Cameras without VLAN?

Joined
Jun 10, 2022
Messages
5
Reaction score
0
Location
UK
Hi all,

I've currently got a Ring doorbell, but I'm looking at adding to my security with some cameras, the Annke c500, for outdoor and Eufy Indoor 2k, for indoor.

I was planning on plugging the Annke into a 5-port POE switch (TL-SG1005P) to power it, with room for expansion later, connected to my ISP provided router, but have seen that the best way to ensure security for my network would be to use a VLAN, and openvpn into it when not at home, obviously the above switch doesn't support a VLAN.

So I'm curious as to what would be the real-world issues for the rest of my network devices with using this switch without a VLAN? Every other device on it is connected by WiFi.

Also would the Eufy camera be a risk too? How would I put that on a VLAN?

I already have UPnP disabled on the router and have also disabled wpad in internet settings (I read that's a good idea).

Thanks in advance
 

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,692
Location
New Jersey
First comment is that if you want good video from cameras, avoid the consumer-level ones like Eufy and Annke, just to name two. Stick with Dahua or Hikvision for the best bang for your bucks.

The simplest way to isolate cameras is to add a second NIC to the machine that manages the cameras and make it a totally different subnet. That keeps the cameras completely off the internet since Windows will not route traffic between the two NICs unless you specifically enable that routing.

Secure Network
 
Joined
Jun 10, 2022
Messages
5
Reaction score
0
Location
UK
Thank you for your reply,

I was going to use the Annke and Eufy cameras due to the onboard storage with SD card, but with the option to add an NVR at a later date (for the Annke camera).

So there wouldn't currently be an NVR or PC for them to be plugged into.

Reading the guide that you posted, if I don't forward ports, for security, then I assume I wouldn't be able to view them remotely either?
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,609
Reaction score
22,837
Location
Evansville, In. USA
> Thank you for your reply,
>
> I was going to use the Annke and Eufy cameras due to the onboard storage with SD card, but with the option to add an NVR at a later date (for the Annke camera).
>
> So there wouldn't currently be an NVR or PC for them to be plugged into.
>
> Reading the guide that you posted, if I don't forward ports, for security, then I assume I wouldn't be able to view them remotely either?

You need to study that link again. That's not what it says.
 

qflyer

Pulling my weight
Joined
Oct 22, 2021
Messages
171
Reaction score
110
Location
USA
> The simplest way to isolate cameras is to add a second NIC to the machine that manages the cameras and make it a totally different subnet. That keeps the cameras completely off the internet since Windows will not route traffic between the two NICs unless you specifically enable that routing.

Main reason I've installed cameras is to keep an eye on things when I'm out of town, which is a lot of the time. Being out in the country, internet options are nil, but I finally got Starlink a couple of months back. It's not easy to set up BI to work with Starlink (at least not for me), and I think that's because I don't have a static IP with Starlink. Also, upload speeds are terrible. The easiest thing for me right now is to log in remotely via Google Remote Desktop and navigate BI on my tablet as if I were at home on the PC. It's not good, but it's the best I've got.

1 gig fiber is being run to the area now and is supposed to be available by this fall, and I plan to spend a lot of time setting up a legit home network once fiber is here.

If I go with an additional NIC to isolate everything from the main network, I still need remote access. If I'm going to give the 2nd network access out, is there a reason to have a 2nd NIC? Why not just use a VLAN? Still learning about VLAN, VPN, etc. I just don't see the point of a 2nd network card if that network gets access outside the local network for remote viewing.

Any recommendations on routers for when fiber gets here? Been looking at the Ubiquiti EdgeRouter simply because there are tons of tutorials on YouTube.
 

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,692
Location
New Jersey
If the machine running BI has two NICs, one on your "regular" LAN with internet access and one on the "private" LAN for the cameras, you can still access the BI machine remotely using a VPN or ZeroTier assuming you have internet access from the outside. Several people here have set that up, I believe, using StarLink but with a regular ISP connection it should be no problem at all. The idea of the "private" LAN is to keep the cameras off the internet entirely for security purposes, both them phoning home and to prevent them from being hacked for use in a botnet or as a gateway into your LAN.
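
The dual-NIC isolation described in this thread depends on the camera NIC having no gateway and on Windows not forwarding between adapters. The following is an added example, not code from any poster here, that sets up the camera NIC that way and then audits the settings that would break the isolation. The adapter alias `Cameras` and the 192.168.55.0/24 subnet are assumptions chosen for illustration.

```powershell
# Added example; run in an elevated PowerShell on the camera PC.
# Assumed (not from the thread): adapter alias 'Cameras', subnet 192.168.55.0/24.
$CameraNic = 'Cameras'
$CameraIp  = '192.168.55.1'

# Static address on the camera NIC with no default gateway and no DNS servers,
# so the camera subnet is never handed a path off the wire it sits on.
Set-NetIPInterface -InterfaceAlias $CameraNic -AddressFamily IPv4 -Dhcp Disabled
if (-not (Get-NetIPAddress -InterfaceAlias $CameraNic -IPAddress $CameraIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $CameraNic -IPAddress $CameraIp -PrefixLength 24 | Out-Null
}
Set-DnsClientServerAddress -InterfaceAlias $CameraNic -ResetServerAddresses

$findings = @()

# Per-interface IPv4 forwarding: should be Disabled on every interface.
$fwd = Get-NetIPInterface -AddressFamily IPv4 | Where-Object { $_.Forwarding -eq 'Enabled' }
if ($fwd) { $findings += "Forwarding enabled on: $($fwd.InterfaceAlias -join ', ')" }

# Global routing switch: IPEnableRouter should be absent or 0.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$router = (Get-ItemProperty -Path $key -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($router -eq 1) { $findings += 'IPEnableRouter is set to 1' }

# Services that make Windows route or NAT: RRAS and Internet Connection Sharing.
$svc = Get-Service -Name RemoteAccess, SharedAccess -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' }
if ($svc) { $findings += "Routing/NAT service running: $($svc.Name -join ', ')" }

# No default route may leave through the camera NIC.
$route = Get-NetRoute -InterfaceAlias $CameraNic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($route) { $findings += "Default route present on '$CameraNic'" }

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    "OK: '$CameraNic' has no gateway and Windows is not routing between NICs."
}
```

Virtual adapters created by hypervisors can legitimately have forwarding enabled, so review each warning rather than treating it as an automatic failure.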
 

qflyer

Pulling my weight
Joined
Oct 22, 2021
Messages
171
Reaction score
110
Location
USA
> If the machine running BI has two NICs, one on your "regular" LAN with internet access and one on the "private" LAN for the cameras, you can still access the BI machine remotely using a VPN or ZeroTier assuming you have internet access from the outside. Several people here have set that up, I believe, using StarLink but with a regular ISP connection it should be no problem at all.

Yeah, it's definitely possible, but it's way beyond my abilities/understanding. I'm not computer illiterate, but it sure feels like it going through some of this BI remote access stuff.
 

qflyer

Pulling my weight
Joined
Oct 22, 2021
Messages
171
Reaction score
110
Location
USA
> there's a definite learning curve for sure, but it is doable. The upload speeds of StarLink are the killer though, but the main console of BI only uses about a megabit the way I've got it configured and can be reduced as well. The biggest problem is DDNS problems with StarLink.

Yeah, Starlink upload speeds are so bad that remote access via Google Remote Desktop refreshes the screen once every 3-5 seconds. The only thing I can really do with it is flag a clip to review when I get home. Totally unusable for anything else. I love Starlink as it's literally the only way to get over 1 mbps up or down where I live, but fiber has already been run, and now it's just a waiting game to get the house connected. I'm not going to put much effort into configuring BI remote access on Starlink since I won't have it more than a few months. Gigabit fiber is going to be a game changer, and I'll spend however much time I need to learn and set up a solid network.
 
Joined
Jun 10, 2022
Messages
5
Reaction score
0
Location
UK
> The idea of the "private" LAN is to keep the cameras off the internet entirely for security purposes, both them phoning home and to prevent them from being hacked for use in a botnet or as a gateway into your LAN.

This is my concern with just plugging a camera straight into my router via a switch. If the switch had a VLAN ability, would this make it a private LAN from the rest of my devices?
 

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,692
Location
New Jersey
Whatever you do, don't plug the cameras in using the router. Routers, consumer grade routers, are not made for the high levels of traffic, bandwidth, used by security cameras. Security cameras stream full bandwidth constantly with no buffering like Netflix or other streaming services use. Security cameras will easily overload a consumer grade router.

Plug the VMS or NVR directly into the same switch that the cameras are connected to, to keep that traffic off of your local network and off of the router.
 
Joined
Jun 10, 2022
Messages
5
Reaction score
0
Location
UK
Ahh, thank you, I was hoping to do without an NVR or Blue Iris etc.. but was aiming for something a bit better than WiFi Ring type cameras...

I'll keep looking for now.
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,716
Reaction score
38,912
Location
Alabama
> It's not easy to set up BI to work with starlink (at least not for me), and I think that's because I don't have a static IP with starlink.

Aside from the fact that you pretty much hijacked this thread away from the OP, your issue is not because you don't have a "static IP", because if that was the case you could use DDNS.

It's because of 1 or more reasons: the WAN IP is not "public" and is likely behind a CGNAT (Carrier Grade Network Address Translation) schema. Also, IPv6 could be a factor. Nevertheless, several members of this forum have set up Blue Iris with Starlink using ZeroTier; there are threads about that here: Zero Tier remote access to Blue Iris

Good luck!
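
The distinction drawn above between a dynamic address, which DDNS handles, and a WAN address that is not public, which it does not, can be checked from the router's status page. The following is an added example, not code from the thread: the function names are hypothetical and the sample addresses are constructed. It classifies the router's WAN address and compares it with the address an outside site reports for the connection.

```powershell
# Added example. Function names are hypothetical; sample addresses are constructed.
function Get-WanAddressClass {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        return 'IPv6'
    }
    $b = $ip.GetAddressBytes()
    # 100.64.0.0/10 is the shared address space carriers use for CGNAT (RFC 6598).
    if ($b[0] -eq 100 -and ($b[1] -band 0xC0) -eq 64)  { return 'CGNAT' }
    # RFC 1918 private ranges: 10/8, 172.16/12, 192.168/16.
    if ($b[0] -eq 10)                                  { return 'Private' }
    if ($b[0] -eq 172 -and ($b[1] -band 0xF0) -eq 16)  { return 'Private' }
    if ($b[0] -eq 192 -and $b[1] -eq 168)              { return 'Private' }
    return 'Public'
}

function Get-RemoteAccessAdvice {
    param(
        [Parameter(Mandatory)][string]$RouterWanAddress,      # from the router status page
        [Parameter(Mandatory)][string]$ExternallySeenAddress  # as reported by an outside site
    )
    $class = Get-WanAddressClass -Address $RouterWanAddress
    if ($class -eq 'Public' -and $RouterWanAddress -eq $ExternallySeenAddress) {
        return 'WAN address is public: DDNS plus a VPN server on the router can accept inbound connections.'
    }
    if ($class -eq 'IPv6') {
        return 'IPv6 WAN address: check inbound IPv6 reachability separately.'
    }
    # CGNAT, private, or a mismatch all mean another NAT sits upstream of the router.
    return "WAN address is $class or differs from the external view: inbound connections cannot reach the router, so DDNS will not help. Use an outbound-initiated overlay such as ZeroTier or Tailscale."
}

# Constructed samples: a CGNAT-style WAN address, then a matching public pair.
Get-RemoteAccessAdvice -RouterWanAddress '100.72.14.9'  -ExternallySeenAddress '203.0.113.10'
Get-RemoteAccessAdvice -RouterWanAddress '203.0.113.10' -ExternallySeenAddress '203.0.113.10'
```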
 
Joined
May 5, 2022
Messages
4
Reaction score
9
Location
EU
I don't know Zerotier, but Tailscale just works for any network topology (including CGNAT, v6-only and even UDP blocking).
 

CCTVCam

Known around here
Joined
Sep 25, 2017
Messages
2,671
Reaction score
3,497
What Sebastian said above; however, note the VPN he mentioned is not a subscription VPN but rather a router that has its own VPN built in. They are 2 different things and the former won't get you remote access (it's made for outgoing connections so your ISP can't easily see you viewing dodgy sites), whilst the latter will give you a secure incoming connection to your camera BI machine.
 

tech_junkie

Getting comfortable
Joined
Sep 2, 2022
Messages
412
Reaction score
417
Location
South Dakota
> This is my concern with just plugging a camera straight into my router via a switch, if the switch had a VLAN ability would this make it a private LAN from the rest of my devices?

Virtually, yes, because it can be set to be isolated from the non-VLAN devices. However, the drawback to VLAN connections is that they share the same physical media (Ethernet wiring), so their switching priority is last on the network, even if that VLAN has QoS switch ports, which only guarantee priority on that switch.
Hence that is why camera networks work best when wired separately from a general home/office network.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,885
Reaction score
48,547
Location
USA
^ +1 above!

That is why most of us run the dual NIC system.

The dual NIC is cheaper and faster, and depending on the number of cameras, better than VLANs (although true VLAN users will refute it).

For example, the EdgeRouter X is claimed to be somewhere between 800Mbps to 1Gbps, but you see tests all over where people are only getting in the 700Mbps range.

On my isolated NIC, my cameras are streaming non-stop between 280Mbps to 350Mbps depending on motion. This is full-on, never stopping to take a breath. Even if someone has a gigabit router, a 3rd of non-buffering 24/7 data will impact its speed.

I would just as soon not have that much video data going thru a device if it doesn't need to. Has to slow the system down.
 