Ah. Making headway. All IP cameras on their own subnet/VLAN along with Blue Iris server. Able to still use UI3 through subnets.

Holbs

Getting comfortable
Joined
May 1, 2019
Messages
386
Reaction score
331
Location
Reno, NV
Spent this entire Saturday learning about creating subnets & VLANs through my Ubiquiti UDM router and Ubiquiti 48 port managed switch and Ubiquiti AP. Had to watch lots of YouTube vids (mostly of EdgeRouters since not much UDM vids out there yet) and websites.
Finally. So far, I have 4 subnets & VLANS:
1.) 192.168.1.1 for personal use
2.) 192.168.2.1 for future Radius VPN (gotta wait til my Pixel 4XL arrives for that)
3.) 192.168.3.1 VLAN 3 for general IOT (Denon smart amp, robot vacuum, Roku's, etc)
4.) 192.168.4.1 VLAN 4 for 15 IP cameras & Blue Iris Server
Gots all IP's of cameras blocked via firewall WAN OUT (before, I only had MAC address's blocked which I learned was not wise in itself).
Had to setup additional firewall rules to allow UI3 to connect from 192.168.4.1 to my personal 192.168.1.1 network.
Somehow (by luck) Remote Desktop Protocol now works too. Something I didn't know. If a user is logged in and and running Blue Iris program itself (not the service), any other user that logs in with a new desktop for that new user is unable to open the Blue Iris program since the program is still running on other user. So I guess I will make good practice to use Blue Iris and shut it down before leaving (still will run as a service).
Tested everything out. All 3 Roku's (2 hardwired, 1 wifi) work 100%. Blue Iris server sees all IP cam's and still gets to the internet (will research more about this if good or bad). And very happy to report... my Ecovacs DEEBOT 711 is fully functional for the first time! Is it ok to say that I bought all these IP cameras just to watch my robo-vacuum work? :)
 

AP514

Getting the hang of it
Joined
Dec 10, 2018
Messages
97
Reaction score
37
Location
Texas
Wow..I am scratching my Head ATM..trying to get my Network setup...

I got my Vlans set..Now trying to figure out how to get my BI PC to talk to 2 Vlans or be able to get to the net w/out the Cams being able to..
 

Holbs

Getting comfortable
Joined
May 1, 2019
Messages
386
Reaction score
331
Location
Reno, NV
Wow..I am scratching my Head ATM..trying to get my Network setup...

I got my Vlans set..Now trying to figure out how to get my BI PC to talk to 2 Vlans or be able to get to the net w/out the Cams being able to..
what router? I have Ubiquiti UDM and managed switch.
Lots of hoops to jump through. What I think I did after all subnet VLANS setup:
LAN IN firewall rule to allow all source (local 192.168.1.x) for destination IP of Blue Iris computer & port (192.168.4.2:81)

seems to work :) I'm sure I will tinker and tighten things up the more I learn. Such as, right now I have all local IP's able to connect to the BI computer. May change to only to allow specific computers (main pc, home assistant pc, etc).

To block cameras from internet...I set firewall rule on WAN OUT to block all IPv4 protocols for all camera IP's (for Ubiquiti, you can have a group) but yet leave Blue Iris computer not part of the group so it can get out. I actually do not remember doing it...but there is also a LAN OUT with the same firewall rule.
 
Last edited:

The Automation Guy

Getting the hang of it
Joined
Feb 7, 2019
Messages
48
Reaction score
53
Location
USA
Had to setup additional firewall rules to allow UI3 to connect from 192.168.4.1 to my personal 192.168.1.1 network.
You shouldn't need to add firewall rules to allow UI3 to connect from 4.1 to 1.1 if your 1.1 network as a "Allow All" type of firewall rule where it can talk to the 4.1 subnet.

When you are just getting started with VLANs, it's normal to think that connections need to have permissions on both network sub-addresses to actual pass information, but this is incorrect. As long as your 1.1 network allows connections to the 4.1 network, then devices on the 4.1 network will respond to valid inquires even if there are firewall rules preventing outgoing communication. What his means is that you can completely lock down the 4.1 network and devices on the 1.1 network can still pull up and display the UI3 website because a device on the 1.1 aside initiated the request. Of course if you are limiting the allowed IP addresses to your BI server (in the settings/web server/advanced option) you need to make sure your 1.1 network is listed.

