Camera Segmentation

notta

n3wb
Joined
Jan 26, 2015
Messages
7
Reaction score
2
I have 5 Hikvision cameras connected to my home LAN network. A year ago I purchased a Hikvision NVR and connected the cameras to the NVR. I really like this device and have had zero issues. With that being said, to be perfectly honest I have never been comfortable with those devices being on the same network as my other computers. I would like to segment my cameras onto their own subnet but obviously still have them accessible from some device on my network so that I can view the cameras without having to go down to the NVR itself.

I don't need to view the cameras while I'm outside my network, so I will not be opening ports on my router, and I don't need to connect to each camera through the web browser. I can just manage the cameras through the NVR.

Does anyone have guides on how to achieve this?
 

gto-guy

n3wb
Joined
Jul 12, 2018
Messages
27
Reaction score
1
Location
MO USA
Either VLANs or separate physical switches that connect to a decent firewall. I would suggest pfSense running on an older desktop (i5 or i7). You can then create the firewall rules and/or NAT rules to limit what you want in and out of that subnet from both the internet and your PC subnet.

As another benefit, depending on what you do for wireless in your house, if you do something like this you might be able to set up a "guest" subnet that you can let friends/family use but still be segmented from your PCs.
 

Aengus4h

Getting the hang of it
Joined
Mar 12, 2018
Messages
242
Reaction score
98
Location
UK
Some would depend on what your router is capable of and whether it can support vlans, likewise your network switches. If your router does support vlans and your cameras and NVR are on their own switch (or one you can dedicate to them only) then you could assign a vlan at the router to one of its ports and connect the switch to this port. You can then configure firewall rules at the router to limit connectivity from the camera vlan to the internet and your default/other vlans, but allow access from the default vlan to the NVR for monitoring.

If your current router can't then perhaps add another smarter router behind your ISP one. Some routers can also offer multiple SSID's and client isolation if you want a guest WiFi and not have to go to the effort of running yet another PC with dual/multi LAN connections burning energy just to handle firewall duties etc...
 

notta

n3wb
Joined
Jan 26, 2015
Messages
7
Reaction score
2
Thanks for the reply. While I'm not a network admin I know enough to be dangerous. In preparation for this I have spent a fair bit of money. I replaced my SOHO router with pfSense. The pfSense box has 6 NICs installed so I have plenty of room to segment physically. I purchased a 52 port non-PoE Cisco SG300 and a 10 port SG300 for VLANing. I also added a new Ubiquiti Access Point since I replaced the router that offered the wireless.

Right now I have my main home network LAN VLAN, IoT VLAN, Wireless VLAN, and now I want to create a camera VLAN. I think I'm confused from the standpoint of changing the IPs on the camera devices. The 5 cameras are plugged into the NVR, and the NVR itself is on the Wireless VLAN right now. For now I want to just get them isolated, so I guess my question is: can the cameras basically be any IP address, as the NVR is the only one accessing the cameras? Currently all the camera devices are 192.168.1.100 (NVR), 192.168.1.101 Camera (1), 192.168.1.102 Camera (2), 192.168.1.103 Camera (3).... So can I just make the NVR 192.168.81.100 (81 VLAN) and the cameras 10.0.1.101 Camera (1), 10.0.1.102 Camera (2), 10.0.1.103 Camera (3).... and will they still be able to communicate? If so I'll make the changes and deal with setting up the rules for my LAN machine to connect to the NVR on the Camera VLAN later.

One more question: is there any way to view cameras from another part of the house without having to have a PC at each monitor? The only way I can think of involves a PC at each monitor, which eats a lot of power, not to mention requires a PC. I don't know if a Raspberry Pi would cut it. Let's say I wanted a monitor in my foyer hallway to show the cameras, how would I go about this?

Thanks.
 

Aengus4h

Getting the hang of it
Joined
Mar 12, 2018
Messages
242
Reaction score
98
Location
UK
OK, fair enough if you've already gone the pfSense route.

For the NVR, yep, you can just move it into the camera VLAN with an appropriate IP in that network.

The cameras plugged into the NVR would be on a separate LAN internal to the NVR and not actually on your own networks, so you'd need to update that internal LAN somehow and possibly also the cameras if they don't get picked up automatically. You might be able to get away without changing the camera IPs if that subnet doesn't conflict with the rest of your layout. Alternatively, if you're suggesting moving the cameras off the NVR and onto the VLAN itself, you'd need to update the IP config on each camera and also re-add them to the NVR, but you'd not have PoE that way from what you've said about the switches.

For remote monitoring, you could consider an Android tablet with the iVMS app, perhaps. Less clunky than PC/screen dotted about. Here I use an old iPad 1 to VNC to my main desktop to pull up camera views when I need to make adjustments, which works fine for me.
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,990
Reaction score
3,991
Location
Megatroplis, USA
Edit: Never mind...that was a profoundly stupid idea.

 

gto-guy

n3wb
Joined
Jul 12, 2018
Messages
27
Reaction score
1
Location
MO USA
Thanks for the reply. While I'm not a network admin I know enough to be dangerous. In preparation for this I have spent a fair bit of money. I replaced my SOHO router with pfSense. The pfSense box has 6 NICs installed so I have plenty of room to segment physically. I purchased a 52 port non-PoE Cisco SG300 and a 10 port SG300 for VLANing. I also added a new Ubiquiti Access Point since I replaced the router that offered the wireless.

Right now I have my main home network LAN VLAN, IoT VLAN, Wireless VLAN, and now I want to create a camera VLAN. I think I'm confused from the standpoint of changing the IPs on the camera devices. The 5 cameras are plugged into the NVR, and the NVR itself is on the Wireless VLAN right now. For now I want to just get them isolated, so I guess my question is: can the cameras basically be any IP address, as the NVR is the only one accessing the cameras? Currently all the camera devices are 192.168.1.100 (NVR), 192.168.1.101 Camera (1), 192.168.1.102 Camera (2), 192.168.1.103 Camera (3).... So can I just make the NVR 192.168.81.100 (81 VLAN) and the cameras 10.0.1.101 Camera (1), 10.0.1.102 Camera (2), 10.0.1.103 Camera (3).... and will they still be able to communicate? If so I'll make the changes and deal with setting up the rules for my LAN machine to connect to the NVR on the Camera VLAN later.
You can, but if you want to keep the cameras in the same VLAN/subnet as the DVR then it would be a lot harder (you would have to hairpin on the pfSense box, etc). I would just change your DVR to 10.0.1.x and call it a day. If you really wanted to be a little more secure, you can then modify the NAT rules for the 10.0.1.0/24 subnet to only NAT on the DVR IP (in my example I am using 10.0.1.254). Then create an access list to allow traffic from your PC VLAN (for the example let's call it 192.168.1.0/24). The next rule drops all traffic that isn't from the PC VLAN, something like this (FYI I haven't installed Blue Iris so I am guessing on the ports; also it has been a while since I have messed with my pfSense, so if the rules are whacked tell me and I will log into it later and check):

using 101 as inbound and 102 as outbound access list:
ip access-list extended 101
 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255 --> allows traffic from internal PC vlan to all devices on security vlan
 permit tcp any host 10.0.1.254 eq 1030 --> allows outside traffic to dvr on 1030
 permit tcp any host 10.0.1.254 eq 554 --> allows outside traffic to dvr on 554
 deny ip any any --> will drop all traffic that isn't specifically allowed above

ip access-list extended 102
 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255 --> allows traffic from the security vlan back to the internal PC vlan
 permit tcp host 10.0.1.254 eq 1030 any --> allows the dvr's replies from 1030 back out
 permit tcp host 10.0.1.254 eq 554 any --> allows the dvr's replies from 554 back out
 deny ip any any --> will drop all traffic that isn't specifically allowed above

If I were me, I would just keep both those switches at layer 2. They can do layer 3 and it works, but then you lose some control, logging, and the ability to direct traffic by NAT if it was done in the pfSense box.

One more question: is there any way to view cameras from another part of the house without having to have a PC at each monitor? The only way I can think of involves a PC at each monitor, which eats a lot of power, not to mention requires a PC. I don't know if a Raspberry Pi would cut it. Let's say I wanted a monitor in my foyer hallway to show the cameras, how would I go about this?

I have seen quite a few posts here with people using iPads and such. I would think a Raspberry Pi would work also. There are also some Pi-style devices that run Android, so they will work for sure.
 

notta

n3wb
Joined
Jan 26, 2015
Messages
7
Reaction score
2
Thanks for the replies guys. Some good stuff here.

If I were me, I would just keep both those switches at layer 2. They can do layer 3 and it works, but then you lose some control, logging, and the ability to direct traffic by NAT if it was done in the pfSense box.
Can you explain what you mean here? I did change the switch over to layer 3 more for a learning experience.

My cameras were on the same subnet as my other devices on my network, but it appears they have a different IP range since being plugged into the NVR. I never changed the IP addresses and I could have sworn I set them statically. I did an Angry IP Scan of the subnet and the only device coming up is a web server for the NVR (this will need to be dealt with, as I plan on using the NVR and not the web portal, which could be a vulnerability if I don't keep the firmware updated). That is a good thing then, even though I don't know how that happened.

So I drew up a quick diagram trying to understand what I'm trying to do. It is attached. So it appears that the cameras are behind the NVR, so I'm good there. I just need to deal with the NVR itself. I want to connect the iVMS machine to the NVR so I can view my cameras. As I said, I don't "trust" the iVMS software, so I am thinking that the iVMS machine will need to be on its own VLAN separated from my normal LAN. That machine does need Internet access though. So as stated I will dual-home the iVMS machine: one NIC for normal functions and the other NIC for the connection to the NVR, so then I can disable the camera NIC on the iVMS machine when it is not needed.

My question now that I've drawn it up: do I really even need the purple cable going from the switch to the pfSense box? There is no need for the NVR to get out, so all I would need to do is lock down the ports so only the purple NVR and the purple iVMS machine can talk to each other? I do see issues where, if the clocks on the cameras start getting out of date, I would not be able to connect to an NTP server. I guess I could set up something internal to address that.

Now I know all this is overkill and sounds tin-foil-hattish, but I'm doing this for multiple reasons, and one of the most important reasons is to learn more about networking. I want everything to be as secure as possible, so this is a great opportunity for me to learn.
 


gto-guy

n3wb
Joined
Jul 12, 2018
Messages
27
Reaction score
1
Location
MO USA
If a switch is running layer 3, it means that it can route between subnets. If it is running in layer 2 then it has to use something else to do the routing; it will only forward packets.

Looking at your diagram, first the link(s) between your pfSense box and switch. You only need 1 link if you set it up as a trunking port on the switch side and then, on the pfSense side, tag the VLAN. In your diagram, I would use green for internal data and purple for video. Your iVMS and DVR only need to be on the security video (purple) VLAN. I would not connect the iVMS to your PC VLAN (green). You can create access and route rules in pfSense (since pfSense would be acting as the router if the switches are running layer 2). You can create internet in/out rules in pfSense to control what can get to the iVMS and DVR using a mix of access lists and NAT rules. For ease of use (future reconfig), I suggest setting everything to DHCP, and on your DHCP server just add reservations for everything you need at a static address (like the DVR and iVMS). BTW, most PCs (Windows or Linux) don't like to have multiple NICs on separate subnets. It can do weird things with data flow sometimes.

Since your cameras plug directly into the DVR, most likely they are already segregated, since the built-in switch is probably working on a different subnet and/or it isn't tagging. I am guessing the DVR runs a separate network that the cameras themselves plug into, which you can't hit directly from the management interface of the DVR.

Is this the simplest way? No, but it is a secure way to do it.
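The rule set gto-guy sketched above, plus the internal-NTP point notta raised about the purple cable, can be checked before anything is typed into the pfSense GUI by modelling the policy. The block below is an added example written for this thread, not code from any poster or from pfSense: it evaluates interface rules with pfSense-like first-match semantics and a trailing default deny, and runs a handful of constructed flows through them. Subnets, the NVR address and the ports 554 and 1030 are the thread's own example values; the internal NTP server address (192.168.1.123) and the sample client addresses are assumptions.

```python
"""Model of the camera-VLAN policy discussed in this thread (added example, not pfSense code).

Traffic between two hosts in the same VLAN is switched and never reaches the
firewall, so only inter-VLAN flows are matched against the rules.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Subnets and hosts from the thread's own example; the NTP server is an assumption.
PC_VLAN = ip_network("192.168.1.0/24")       # "green" PC VLAN
CAM_VLAN = ip_network("10.0.1.0/24")         # "purple" security/video VLAN
NVR = ip_network("10.0.1.254/32")            # NVR/DVR address used in gto-guy's example
NTP_SERVER = ip_network("192.168.1.123/32")  # assumed internal NTP host on the PC VLAN
ANY = ip_network("0.0.0.0/0")
SEGMENTS = [PC_VLAN, CAM_VLAN]


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    comment: str


# Evaluated top to bottom, first match wins; anything unmatched hits the default deny.
RULES = [
    Rule("pass",  "tcp", PC_VLAN,  NVR,        554,  "viewer on PC VLAN -> NVR RTSP"),
    Rule("pass",  "tcp", PC_VLAN,  NVR,        1030, "viewer on PC VLAN -> NVR (port from the thread)"),
    Rule("pass",  "udp", CAM_VLAN, NTP_SERVER, 123,  "NVR/cameras -> internal NTP only"),
    Rule("block", "any", CAM_VLAN, ANY,        None, "camera VLAN initiates nothing else (no internet)"),
    Rule("block", "any", ANY,      CAM_VLAN,   None, "nothing else reaches the camera VLAN (incl. NVR web UI)"),
    Rule("pass",  "any", PC_VLAN,  ANY,        None, "PC VLAN general outbound, e.g. internet"),
]


def same_segment(src: str, dst: str) -> bool:
    """True when both hosts sit in one VLAN: that traffic is switched, not routed."""
    a, b = ip_address(src), ip_address(dst)
    return any(a in seg and b in seg for seg in SEGMENTS)


def first_match(proto: str, src: str, dst: str, dport: int) -> Optional[Rule]:
    """Return the first rule that matches the flow, or None if nothing matches."""
    a, b = ip_address(src), ip_address(dst)
    for rule in RULES:
        if rule.proto != "any" and rule.proto != proto:
            continue
        if a not in rule.src or b not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule
    return None


def evaluate(proto: str, src: str, dst: str, dport: int) -> str:
    """Verdict for a flow initiated src -> dst: 'switched', 'pass' or 'block'."""
    if same_segment(src, dst):
        return "switched"
    rule = first_match(proto, src, dst, dport)
    return rule.action if rule else "block"  # pfSense-style default deny


# Constructed sample flows covering the cases raised in the thread.
SAMPLE_FLOWS = [
    ("tcp", "192.168.1.50",   "10.0.1.254",    554),  # iVMS viewer pulling RTSP
    ("tcp", "192.168.1.50",   "10.0.1.254",    80),   # NVR web portal from the LAN
    ("tcp", "10.0.1.254",     "192.168.1.50",  445),  # NVR reaching into the PC VLAN
    ("udp", "10.0.1.254",     "192.168.1.123", 123),  # NVR clock sync to internal NTP
    ("tcp", "10.0.1.254",     "203.0.113.9",   443),  # NVR phoning out to the internet
    ("tcp", "192.168.1.50",   "203.0.113.9",   443),  # PC browsing the internet
    ("tcp", "10.0.1.10",      "10.0.1.254",    554),  # two hosts inside the camera VLAN
    ("tcp", "192.168.81.100", "10.0.1.101",    554),  # NVR and camera in different subnets
]


def check_policy() -> dict:
    """Map each sample flow to its verdict."""
    return {flow: evaluate(*flow) for flow in SAMPLE_FLOWS}


if __name__ == "__main__":
    for flow, verdict in check_policy().items():
        print(f"{verdict:8} {flow[0]} {flow[1]} -> {flow[2]}:{flow[3]}")
```

Two of the sample flows answer questions from the thread directly. The NTP flow only passes because the camera VLAN still has a path to the firewall, which is the reason to keep the purple link to pfSense even though the NVR otherwise "never needs to get out". The last flow shows what happens if the NVR and a camera are put in different subnets as notta asked: the traffic has to be routed, so it hits the rules, and this policy blocks it, which is why keeping the cameras behind the NVR (or in the same VLAN as it) is the simpler layout.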
 