BI dedicated server + POE switch, how to integrate/secure?

Nocturn

n3wb
Joined
May 21, 2016
Messages
24
Reaction score
8
OK so based on everyone's help, I picked up a refurb Dell Precision i7-6700 with 16GB RAM, an active 10 Pro seat, and a 256SSD for about $400. I also picked up a 10 port POE switch BVlink with giga-uplink for about $65. I'll get a WD purple drive next and hopefully everything will play nice with my 8 Lorex 3MP cams.

So, assuming it's best to keep the camera system on its own isolated network (since there are hanging cat-5 cables outside now) how do I get it to connect online for remote access without also connecting it to my existing network?

I'm not an IT guy so this setup is new for me... and I don't see much about this aspect written in the BI wiki.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
I have two NIC cards in the BI PC, one connected to the IP cameras and one connected to my home network. The home network is 192.168.1.xxx; the camera network is 192.168.2.xxx. All the cameras and the BI PC have static IP addresses. The cameras cannot connect to the internet, only to the BI PC.

Also, on the BI PC, run an NTP time server so that the cameras can get the current accurate time without access to the internet.

The next part is that the connection to the home network is via a VPN. I use OpenVPN. I use an ASUS router which supports OpenVPN. There are a number of posts and directions on setting up a VPN. There are a number of other methods of setting up a VPN.

Another possible solution is to place all the cameras and the PC on the home network, then use the ASUS router parental controls to block the cameras' MAC / IP from accessing the internet.

I am paranoid, so I use the two NIC method.

1) How is the home network connected to the Internet? Is it a modem and a separate router or a single unit modem/router?
2) Manufacturer and model number of the above device or devices?
3) Who is your internet provider?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,901
Reaction score
21,270
OK so based on everyone's help, I picked up a refurb Dell Precision i7-6700 with 16GB RAM, an active 10 Pro seat, and a 256SSD for about $400. I also picked up a 10 port POE switch BVlink with giga-uplink for about $65. I'll get a WD purple drive next and hopefully everything will play nice with my 8 Lorex 3MP cams.

So, assuming it's best to keep the camera system on its own isolated network (since there are hanging cat-5 cables outside now) how do I get it to connect online for remote access without also connecting it to my existing network?

I'm not an IT guy so this setup is new for me... and I don't see much about this aspect written in the BI wiki.
No one is going to connect to your network by way of Ethernet hanging outside, ever.
 

Nocturn

Everything on my home network is connected to a switch, which itself is connected to an ASUS router (RT-AC87U). The cable modem feeds in to that directly.

I’m pretty sure it supports vpn, but admittedly I need to educate myself how.

Pardon my ignorance but does a VPN essentially allow me to remote in to the BI-PC from my daily PC (to see what’s going on) or is the VPN needed for seeing feeds from my mobile phones while I’m out? Thanks for the patience, learning as I go here.
 

Nocturn

No one is going to connect to your network by way of Ethernet hanging outside, ever.
Maybe I’m making this a bigger deal by doing a separate network then? Would it be bad to simply join them?
 

fenderman

Maybe I’m making this a bigger deal by doing a separate network then? Would it be bad to simply join them?
I'm not saying you shouldn't, my point was that no one is going to mess with your outdoor connection. The most important thing is to block the cameras' access outbound and inbound from the net.
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,989
Location
Megatroplis, USA
Your Asus router supports the OpenVPN Standard. Learn how to set it up. You need the VPN to safely access your network when you are not at home on your LAN. When you are operating inside your LAN you do not need a VPN. When you are away from home the VPN will allow you to safely access any device which runs on your home LAN (workstations, servers, printers, or cameras). Running a VPN means you don’t have to expose your home network (LAN) by port forwarding.
 

Clint3200

n3wb
Joined
Nov 12, 2018
Messages
9
Reaction score
10
Location
Oklahoma
I have two NIC cards in the BI PC, one connected to the IP cameras and one connected to my home network. The home network is 192.168.1.xxx; the camera network is 192.168.2.xxx. All the cameras and the BI PC have static IP addresses. The cameras cannot connect to the internet, only to the BI PC.

Also, on the BI PC, run an NTP time server so that the cameras can get the current accurate time without access to the internet.

The next part is that the connection to the home network is via a VPN. I use OpenVPN. I use an ASUS router which supports OpenVPN. There are a number of posts and directions on setting up a VPN. There are a number of other methods of setting up a VPN.

I am paranoid, so I use the two NIC method.
After thorough research before buying some Dahua cams, this is the way I set things up as well. Picked up a TP-Link NIC on Amazon for like $15, got an 8-port POE switch, put the cameras/POE on the new NIC on separate subLAN, have Blue Iris PC on the other NIC subLAN.
I also use OpenVPN... trying to set up my old router for OpenVPN was a b!tc#, so I ended up buying a Netgear AC1750... followed the instructions on the VPN section and it was a piece of cake.

I also would add: turn off UPnP everywhere possible (How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk)
 

Nocturn

After thorough research before buying some Dahua cams, this is the way I set things up as well. Picked up a TP-Link NIC on Amazon for like $15, got an 8-port POE switch, put the cameras/POE on the new NIC on separate subLAN, have Blue Iris PC on the other NIC subLAN.
I also use OpenVPN... trying to set up my old router for OpenVPN was a b!tc#, so I ended up buying a Netgear AC1750... followed the instructions on the VPN section and it was a piece of cake.

I also would add: turn off UPnP everywhere possible (How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk)

Thanks for that. So is the point of having two NICs to allow a single BI PC to access both networks without those networks spilling on to each other?

Bigger picture question, what is the drawback with simply placing the POE cameras and POE switch right on your existing home network? (I am using switches, which I thought directed traffic more accurately than hubs)

And finally, are you using a VPN to remote-in to your BI-PC while you're out and about?


T.I.A.
 

Clint3200

First, I'm not a security expert. But what I set up was the advice of the security experts lol. My understanding is that if the IP cams are on a totally different subnet/NIC, they can't "phone home", get hijacked, or even connect to the internet (I have the gateway and DNS blanked on that subnet).

On the OpenVPN, yes, that is how only I can access Blue Iris from afar. The VPN connects so that it is like I am at home. I have the BI app on my phone and have the local IP settings in the BI app. 2 steps: Connect using the OpenVPN app, then open the BI app on phone. Can see live view and recordings from afar.
 

SouthernYankee

@Nocturn
The two NICs separate the two networks, so the cameras are on a separate network. This is primarily done for security. This also prevents the cameras from interfering with your home network, and your home network from interfering with the cameras. So your cameras do not affect the online game playing and the 4K TV movies you are streaming. :) :)

My wife and I use the VPN to access BI when out of the house. We use the BI Android app and OpenVPN. OpenVPN is set up on my ASUS router.

Hubs are old technology, everything now should be using a switch.
 

Nocturn

You guys rock, thank you

Would I need a second router for the second network, or does the uplink of the POE switch just connect directly to that 2nd NIC on the BI-PC? (while the cams use the powered ports)
 

SouthernYankee

The router is for the internet only and providing IP addresses for new devices.

On the second network all the cameras and the BI computer will have static addresses, so there is no need for a router.

The POE switch connects to the second NIC on the BI PC via an ethernet cable.
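
The BI PC side of the two-NIC layout described in this thread (camera subnet 192.168.2.xxx, static addresses, no gateway or DNS on the camera side), as an added PowerShell example that is not from any poster. The adapter name `Cameras` and the address 192.168.2.1 are assumptions.

```powershell
# Run in an elevated PowerShell session on the Blue Iris PC.
# Assumptions (not from the thread): the second NIC is named 'Cameras'
# and the BI PC takes 192.168.2.1 on the camera subnet.
$alias  = 'Cameras'
$biAddr = '192.168.2.1'

# Static address only. Omitting -DefaultGateway means no route leaves
# 192.168.2.0/24 through this adapter.
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Dhcp Disabled
if (-not (Get-NetIPAddress -InterfaceAlias $alias -IPAddress $biAddr -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $alias -IPAddress $biAddr -PrefixLength 24 | Out-Null
}

# No DNS servers on the camera side, and no routing between the two NICs.
Set-DnsClientServerAddress -InterfaceAlias $alias -ResetServerAddresses
Set-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -Forwarding Disabled

# Verify the result instead of trusting the commands above.
$cfg   = Get-NetIPConfiguration -InterfaceAlias $alias
$dns   = (Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4).ServerAddresses
$route = Get-NetRoute -InterfaceAlias $alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
$fwd   = (Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4).Forwarding

$checks = [ordered]@{
    'Address is 192.168.2.x'    = [bool]($cfg.IPv4Address.IPAddress -like '192.168.2.*')
    'No default gateway'        = -not $cfg.IPv4DefaultGateway
    'No default route on NIC'   = -not $route
    'No DNS servers'            = -not $dns
    'IP forwarding is disabled' = $fwd -eq 'Disabled'
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-28} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}
```

This covers only the BI PC; each camera's own gateway and DNS fields are set in the camera's web interface.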
 

Q™

Would I need a second router for the second network, or does the uplink of the POE switch just connect directly to that 2nd NIC on the BI-PC? (while the cams use the powered ports)
Using 2 LAN cards to separate your cameras from your LAN is complicating things...unnecessarily IMO. I'd suggest it will be simpler for you to run your cameras on your LAN and use a VPN to secure your camera and your LAN from the bad guys. You can complicate things at a later date, after you understand everything better. Walk before you run.
 

fenderman

Using 2 LAN cards to separate your cameras from your LAN is complicating things...unnecessarily IMO. I'd suggest it will be simpler for you to run your cameras on your LAN and use a VPN to secure your camera and your LAN from the bad guys. You can complicate things at a later date, after you understand everything a tad better. Walk before you run.
Who knows, by that time Q might have a contest for a free gigabit network card ;)
 

Q™

Hmmm. Come to think of it I do have a number of old 3Com ISA 10Mbps cards laying around.

This is what happens when one can't bring one's self to throw anything out...for 25 years.
 

awsum140

Known around here
Joined
Nov 14, 2017
Messages
1,254
Reaction score
1,128
Location
Southern NJ
I don't know what you're talking about Q. Now where is that 8 bit VGA card with 256K of RAM I saw the other day?
 