BI Network Configuration

Philly · Jan 13, 2019

Hello:

Could you please help me with the newbie question on network configuration.
In order to have Cams on a different network (like most people setup additional NIC) will 1 managed switch would do it?

Router>Switch>PC
same Switch > POE Cams?

What is the best practice to setup CAMs connected to the managed switch please.

Thank you again!

SouthernYankee · Jan 13, 2019

There are a number of ways to accomplish this.

I use two nic cards in the bi PC. One connects to the router, the other connects to a simple switch that connects to multiple POE switches. The nice have different IP address. All is on the camera side are static

Philly · Jan 13, 2019

Is it any way to set up without 2 NIC cards and just with a switch?

davej · Jan 13, 2019

I think most people here use a pc with an added NIC card. The pc motherboard has a built-in NIC so they then have at least two networks available (or more if it was a multi-NIC card). They then use a gigabit (uplink side) PoE switch to connect and power all of the cameras. The cameras are each at 100mbps so the PoE switch provides an efficient way to combine all the camera traffic and get it to the BI server without clogging up your entire home network. Also since the cameras on on their own subnet they are more protected from hacking attempts. Some people here promote the use of managed switches, but that is up to you.

crw030 · Jan 13, 2019

^^this, except I haven’t seen any need for gigabit uplink. Just as long as you cam handle the camera feeds on that network. I used a USB Ethernet adapter for uplink for a year that only tested about 250 Mbit or something, with no problems.

StevenP · Jan 21, 2019

you can add a second IP address to your NIC if you are using static IP addressing, you can put a second subnet that matches the camera, only that PC will be able to access them. But that that doesn't help you at all with bandwidth on you network, But it does isolate the cameras.

Dauv · Feb 4, 2019

StevenP said:
you can add a second IP address to your NIC if you are using static IP addressing, you can put a second subnet that matches the camera, only that PC will be able to access them. But that that doesn't help you at all with bandwidth on you network, But it does isolate the cameras.

View attachment 38316

Any chance you can expand on this process? I would love to know more abut how to do this the right way.

StevenP · Feb 4, 2019

Dauv said:
Any chance you can expand on this process? I would love to know more abut how to do this the right way.

Expand on what part?
So, IDK that i would say this is the Right way for what he wanted to do, its A way.
we use second Addresses on equipment as more of a backdoor into the box when it is placed on a customers network. when we need to service it, we can always connect to it.

its also a good way to have a 192.168.0.x or 192.168.1.x setup so you can communicate with new equipment.

Dauv · Feb 4, 2019

Thanks StevenP,
Sorry for the confusion.
I am in the midst of trying to make my entire home network more secure/robust/accessible through OpenVPN. I would like to change the entire LAN to a non common IP config like 192.168.60.x to ensure or at least make it a lot less likely that I will be denied when trying to access my network through VPN from some place that might be using the common 192.168.1.x layout.

The only reason I am not jumping right in now with making changes is that I am trying to figure out the best way to do this without having to climb up on ladders to access the wireless cams I have, in order to change their IP's to the new standard.

The main problem I have is that there are several cams in my system that each access a different WAP which each have a different (hidden) SSID.

How would you go about this? My fear is that once I change the IP layout on each of the routers (WAP's) on my LAN that I will have to manually climb up, hook up an ethernet cable and reconfigure each cam to reach the WAP's newly change IP. I realize that I won't have to change the SSID on the WAP's but once the IP's are changed, the cams won't see them until their IP config is changed... Also, I wont be able to change their (cams) internal IP's once the link is broken.....

Sort of stuck in my own mud at this point.... Is it inevitable that I will have to hardline into each cam to get this done?

davej · Feb 5, 2019

I just looked at my gateway router logs and the router seems to know about my camera sub-nets. How can this happen? I can't reach the the cameras on the subnet with my browser. Are the cameras somehow getting past the BI server? Do I need to edit the firewall? (question edited for clarity 3:23pm)

NoloC · Feb 5, 2019

Dauv said:
I would like to change the entire LAN to a non common IP config like 192.168.60.x to ensure or at least make it a lot less likely that I will be denied when trying to access my network through VPN from some place that might be using the common 192.168.1.x layout.

