Correct port setup for Router - Switch - BI PC

CV350

Young grasshopper
Joined
Jan 11, 2019
Messages
73
Reaction score
12
Location
Thailand
My Dahua switch and BI PC are both connected directly to my router (and working OK) but within the forum I now read that the ideal setup is to connect both the router and BI PC directly to the switch and the switch then to the router (i.e. Ideally the BI PC should not be connected directly to the router). While my setup is working OK today, its later I worry about as I start to introduce more cameras.

See diagram below (which I copied from another post on this forum), which I understand, is the correct setup.



My switch is a Dahau DH-PFS3110-8P-96 (see pic and link attached)

https://dahuawiki.com/index.php?action=ajax&title=-&rs=SecureFileStore::getFile&f=/4/4b/Datasheet_Transmission_8_port_PoE_Switch_DH-PFS3110-8P-96_v001.004.pdf

That particular switch has 8 x 10/100M POE RJ45 ports and 1 x RJ45 Ethernet uplink port and 1 x SPF Fibre uplink port both of which are rated to 1000M.

I have two questions, which relate to the right ports to use here:

1. Can I use the Ethernet port to connect my router and the SPF port (with convertor to RJ45) to connect my PC?

2. If not (maybe only one uplink can be chosen) do I plug the router into one of the 8 RJ45 10/100M ports and the PC into the RJ45 1000M uplink port?

Thanks for help.
 

Attachments

Last edited:

CV350

Young grasshopper
Joined
Jan 11, 2019
Messages
73
Reaction score
12
Location
Thailand
Sorry for the file. Tried to post the diagram but it wouldn't copy.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
The general rule is that camera traffic should not run through the router.

Not knowing the remainder of your network configuration,
I would purchase a 4 port gigabyte switch. Plug the router, the Bi PC and the Dahau DH-PFS3110-8P-96 into that switch.

My router only has two network connection , one to the modem and one to a 16 port gigabyte switch.
I use a two nic cards in the BI PC so there is no camera traffic on my home network.
 

CV350

Young grasshopper
Joined
Jan 11, 2019
Messages
73
Reaction score
12
Location
Thailand
Thank you for your response Southern Yankee, which I greatly appreciate.

I have managed to get my system working quiet well on the bench with BI, but as I read more within the forum I have seen that I can optimise it further. As you also stated eliminating camera traffic from the network was one of those findings. To date I have been holding back on installing OpenVPN until I get the basics sorted, but remote access and proper security is critical for me.

I realise now I was scant on some of the detail so I am now attaching a couple of network diagrams and further information to provide a clearer picture.

System Components:
  • Huawei ONU ONT modem/ terminal. This is supplied by the ISP and no choice here.
  • Asus RT-AC 68U router
  • HP Elitedesk G4 SFF i5 8500 8gb ram, HP SSD 250gb, 2 x 4tb WD purple drives (installed internally).
  • Dahua PFS 3110-8Port-96v switch
  • Dahua range of up to 7- 8 cameras mostly HDW5231R-ZE and one HFW2831T-ZS
  • APC Pro 1500GI UPS
Software
  • Windows 10 pro
  • Latest version of BI
  • Intend to install OpenVPN
Notes

This system is in a remote location, which has very unreliable power supply. There are many outages and the supply is not consistent; hence the use of the UPS.

The PC and associated hardware is all dedicated to CCTV, with the only exception being that there is a separate alarm system with iComm connection into the router. I want to leave this attached to a port on the router and as a standalone. That way a failure of the switch will not affect the alarm. Separately it has its own battery backup and a mobile dialler with SIM.

The router services wifi for the usual gadgets, but there are no other connections to the ports (just the alarm and whatever I connect for the CCTV).

Solutions

In first the diagram below I have drawn up what I understand is your suggestion and how I envisage it would look integrated as my system.

Diagram One.jpg

In the next diagram I have presented another layout for opinion. I’m not sure whether it will work or not.

Diagram Two.jpg
The second layout would be more attractive for me (if it works) because it eliminates the need for another switch, which in turn helps me manage the amount of power that I am using in an outage. It also means less chance of a hardware failure with one less switch.