It's like if I (network 1.1) have a neighbor (4.1 network). As long as I start a conversation with my neighbor, we can have a regular two way conversation like you would expect. But as soon as I stop talking to my neighbor, they are cut off and cannot communicate with me at all. In fact, they can't see me and actually completely forget that I exist. It's like they suddenly become deaf, blind, and dumb. But as soon as I start talking to my neighbor, we can have a normal conversation again. That's how VLANs work when one VLAN can communicate with everyone (your 1.1 network), but the other VLAN (your 4.1 network) is locked down to prevent communication out of that VLAN.
 

Holbs

Getting comfortable
Joined
May 1, 2019
Messages
386
Reaction score
331
Location
Reno, NV
You shouldn't need to add firewall rules to allow UI3 to connect from 4.1 to 1.1 if your 1.1 network as a "Allow All" type of firewall rule where it can talk to the 4.1 subnet.

It's normal to think that connections need to have permissions on both network sub-addresses to actual pass information, but this is incorrect. As long as your 1.1 network allows connections to the 4.1 network, then devices on the 4.1 network will respond to valid inquires. What his means is that you can completely lock down the 4.1 network and devices on the 1.1 network can still pull up and display the UI3 website because a device on the 1.1 aside initiated the request. Of course if you are limiting the allowed IP addresses to your BI server (in the settings/web server/advanced option) you need to make sure your 1.1 network is listed.

It's like if I (network 1.1) have a neighbor (4.1 network). As long as I start a conversation with my neighbor, we can have a regular two way conversation like you would expect. But as soon as I stop talking to my neighbor, they are cut off and cannot communicate with me at all. In fact, they can't see me and actually completely forget that I exist. It's like they suddenly become deaf, blind, and dumb. But as soon as I start talking to my neighbor, we can have a normal conversation again. That's how VLANs work when one VLAN can communicate with everyone (your 1.1 network), but the other VLAN is locked down (your 4.1 network).
you should do Youtube explanation videos :) Ok, that makes sense. You are correct. I thought any between 1.1 and 1.4 could not talk at all without a firewall rule of specific IP ranges.
Good point on the options/advanced. Still learning the details of BI. Would of forgot to change from "all connections" to something IP specific. I assume that is done out of security concerns. As of right now, just Main PC (set to static IP on 192.168.1.x subnet) is the only device that uses UI3. Eventually, home assistant server, Pixel smartphone (oddly, the UDM by default made the VPN connection subnet on 192.168.2.x gotta research that a bit mroe), and maybe a Pi4 here or there for displays will want to have access.
 

The Automation Guy

Getting the hang of it
Joined
Feb 7, 2019
Messages
48
Reaction score
53
Location
USA
you should do Youtube explanation videos :) Ok, that makes sense. You are correct. I thought any between 1.1 and 1.4 could not talk at all without a firewall rule of specific IP ranges.
Good point on the options/advanced. Still learning the details of BI. Would of forgot to change from "all connections" to something IP specific. I assume that is done out of security concerns. As of right now, just Main PC (set to static IP on 192.168.1.x subnet) is the only device that uses UI3. Eventually, home assistant server, Pixel smartphone (oddly, the UDM by default made the VPN connection subnet on 192.168.2.x gotta research that a bit mroe), and maybe a Pi4 here or there for displays will want to have access.
This is just fresh in my mind because I just went through this process myself. I guess that's one of the benefits to being home right now. I've run a pfSense firewall for about a year now, but just changed my network architecture to include VLANs within the last month.

Limiting IP addresses in BI is completely optional, but I highly suggest it. You can put in your entire LAN sub-address if you want (192.168.1.*) which is what I have done, or just the specific computers on the LAN that you want to access it (192.168.1.24, 192.168.1.63, 192.168.1.200 for example).

The next logical step is to set up a VPN server on your router/firewall so that you can access the home network while you are away from home. If/when you do this, you need to include the VPN tunnel address in the list of allowed networks if you are limiting the IP addresses. This one stumped me for a while. I incorrectly assumed that because my remote device was given a local IP address when I connected via VPN, that as long as the local address was listed I was OK. In fact, you do have to list the tunnel IP address subnet as well.
 

