BI Remote LAN Setup to Prevent Access to Other LAN Computers - How to Setup

Alaska Country (Getting comfortable; joined Jun 10, 2021; 449 messages; 657 reaction score; Alaska)
Using dual NICs in the Blue Iris Windows 10 computer. One NIC is set to automatic (the internet side), the other NIC is set manually to 192.168.55.xx for all Dahua cameras.

The system has been expanded to a neighbor's location by the use of an Ubiquiti Air Max Light Beam 5AC RF link. The issue is that the BI cameras on the RF link are on a subnetwork, which prevents access to the BI web server at the remote location.

The neighbor would like to view and play back video on their remote desktop (#3 in the diagram) computer for a set of selected cameras, i.e. no camera management is required at the remote site. Intend to use the BI web server GUI at their remote location.

The overall concern is to maintain 100% isolation for any access to the three desktop computers (1, 2, 3) that are connected to the internet at both locations, i.e. no file sharing, no attempts to gain access to one's personal information, and no hacks to gain access to any connected LAN computer.

Would one solution be to use ZeroTier to add an additional network to the system? Or are there alternative solutions that are simpler and workable?

The game plan is to NOT use the internet or a phone for video viewing, but to only use the expanded LAN, with preferably zero or close to zero internet bandwidth utilization.

System Diagram (image: System-Diagram-Revised.jpg, not reproduced)
 

sebastiantombs (Known around here; joined Dec 28, 2019; 11,511 messages; 27,696 reaction score; New Jersey)
I'd set up ZeroTier and create a user in BI that only has access to the cameras you want to share with your neighbor. Then your neighbor can use UI3, log in to your BI and only have access to the cameras at his end of things.
 

Alaska Country
> I'd set up ZeroTier and create a user in BI that only has access to the cameras you want to share with your neighbor. Then your neighbor can use UI3, log in to your BI and only have access to the cameras at his end of things.
Yes, I like this.

Do you think that there would be an issue in that only the subnet at 192.168.55.xx would be available at their remote location via the Air Max RF link? That UI3 on 192.168.1.120 (the URL that I use to log into BI3) is on a different network and should not be accessible via the RF link.
 

sebastiantombs
ZeroTier will provide access through a totally different IP that isn't even close to your local LAN address schemes. Nothing, machines or people, will "see" those addresses when connected with ZT. ZT creates a separate, private network that is isolated from anything else around it unless you enable that feature, and that takes a Linux box from what I've seen. The login to UI3 will need to be the IP provided by ZT along with the correct port, also provided by ZT. Both are easily available in the ZT web console when you authorize the remote computer access in ZT.
 

TonyR (IPCT Contributor; joined Jul 15, 2014; 16,831 messages; 39,165 reaction score; Alabama)
> [quotes Alaska Country's opening post in full]
What is the purpose of the connection in red?
(image: System-Diagram-Revised_1.jpg, not reproduced)
 

The Automation Guy (Known around here; joined Feb 7, 2019; 1,413 messages; 2,813 reaction score; USA)
Just to make sure I understand the original situation - the neighbor has internet but doesn't want to use it for playback (maybe a metered connection or slow speed) and you are currently connecting the two networks via a pair of Ubiquiti Air Max Light Beam 5AC RF links?

I believe using ZeroTier is going to require that you utilize the internet as the bridge. This means both internet connections will need to handle that data (which isn't a ton, but will be a constant stream of data). Another option would be to use local VLANs if the network gear can support it. Unfortunately, looking at the diagram, it seems the neighbor's network gear is pretty basic, so it may not be able to handle VLANs.

Create a VLAN for the wireless connection between the two locations. I don't know how those devices work, but I suspect you will create a unique wireless network for just that connection and put that wireless network in the new VLAN. On the neighbor's side, you will need to place his cameras on that VLAN and he will need access to your BI server. On your side of the VLAN, you will need to give access to your BI server to/from that VLAN as well, although I would have the BI system & cameras all on their own unique subnet and not the shared VLAN subnet. This should allow your neighbor to pull up BI via a web browser and allow your BI to see his cameras, but the rest of both of your networks will be isolated from each other. As noted in an earlier post, you'll need to create a unique BI user and limit that user to only the cameras you want them to see.

At least as I sit here and think about it, that concept should work and allow the transfer of data over the wireless connection only (not the internet) and provide isolation for the rest of the network devices. Of course I haven't tried any of this myself, but I think the theories are sound.
 

Alaska Country
> ZeroTier will provide access through a totally different IP that isn't even close to your local LAN address schemes.
Viewed a few videos and understand the basic concept. ZT will look for a connection and if not available will then use ZT servers for data transfer. The overall plan is to keep the system as a LAN and not use the external internet due to data caps. If ZT could find and then use the RF link for UI3 viewing that would be ideal. If the internet has to be involved for viewing UI3 on Blue Iris, at the remote site, then ZT would be of limited use.

The overall goal is to use the connection (RF link) to the remote site for both sending camera video data on the subnet at 192.168.55.xx to BI and allowing the remote site to use UI3 on Blue Iris (192.168.1.120) to view assigned cameras, timelines, clips, etc.
 

Alaska Country
> What is the purpose of the connection in red?
That proposed connection is to provide a data connection back to the BI computer for viewing UI3 clips, timelines, etc. As stated above, the cameras and UI3 are on different networks, which is desirable for isolation, but complicates issues when access is required. The goal is to use the data connection between the main and remote sites (RF link) for sending camera video data back to BI and to have the remote site access the Blue Iris UI3 interface.

Like your ideas about using a VLAN, however my skills in networking are in the negative territory. And you are correct in assuming that both ends utilize consumer grade modems, etc.
 

bp2008 (Staff member; joined Mar 10, 2014; 12,680 messages; 14,040 reaction score; USA)
ZeroTier is not necessary here, in fact it would almost certainly tunnel the connection through the internet.

VLANs are also an unnecessary complication.

What devices are 192.168.66.xx? I don't see those labeled on the diagram.

To give you a proper answer we need a little more information.

For now I will assume some things.

Assumption #1: The two routers are each just configured as relatively basic routers where each router only has one LAN interface that is bridged across all the LAN ports on the router (this would be the default configuration for any consumer-grade router).

That means you only have two isolated networks here, highlighted in blue and red.



The important realization here is that anything within each network can talk to anything else within that network, so it is just a matter of correct software configuration to get REMOTE DESKTOP 3 to talk to BI over the local Airmax link.

Assumption #2: BI machine NIC 1 already has an address in the 192.168.55.xx range in order to access the cameras (which are also static-addressed in the 192.168.55.xx range).

Assumption #3: REMOTE DESKTOP 3 does not have an address in the 192.168.55.xx range because it has received an IP in a different range via DHCP from the red-side router.

If I am correct in all 3 assumptions, then you just need to assign REMOTE DESKTOP 3 a static IPv4 address in the same address range it was already in (avoid creating an address conflict, and assign the gateway and DNS and subnet mask appropriately to ensure it doesn't lose its ability to use the internet). Once REMOTE DESKTOP 3 has a static address, you can use the Advanced button within the IPv4 Properties panel to add additional static IP addresses to the same interface. So just add one address in the 192.168.55.xx range. Then REMOTE DESKTOP 3 can reach BI's web interface via the IP address of BI machine NIC 1.

* Make sure BI Web Server settings has the "Bind exclusively" box EMPTY so that it will be listening on all network interfaces.
 
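Added example (an editor's addition, not code from the thread, from Blue Iris or from Ubiquiti): the procedure bp2008 describes for REMOTE DESKTOP 3, done from an elevated PowerShell prompt instead of the IPv4 Properties dialog, with the checks a practitioner would want before handing the machine back. The adapter alias "Ethernet", the neighbor's 192.168.2.x range and router, the chosen secondary address 192.168.55.50, the BI machine NIC 1 address 192.168.55.5 and the camera web port 80 are all assumptions; only 192.168.55.xx, the camera at 192.168.55.12 and UI3 come from the thread. TCP 81 is the Blue Iris default web server port; substitute whatever port the BI web server is actually configured for.

```powershell
# Added example (editor's addition, not from the thread): REMOTE DESKTOP 3 side of
# bp2008's suggestion, as PowerShell instead of the IPv4 Properties dialog. Run in an
# elevated PowerShell on REMOTE DESKTOP 3 (Windows 10/11). Values marked ASSUMED are
# placeholders for the real ones.

$Alias     = 'Ethernet'         # ASSUMED adapter alias; check with Get-NetAdapter
$PrimaryIP = '192.168.2.50'     # ASSUMED: the address DHCP already gave this machine
$Gateway   = '192.168.2.1'      # ASSUMED: neighbor's router
$Dns       = '192.168.2.1'      # ASSUMED
$CameraIP  = '192.168.55.50'    # ASSUMED: second address in the camera / RF-link range
$BIServer  = '192.168.55.5'     # ASSUMED: BI machine NIC 1 address
$BIPort    = 81                 # Blue Iris default web server port

# 1. Pin the address the machine already has instead of leaving it to DHCP: disable
#    DHCP, clear the lease and its default route, then re-add the same address with
#    gateway and DNS so the machine keeps its internet access.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $PrimaryIP -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Dns

# 2. Add the secondary address (what the "Advanced" button in IPv4 Properties does).
#    No gateway: 192.168.55.0/24 is reached on-link, through the switch and RF bridge only.
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $CameraIP -PrefixLength 24 | Out-Null

# 3. Windows runs duplicate-address detection after the add; refuse to keep an address
#    that a camera or the BI NIC already owns.
Start-Sleep -Seconds 3
$state = (Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $CameraIP -AddressFamily IPv4).AddressState
if ($state -eq 'Duplicate') {
    Remove-NetIPAddress -InterfaceAlias $Alias -IPAddress $CameraIP -Confirm:$false
    throw "$CameraIP is already in use on the camera subnet; choose another address"
}

# 4. Verify: both addresses present, default route intact, BI web port answering.
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength, AddressState
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' | Select-Object NextHop, InterfaceAlias
Test-NetConnection -ComputerName $BIServer -Port $BIPort | Select-Object RemoteAddress, TcpTestSucceeded

# 5. The same on-link reach applies to the cameras themselves (web GUI on 80 ASSUMED),
#    so their login pages are not hidden from this machine; only their passwords are.
Test-NetConnection -ComputerName '192.168.55.12' -Port 80 | Select-Object RemoteAddress, TcpTestSucceeded
```

The last check is the point to keep in mind when reading the rest of the thread: the secondary address makes every host on the camera subnet reachable from REMOTE DESKTOP 3, not just the BI web server, so the camera credentials and the BI user's restricted rights are the only controls on what the remote user can touch.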

TonyR
> That proposed connection is to provide a data connection back to the BI computer for viewing UI3 clips, timelines, etc. As stated above, the cameras and UI3 are on different networks, which is desirable for isolation, but complicates issues when access is required. The goal is to use the data connection between the main and remote sites (RF link) for sending camera video data back to BI and to have the remote site access the Blue Iris UI3 interface.
I figured that but it's unlikely the "Remote Desktop 3" is on a subnet that can view the BI server or the cams.
If it was, then the remote cams would be accessed through the router, not a good idea.

I'd add a NIC 2 to the "Remote Desktop 3" and give it a static IP subnet of 192.168.55.XXX and plug it into the switch for the remote cams, as in the drawing below. If that RF link is set up as a Layer 2 transparent bridge then it's as good as an Ethernet cable and you can connect to the BI server and cams via UI3.
Password protect the server's Admin and maybe set up a User in BI with the desired rights, etc.
> Like your ideas about using a VLAN, however my skills in networking are in the negative territory. And you are correct in assuming that both ends utilize consumer grade modems, etc.
That was someone else.

(image: System-Diagram-Revised_2.jpg, not reproduced)
 

Alaska Country
> ZeroTier is not necessary here, in fact it would almost certainly tunnel the connection through the internet.
>
> VLANs are also an unnecessary complication.
>
> What devices are 192.168.66.xx? I don't see those labeled on the diagram.
Looks like this will work. Appreciate your comments and suggestions.

In an earlier post, the subnet was listed as .66, which has been corrected to .55. The 192.168.55.xx is the camera subnet (all cameras on 192.168.55.12, 192.168.55.14, etc.) that is on a separate NIC in the Blue Iris computer. Plus it is the same subnet that is on the RF link to the remote site.

If you have any suggestions as to links to YouTube videos that would assist in setup, please post.
 

Alaska Country
> I'd add a NIC 2 to the "Remote Desktop 3" and give it a static IP subnet of 192.168.55.XXX and plug it into the switch for the remote cams, as in the drawing below.
Will have to check with the end user and ask if they have any objection to installing a NIC in their computer. If yes, then it will be a matter of adding a run of CAT-5e to their system for the additional data connection.

As a second thought, will there be isolation from the remote site so that they cannot type in the IP address of a camera (192.168.55.12) and access its interface? Would assume so, but if they do not have the user/password then they would be blocked at the login screen.
 

TonyR
> As a second thought, will there be isolation from the remote site so that they cannot type in the IP address of a camera (192.168.55.12) and access its interface?
No, but you should have a user and strong password already set in the camera's webGUI login, right?
> Would assume so, but if they do not have the user/password then they would be blocked at the login screen.
Correct.
And the "user" set up in BI for their login to UI3 would NOT have "Admin" rights either, along with other settings as you want.
 

Alaska Country
Good call on the passwords. Yes, everything has a password.

The remote user just informed me that they only use an Apple laptop. Guess a second NIC is no longer the solution in this case. The ultimate solution is to just say that live camera viewing is not possible under this scenario and leave it at that.
 

bp2008
Not all is lost @Alaska Country. Just take your BI machine NIC 1 and add a second IP address that is in the remote user's IP address range that they use on the Apple laptop. Use the same subnet mask they have there (255.255.255.0 most likely). Then they can connect to your BI instance via that address from ANY device on their network, be it a laptop, desktop, phone, TV, anything.

When choosing an address, it would be advisable to choose one that is not within the DHCP pool of their router to ensure there is no conflict in the future.
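Added example (an editor's addition, not code from the thread or from Blue Iris): the BI-machine side of bp2008's suggestion, run in an elevated PowerShell on the Blue Iris computer. It adds a second address on NIC 1 in the neighbor's range, lets Windows duplicate-address detection confirm the address is free, checks that the web server is listening on all addresses (the "Bind exclusively" point made earlier in the thread), and scopes the Windows Firewall rule for the web port so that only the home LAN, the camera range and the neighbor's range can reach UI3. The adapter alias "NIC 1", the neighbor's 192.168.2.0/24 range with 192.168.2.250 chosen outside its DHCP pool, and the home range 192.168.1.0/24 are assumptions; 192.168.55.0/24 and UI3 at 192.168.1.120 are from the thread; TCP 81 is the Blue Iris default web server port.

```powershell
# Added example (editor's addition, not from the thread): BI-machine side of bp2008's
# suggestion. Run in an elevated PowerShell on the Blue Iris machine (Windows 10).
# Values marked ASSUMED are placeholders for the real ones.

$CamAlias    = 'NIC 1'             # ASSUMED alias of the camera NIC; check with Get-NetAdapter
$NeighborIP  = '192.168.2.250'     # ASSUMED: neighbor's range, outside their router's DHCP pool
$NeighborNet = '192.168.2.0/24'    # ASSUMED
$CameraNet   = '192.168.55.0/24'   # camera / RF-link range (from the thread)
$HomeNet     = '192.168.1.0/24'    # ASSUMED from UI3 living at 192.168.1.120
$BIPort      = 81                  # Blue Iris default web server port; change if BI uses another

# 1. Add the second address. No -DefaultGateway: this is for on-link access over the
#    RF bridge only and must never become a path between the camera subnet and the internet.
New-NetIPAddress -InterfaceAlias $CamAlias -IPAddress $NeighborIP -PrefixLength 24 | Out-Null
Start-Sleep -Seconds 3
$state = (Get-NetIPAddress -InterfaceAlias $CamAlias -IPAddress $NeighborIP -AddressFamily IPv4).AddressState
if ($state -eq 'Duplicate') {
    Remove-NetIPAddress -InterfaceAlias $CamAlias -IPAddress $NeighborIP -Confirm:$false
    throw "$NeighborIP already answers on the link; choose another address outside the neighbor's DHCP pool"
}

# 2. "Bind exclusively" must be off: the IPv4 listener should be 0.0.0.0, not one address,
#    or BI will never answer on the address just added.
$v4Listeners = Get-NetTCPConnection -State Listen -LocalPort $BIPort -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalAddress -notmatch ':' }
if (-not $v4Listeners) {
    throw "Nothing listens on TCP $BIPort; check the Blue Iris web server settings"
}
if ($v4Listeners.LocalAddress -notcontains '0.0.0.0') {
    Write-Warning "BI is bound only to $($v4Listeners.LocalAddress -join ', '); clear 'Bind exclusively' so it answers on $NeighborIP"
}

# 3. Limit who may reach the web port: home LAN, camera range and the neighbor's range only.
$ruleName = 'Blue Iris web server (UI3) - LAN and neighbor only'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort $BIPort `
    -RemoteAddress $HomeNet, $CameraNet, $NeighborNet -Action Allow -Profile Any | Out-Null

# 4. A scoped allow rule changes nothing while a broader allow for the same port remains
#    (installers often create one). List any such rule so it can be disabled.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$BIPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $ruleName } |
    Select-Object DisplayName, Enabled, Profile

# 5. Show the result.
Get-NetIPAddress -InterfaceAlias $CamAlias -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength, AddressState
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Two caveats on what this does and does not buy. The firewall rule lives on the BI machine and only governs the BI web port; it does nothing for the cameras, which every device at the remote site reaches directly across the Layer 2 bridge, exactly as TonyR says, so the cameras' own credentials are the only control there. And keeping the cameras off the internet is a routing matter, not a firewall one: as long as NIC 1 and the cameras carry no default gateway, nothing on the 192.168.55.0/24 subnet has a path out, and the extra address added here does not change that.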
 

Alaska Country
Yes, that will work to access the camera network on 192.168.55.xx. By entering the camera IP address and login information the cameras are all accessible. However, do not want the remote site to have any access to camera settings, only UI3 on Blue Iris.

Tried your suggestion on the HP Win 11 laptop and it works well. Wired Ethernet on the sub network with the USB network adapter and WiFi to access the internet.

The concern is that UI3 on the Blue Iris machine is not accessible via the 192.168.55.xx camera subnetwork, which supplies an RF link to the remote site. My GUI for Blue Iris is 192.168.1.120 and works using any computer on my side of the LAN.

Is there a way to access Blue Iris on the camera subnet at 192.168.55.xx and yet keep the cameras 100% isolated from the internet? Or is there a different IP address that can be used via the camera subnetwork for this purpose?
 