A few questions:

1. In your suggestion (the first diagram) will I be able to access OpenVPN (via the switch)?

2. Is the second diagram a viable option?

3. Currently my PC only has one LAN port. For the second option I guess I would need a dual port NIC or could I connect (say the router the router to the PC) using some other kind of adaptor (eg I see there are USB 3.0/ RJ45 adaptors)?

Sorry for the long screed. If you have time to answer that would be great and opinion from others is also very welcome. Thanks again.
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,287
Reaction score
3,252
Location
United Kingdom
You can't eliminate the Dahua POE switch else the cams won't work/be powered? So replace the Gigabit switch with the Dahua in the 2nd diagram.

People recommend the 2nd diagram as it separates the cams from the internet, so all cams would then need to be accessed via the BI PC if for example you wanted to change their config or update their firmware. In essence you would be running 2 networks, one on the internet side and one with all the cams on it.
 

CV350

Young grasshopper
Joined
Jan 11, 2019
Messages
73
Reaction score
12
Location
Thailand
Thanks IAmATeaf.

Actually that’s a good pick up on your part.

I meant to show the switch in the second diagram as the Dahua POE.

Accessing the cameras remotely via the PC and over OpenVPN is how I would ideally like to set it up “if possible”.

If that second diagram works (with the Dahua Poe switch) then how about the connection to the PC? Do I need two RJ45 uplink ports on the PC (which I understand means I require a new dual port NIC, as I only have one uplink port today) or is there another way to deal with the physical connection of the switch and router to the PC.
 

Walrus

Getting comfortable
Joined
Nov 19, 2018
Messages
593
Reaction score
449
Location
Ontario
You connect like diagram one, but eliminate the 4 port gigabyte switch.

Then to restrict the cams from accessing the internet and phoning home to China, you go in the Asus router settings and restrict their static IPs or MAC addresses from accessing the internet (not sure which, as I didn't have to do this. I have two NICs).
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,287
Reaction score
3,252
Location
United Kingdom
Yes you would need a 2nd LAN card if you wanted to go with diagram 2. Even with a VPN in place camera direct access will only be available direct from the BI PC as that will be the only device that has access to that network via the 2nd LAN card.
 

CV350

Young grasshopper
Joined
Jan 11, 2019
Messages
73
Reaction score
12
Location
Thailand
You connect like diagram one, but eliminate the 4 port gigabyte switch.

Then to restrict the cams from accessing the internet and phoning home to China, you go in the Asus router settings and restrict their static IPs or MAC addresses from accessing the internet (not sure which, as I didn't have to do this. I have two NICs).
Thanks Walrus. Yes I intend to block the cam ip addresses from the internet. Today I have it all working in test mode in another location but will do this along with the VPN when I access the other router on site.
 

CV350

Young grasshopper
Joined
Jan 11, 2019
Messages
73
Reaction score
12
Location
Thailand
Yes you would need a 2nd LAN card if you wanted to go with diagram 2. Even with a VPN in place camera direct access will only be available direct from the BI PC as that will be the only device that has access to that network via the 2nd LAN card.
Ok so it sounds like I need a new NIC adaptor with dual ports. Will look into my options there, but most likely will try to go with a genuine HP solution. Thanks for your help.
 

Walrus

Getting comfortable
Joined
Nov 19, 2018
Messages
593
Reaction score
449
Location
Ontario
Yes, if you wanted to connect like diagram #2, and physically separate the cams from the internet, and save you from buying another switch. The point of the additional gigabit switch in diagram 1 is so you aren't bottlenecking your BI PC with a 10/100 connection on the Dahua switch.

You shouldn't need a NIC adapter with dual ports. This would give you 3 ports. The port you have now should be attached to the motherboard.
 
Last edited:

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Both solutions work.
The first solution, is the easiest to set up, just wire it and you are done.
The second solution hides the cameras for the internet completely, but takes a little more work in setting up and an understanding of Windows network setup. If you need direct access to the cameras I would recommend solution one.

if using solution two you will need to add a single ethernet port card to the BI pc.