Holbs

Getting comfortable
Joined
May 1, 2019
Messages
386
Reaction score
331
Location
Reno, NV
This is just fresh in my mind because I just went through this process myself. I guess that's one of the benefits to being home right now. I've run a pfSense firewall for about a year now, but just changed my network architecture to include VLANs within the last month.

Limiting IP addresses in BI is completely optional, but I highly suggest it. You can put in your entire LAN sub-address if you want (192.168.1.*) which is what I have done, or just the specific computers on the LAN that you want to access it (192.168.1.24, 192.168.1.63, 192.168.1.200 for example).

The next logical step is to set up a VPN server on your router/firewall so that you can access the home network while you are away from home. If/when you do this, you need to include the VPN tunnel address in the list of allowed networks if you are limiting the IP addresses. This one stumped me for a while. I incorrectly assumed that because my remote device was given a local IP address when I connected via VPN, that as long as the local address was listed I was OK. In fact, you do have to list the tunnel IP address subnet as well.
noted about VPN tunnel address (which I assume is what UDM says is 192.168.2.x). Only VPN I ever dabbled with was on the Asus Router and went thru simple easy wizard for that, and it worked. With the UDM, I guess gotta do it the 'ol fashion way.
 

Holbs

Getting comfortable
Joined
May 1, 2019
Messages
386
Reaction score
331
Location
Reno, NV
Nice work!

I've broken down my home network into multiple subnets. It works great and I love that it's really super organized.
what is that....9 or 10 subnets? Geez :) I only have 4. I think, the more subnets = more strain on router. Granted, I still need a general Guest WiFI and Girlfriend-of-the-week WiFi. No kids here. I do remember research saying to keep your BI server in same subnet VLAN as cameras else all camera video has to transverse over to a different subnet VLAN to your BI server really bogging down the router CPU.
 

ARAMP1

Getting the hang of it
Joined
Feb 13, 2018
Messages
97
Reaction score
32
Location
Memphis, TN
what is that....9 or 10 subnets? Geez :) I only have 4. I think, the more subnets = more strain on router. Granted, I still need a general Guest WiFI and Girlfriend-of-the-week WiFi. No kids here. I do remember research saying to keep your BI server in same subnet VLAN as cameras else all camera video has to transverse over to a different subnet VLAN to your BI server really bogging down the router CPU.
Yeah, I overbuilt/repurposed a computer for pfSense. 3.5Ghz/32GB of RAM. The system is overkill. It's on a 10GbE set of switches.

My BI machine and all the cameras are on my security LAN.
 

saltwater

Getting the hang of it
Joined
Oct 6, 2019
Messages
71
Reaction score
26
Location
Melbourne, Australia
Spent this entire Saturday learning about creating subnets & VLANs through my Ubiquiti UDM router and Ubiquiti 48 port managed switch and Ubiquiti AP. Had to watch lots of YouTube vids (mostly of EdgeRouters since not much UDM vids out there yet) and websites.
Finally. So far, I have 4 subnets & VLANS:
1.) 192.168.1.1 for personal use
2.) 192.168.2.1 for future Radius VPN (gotta wait til my Pixel 4XL arrives for that)
3.) 192.168.3.1 VLAN 3 for general IOT (Denon smart amp, robot vacuum, Roku's, etc)
4.) 192.168.4.1 VLAN 4 for 15 IP cameras & Blue Iris Server
... snip ... :)
Ok, I've clicked on the 'Watch' button for this thread. You are about six months ahead of me, this week I start laying all my Cat6 cables in my house under construction. Last night I purchased a 5 pack of UniFi ceiling access points in readiness to install at least the bracket components to the ceilings when the plastering is done in a few weeks time. My next job (today) is to purchase Dahua brackets for dome/turret style cameras. Hope I don't stuff that up getting the wrong type.

In the interim, I'm trying to come to grips with all this VLAN stuff, so will keep an eye out for all the little 'gotchas' that crop up in this thread. I'm yet to pull the trigger on the purchase of Ubiquity router and switch.
 

