Dual NIC setup on your Blue Iris Machine

Can someone smarter than me explain why a separate, isolated switch is needed for the cameras?

It's not. What you are describing is 100% fine

Personally, I have a separate VLAN for cameras which allows for even greater control because I have my tinfoil hat on very tight

It is possible that your camera could be doing sneaky things and end up being able to talk out (This has happened, nefarious firmware is capable of changing MAC Addresses and switching IP settings, etc) however, for a simple home setup its probably not worth worrying about

To your original comment, a separate switch is 1000% never needed, the ideal situation is just having them in a separate VLAN

Thank you for the clarity. I have a managed switch as my home distribution switch, but a bunch of smaller 4-8 port PoE unmanaged switches spread throughout. I'll eventually get around to upgrading everything to have proper VLAN separation, but I figured logically everything should still be isolated even if they are riding the same pipe. I even created some iptables rules on my router as a last resort, and haven't had a single hit in the logs.
 
But at the same time, having all that bandwidth in the "same pipe" can clog and congest the pipeline and slow things down.

My cameras stream over 350Mbps so I don't want that in the same pipeline as my other data. It has to slow it down even if none of the gear is routing. Same reason why they build bypass highways - no sense having that traffic route thru town if they aren't stopping!
 
Wow 350Mb/s! I'm here with my cams running 125Mb/s like some chump

You are definitely right. I took that into account when upgrading my primary switch. My aggregate IP camera throughput is about 250 Mbps, but the IP cameras are pretty evenly spread out amongst the smaller access switches that are throughout the house, which are all gigabit (so figure about ~50 Mbps stream overhead per gigabit switch--pretty reasonable). My distro switch where the other switches aggregate is multigig up to 10 gigabit, and my BI PC/NAS/Main PC (with 5-10gbe NICs) all directly connect to that to allow for fast transfers without overloading the downstream switches that are only gigabit.
 
What the heck, how many cams are you guys running?
 
My CPU is under control now I've removed the weird camera, hits 30% max when I have a ton of UI3 open

Maybe I need more cameras...
26 cams in total. Most are Dahua 4k cams. My throughput used to be higher, but I had to lower the FPS and bitrate on them because something wasn't playing nice between the cams, BI, and Deepstack. I was getting constant crashes in BI. After toning it down some on the camera settings, everything has been running like a sewing machine.

I originally had an i9-9900k for my BI PC, which was getting absolutely crushed (this was before substream functionality came out). Sold that to a friend and built a Threadripper 3970X PC specifically for BI. Substream support came out shortly after. :(

So after blowing a couple thousand on a completely unnecessary build, BI is only using about 4% CPU with the UI open.
 
Not having set up my cameras or installed BI yet, I'm having difficulty understanding what's capable and secure... I'd like to be able to view my camera feeds from any device on my LAN but obviously not expose them to the internet (some of the Amazon reviews mentioning the cameras calling home scare me, especially with the US banning Dahua and Hikvision cameras). This thread dealing with dual NICs describes it as an easy way for a secure network. Is there a better, more advanced security method? Is that VLANs? Eventually, I'll set up a separate WireGuard VPN if I want remote access into the LAN to check the cameras.

Thanks
 
EVERY camera that touches the internet can be exploited, so we recommend not letting any touch the internet.

Dual NIC is very secure and simple and cheap and is as close as you can get to an "air gap" without actually being an air gap because they are two separate devices.

With a VLAN you are putting your trust in the software to isolate it as everything goes to the same switch.

That doesn't mean a managed switch is insecure. VLANS are secure and can provide more granular level control as well, but some can get complicated and one can accidentally give access if it is a complex VLAN like the Edgerouter or many others.
That makes sense. So how are the cameras viewable via BI? Are they only viewable on the BI PC? There's no secure way of viewing them from any device on the LAN?

I currently have 34 with a mix of Dahua 4K and Hikvision 4K cameras, all running 15 FPS. Right this moment I am running 9% CPU on an i7-8700 running at 3.20GHz. I use a couple of WDC WD101PURZ-85C62Y0 drives in a RAID configuration. Love substream, it makes so much of a difference.
Within the Settings, select the Web Server tab and turn it on, enter in the IP address of your network card that can get out to the internet, note the default port is 81, (some people change it, others leave it as is). For example, if your router is at 192.168.0.1 and your BI computer connection to it has an IP address of 192.168.0.22, then enter in 192.168.0.22. Your isolated network card, connected to your cameras should be anything but 192.168.0.xxx. If you set your cam network IP range to 192.168.1.xxx, for example, then you'll be ready to go. Just type in your browser
I'd recommend that you make sure you have your BI computer set to a particular IP address. There are a couple of ways of doing this (assuming you are dynamically allocating IP addresses on your internet network, aka DHCP), in your router:

1) Use the MAC Address of the computer to assign a set IP address, most routers have this ability, or
2) Change the DHCP IP range such that it leaves some IP addresses free. For example set the router range from 192.168.0.100 to 192.168.254, such that any device requesting an IP address on your network will get an IP address from that range. On your BI computer, change it to a static IP address, such as 192.168.0.22.
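As an added sanity check for the addressing plan described in the post above (this is example code, not from the thread or from Blue Iris), the function below takes a dual-NIC plan and flags the mistakes that would break the isolation: overlapping subnets, a default gateway on the camera NIC, a web server bound to the wrong NIC, or a static address that collides with the router's DHCP pool. The values in EXAMPLE_PLAN are constructed from the post's examples.

```python
import ipaddress

# Constructed plan following the post above: the LAN NIC gets a static address
# outside the router's DHCP pool and carries the default gateway; the camera NIC
# sits on a different private range with no gateway at all.
EXAMPLE_PLAN = {
    "lan_nic": {"address": "192.168.0.22/24", "gateway": "192.168.0.1"},
    "cam_nic": {"address": "192.168.1.1/24", "gateway": None},
    "dhcp_pool": ("192.168.0.100", "192.168.0.254"),
    "bi_web_bind": "192.168.0.22",
}


def check_dual_nic_plan(plan):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    lan = ipaddress.ip_interface(plan["lan_nic"]["address"])
    cam = ipaddress.ip_interface(plan["cam_nic"]["address"])

    # The two NICs must be on disjoint subnets, or the OS cannot choose routes cleanly.
    if lan.network.overlaps(cam.network):
        problems.append("LAN and camera subnets overlap")

    # The camera NIC must have no default gateway: without one, the BI PC holds
    # no route that could carry camera traffic towards the internet-facing side.
    if plan["cam_nic"]["gateway"] is not None:
        problems.append("camera NIC has a default gateway; cameras could be routed out")

    # The LAN gateway must live inside the LAN subnet, or the PC has no usable route.
    gw = ipaddress.ip_address(plan["lan_nic"]["gateway"])
    if gw not in lan.network:
        problems.append("LAN gateway is not inside the LAN subnet")

    # The BI web server should listen on the LAN NIC address, not the camera NIC.
    bind = ipaddress.ip_address(plan["bi_web_bind"])
    if bind != lan.ip:
        problems.append("BI web server is not bound to the LAN NIC address")

    # A static address must sit outside the router's DHCP pool to avoid collisions.
    lo, hi = (ipaddress.ip_address(a) for a in plan["dhcp_pool"])
    if lo <= lan.ip <= hi:
        problems.append("BI static address falls inside the DHCP pool")
    return problems


if __name__ == "__main__":
    print(check_dual_nic_plan(EXAMPLE_PLAN) or "plan looks consistent")
```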
You view them via ui3 built into BI. You type into a browser on your LAN the ip address of the bi computer and then the login screen pops up. You are only seeing the video stream of the camera and the camera itself isn't talking to the internet.

Or you remote desktop into the BI computer.

Then setup OpenVPN or some other VPN that you host to view them when away from home.
This is the way. Especially if you want to use PKI. If you have a router that can support an OpenVPN server, it should be pretty straightforward. An advantage over using a 'secure' port forwarding setup exclusive to the BI web server, is that not only can you check your cameras while you are away, but you can securely access other resources on your local network, like shared folders.
 
Using two NICs on the BI PC is the easiest way to isolate the cams from the internet and still be able to view BI from any other PC on your LAN. See the two diagrams below:

This set up shows the typical ISP supplied gear, a modem/router combination that has the typical four-port RJ45 connectors. This puts the cams on a sub-net (192.168.2.xxx) that has no physical connection to the modem that connects to the internet. The other PCs on the LAN can access the BI PC via UI3 since the BI PC is on the same sub-net (192.168.1.xxx) as the rest of the LAN. The cams and any other items connected to 192.168.2.xxx cannot jump to 192.168.1.xxx via the BI PC.

But this setup does not allow a secure connection from the BI PC to the internet for viewing BI from outside the home LAN UNLESS that ISP supplied modem/router has the ability to run a VPN.

Network Topology 0B.JPG

The diagram below is much like the one above with one important difference. The ISP supplied modem/router has been put in 'bridge mode' and a VPN capable router is placed between the ISP gear and the rest of your LAN.

Network Topology 6a.JPG
 
Really that simple, so all I am missing is a capable VPN router?
Set the modem to bridge mode and set up my router's VPN service.
Pretty much. I have been using ASUS routers with Merlin FW for a long time now. My router can support 2 simultaneous OpenVPN servers. Whatever you get, be sure to get one that has AES-NI to speed up the crypto.

This link will guide you through setting up your own CA and generating certs: Setting Up Your Own Certificate Authority (CA) | OpenVPN

You generate the certs, paste the relevant certs into the OpenVPN settings on your router, and set up DDNS if you don't have a static IP assigned from your ISP. Generate .ovpn profiles for your client devices, and sneakernet them over (do not send private keys over the internet).

As I had sanity checked some posts ago, you shouldn't need to physically segregate the isolated subnet from the rest of the network. If you assign the second NIC, and all of the IP cameras to a different network with no default gateway, those addresses are non-routable and your router won't know what to do with them. I created an iptables rule on my router just for giggles to block any addresses from my isolated network, and I have had no hits since I made it some weeks ago.
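The post above relies on checking the router's firewall log for hits from the isolated subnet. As an added example (not from the thread or from any router firmware), the script below parses lines in the netfilter LOG target's format and reports every packet a camera-subnet host tried to send beyond its own subnet, split into attempts towards the LAN and towards the internet. It assumes the 192.168.2.0/24 camera and 192.168.1.0/24 LAN layout from the diagram post and a LOG rule with the prefix "CAM-ISO"; the sample lines are constructed.

```python
import ipaddress
import re

CAM_SUBNET = ipaddress.ip_network("192.168.2.0/24")  # assumed camera subnet
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN subnet

# Constructed sample lines in the netfilter LOG target's syslog format.
SAMPLE_LOG = """\
Jul 10 08:01:12 router kernel: CAM-ISO IN=eth1 OUT=eth0 SRC=192.168.2.15 DST=203.0.113.9 PROTO=UDP SPT=5000 DPT=123
Jul 10 08:01:13 router kernel: CAM-ISO IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.9 PROTO=TCP SPT=51234 DPT=443
Jul 10 08:02:44 router kernel: CAM-ISO IN=eth1 OUT=eth0 SRC=192.168.2.15 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=80
Jul 10 08:03:01 router kernel: CAM-ISO IN=eth1 OUT= SRC=192.168.2.30 DST=192.168.1.10 PROTO=TCP SPT=554 DPT=554
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Turn one netfilter LOG line into a dict of KEY=VALUE fields ({} if not a LOG line)."""
    if "kernel:" not in line or "SRC=" not in line:
        return {}
    return dict(FIELD_RE.findall(line.split("kernel:", 1)[1]))


def camera_egress_hits(log_text):
    """Return (src, dst, dport, kind) for each packet a camera host sent outside its subnet.

    kind is "lan" when the destination is on the LAN subnet (lateral movement
    attempt) and "internet" for anything else (the "calling home" case).
    """
    hits = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if not fields:
            continue
        src = ipaddress.ip_address(fields["SRC"])
        dst = ipaddress.ip_address(fields["DST"])
        if src in CAM_SUBNET and dst not in CAM_SUBNET:
            kind = "lan" if dst in LAN_SUBNET else "internet"
            hits.append((str(src), str(dst), fields.get("DPT"), kind))
    return hits


def hits_per_camera(hits):
    """Count attempts per camera address so a chatty device stands out."""
    counts = {}
    for src, *_ in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    found = camera_egress_hits(SAMPLE_LOG)
    print(f"{len(found)} egress attempts from the camera subnet:", hits_per_camera(found))
```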