Dual NIC setup on your Blue Iris Machine

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,692
Location
New Jersey
True, but for all intents and purposes since Win doesn't do any routing, the subnet of the second NIC IS isolated from the rest of the network for all intents and purposes. I don't use RDP, either the BI phone app or UI3 in the browser on my phone.

In reality there is no "foolproof" way to isolate other than unplug the VMS/NVR from the rest of the local LAN. VPN, second NIC or anything else can be gotten around by a determined hacker once on the system. The likelihood of that happening is probably astronomically low though.
 

reflection

Getting comfortable
Joined
Jan 28, 2020
Messages
348
Reaction score
261
Location
Virginia
True, but for all intents and purposes since Win doesn't do any routing, the subnet of the second NIC is separated from the rest of the network for all intents and purposes. I don't use RDP, either the BI phone app or UI3 in the browser on my phone.

In reality there is no "foolproof" way to isolate other than unplug the VMS/NVR from the rest of the local LAN. VPN, second NIC or anything else can be gotten around by a determined hacker once on the system. The likelihood of that happening is probably astronomically low though.
So you agree with me. fixed it for you
 

sebastiantombs

I still disagree simply because a secondary access method is required to get to the second NIC. In your example you cite VPN and RDP. Without the VPN enabling direct access to the network RDP won't work, hence no way to access the second NIC.
 

reflection

In reality there is no "foolproof" way to isolate other than unplug the VMS/NVR from the .........
^ This ^

The Windows machine is a path to/from your camera subnet. Don't get me wrong, I'm in favor of the dual-NIC approach. I just don't want people to misunderstand and believe it is an isolated design. It's not.

All these enterprises thought they were "safe" ---> World’s Biggest Data Breaches & Hacks — Information is Beautiful

Most code out there uses open source libraries. There are vulnerabilities yet to be discovered. The log4j bug (CVE severity 10.0 out of 10.0) that was uncovered a couple weeks ago is a perfect example. Luckily it didn't affect BI, but it sure as heck disrupted much of the world. It's important to maintain current security patches. Windows (and BI or other apps) are not immune.
 

sebastiantombs

As I have said, and will repeat yet again, a second NIC is isolated, for all intents and purposes, simply because Win10 will not route traffic between the two NICs. To repeat even further, no protection scheme is "foolproof" other than not being internet connected. The case of using a VPN and RDP is like using a key to get through your own locked door and not, at all, similar to hack attempts. That type of access is exactly what a VPN and RDP are designed for and accessing that way, through control of the machine with the dual NIC setup, is exactly what they are designed to provide.

The objective, always, is to make it as difficult as possible for the pajama boys to get into your network. An international group of professional hackers has no interest in a residential surveillance system so I don't consider them much of a threat versus little Johnnie in his pajamas in Mom's basement. A second NIC, at the very least, would surprise little Johnnie IF he ever got into the network.
 

reflection

It's ok, it's just semantics. We have different interpretations of the meaning for "isolated." A second NIC is not isolated. It is attached to a Windows machine that has a path to the Internet. I have friends who work on truly isolated government networks. They have to physically drive into their secure facility to access those isolated networks, which are not connected to the Internet.

Whether Johnnie or pro hackers have interest in a home system or not - does not change the fact that a second NIC is not isolated.

At least we both agree that a second NIC adds a layer of protection.
 

sebastiantombs

Actually the isolation of a second NIC is easily proven. The cameras/devices on that NIC cannot access the internet. If that's not being isolated I don't know what is.
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,952
Reaction score
6,787
Location
Scotland
Actually the isolation of a second NIC is easily proven.
Only because by default in Windows (and Linux) 'ip_forwarding' is turned off on a typical install, assuming no apps have been installed that have needed it to be enabled.
The same concept applies to the embedded Linux in an NVR with PoE ports, though in practice 'ip_forwarding' is usually enabled as a convenience to be able to access the connected cameras.

In truth the use of the term 'isolated' is arguably inappropriate as it applies to physically segregated networks as opposed to those that are logically segregated such as in a dual-NIC OS.
It's fair to say though that the dual-NIC method of segregating 2 networks connected to a Windows PC is simple, and pretty safe.
 

CCTVCam

Known around here
Joined
Sep 25, 2017
Messages
2,671
Reaction score
3,497
A question that arose for myself from answering someone else's question elsewhere.

Do I need to fix the Gateway Address in my Router? It seems Gateway addresses are usually left blank so my worry is by fixing the Gateway Address in the 1st NIC card in my BI PC, and having the Gateway Address blank in my 2nd NIC, is the 1st NIC going to be discoverable by the 2nd NIC / my wider network / router by some kind of Dynamic Gateway detection?

Alternatively, just so I understand this, if not, does leaving the Gateway Address blank make the network default to some default Gateway value that is in force but not shown?

Just wondering how the separation works and making sure the Gateway Address I fix isn't discoverable by anything on the wider network and thus "joined".
 

sebastiantombs

If the second NIC is on a separate subnet it won't talk, at all, to the first NIC since it is "unaware" of that subnet. If you set a bogus default gateway and DNS address on the second NIC it will further ensure that NIC can't talk outside the segregated network. Windows does not route any traffic between the two NICs on its own so there is no worry there.
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,467
Reaction score
2,470
Location
USA
"A default gateway is the node in a computer network using the Internet protocol suite that serves as the forwarding host to other networks when no other route specification matches the destination IP address of a packet."

That said, leaving the default gateway value blank on the NIC connected to your camera network prevents them from leaving the network (this is a good thing). As @sebastiantombs said, Windows does not route traffic between two NICs.

The gateway address in your router is upstream to your Internet service provider (ISP). If you erase that, you will no longer be able to access the Internet.
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,304
Reaction score
3,282
Location
United Kingdom
Unless you actually have a router on the same network as the 2nd NIC then it doesn’t really matter what you set the default gateway to.

My home network is 192.168.0.0 and I have a router on that network on 192.168.0.1. The 2nd NIC is set to the network 192.168.1.0 and there is no router on that network capable of routing the traffic between the 2 subnets.

You could enable routing in Windows and that would allow software routing between the 2 subnets but as already pointed out this isn’t enabled by default.
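Added example, not part of any post in this thread: a PowerShell check of the settings the replies above rely on (forwarding off, no routing or sharing service running, no gateway on the camera-side adapter). The adapter name `Cameras` is an assumption; substitute the alias of your second NIC.

```powershell
# Added example: run in an elevated PowerShell session on the Blue Iris PC.
# Assumption: the camera-facing adapter has been renamed "Cameras".
$CameraNic = 'Cameras'
$findings  = @()

# Stop early if the alias is wrong, so a typo cannot look like a clean result.
$null = Get-NetAdapter -Name $CameraNic -ErrorAction Stop

# 1. Per-interface IPv4 forwarding; 'Disabled' on every adapter is the default.
foreach ($iface in Get-NetIPInterface -AddressFamily IPv4) {
    if ($iface.Forwarding -eq 'Enabled') {
        $findings += "Forwarding is enabled on '$($iface.InterfaceAlias)'"
    }
}

# 2. System-wide routing switch in the TCP/IP parameters (absent or 0 = off).
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$tcpip = Get-ItemProperty -Path $key -Name IPEnableRouter -ErrorAction SilentlyContinue
if ($tcpip -and $tcpip.IPEnableRouter -eq 1) {
    $findings += 'IPEnableRouter is set to 1'
}

# 3. Services that route or NAT between adapters:
#    RemoteAccess = Routing and Remote Access, SharedAccess = Internet Connection Sharing.
foreach ($name in 'RemoteAccess', 'SharedAccess') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $findings += "Service '$name' is running"
    }
}

# 4. A default route on the camera adapter means a gateway was filled in there.
$routes = Get-NetRoute -InterfaceAlias $CameraNic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
foreach ($r in $routes) {
    $findings += "Default route via $($r.NextHop) on '$CameraNic'"
}

if ($findings.Count -eq 0) {
    Write-Output "Windows is not set up to forward traffic to or from '$CameraNic'."
} else {
    $findings | ForEach-Object { Write-Output "REVIEW: $_" }
}
```

A clean result covers only the forwarding settings; it says nothing about the point made earlier in the thread that the PC itself sits on both networks.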
 

MickPB

Getting the hang of it
Joined
Oct 16, 2019
Messages
113
Reaction score
18
Location
Topeka, KS
For a simple solution without any network knowledge - I am quite happy with using a POE hub for the cameras and the second NIC in the BI machine and a second rj45 on a USB plug in the PI with Home Assistant. I also have just used a cable between that HUB and the internet when I wanted to upgrade the cameras.
 

alastairstevenson

I also have just used a cable between that HUB and the internet when I wanted to upgrade the cameras.
Assuming that the 1st NIC in the BI PC is connected to the router (internet) does this imply that the 2nd NIC is on the same address range as the 1st NIC and router?
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
No, the second NIC has its own subnet address. So all the cameras are on a different subnet.
On my system the router is 192.168.1.1, the first NIC on the BI computer is 192.168.1.235 which is connected to the router.

All addresses on the second subnet are static, the second subnet does not support DHCP.
So the second NIC on the BI computer is 192.168.2.235. All the cameras are on 192.168.2.201 to 192.168.2.220.
I use 235 for the BI computer on both subnets just to keep it simple, no technical reason to do this.
 

Freubel

Getting the hang of it
Joined
Apr 20, 2018
Messages
79
Reaction score
40
Location
Volendam
I use 192.168.1.1 for the LAN and 192.168.2.1 for the cameras. Only thing filled in on the camera network is the subnet. Everything else is empty. Unfortunately you have to fill in a gateway in the Dahua cameras so I have them all point to 192.168.2.245. Should be impossible for the cameras to reach out to the internet if I'm correct.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,828
Reaction score
6,386
I use 192.168.1.1 for the LAN and 192.168.2.1 for the cameras. Only thing filled in on the camera network is the subnet. Everything else is empty. Unfortunately you have to fill in a gateway in the Dahua cameras so I have them all point to 192.168.2.245. Should be impossible for the cameras to reach out to the internet if I'm correct.
Practically you're likely OK but since you said "impossible" not really impossible. I've seen various cams do things independent of settings. A Dahua cam that I have when set to a bogus DNS server will search for Google's DNS servers using IP addresses 8.8.8.8 and 8.8.4.4 coded into the firmware. Others still reach out to their P2P network no matter how you have things set to turn that off. Some Wyze cams that I have when blocked from the Internet run down a long list of time, DNS, and P2P servers coded into the firmware trying to find what they need. The same could easily apply to a list of common gateway addresses, assuming .1 on whatever current subnet, by searching neighboring IP addresses for a way out, etc. I've seen at least one post here where someone showed a cam doing just that along with spoofing a MAC address to avoid blocks, etc. If something doesn't play nicely, then the usual rules don't necessarily apply. Again, likely good but not something that you can absolutely count on.
 

Freubel

Practically you're likely OK but since you said "impossible" not really impossible. I've seen various cams do things independent of settings. A Dahua cam that I have when set to a bogus DNS server will search for Google's DNS servers using IP addresses 8.8.8.8 and 8.8.4.4 coded into the firmware. Others still reach out to their P2P network no matter how you have things set to turn that off. Some Wyze cams that I have when blocked from the Internet run down a long list of time, DNS, and P2P servers coded into the firmware trying to find what they need. The same could easily apply to a list of common gateway addresses, assuming .1 on whatever current subnet, by searching neighboring IP addresses for a way out, etc. I've seen at least one post here where someone showed a cam doing just that along with spoofing a MAC address to avoid blocks, etc. If something doesn't play nicely, then the usual rules don't necessarily apply. Again, likely good but not something that you can absolutely count on.
Absolutely correct. There is no such thing as impossible. I should have said most unlikely.
 

alastairstevenson

I also have just used a cable between that HUB and the internet when I wanted to upgrade the cameras.
No, the second NIC has its own subnet address. So all the cameras are on a different subnet.
I was curious how access to the internet for updates was possible when the camera segment on the 2nd NIC was on a different IP address range from that used by the router.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,884
Reaction score
48,536
Location
USA
Most of us here do not update our camera firmware. And if we do, we download it to the BI computer and then install from there to the camera.

I would not recommend someone putting a cable from the "non-internet" system to the internet system. That is how the cams get access to phone home.
 