I don't think you need to worry about that as your connection through the OpenVPN server will assign a different subnet to the client. Take a look at the settings. My ASUS has the stock firmware and I recall you have flashed yours but I think this will still be in the settings for OpenVPN. The default on mine was 10.8.0.x . So when I log in for example from my phone, I can see in the server settings that the client has connected and been assigned as IP of something like 10.8.0.6 . If I connect to my BI box it sees the connection as coming from 10.8.0.6 although it is also a 192.168.1.x device.

My home network is 192.168.1.x

Dauv · Feb 5, 2019

NoloC said:
I don't think you need to worry about that as your connection through the OpenVPN server will assign a different subnet to the client. Take a look at the settings. My ASUS has the stock firmware and I recall you have flashed yours but I think this will still be in the settings for OpenVPN. The default on mine was 10.8.0.x . So when I log in for example from my phone, I can see in the server settings that the client has connected and been assigned as IP of something like 10.8.0.6 . If I connect to my BI box it sees the connection as coming from 10.8.0.6 although it is also a 192.168.1.x device.

My home network is 192.168.1.x

That is all correct, but the problem is (as I understand it) that if your home network is on 192.168.1.x and you go to a place with public wifi and they are also using 192.168.1.x and you try to connect your VPN on your laptop (not your phone which never uses 192.168.1.x), you will then be on their 192.168.1.x network when you initiate the VPN connection, so your VPN will assume you are tying to connect from within your home LAN and It will then not allow you to access your LAN through the VPN. The VPN connection will still be established, but you will not be able to navigate your LAN.

Sorry if did not explain that the right way, but that is what I have been able to gather over on DD-WRT over the last year or so... There is no loopback feature/setting in these VPN enabled routers so everything needs to be on it's own subnet..... Please correct me if I am wrong.... No shame here.

NoloC · Feb 5, 2019

The 192 stuff isn't routable so I don't believe your VPN server would ever see that address. It would see the public ip of the establishment. All done through the magic of NAT.

I could be wrong. It would be easy to test by going to any place with your laptop and logging in to your VPN server to see what ip it reports for the client.

crw030 · Feb 5, 2019

NoloC said:
I could be wrong. It would be easy to test by going to any place with your laptop and logging in to your VPN server to see what ip it reports for the client.

Just Try WhatsMyIP.com.

Example: On Mobile data I get a local 100.x.x.x IP address assigned to my phone by Verizon network, and a NAT IP of 174.x.x.x
Connect OpenVPN: Phone network settings and OpenVPN report the Private/Local IP (192.168.99.x which is configured for the VPN tunnel on my VPN server) and Public IPV4 matching my home public internet IP.
Since connected to VPN, it reports my Home internet IP, I am tunneled into that network and appear to be coming from "inside" my home network.

If you were on a coffee shop wi-fi, I'd expect you will see a Local IP depending on however they setup their network (possibly 192.168.x.x) and their public facing IP after NAt traversal.

58chev · Feb 6, 2019

Dauv said:
That is all correct, but the problem is (as I understand it) that if your home network is on 192.168.1.x and you go to a place with public wifi and they are also using 192.168.1.x and you try to connect your VPN on your laptop (not your phone which never uses 192.168.1.x), you will then be on their 192.168.1.x network when you initiate the VPN connection, so your VPN will assume you are tying to connect from within your home LAN and It will then not allow you to access your LAN through the VPN. The VPN connection will still be established, but you will not be able to navigate your LAN.

Makes no difference. I have used VPN from my daughters house one her network which is 192.168.1.x to my network 192.168.1.x and it works seamlessly.

as for changing the IP's on your WAP's and cameras, could you not remote to your wifi camera, change the IP. Then change the IP on your WAP? No need to then use a ladder to get to your cameras.

Whoaru99 · Feb 27, 2019

OpenVPN clearly suggests against using common subsets because of potential for conflict.

https://openvpn.net/community-resources/numbering-private-subnets/

Search

BI Network Configuration

Philly

Getting the hang of it

SouthernYankee

Philly

Getting the hang of it

davej

Getting the hang of it

crw030

StevenP

n3wb

Dauv

Young grasshopper

StevenP

n3wb

Dauv

Young grasshopper

davej

Getting the hang of it

NoloC

Getting comfortable

Dauv

Young grasshopper

NoloC

Getting comfortable

crw030

58chev

Pulling my weight

Whoaru99

Pulling my weight