Dual NIC setup on your Blue Iris Machine

[staind204]

I am really struggling with this setup. I wanted to use a Ubiquiti Flex Switch so I would only need to run one ethernet to my attic. I wanted to terminate the ethernet from my basement switch to a 2nd switch w POE injector to the Flex switch in the attic and then run wires to the outdoor cams.

However with the "dual nic" setup, I can't get my Unifi Flex Switch Online. My "second" switch has 1 ethernet going from the switch to the BI PC. The 2nd ethernet goes into a POE injector then into the Flex switch and onto the camera.

The problem is since the Flex switch is coming off the 2nd switch (not hooked into the primary switch with router/internet access), it can never get an IP. I am unable to log into the GUI of the flex switch because it can't get to the router to get an IP. Unfortunately if I can't manage the switch, I cant get it to power the cam. Is there any workaround for this or do I just have to get rid of the flex switch and buy an unmanaged POE? I really want to use the flex switch so I can run less wires but I just can't figure this out and am extremely frusterated.

 

[Teeauu]

I am really struggling with this setup. I wanted to use a Ubiquiti Flex Switch so I would only need to run one ethernet to my attic. I wanted to terminate the ethernet from my basement switch to a 2nd switch w POE injector to the Flex switch in the attic and then run wires to the outdoor cams.

However with the "dual nic" setup, I can't get my Unifi Flex Switch Online. My "second" switch has 1 ethernet going from the switch to the BI PC. The 2nd ethernet goes into a POE injector then into the Flex switch and onto the camera.

The problem is since the Flex switch is coming off the 2nd switch (not hooked into the primary switch with router/internet access), it can never get an IP. I am unable to log into the GUI of the flex switch because it can't get to the router to get an IP. Unfortunately if I can't manage the switch, I cant get it to power the cam. Is there any workaround for this or do I just have to get rid of the flex switch and buy an unmanaged POE? I really want to use the flex switch so I can run less wires but I just can't figure this out and am extremely frusterated.

Ok so shotgunning here. Can you not either provide a static IP to the switch, or make one IP available in DHCP and let the switch grab that?

 

[staind204]

I think the problem is the Flex Switch can't get to the router with the "dual nic" setup. The "POE flex switch" needs to be hanging off the isolated switch going to the NVR BI PC's 2nd NIC (it can't get to my router handing out addresses which I think is by design, anything off my isolated/CAM switch should not get out).

 

[samplenhold]

A POE switch cannot 'power' a cam through another switch. You need to plug each cam into the POE switch, then connect the POE switch to your other switch.

See below

 

[staind204]

A POE switch cannot 'power' a cam through another switch. You need to plug each cam into the POE switch, then connect the POE switch to your other switch.

See below
View attachment 146801

Thanks but I have a poe injector. I think I got it figured out. I was able to get the POE flex switch online by using my regular network. I got in and gave it a static ip in my 2nd NIC/cam address range. Then i plugged it into the switch going to my nvr nic and i could ping the new address but the ubiquiti software still couldnt see it. I completely turned off windows firewall and it worked. So lastly I had to go back in and allow the ubiquiti software access in win defender so I could re-enable the firewall. I still have more testing to do but atleast I can get to my flex switch now.

 

[staind204]

Once we have added 192.168.1.50/24 and re-ip'd the camera away from their default address, is there any reason to leave 192.168.1.50/24 on the 2nd NIC? Can it be safely removed? Any risk to leaving it?

 

[twojciac]

Using two NICs keeps things simple with physical mapping of networks, but this is all achievable using VLANs if you have a smart or managed switch.

Assume your home network is the default, VLAN 1. You can create a second VLAN, we'll use VLAN 2 for this example, where the cameras will connect. All the typical ports will remain in VLAN 1 and you will configure the switch to use VLAN 2 for any ports connecting to cameras. Then on the port connecting to your NVR you will set up a 802.1q trunk. You will then have a physical Ethernet interface and two virtual interfaces for each VLAN. The rest of the guide is applicable, the same overall architecture where you'd setup a default gateway for the interface connecting to VLAN 1 and leave the gateway off VLAN 2's interface.

 

[IReallyLikePizza2]

Using two NICs keeps things simple with physical mapping of networks, but this is all achievable using VLANs if you have a smart or managed switch.

Assume your home network is the default, VLAN 1. You can create a second VLAN, we'll use VLAN 2 for this example, where the cameras will connect. All the typical ports will remain in VLAN 1 and you will configure the switch to use VLAN 2 for any ports connecting to cameras. Then on the port connecting to your NVR you will set up a 802.1q trunk. You will then have a physical Ethernet interface and two virtual interfaces for each VLAN. The rest of the guide is applicable, the same overall architecture where you'd setup a default gateway for the interface connecting to VLAN 1 and leave the gateway off VLAN 2's interface.

