Thanks for the reply. While I'm not a network admin, I know enough to be dangerous. In preparation for this I have spent a fair bit of money. I replaced my SOHO router with pfSense. The pfSense box has 6 NICs installed, so I have plenty of room to segment physically. I purchased a 52-port non-PoE Cisco SG300 and a 10-port SG300 for VLANing. I also added a new Ubiquiti access point, since the router I replaced was what provided the wireless.
Right now I have my main home network LAN VLAN, an IoT VLAN, and a wireless VLAN, and now I want to create a camera VLAN. I think I'm confused about changing the IPs on the camera devices. The 5 cameras are plugged into the NVR, and the NVR itself is on the wireless VLAN right now. For now I just want to get them isolated, so I guess my question is: can the cameras basically be any IP address, as the NVR is the only one accessing the cameras? Currently all the camera devices are 192.168.1.100 (NVR), 192.168.1.101 Camera (1), 192.168.1.102 Camera (2), 192.168.1.103 Camera (3).... So can I just make the NVR 192.168.81.100 (81 VLAN) and the cameras 10.0.1.101 Camera (1), 10.0.1.102 Camera (2), 10.0.1.103 Camera (3).... and will they still be able to communicate? If so, I'll make the changes and deal with setting up the rules for my LAN machine to connect to the NVR on the camera VLAN later.
You can, but if you want to keep the cameras in the same VLAN/subnet as the DVR, then it would be a lot harder (you would have to hairpin on the pfSense box, etc.). I would just change your DVR to 10.0.1.x and call it a day. If you really wanted to be a little more secure, you can then modify the NAT rules for the 10.0.1.0/24 subnet to only NAT the DVR IP (in my example I am using 10.0.1.254). Then create an access list to allow traffic from your PC VLAN (for the example, let's call it 192.168.1.0/24). With the next rule we can drop all traffic that isn't from the PC VLAN, something like this (FYI, I haven't installed Blue Iris, so I am guessing on the ports; also, it has been a while since I have messed with my pfSense, so if the rules are whacked, tell me and I will log into it later and check):
Using 101 as the inbound and 102 as the outbound access list:
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255 --> allows traffic from the internal PC VLAN to all devices on the security VLAN
access-list 101 permit tcp any host 10.0.1.254 eq 1030 --> allows outside traffic to the DVR on TCP 1030
access-list 101 permit tcp any host 10.0.1.254 eq 554 --> allows outside traffic to the DVR on TCP 554
access-list 101 deny ip any any --> drops all traffic that isn't specifically allowed above (same as the implicit deny at the end of every ACL, just made explicit)
access-list 102 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255 --> allows traffic from the security VLAN back to the internal PC VLAN
access-list 102 permit tcp host 10.0.1.254 eq 1030 any --> allows the DVR to answer outside traffic from TCP 1030
access-list 102 permit tcp host 10.0.1.254 eq 554 any --> allows the DVR to answer outside traffic from TCP 554
access-list 102 deny ip any any --> drops all traffic that isn't specifically allowed above
If I were you, I would just keep both those switches at layer 2. They can do layer 3 and it would work, but then you lose some of the control, logging, and ability to direct traffic by NAT that you get when it is done in the pfSense box.
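Before committing rules like the ones above to a switch or firewall, it is worth feeding them a handful of flows and seeing what each one actually does. The script below is an added example and is not from any post in this thread: it is a small first-match evaluator for Cisco-style numbered extended ACLs, with the camera-VLAN policy above restated in IOS numbered-ACL syntax (an assumption; the SG300's own ACL syntax differs) and a set of constructed flows run through it. The addresses are the ones the post uses (10.0.1.0/24 camera VLAN, 10.0.1.254 for the NVR, 192.168.1.0/24 PC VLAN); ports 1030 and 554 are carried over from the post, which labels them guesses, and the outside addresses are documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed policy: the thread's camera-VLAN rules in IOS numbered extended
# ACL syntax (an assumption made for this example). 101 is applied inbound to
# the camera VLAN, 102 outbound from it. Ports 1030/554 are the post's guesses.
ACL_TEXT = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit tcp any host 10.0.1.254 eq 1030
access-list 101 permit tcp any host 10.0.1.254 eq 554
access-list 101 deny ip any any
access-list 102 permit ip 10.0.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit tcp host 10.0.1.254 eq 1030 any
access-list 102 permit tcp host 10.0.1.254 eq 554 any
access-list 102 deny ip any any
"""

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol; else "tcp"/"udp"
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port

def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 is a /24 and
    0.0.0.0 is a single host, so invert the bits to get a normal netmask."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def _take_address(tokens: List[str]):
    """Consume one address spec (any | host A | A WILDCARD) and an optional
    'eq PORT' qualifier. Returns (network, port_or_None, remaining_tokens)."""
    if tokens[0] == "any":
        net, rest = ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    elif tokens[0] == "host":
        net, rest = ipaddress.IPv4Network(f"{tokens[1]}/32"), tokens[2:]
    else:
        net, rest = _wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
    port = None
    if rest and rest[0] == "eq":
        port, rest = int(rest[1]), rest[2:]
    return net, port, rest

def parse_acls(text: str) -> Dict[int, List[Rule]]:
    """Group 'access-list N ...' lines by ACL number, preserving order."""
    acls: Dict[int, List[Rule]] = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        number, action, proto = int(tok[1]), tok[2], tok[3]
        src, sport, rest = _take_address(tok[4:])
        dst, dport, rest = _take_address(rest)
        if rest:
            raise ValueError(f"unparsed tokens in {line!r}: {rest}")
        acls.setdefault(number, []).append(Rule(action, proto, src, sport, dst, dport))
    return acls

def evaluate(rules: List[Rule], proto: str, src: str, dst: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.sport is not None and r.sport != sport:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # implicit deny at the end of every Cisco ACL

def policy_report() -> Dict[str, str]:
    """Run constructed flows a home-camera admin cares about through both ACLs."""
    acls = parse_acls(ACL_TEXT)
    inbound, outbound = acls[101], acls[102]
    return {
        "pc->camera":        evaluate(inbound,  "tcp", "192.168.1.50", "10.0.1.101",   51000, 80),
        "internet->nvr:554": evaluate(inbound,  "tcp", "203.0.113.9",  "10.0.1.254",   40000, 554),
        "internet->nvr:22":  evaluate(inbound,  "tcp", "203.0.113.9",  "10.0.1.254",   40001, 22),
        "internet->camera":  evaluate(inbound,  "tcp", "203.0.113.9",  "10.0.1.101",   40002, 80),
        "camera->internet":  evaluate(outbound, "tcp", "10.0.1.101",   "198.51.100.7", 43000, 443),
        "camera->pc":        evaluate(outbound, "tcp", "10.0.1.101",   "192.168.1.50", 43001, 445),
        "nvr:554->internet": evaluate(outbound, "tcp", "10.0.1.254",   "203.0.113.9",  554,   40000),
    }

if __name__ == "__main__":
    for flow, verdict in policy_report().items():
        print(f"{flow:20s} {verdict}")
```

The report shows the intended outcomes (PCs reach cameras, the outside world reaches only the two NVR ports, cameras cannot reach the internet) and one that is easy to miss: because these ACLs are stateless, the first rule of 102, which exists to let replies flow back to the PC VLAN, also lets a camera initiate connections to any PC. On a stateful firewall such as pfSense you would write only the inbound-direction rules and let the state table handle return traffic, which closes that gap.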
One more question: is there any way to view the cameras from another part of the house without having to have a PC at each monitor? The only way I can think of involves a PC at each camera, which eats a lot of power, not to mention requires a PC. I don't know if a Raspberry Pi would cut it. Let's say I wanted a monitor in my foyer hallway to show the cameras; how would I go about this?
I have seen quite a few posts here with people using iPads and such. I would think a Raspberry Pi would work also. There are also some Pi-style devices that run Android, so those will work for sure.