a look at how we run our company, the products we use and solutions we provide for our clients. We discuss and create...

www.youtube.com

 

[AP514]

Well, just looking for some Free help...that is why we are here, To learn and Share........

I already am a watcher

 

[Hammerhead786]

Yup I can do Vlan routing.... but I Have to admit..I am feeling a little overwhelmed..ATM. Have ACL.....
I know I can... just figuring out how is my issue ATM.

Feel free to start a Conversation....

Check out the attached pdf of my set up. It may give you some guidance. Feel free to ask me any questions and provide the configuration of your network including the models of each device you are using.