Easiest Way to Secure Camera System

username

Getting the hang of it
Joined
Feb 7, 2016
Messages
116
Reaction score
18
If you are using dhcp and static ip in the same network you must take care that you create an 'exclusion' so that the dhcp server won't step on the static addresses. This is also known as a dhcp pool (for allowed dhcp addresses). If no other devices are obtaining an IP from your Asus then this will not be an issue..
Taking the previous post example of .200-.210 you would have a dhcp server offer addresses below .200. So you set your server beginning address (or other devices) at something lower, say 192.168.1.5 and ending at 192.168.1.199 which would allow any device in your network that uses dhcp to grab an address below the .200 shown in the prior message.
 

scquestions

Getting the hang of it
Joined
Jan 19, 2015
Messages
189
Reaction score
17
If you are using dhcp and static ip in the same network you must take care that you create an 'exclusion' so that the dhcp server won't step on the static addresses. This is also known as a dhcp pool (for allowed dhcp addresses). If no other devices are obtaining an IP from your Asus then this will not be an issue..
Taking the previous post example of .200-.210 you would have a dhcp server offer addresses below .200. So you set your server beginning address (or other devices) at something lower, say 192.168.1.5 and ending at 192.168.1.199 which would allow any device in your network that uses dhcp to grab an address below the .200 shown in the prior message.
I'm a little lost now..

My Asus router is almost all default, and the only thing that I'm looking to make static are the cameras. I'm not understanding what I'm supposed to do. An earlier post mentioned going and assigning an IP address manually via the LAN and DHCP Server option within the router.

This is all new to me..

Thank you.
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,436
Reaction score
38,154
Location
Alabama
I'm a little lost now..

My Asus router is almost all default, and the only thing that I'm looking to make static are the cameras. I'm not understanding what I'm supposed to do. An earlier post mentioned going and assigning an IP address manually via the LAN and DHCP Server option within the router.

This is all new to me..

Thank you.
Log into the Asus router and see what the DHCP pool range is, maybe it's 192.168.1.2 to .100; if so, give your cams IP's from .101 to .199.

In other words, pick and assign static IP's for your cams that are OUTSIDE of the DHCP pool of the router. That way, the router will not try to assign (via DHCP) the same IP's that you've already assigned to your cams to devices that are set for 'Auto' or 'DHCP'. Those devices depend on the router to give them an IP since they do NOT have a static IP like your cams.

Make sense?
 

scquestions

Log into the Asus router and see what the DHCP pool range is, maybe it's 192.168.1. to .100; if so, give your cams IP's from .101 to .199.

In other words, pick and assign static IP's for your cams that are OUTSIDE of the DHCP pool of the router. That way, the router will not try to assign (via DHCP) the same IP's that you've already assigned to your cams to devices that are set for 'Auto' or 'DHCP'. Those devices depend on the router to give them an IP since they do NOT have a static IP like your cams.

Make sense?
Wow! What a nice explanation!

Thank you!!
 

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
I meant to come back and add to go outside of your DHCP pool, but didn't :/
Select the LAN tab on the left, then DHCP Server Tab
There is a place to input the starting and ending DHCP address range.
I set mine to something like
192.168.1.2 start
192.168.1.220 end

Then, put the cameras starting at address 221.
You can go up to 254 for reservations with this scheme.
I have other devices I reserve addresses for, pi's and esp's and other stuff that needs a set address.

Randy
 

scquestions

I meant to come back and add to go outside of your DHCP pool, but didn't :/
Select the LAN tab on the left, then DHCP Server Tab
There is a place to input the starting and ending DHCP address range.
I set mine to something like
192.168.1.2 start
192.168.1.220 end

Then, put the cameras starting at address 221.
You can go up to 254 for reservations with this scheme.
I have other devices I reserve addresses for, pi's and esp's and other stuff that needs a set address.

Randy
My router already has a starting and ending address, so I'll leave that and start assigning cameras after that.

Thank you!


So, my plan is to disconnect the modem to make sure there isn't an Internet connection, then plug in the cameras (via the switch), assign each camera an IP address outside the DHCP range, disable Internet to each camera, plug in the computer and disable Internet access to the computer, and then plug the modem back in. That should do it, right?

Then I'll just need to get OpenVPN setup and hopefully the Blue Iris app will work outside of the house without a problem. I wasn't able to use Tiny Cam Monitor Pro via the VPN so hopefully the same issue won't appear with Blue Iris.
 

randytsuch

My router already has a starting and ending address, so I'll leave that and start assigning cameras after that.

Thank you!


So, my plan is to disconnect the modem to make sure there isn't an Internet connection, then plug in the cameras (via the switch), assign each camera an IP address outside the DHCP range, disable Internet to each camera, plug in the computer and disable Internet access to the computer, and then plug the modem back in. That should do it, right?

Then I'll just need to get OpenVPN setup and hopefully the Blue Iris app will work outside of the house without a problem. I wasn't able to use Tiny Cam Monitor Pro via the VPN so hopefully the same issue won't appear with Blue Iris.
If the router ending address is 25x (default may be 254, you can't use 255), then you would need to change it lower. You can't go above 254.

I'm not sure about disabling internet access to the PC, my BI PC has internet access, but I have antivirus sw on it too, just to make sure nothing bad gets on it.
 

scquestions

I have the SSD and Purple drive installed. Right now I'm trying to figure out what to do under Disk Management in Windows 10. Is it best for the Purple drive to be a "New Spanned Volume", "New Striped Volume", "Convert to Dynamic Disk", or "Convert to MBR Disk"?

I'm at this step because I noticed Blue Iris isn't seeing the Purple drive (nor is the computer, with the exception of the Disk Management).
 

scquestions

I have the SSD and Purple drive installed. Right now I'm trying to figure out what to do under Disk Management in Windows 10. Is it best for the Purple drive to be a "New Spanned Volume", "New Striped Volume", "Convert to Dynamic Disk", or "Convert to MBR Disk"?

I'm at this step because I noticed Blue Iris isn't seeing the Purple drive (nor is the computer, with the exception of the Disk Management).
Never mind. When right clicking on the white space it has a "Simple Volume" option. That will probably work fine.
 

scquestions

Log into the Asus router and see what the DHCP pool range is, maybe it's 192.168.1.2 to .100; if so, give your cams IP's from .101 to .199.

In other words, pick and assign static IP's for your cams that are OUTSIDE of the DHCP pool of the router. That way, the router will not try to assign (via DHCP) the same IP's that you've already assigned to your cams to devices that are set for 'Auto' or 'DHCP'. Those devices depend on the router to give them an IP since they do NOT have a static IP like your cams.

Make sense?
I'm stuck on this part.. The IP address for the cameras won't stay at what I set them to. They keep changing back to another IP. I don't know what is wrong.
 

scquestions

If the router ending address is 25x (default may be 254, you can't use 255), then you would need to change it lower. You can't go above 254.

I'm not sure about disabling internet access to the PC, my BI PC has internet access, but I have antivirus sw on it too, just to make sure nothing bad gets on it.
I went ahead and changed the range, and added each camera to an IP outside the range, but the IP address isn't sticking. It will change back to another IP (automatic) within the range, not the one I set it to.
 

scquestions

I went ahead and changed the range, and added each camera to an IP outside the range, but the IP address isn't sticking. It will change back to another IP (automatic) within the range, not the one I set it to.
They're all appearing as static now, but they are not sticking with the IP address I set it to outside the range, it is showing the IP address that was automatically assigned inside the range, just as static now.
 

scquestions

So, since they're all appearing as static, I've left them alone. They're not outside the DHCP range but it seems to be working fine. Is there anything I should be worried about at this point?
 

crossStreet

Young grasshopper
Joined
Jun 9, 2018
Messages
31
Reaction score
13
Location
UK
Sorry if this has already been mentioned. One simple solution for network security is to ban all outgoing packets from cameras and NVR IP addresses in your router. Incoming packets are not allowed by the router by default.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
So, since they're all appearing as static, I've left them alone. They're not outside the DHCP range but it seems to be working fine. Is there anything I should be worried about at this point?
Hi there - this is against all networking best practices. The moment that one of your (dynamic) devices (like gsm, tablet, .. ) or friends pass by with their gear, you'll have your DHCP server distribute IP addresses within the DHCP range, on which you have planted fixed IP addresses. The DHCP server is not checking whether (or not) any address is taken (by accident or incidentally) - then you'll have your IPC's disconnected without any warning, and who knows you'll need that particular footage because your friends destroyed your flatscreen in camera view.

So stick to the basics: if your DHCP server starts distributing from .100, you can go down the .99 .98 road to fix IP addresses on your "server" and "IPC" components.
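
Added example, not part of the thread: a Python check of the rule discussed above, that statically assigned camera addresses must sit outside the router's DHCP pool. The pool range is the one from randytsuch's post; the /24 subnet, the router address 192.168.1.1 and the camera names and addresses are constructed assumptions.

```python
import ipaddress

def audit_static_ips(subnet, pool_start, pool_end, router_ip, static_ips):
    """Return {device: verdict}; anything other than "ok" needs fixing."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    router = ipaddress.ip_address(router_ip)
    seen, report = set(), {}
    for name, raw in static_ips.items():
        ip = ipaddress.ip_address(raw)
        if ip not in net:
            verdict = "outside subnet"
        elif ip in (net.network_address, net.broadcast_address):
            verdict = "reserved address"       # .0 and .255 on a /24
        elif ip == router:
            verdict = "collides with router"
        elif ip in seen:
            verdict = "duplicate static IP"
        elif lo <= ip <= hi:
            verdict = "inside DHCP pool"       # router may lease it to another device
        else:
            verdict = "ok"
        seen.add(ip)
        report[name] = verdict
    return report

def free_static_slots(subnet, pool_start, pool_end, router_ip, taken=()):
    """Host addresses outside the pool that are still unassigned."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    used = {ipaddress.ip_address(t) for t in taken} | {ipaddress.ip_address(router_ip)}
    return [str(h) for h in net.hosts() if not (lo <= h <= hi) and h not in used]

# Pool range as in randytsuch's post; everything else below is constructed.
SUBNET, POOL, ROUTER = "192.168.1.0/24", ("192.168.1.2", "192.168.1.220"), "192.168.1.1"
CAMERAS = {
    "front": "192.168.1.221",    # outside the pool
    "garage": "192.168.1.150",   # still inside the pool
    "yard": "192.168.1.255",     # broadcast address, not usable
    "porch": "192.168.1.221",    # same address as "front"
}

if __name__ == "__main__":
    for cam, verdict in audit_static_ips(SUBNET, *POOL, ROUTER, CAMERAS).items():
        print(f"{cam:7} {CAMERAS[cam]:15} {verdict}")
    print("free:", free_static_slots(SUBNET, *POOL, ROUTER, CAMERAS.values())[:3])
```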
 

catcamstar

Sorry if this has already been mentioned. One simple solution for network security is to ban all outgoing packets from cameras and NVR IP addresses in your router. Incoming packets are not allowed by the router by default.
True, but then you'll also lose "push notification" functionality, for Dahua you'll need outbound 2195. I only opened that port, plus NTP, all the rest is reachable through VPN.
 

scquestions

Hi there - this is against all networking best practices. The moment that one of your (dynamic) devices (like gsm, tablet, .. ) or friends pass by with their gear, you'll have your DHCP server distribute IP addresses within the DHCP range, on which you have planted fixed IP addresses. The DHCP server is not checking whether (or not) any address is taken (by accident or incidentally) - then you'll have your IPC's disconnected without any warning, and who knows you'll need that particular footage because your friends destroyed your flatscreen in camera view.

So stick to the basics: if your DHCP server starts distributing from .100, you can go down the .99 .98 road to fix IP addresses on your "server" and "IPC" components.
I was trying to assign an IP address for each camera but it wouldn't stay, it continued to change back to one automatically created. It finally changed from automatic to static (don't know how) but it still won't allow me to change the IP address to one outside the DHCP range.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Scquestions
provide a screen shot of the IP range in your router. On an ASUS router this is LAN->DHCP server
Log in to your camera with IE web browser. Take a screen shot of the network TCP/IP setting. On a Dahua camera Network->TCP/IP the TCP/IP tab
 

scquestions

Scquestions
provide a screen shot of the IP range in your router. On an ASUS router this is LAN->DHCP server
Log in to your camera with IE web browser. Take a screen shot of the network TCP/IP setting. On a Dahua camera Network->TCP/IP the TCP/IP tab
I'll do this when I'm able (later tonight). Thank you.

I've also noticed I'm not able to access the web interface from another computer. Maybe that's because I have the internet disabled on the Blue Iris computer via the router. But I would think I'd still be able to access it when on the same network, but it isn't allowing me.
 