Dual NIC setup on your Blue Iris Machine

[IReallyLikePizza2]

Can someone smarter than me explain why a separate, isolated switch is needed for the cameras?

Its not. What you are describing is 100% fine

Personally, I have a separate VLAN for cameras which allows for even greater control because I have my tinfoil hat on very tight

It is possible that your camera could be doing sneaky things and end up being able to talk out (This has happened, nefarious firmware is capable of changing MAC Addresses and switching IP settings, etc) however, for a simple home setup its probably not worth worrying about

To your original comment, a separate switch is 1000% never needed, the ideal situation is just having them in a separate VLAN

 

[mrc545]

Its not. What you are describing is 100% fine

Personally, I have a separate VLAN for cameras which allows for even greater control because I have my tinfoil hat on very tight

It is possible that your camera could be doing sneaky things and end up being able to talk out (This has happened, nefarious firmware is capable of changing MAC Addresses and switching IP settings, etc) however, for a simple home setup its probably not worth worrying about

To your original comment, a separate switch is 1000% never needed, the ideal situation is just having them in a separate VLAN

Thank you for the clarity. I have a managed switch as my home distribution switch, but a bunch of smaller 4-8 port PoE unmanaged switches spread throughout. I'll eventually get around to upgrading everything to have proper VLAN separation, but I figured logically everything should still be isolated even if they are riding the same pipe. I even created some iptables rules on my router as a last resort, and haven't had a single hit in the logs.

 

[wittaj]

But at the same time, having all that bandwidth in the "same pipe" can clog and congest the pipeline and slow things down.

My cameras stream over 350Mbps so I don't want that in the same pipeline as my other data. It has to slow it down even if none of the gear is routing. Same reason why they build bypass highways - no sense having that traffic route thru town if they aren't stopping!

 

[IReallyLikePizza2]

Wow 350Mb/s! I'm here with my cams running 125Mb/s like some chump

 

[mrc545]

But at the same time, having all that bandwidth in the "same pipe" can clog and congest the pipeline and slow things down.

My cameras stream over 350Mbps so I don't want that in the same pipeline as my other data. It has to slow it down even if none of the gear is routing. Same reason why they build bypass highways - no sense having that traffic route thru town if they aren't stopping!

You are definitely right. I took that into account when upgrading my primary switch. My aggregate IP camera throughput is about 250 Mbps, but the IP cameras are pretty evenly spread out amongst the smaller access switches that are throughout the house, which are all gigabit (so figure about ~50 Mbps stream overhead per gigabit switch--pretty reasonable). My distro switch where the other switches aggregate is multigig up to 10 gigabit, and my BI PC/NAS/Main PC (with 5-10gbe NICs) all directly connect to that to allow for fast transfers without overloading the downstream switches that are only gigabit.

 

[IReallyLikePizza2]

What the heck, how many cams are you guys running?

 

[wittaj]

A lot lol. And on a 4th Gen CPU under 15% CPU utilization (cross threading lol)

 

[IReallyLikePizza2]

My CPU is under control now I've removed the weird camera, hits 30% max when I have a ton of UI3 open

Maybe I need more cameras...

 

[wittaj]

Yep you need more cameras as we haven't had any good video from you recently lol.

Maybe some PTZs pointed down the street lol.

 

[mrc545]

What the heck, how many cams are you guys running?

26 cams in total. Most are Dahua 4k cams. My throughput used to be higher, but I had to lower the FPS and bitrate on them because something wasn't playing nice between the cams, BI, and Deepstack. I was getting constant crashes in BI. After toning it down some on the camera settings, everything has been running like a sewing machine.

I originally had an i9-9900k for my BI PC, which was getting absolutely crushed (this was before substream functionality came out). Sold that to a friend and built a Threadripper 3970X PC specifically for BI. Substream support came out shortly after.

So after blowing a couple thousand on a completely unnecessary build, BI is only using about 4% CPU with the UI open.

 

[EvanVanVan]

Not having setup my cameras or installed BI yet I'm having difficulty understanding what's capable and secure... I'd like to be able to view my camera feeds from any device on my LAN but obviously not expose them to the internet (some of the Amazon reviews mentioning the cameras calling home scare me, especially with the US banning Dahua and Hikvision cameras). This thread dealing with Dual NICs describes it as an easy way for a secure network. Is there a more better more advanced security method? Is that VLANs? Eventually, I'll setup a separate Wireguard VPN if I want remote access into the LAN to check the cameras.

Thanks

 

[wittaj]

EVERY camera that touches the internet can be exploited, so we recommend not letting any touch the internet.

Dual NIC is very secure and simple and cheap and is as close as you can get to an "air gap" without actually being an air gap because they are two separate devices.

With a VLAN you are putting your trust in the software to isolate it as everything goes to the same switch.

That doesn't mean a managed switch is insecure. VLANS are secure and can provide more granular level control as well, but some can get complicated and one can accidentally give access if it is a complex VLAN like the Edgerouter or many others.

 

[EvanVanVan]

EVERY camera that touches the internet can be exploited, so we recommend not letting any touch the internet.

Dual NIC is very secure and simple and cheap and is as close as you can get to an "air gap" without actually being an air gap because they are two separate devices.

With a VLAN you are putting your trust in the software to isolate it as everything goes to the same switch.

That doesn't mean a managed switch is insecure. VLANS are secure and can provide more granular level control as well, but some can get complicated and one can accidentally give access if it is a complex VLAN like the Edgerouter or many others.