Both solutions will allow openVPN access to the BI PC.

The first solution may allow openVPN access directly to the cameras. The second solution prevent direct openVPN access to the cameras.

OpenVPN via the the ASUS router allows access to all devices directly on your home network. OpenVPN will not not allow direct access to the cameras in solution two.

If you need direct access to the cameras in solution two you will need to use RDP or teamviewer, RDP only works on some versions of windows.

In solution one if you want to completely remove camera access to the internet, use the ASUS parental controls to block the cameras mac address.
 

CV350

Young grasshopper
Joined
Jan 11, 2019
Messages
73
Reaction score
12
Location
Thailand
Yes, if you wanted to connect like diagram #2, and physically separate the cams from the internet, and save you from buying another switch. The point of the additional gigabit switch in diagram 1 is so you aren't bottlenecking your BI PC with a 10/100 connection on the Dahua switch.

You shouldn't need a NIC adapter with dual ports. This would give you 3 ports. The port you have now should be attached to the motherboard.

Both solutions work.
The first solution, is the easiest to set up, just wire it and you are done.
The second solution hides the cameras for the internet completely, but takes a little more work in setting up and an understanding of Windows network setup. If you need direct access to the cameras I would recommend solution one.

if using solution two you will need to add a single ethernet port card to the BI pc.

Both solutions will allow openVPN access to the BI PC.

The first solution may allow openVPN access directly to the cameras. The second solution prevent direct openVPN access to the cameras.

OpenVPN via the the ASUS router allows access to all devices directly on your home network. OpenVPN will not not allow direct access to the cameras in solution two.

If you need direct access to the cameras in solution two you will need to use RDP or teamviewer, RDP only works on some versions of windows.

In solution one if you want to completely remove camera access to the internet, use the ASUS parental controls to block the cameras mac address.
Thanks Walrus and Southern Yankee

I must admit being still a little confused. As it sounds like I can only access the cameras remotely under option one then I had best go that path as thats one of my major requirements. It also seems like the Dahua switch without a gigabyte port to connect the PC to is an oversight on my part at purchase.

Appreciate the inputs.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
the operative word in my write up was DIRECT. By that I mean access the camera after you login to openVPN by knowing the cameras IP address. Entering the ip address into a supported web browser and connecting to the camera.

The question is do you need EASY DIRECT ACCESS to the cameras via openVPN ? if yes the use solution one.

You can see all the video data from the cameras in blue iris with either solution.

I would start with solution one as it is the easiest to get everything up and running.
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
An advantage of solution 2 is that the Asus routers can only block 16 devices from the internet. That sounds like a lot, but you may well have more things in your home that should be blocked.

Right now, I'm running solution 1. But I am maxed out for blocking items from the internet, so I will need to go to solution 2 before I can add another camera.

I have a programmable automation controller system that I block, and that includes three items so far (the main controller and two remote I/O racks), several printers, some other devices, and of course some cameras. It adds up quickly when you start examining all of the ethernet and wireless devices you discover on your LAN.

I have a single NIC card coming tomorrow, and I'll rewire things to use solution 2 to get the cameras all off of my main home LAN, and have them only accessible via the BI PC.

I have, in the past, accessed cameras directly from a different PC at home, and even from a PC at work via the VPN. I was able to adjust some camera settings that way.

Once I go to solution 2, I will give that ability up, and have to do all administration of the cameras from the BI PC only. But I have a separate monitor, mouse, and keyboard for the BI PC, so that won't be an issue. And this will get around the Asus limitation of blocking a maximum of 16 devices from the internet.

Of course I will still be able to remotely view the camera video, audio, clips, alerts, etc., via the blue iris PC just as I always have with solution 1. You only give up DIRECT camera access when you use solution 2. And direct access is only used when setting up the cameras via their web interfaces.

Once you have the cameras set up, you don't need direct access to them.

The Blue Iris PC acts as a web server giving you access to the live camera feeds and all recorded camera data. So you don't need access to the cameras' own web servers except when changing the cameras' internal settings. Usually, you get that all set up when you are first installing a new camera and then you leave it alone.
 
Top