The Automation Guy

Getting the hang of it
Joined
Feb 7, 2019
Messages
48
Reaction score
53
Location
USA
what is that....9 or 10 subnets? Geez :) I only have 4. I think, the more subnets = more strain on router. Granted, I still need a general Guest WiFI and Girlfriend-of-the-week WiFi. No kids here. I do remember research saying to keep your BI server in same subnet VLAN as cameras else all camera video has to transverse over to a different subnet VLAN to your BI server really bogging down the router CPU.
It's easy to get carried away when you start to create vlans.

I have 6 - regular lan, ip phone system, CCTV, IOT crap, gaming systems, and guest network.

I don't think the vlans use up to many resources. I'm running pfSense on a HP t620 plus thin client along with one "always on" VPN tunnel to my parents house for off site backup and support of their network and a VPN server to connect into my network. I also run pfBlockerNG.

I think my normal CPU usage hovers around 10-20% with spikes to about 80% occasionally and about one gb memory used (4gb on board with 3.5gb available).
 

ARAMP1

Getting the hang of it
Joined
Feb 13, 2018
Messages
97
Reaction score
32
Location
Memphis, TN
I have 6 - regular lan, ip phone system, CCTV, IOT crap, gaming systems, and guest network.
Yeah, that's basically my setup with an addition with a Managment VLAN which has all my switches, access points, server IPMI, etc on it. My DMZ VLAN is all of my TVs, Rokus, Chromecasts, etc. My IoT/Utility VLAN has my thermostats, Smartthings, Ring, etc.

I did a Maintenance VLAN which is just a direct onboard NIC (doesn't go through my main 10GbE switch) so if/when I mess a setting up in my VLANs or main trunk switch, I still have access to my pfSense machine. (learned to have that one the hard way).
 
Last edited:

reflection

Getting the hang of it
Joined
Jan 28, 2020
Messages
138
Reaction score
81
Location
Virginia
I did a Maintenance VLAN which is just a direct onboard NIC (doesn't go through my main 10GbE switch) so if/when I mess a setting up in my VLANs or main trunk switch, I still have access to my pfSense machine. (learned to have that one the hard way).
The old "OOB VLAN" trick :)
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,342
Reaction score
863
With respect of Ubiquity firewalls, I always refer to this diagram for all possible communications (eg intervlan/WAN/ISP):
 

Hammerhead786

Pulling my weight
Joined
Apr 23, 2018
Messages
247
Reaction score
157
Wow..I am scratching my Head ATM..trying to get my Network setup...

I got my Vlans set..Now trying to figure out how to get my BI PC to talk to 2 Vlans or be able to get to the net w/out the Cams being able to..
If your managed switch is a layer 3 switch, you can set up inter-vlan routing. I have a Procurve 26260 set up with 3 vlans. Cams on one vlan, BI pc on another and home network on the third. An access list prevents the cams talking to anything other than the BI pc. BI pc can access the internet and I can access the cams remotely using Openvpn. Home network can't access the cams directly, but can access the BI pc.
 

AP514

Getting the hang of it
Joined
Dec 10, 2018
Messages
97
Reaction score
37
Location
Texas
Yup I can do Vlan routing.... but I Have to admit..I am feeling a little overwhelmed..ATM. Have ACL.....
I know I can... just figuring out how is my issue ATM.

Feel free to start a Conversation.... ;)
 

The Automation Guy

Getting the hang of it
Joined
Feb 7, 2019
Messages
48
Reaction score
53
Location
USA
If you haven't seen Lawrence Systems YouTube channel, I highly recommend it. Tom Lawrence does a great job in sharing detailed walkthroughs on how to set a lot of this up.

 

AP514

Getting the hang of it
Joined
Dec 10, 2018
Messages
97
Reaction score
37
Location
Texas
Well, just looking for some Free help...that is why we are here, To learn and Share........

I already am a watcher :)
 

Hammerhead786

Pulling my weight
Joined
Apr 23, 2018
Messages
247
Reaction score
157
Yup I can do Vlan routing.... but I Have to admit..I am feeling a little overwhelmed..ATM. Have ACL.....
I know I can... just figuring out how is my issue ATM.

Feel free to start a Conversation.... ;)
Check out the attached pdf of my set up. It may give you some guidance. Feel free to ask me any questions and provide the configuration of your network including the models of each device you are using.
 

Attachments

Top