That makes sense. So how are the cameras viewable via BI? Are they only viewable on the BI PC? There's no secure way of viewing them from any device on the LAN?

 

[Teeauu]

26 cams in total. Most are Dahua 4k cams. My throughput used to be higher, but I had to lower the FPS and bitrate on them because something wasn't playing nice between the cams, BI, and Deepstack. I was getting constant crashes in BI. After toning it down some on the camera settings, everything has been running like a sewing machine.

I originally had an i9-9900k for my BI PC, which was getting absolutely crushed (this was before substream functionality came out). Sold that to a friend and built a Threadripper 3970X PC specifically for BI. Substream support came out shortly after.

So after blowing a couple thousand on a completely unnecessary build, BI is only using about 4% CPU with the UI open.

I currently have 34 with a mix Dahua 4K and Hikavision 4K cameras, all running 15 FPS. Right this moment I am running 9% CPU on an I7-8700 running at 3.20GHz. I use a couple of WDC WD101PURZ-85C62Y0 drives in a RAID configuration. Love substream, make so much of a difference.

 

[concord]

That makes sense. So how are the cameras viewable via BI? Are they only viewable on the BI PC? There's no secure way of viewing them from any device on the LAN?

Within the Settings, select the Web Server tab and turn it on, enter in the IP address of your network card that can get out to the internet, note the default port is 81, (some people change it, others leave it as is). For example, if your router is at 192.168.0.1 and your BI computer connection to it has an IP address of 192.168.0.22, then enter in 192.168.0.22. Your isolated network card, connected to your cameras should be anything but 192.168.0.xxx. If you set your cam network IP range to 192.168.1.xxx, for example, then you'll be ready to go. Just type in your browser

http://192.168.0.22:81

I'd recommend that you make you have your BI computer set to a particular IP address. There a couple ways of doing this (assuming you are dynamically allocating IP addresses on your internet network aka DHCP), in your router:

1) Use the MAC Address of the computer to assign a set IP address, most routers have this ability, or
2) Change the DHCP IP range such that it leaves some IP addresses free. For example set the router range from 192.168.0.100 to 192.168.254, such that any device requesting an IP address on your network will get an IP address from that range. On your BI computer, change it to a static IP address, such as 192.168.0.22.

 

[wittaj]

That makes sense. So how are the cameras viewable via BI? Are they only viewable on the BI PC? There's no secure way of viewing them from any device on the LAN?

You view them via ui3 built into BI. You type into a browser on your LAN the ip address of the bi computer and then the login screen pops up. You are only seeing the video stream of the camera and the camera itself isn't talking to the internet.

Or you remote desktop into the BI computer.

Then setup OpenVPN or some other VPN that you host to view them when away from home.

 

[mrc545]

You view them via ui3 built into BI. You type into a browser on your LAN the ip address of the bi computer and then the login screen pops up. You are only seeing the video stream of the camera and the camera itself isn't talking to the internet.

Or you remote desktop into the BI computer.

Then setup OpenVPN or some other VPN that you host to view them when away from home.

This is the way. Especially if you want to use PKI. If you have a router that can support an OpenVPN server, it should be pretty straightforward. An advantage over using a 'secure' port forwarding setup exclusive to the BI web server, is that not only can you check your cameras while you are away, but you can securely access other resources on your local network, like shared folders.

 

[samplenhold]

Using two NICs on the BI PC is the easiest way to isolate the cams from the internet and still be able to view BI from any other PC on your LAN. See the two diagrams below:

This set up shows the typical ISP supplied gear, a modem/router combination that has the typical four-port RJ45 connectors. This puts the cams on a sub-net (192.168.2.xxx) that has no physical connection to the modem that connects to the internet. The other PCs on the LAN can access the BI PC via UI3 since the BI PC is on the same sub-net (192.168.1.xxx) as the rest of the LAN. The cams and any other items connected to 192.168.2.xxx cannot jump to 192.168.1.xxx via the BI PC.

But this setup does not allow a secure connection from the BI PC to the internet for viewing BI from outside the home LAN UNLESS that ISP supplied modem/router has the ability to run a VPN.



The diagram below is much like the one above with one important difference. The ISP supplied modem/router has been put in 'bridge mode' and a VPN capable router is placed between the ISP gear and the rest of your LAN.

 

[Mac25]

really that simple, so all i am missing is a capable VPN router ?
set the modem to bridge mode and setup my router vpn service.

 

[mrc545]

really that simple, so all i am missing is a capable VPN router ?
set the modem to bridge mode and setup my router vpn service.

Pretty much. I have been using ASUS routers with Merlin FW for a long time now. My router can support 2 simultaneous OpenVPN servers. Whatever you get, be sure to get one that has AES-NI to speed up the crypto.

This link will guide you through setting up your own CA and generating certs: Setting Up Your Own Certificate Authority (CA) | OpenVPN

You generate the certs, paste the relevent certs into the OpenVPN settings on your router, and set up DDNS if you don't have a static IP assigned from your ISP. Generate .ovpn profiles for your client devices, and sneakernet them over (do not send private keys over the internet).

As I had sanity checked some posts ago, you shouldn't need to physically segregate the isolated subnet from the rest of the network. If you assign the second NIC, and all of the IP cameras to a different network with no default gateway, those addresses are non-routable and your router won't know what to do with them. I created an iptables rule on my router just for giggles to block any addresses from my isolated network, and I have had no hits since I made it some weeks ago.