Cameras on LAN

dryfly

Getting the hang of it
Joined
May 25, 2015
Messages
258
Reaction score
46
I have 2 systems running, both with Hikvision cameras. One is a BI computer, and the other is a Hikvision NVR. On both systems I have the cameras on POE switches connected to the LAN.

I have seen various posts recommending subnets using 2 NIC cards on a BI computer, using one NIC to feed the cameras directly to the computer, not the LAN. Also, I've seen recommendations on NVRs to run the cameras directly into the NVR and not on the LAN.

At this time I do not use any remote access devices, and certainly don't have any ports forwarded. My question: is my system safe with the cameras connected to the LAN? If not, how do cameras on a LAN access the internet causing issues?

Also, once a VPN (Asus router/OpenVPN) is established, is any of this a concern?
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Security is always a concern.

Your setup will work for now. But I would block the cameras' IP / MAC addresses at your router, to prevent the cameras from calling home. Some routers support this feature.

All cameras have questionable security.

On the router, disable UPnP.

Set up a time service on your network so the cameras can get the correct time locally.
 
Joined
Apr 20, 2019
Messages
2
Reaction score
0
Location
63357
If you do not need/want to remotely view the cameras and have a monitor connected to the HDMI of the DVR for viewing, then the safest system is “air gapped” from the internet, in that all cameras connect directly to the DVR and the DVR has no connections to anything connected in any way to the internet.

Walta
 

RoCam

n3wb
Joined
May 17, 2019
Messages
15
Reaction score
3
Location
Netherlands
If your router / switch supports it, you might consider using VLANs. That way you won’t have to use multiple network cards and all traffic can be routed through a firewall.
 

thomaswde

Getting the hang of it
Joined
Feb 18, 2017
Messages
44
Reaction score
62
Location
NW, GA
1st, ALWAYS be sure UPnP is disabled at your router. Pretty much every router out there will let you toggle this off; if it won't, get one that will.
Doing that and only connecting to your home network via a VPN would cover a lot of your bases and put you in decent shape.
2nd, your best option to secure yourself further (which is IMO whatever is the safest & most maintainable for you) depends very much on the network equipment you're running and your personal networking skill level. There are just so many ways to secure your cameras, from firewall rules, VLAN, air gap, etc, etc.
 

dryfly

Getting the hang of it
Joined
May 25, 2015
Messages
258
Reaction score
46
1st, ALWAYS be sure UPnP is disabled at your router. Pretty much every router out there will let you toggle this off; if it won't, get one that will.
Doing that and only connecting to your home network via a VPN would cover a lot of your bases and put you in decent shape.
2nd, your best option to secure yourself further (which is IMO whatever is the safest & most maintainable for you) depends very much on the network equipment you're running and your personal networking skill level. There are just so many ways to secure your cameras, from firewall rules, VLAN, air gap, etc, etc.
Well, my networking skills are pretty basic so I'm relying on info from this forum. UPnP is disabled on my router. The only way I see to block cameras from internet is through "parental controls" where instead of blocking a computer, I enter the MAC address for each camera.

Again, my basic question is am I better off connecting my cameras directly to the NVR (using its subnet) instead of having the cameras connected through a switch to the router, thereby having them on my LAN?

Air gap would be fine for now, but is more trouble if I want to access the camera directly through my network to make adjustments. I'm still assuming when I get an Asus router with OpenVPN up and running none of this will be an issue. I'm not familiar with how to get a VLAN implemented.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
The parental controls are what I use to block the MAC address of the cameras.
The cameras connected directly to the NVR so that they have a different IP address range, the cameras are isolated from the home network.

An Asus router is great for OpenVPN. You can use OpenVPN to access your NVR.
 

dryfly

Getting the hang of it
Joined
May 25, 2015
Messages
258
Reaction score
46
The parental controls are what I use to block the MAC address of the cameras.
The cameras connected directly to the NVR so that they have a different IP address range, the cameras are isolated from the home network.

An Asus router is great for OpenVPN. You can use OpenVPN to access your NVR.
My LAN is 192.168.0.xxx and if cameras are connected to NVR the camera addresses become 192.168.254.xxx. In this case should each camera be set up to be blocked by "parental controls" or just block the NVR MAC address only, since the cameras are behind the NVR?
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Great info. Looking to try to make a more secure setup and so much information I am trying to get all in one place.

I was reading that you can remove the network gateway from the camera
-- allows any device on the same subnet to access the device but doesn't know how to get back to the internet
-- will not affect remote viewing from Blue Iris
 

Valiant

Pulling my weight
Joined
Oct 30, 2017
Messages
305
Reaction score
174
Location
Australia
My LAN is 192.168.0.xxx and if cameras are connected to NVR the camera addresses become 192.168.254.xxx. In this case should each camera be set up to be blocked by "parental controls" or just block the NVR MAC address only, since the cameras are behind the NVR?
The MAC addresses behind the NVR are not seen or broadcast on your LAN subnet. Implementing parental controls is pointless. Only the NVR MAC address will be seen by your router.

If you block your NVR MAC then you'll likely lose any remote access to the NVR.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Most NVRs have two IP addresses, one for the home network and one for the camera network. This is the case if the cameras are connected directly to the NVR. This is normally done by plugging the cameras into the PoE connectors on the back of the NVR. Some NVRs do not have PoE connectors or support more cameras than the number of PoE RJ45 connectors. In this case the cameras are on the home network.

For security ALL camera MAC addresses need to be blocked at the router if at all possible. All it takes is to plug a camera into the home network one time for debugging or testing and you may get hacked. It is better to be very safe than very sorry.
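
A check for the "calling home" concern raised in this thread, as an added example that is not part of any post: it scans router connection records for camera addresses talking to anything outside the local network, which shows whether a MAC/IP block at the router is actually holding. The camera IPs, the log layout and the sample lines are all constructed for illustration.

```python
import ipaddress
import re

# Assumption: cameras sit on the 192.168.0.x LAN mentioned in the thread;
# the individual addresses are constructed for this example.
CAMERA_IPS = {"192.168.0.64", "192.168.0.65"}

# Destinations that never leave the house: RFC 1918, link-local,
# multicast (e.g. ONVIF discovery) and limited broadcast.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

# Constructed records in a hypothetical conntrack-like layout.
SAMPLE_LOG = """\
udp src=192.168.0.64 dst=192.168.0.10 dport=123
tcp src=192.168.0.64 dst=203.0.113.25 dport=443
udp src=192.168.0.65 dst=239.255.255.250 dport=3702
udp src=192.168.0.65 dst=198.51.100.7 dport=123
tcp src=192.168.0.20 dst=203.0.113.80 dport=443
tcp src=192.168.0.65 dst=192.168.0.5 dport=554
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def is_local(addr):
    """True if addr stays on the local network (never crosses the router's WAN)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def find_camera_egress(log_text, camera_ips=CAMERA_IPS):
    """Return (src, dst, dport, note) for each camera flow bound for the internet."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["src"] not in camera_ips:
            continue  # unparseable line, or traffic from a non-camera host
        try:
            if is_local(m["dst"]):
                continue
        except ValueError:
            continue  # malformed destination address
        # Port 123 is NTP: the camera should be using a local time server.
        note = "external NTP" if m["dport"] == "123" else "internet-bound"
        findings.append((m["src"], m["dst"], int(m["dport"]), note))
    return findings

if __name__ == "__main__":
    for finding in find_camera_egress(SAMPLE_LOG):
        print(*finding)
```

An empty result on real records means the cameras are only reaching local hosts; an "external NTP" hit means a camera is still configured for an internet time server rather than one on the LAN.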
 