Easiest Way to Secure Camera System

username

Getting the hang of it
Joined
Feb 7, 2016
Messages
116
Reaction score
18
re Asus: click the circle above where it says Clients: (some number). That will bring up a list of connected devices in the right-hand pane. Find the device that you want (may need to hit refresh to update if it's newly added) and click on the image next to it. That will bring up a box where you can change the name of the device, change the associated image,
Thanks for that little tidbit. I always choose view list, never have clicked on the circle. In the list you can edit the name of device but you cannot change the displayed icon as you can if you click on the circle. And the icon upload is something I need to look into.

Learn something new every day!
 

scquestions

Getting the hang of it
Joined
Jan 19, 2015
Messages
189
Reaction score
17
I don't think that you'll be able to completely block the NVR from the Internet and still access it given how Asus does the blocking. Even though you have what's effectively an internal IP provided through the VPN, the blocking works at a lower level. It will look at that connection as Internet traffic. Which it is since what's really happening is that you have an external IP which is routed over to an internal IP by the VPN. You should be able to block outgoing access to the Internet by the NVR by not providing a valid gateway address with the same caveats above as far as access to outside time servers and other services.
I know it has been a while, but I finally got OpenVPN setup, was able to connect to my phone network, but Tiny Cam Monitor Pro wasn't able to connect to my cameras. When on WiFi, they worked. After disconnecting WiFi, they didn't. I haven't been able to figure it out, but now reread your post, so this is probably the issue.

I'm not sure how to not provide a valid gateway address like you're suggesting..

Anyway, I've decided I'm tired of this Lorex NVR. It's really annoying. I'm ready for Blue Iris. So, now I'm trying to figure out the best way to secure Blue Iris. With my Lorex setup, it has never connected to the Internet. That has given me peace of mind. It has been disabled via the Asus router. What is recommended for Blue Iris? Is it best to use OpenVPN via the Asus router or on the desktop computer running Blue Iris? Should Internet access be disabled via the router?

I'd like to access Blue Iris both at home, and away, and make sure it's as secure as possible. I've read the VPN thread, but am still lost on what to do.. Like I said above, VPN on router vs Blue Iris machine, disable or don't disable the Internet, etc..


Thanks everyone for your patience with me. It has been taking me years to get a good setup but it looks like it is finally happening.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,902
Reaction score
21,274
I know it has been a while, but I finally got OpenVPN setup, was able to connect to my phone network, but Tiny Cam Monitor Pro wasn't able to connect to my cameras. When on WiFi, they worked. After disconnecting WiFi, they didn't. I haven't been able to figure it out, but now reread your post, so this is probably the issue.

I'm not sure how to not provide a valid gateway address like you're suggesting..

Anyway, I've decided I'm tired of this Lorex NVR. It's really annoying. I'm ready for Blue Iris. So, now I'm trying to figure out the best way to secure Blue Iris. With my Lorex setup, it has never connected to the Internet. That has given me peace of mind. It has been disabled via the Asus router. What is recommended for Blue Iris? Is it best to use OpenVPN via the Asus router or on the desktop computer running Blue Iris? Should Internet access be disabled via the router?

I'd like to access Blue Iris both at home, and away, and make sure it's as secure as possible. I've read the VPN thread, but am still lost on what to do.. Like I said above, VPN on router vs Blue Iris machine, disable or don't disable the Internet, etc..


Thanks everyone for your patience with me. It has been taking me years to get a good setup but it looks like it is finally happening.
you can use openvpn preferably running on the router.
you may also want to segment the BI pc on a separate vlan..that would require router that supports it..
 

scquestions

Getting the hang of it
Joined
Jan 19, 2015
Messages
189
Reaction score
17
you can use openvpn preferably running on the router.
you may also want to segment the BI pc on a separate vlan..that would require router that supports it..
Thank you.

My router has OpenVPN and will allow me to disable Internet access on a device. So, I'd be able to disable the Blue Iris PC from accessing the Internet. Is that good enough or do you really recommend a separate VLAN?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,902
Reaction score
21,274
Thank you.

My router has OpenVPN and will allow me to disable Internet access on a device. So, I'd be able to disable the Blue Iris PC from accessing the Internet. Is that good enough or do you really recommend a separate VLAN?
it's good enough...the primary concern is the cameras themselves...
 

scquestions

Getting the hang of it
Joined
Jan 19, 2015
Messages
189
Reaction score
17
it's good enough...the primary concern is the cameras themselves...
Alright, so I'll setup the computer, update Windows, download and install Blue Iris, and then disable the Internet for the computer via the router.

Then I'll connect via OpenVPN. I'm assuming the Blue Iris mobile app will work via the VPN too?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,902
Reaction score
21,274
Alright, so I'll setup the computer, update Windows, download and install Blue Iris, and then disable the Internet for the computer via the router.

Then I'll connect via OpenVPN. I'm assuming the Blue Iris mobile app will work via the VPN too?
you will want to disable access to the internet for the cameras...
in the blue iris mobile app enter the local ip for BOTH the lan and wan settings.
 

scquestions

Getting the hang of it
Joined
Jan 19, 2015
Messages
189
Reaction score
17
you will want to disable access to the internet for the cameras...
in the blue iris mobile app enter the local ip for BOTH the lan and wan settings.
I didn't even think that the cameras were going to be accessible via the Internet through the router. I'm used to them going through the NVR where I just needed to disable Internet access to that..

Thank you for letting me know I'll need to disable the Internet on each camera too.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,902
Reaction score
21,274
I didn't even think that the cameras were going to be accessible via the Internet through the router. I'm used to them going through the NVR where I just needed to disable Internet access to that..

Thank you for letting me know I'll need to disable the Internet on each camera too.
you can also do this with a dual nic setup in the BI pc.
 

scquestions

Getting the hang of it
Joined
Jan 19, 2015
Messages
189
Reaction score
17
you can also do this with a dual nic setup in the BI pc.
I'm not familiar with that but I'll do some research on it. Thanks.

I have another concern.. When the power went out, the cameras continued to record, but when it came back on they were assigned a new IP address. I'm worried that if that were to happen they'd connect to the Internet because the new IP address of the cameras wouldn't be blocked from accessing the Internet.

Maybe going the route you suggested by blocking it via the PC is the solution to that?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,902
Reaction score
21,274
I'm not familiar with that but I'll do some research on it. Thanks.

I have another concern.. When the power went out, the cameras continued to record, but when it came back on they were assigned a new IP address. I'm worried that if that were to happen they'd connect to the Internet because the new IP address of the cameras wouldn't be blocked from accessing the Internet.

Maybe going the route you suggested by blocking it via the PC is the solution to that?
Cameras IP address should always remain static... You can accomplish this in two ways, either set up DHCP reservations in your router or manually assign static IP to the cameras outside the DHCP range.
 

scquestions

Getting the hang of it
Joined
Jan 19, 2015
Messages
189
Reaction score
17
Cameras IP address should always remain static... You can accomplish this in two ways, either set up DHCP reservations in your router or manually assign static IP to the cameras outside the DHCP range.
I have an Asus router (which was suggested on here). I see IP address and MAC binding. Is that the same thing? I did a Google search and stuff about a DHCP came up, but when clicking "Yes" to the IP address and MAC binding it didn't provide any additional options. It's just "Yes" or "No".
 

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
With the asus router, select the LAN tab on the left, then DHCP Server Tab on that's on the of the LAN window.
Make sure Enable Manual Assignment is on, then you can add clients to fixed IP addresses, make sure to click apply on the bottom to save the changes.
You may need to reboot the camera, and then it will show up with the ip address you assigned it.

For my cameras, I am doing it at the camera, but every camera has different menus. There should be a network configuration menu that is easy to find that will allow you to specify the camera address.
 

username

Getting the hang of it
Joined
Feb 7, 2016
Messages
116
Reaction score
18
I didn't use DHCP to assign IPs. I made my cameras non-routable to the internet by defining in the NVR camera setup an ip address in the 192.168.254.x address range w/ gateway of 192.168.254.1. That is one of the address ranges that are defined as non-routable. So the cameras don't go out to the internet. This is confirmed by doing a packet capture of internet traffic through my router. My HikVision NVR has a static IP address assigned. I can VPN into my network and use my mobile device running the HikVision app and access my NVR, and thus view my cameras. My Asus operates as an Access Point inside my network and not directly connected to the world. My network is connected to the Internet via a stateful firewall. The NVR does not broadcast to the internet.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
That is one of the address ranges that are defined as non-routable.
With a NAT router, that's irrelevant. The router translates the address to a routable one.
So the cameras don't go out to the internet.
With Virtual Host enabled on the Hikvision NVR, they can, provided they have a valid gateway set, as per your configuration.
Virtual Host enables the Linux 'IP_forward' facility that forwards packets between the LAN and POE interfaces of the NVR.
 

username

Getting the hang of it
Joined
Feb 7, 2016
Messages
116
Reaction score
18
With a NAT router, that's irrelevant. The router translates the address to a routable one.
My router is not using NAT. I admit to not understanding how it can work w/o NAT but it does. It does provide a translation in this configuration. It does not use ip_tables. The router is capable of being configured for NAT but it works differently when configured in that manner. I've never taken the time to sort it out.

With Virtual Host enabled on the Hikvision NVR, they can, provided they have a valid gateway set, as per your configuration.
Virtual Host enables the Linux 'IP_forward' facility that forwards packets between the LAN and POE interfaces of the NVR.
Although Virtual Host is enabled multicast is not configured nor is a gateway configured. I have not seen any packets on my WAN interface that relate to HikVision. I suppose it is possible that they occasionally go out and I missed them.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
This is going to sound a bit picky, but it's as much about informing other readers as anything.
It's about NVR POE-connected cameras being able to connect out to the internet, so a good topic.

NAT=Network Address Translation. It doesn't reference any specific method of implementing this.
My router is not using NAT. I admit to not understanding how it can work w/o NAT but it does. It does provide a translation in this configuration.
That does sound like it's actually doing NAT, maybe it has different modes.

Although Virtual Host is enabled multicast is not configured nor is a gateway configured.
I made my cameras non-routable to the internet by defining in the NVR camera setup an ip address in the 192.168.254.x address range w/ gateway of 192.168.254.1.
w/ gateway of 192.168.254.1
That's a valid gateway setting that will allow the cameras to send packets outside the NVR POE subnet.
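
The outbound path discussed in the replies above, as an added example that is not part of the original posts: a simplified Python model that traces how far a camera packet bound for a public address gets, given the camera's gateway setting and whether the NVR forwards between its PoE and LAN sides. The function name, the sample addresses other than 192.168.254.x and the assumption that the camera's gateway is the NVR's PoE interface are all hypothetical; return traffic and static routes are not modelled.

```python
import ipaddress

def outbound_path(cam_ip, prefix_len, cam_gateway, nvr_forwarding, nvr_gateway):
    """Trace how far a camera packet bound for a public address can travel."""
    iface = ipaddress.ip_interface(f"{cam_ip}/{prefix_len}")
    hops = [f"camera {iface.ip} (private={iface.ip.is_private})"]
    # 1. Off-subnet traffic needs a gateway that sits on the camera's own subnet.
    if not cam_gateway:
        return hops, "stops at camera: no gateway configured"
    gw = ipaddress.ip_address(cam_gateway)
    if gw not in iface.network:
        return hops, "stops at camera: gateway is not on the camera subnet"
    # Assumption: the camera's gateway is the NVR's PoE-side interface.
    hops.append(f"NVR PoE interface {gw}")
    # 2. The NVR passes packets from PoE to LAN only when forwarding is on
    #    (the thread ties this to the Virtual Host setting).
    if not nvr_forwarding:
        return hops, "stops at NVR: forwarding disabled"
    if not nvr_gateway:
        return hops, "stops at NVR: NVR has no gateway of its own"
    hops.append(f"LAN router {nvr_gateway}")
    # 3. A private source address is not a barrier at this point: a NAT router
    #    translates it, so only an explicit router rule stops the packet.
    return hops, "reaches LAN router: egress depends on router block rules"

# Constructed sample configurations (the 192.168.1.x addresses are assumptions).
CASES = {
    "gateway set, forwarding on": ("192.168.254.10", 24, "192.168.254.1", True, "192.168.1.1"),
    "gateway left blank":         ("192.168.254.10", 24, None, True, "192.168.1.1"),
    "forwarding off":             ("192.168.254.10", 24, "192.168.254.1", False, "192.168.1.1"),
    "gateway off-subnet":         ("192.168.254.10", 24, "10.0.0.1", True, "192.168.1.1"),
}

if __name__ == "__main__":
    for label, cfg in CASES.items():
        hops, verdict = outbound_path(*cfg)
        print(f"{label}: {' -> '.join(hops)} | {verdict}")
```
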
 

username

Getting the hang of it
Joined
Feb 7, 2016
Messages
116
Reaction score
18
Granted, maybe this isn't the correct place for this topic. I took 'securing the system' as preventing access to the WAN.
A few years ago you mentioned non-routable addressing for cameras and I gave it a try. It works well for me, so thank you for that suggestion.
The gateway of 192.168.254.1 is set in my POE camera GUI. It is not set on the NVR. My NVR has a static IP and gateway addr of my router.
This allows my non-routable camera IP to talk to the NVR. I just did another packet capture. Nothing leaves my LAN interface and transits to the WAN interface from the cameras or the NVR. I can access the NVR from VPN once I've connected to my network.
My router does not forward these packets because they are non-routable.
Given the broad range of devices available to users my method may not be useful to others due to constraints of their setup.
 

scquestions

Getting the hang of it
Joined
Jan 19, 2015
Messages
189
Reaction score
17
With the asus router, select the LAN tab on the left, then DHCP Server Tab on that's on the of the LAN window.
Make sure Enable Manual Assignment is on, then you can add clients to fixed IP addresses, make sure to click apply on the bottom to save the changes.
You may need to reboot the camera, and then it will show up with the ip address you assigned it.

For my cameras, I am doing it at the camera, but every camera has different menus. There should be a network configuration menu that is easy to find that will allow you to specify the camera address.

Thank you!

So, I'll get each camera to show up on the Asus router, then disable Internet access to each one, and follow the instructions above to assign an IP address to each camera.

Now, do you recommend that I keep the IP address that is automatically assigned, or is part of assigning "around the DHCP list" coming up with a completely new IP address?
 

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
Thank you!

So, I'll get each camera to show up on the Asus router, then disable Internet access to each one, and follow the instructions above to assign an IP address to each camera.

Now, do you recommend that I keep the IP address that is automatically assigned, or is part of assigning "around the DHCP list" coming up with a completely new IP address?
Up to you, but I gave my cameras a new IP, and group them together, ie use something like 192.168.1.200 to 210 for my cameras so they all have similar addresses.
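
An audit of the addressing advice in this thread, as an added example that is not part of the original posts: it flags cameras whose address can change after a reboot, static addresses that fall inside the DHCP pool, and cameras whose current address is not covered by the Internet block. All MACs, addresses and ranges are constructed, and it assumes the router's block is keyed on IP address, as the power-outage concern above implies.

```python
import ipaddress

# Constructed sample data; every MAC, address and range here is an assumption.
POOL = ("192.168.1.2", "192.168.1.199")            # router's dynamic DHCP range
RESERVED = {"aa:bb:cc:00:00:01": "192.168.1.200"}  # MAC -> reserved IP
BLOCKED = {"192.168.1.200", "192.168.1.201"}       # IPs denied Internet access
CAMERAS = [  # (name, MAC, current IP, address set statically on the camera?)
    ("front", "aa:bb:cc:00:00:01", "192.168.1.200", False),
    ("drive", "aa:bb:cc:00:00:02", "192.168.1.201", True),
    ("yard",  "aa:bb:cc:00:00:03", "192.168.1.57",  False),
    ("porch", "aa:bb:cc:00:00:04", "192.168.1.150", True),
]

def in_pool(ip, pool=POOL):
    """True if ip lies inside the router's dynamic DHCP range."""
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    return lo <= ipaddress.ip_address(ip) <= hi

def audit(cameras, reserved=RESERVED, blocked=BLOCKED, pool=POOL):
    """Return {camera name: [issues]} for cameras that need attention."""
    findings = {}
    for name, mac, ip, static in cameras:
        issues = []
        if static:
            # A manual address inside the pool can collide with a DHCP lease.
            if in_pool(ip, pool):
                issues.append("static address inside DHCP pool")
        elif reserved.get(mac) != ip:
            # Plain DHCP lease: the address may differ after a power cycle.
            issues.append("no matching DHCP reservation; address can change")
        if ip not in blocked:
            issues.append("current address not covered by Internet block")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    for cam, issues in audit(CAMERAS).items():
        print(f"{cam}: " + "; ".join(issues))
```
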
 