I do both, cameras all go on their own VLAN which is heavily firewalled off, and my Blue Iris machine has 2 NIC's, one for the camera VLAN and one for my main LAN, both switchports just untagged access ports

The problem with doing trunks in Windows is that is HOT GARBAGE

 

[reflection]

A POE switch cannot 'power' a cam through another switch. You need to plug each cam into the POE switch, then connect the POE switch to your other switch.

I have three of these. They work pretty well. No issues so far. As long as your cameras don't use too much power (no PTZ), and your PoE switch is decent, you can plug this in to your PoE switch (which will power this device) and then connect cameras to it. I have a Cisco PoE switch and set the port to "power inline static" to pin the port to 30W. Then I have up to 4 cameras connected to it. No issues with IR either.

This allows me to run one CAT6 from my main PoE switch to my garage and feed 4 cameras. Sure beats running four CAT6 cables from the main PoE switch.

Edit. Forgot the link. 4 Ports POE Extender 10/100M RJ45 25.5W Extend 120M IEEE 802.3af for IP Camera | eBay

 

[twojciac]

The problem with doing trunks in Windows is that is HOT GARBAGE

Blue Iris is the only reason I run Windows, otherwise I've been a Linux and MacOS guy. But I've got an Intel NIC and using PROSet it was simple to setup a trunk and the vlan subinterfaces. Not sure how Realtek or any of the other vendors are. I try to stick with Intel whenever I can.

 

[IReallyLikePizza2]

Blue Iris is the only reason I run Windows, otherwise I've been a Linux and MacOS guy. But I've got an Intel NIC and using PROSet it was simple to setup a trunk and the vlan subinterfaces. Not sure how Realtek or any of the other vendors are. I try to stick with Intel whenever I can.

What version of Windows?

That's good to know, I usually just avoid it. The use case is pretty limited now with most things with VM's in the real world

 

[reflection]

I tried Intel PROSet on my desktop machine but had problems with trunks. When it work, it worked fine. But it kept losing its config and I had to reconfigure the trunk. I finally gave up on it. Maybe it was because VMware Workstation or VirtualBox or HyperV resetting the config.

For BlueIris within ESXi, it was easy enough to create a new interface, so never had to configure a trunk on the BlueIris VM, just on the ESXi host.

 

[TL1096r]

Wow this is thread to be 4 years old this July... Thanks for everyone that added to this thread.

If anyone has a good write-up for setting up VLANS on a specific brand's managed switch please share it here. It would be a setup from a dual NIC setup.

Thanks

 

[Michael11]

I read the entire thread. Thank you everyone!

The few questions I have before attempting dual NIC setup on the machine coming Friday is... 1) Do we need to do anything with IPv6 such as disabling it during the first step when we click on IPv4 and properties? My router shows activity on IPv6 so I want to follow the steps in order. I know I can check after the fact to see if the cameras are isolated, but it'd be nice to know upfront. 2) I was planning on running security software on my BI machine, maybe that's in a different forum. I don't see why it would be an issue, and it would help with the discussion of Windows getting compromised from a camera.

 

[samplenhold]

1) Do we need to do anything with IPv6 such as disabling it during the first step when we click on IPv4 and properties?

No.

2) I was planning on running security software on my BI machine, maybe that's in a different forum.

If this is a question...not a problem.

 

[Virga]

Great thread, of course will have to re-read.
Key realization for me is that it is not just the BI PC that has to be isolated, but the entire eco-system of cameras.

The first thing that stood out for me is that I'll need to change how my cameras are physically connected.
I have an ISP modem-only (currently Starlink, soon to be replaced by Spectrum/Charter), my own router, and three switches including one PoE switch plugged into my Unifi Dream Machine router.
All ethernet runs are home runs to the same location.
IP cameras and other PoE devices connect to the PoE switch (which connects to the router).

Looks like this needs to change if I am reading/understanding the diagrams correctly,
The cameras need to connect to the PoE switch, which needs to connect ONLY to the BI PC.
For other PoE devices I'll have to make new arrangements, either a second PoE switch or port injectors.

 

[wittaj]

Great thread, of course will have to re-read.
Key realization for me is that it is not just the BI PC that has to be isolated, but the entire eco-system of cameras.

The first thing that stood out for me is that I'll need to change how my cameras are physically connected.
I have an ISP modem-only (currently Starlink, soon to be replaced by Spectrum/Charter), my own router, and three switches including one PoE switch plugged into my Unifi Dream Machine router.
All ethernet runs are home runs to the same location.
IP cameras and other PoE devices connect to the PoE switch (which connects to the router).

Looks like this needs to change if I am reading/understanding the diagrams correctly,
The cameras need to connect to the PoE switch, which needs to connect ONLY to the BI PC.
For other PoE devices I'll have to make new arrangements, either a second PoE switch or port injectors.

That is correct.

The 2nd NIC can be had for under $20, so most will just do that. The advantage is a little more physical separation and ease of replacement.

That is correct - the purpose of the dual NIC is to place all of the cameras on one NIC and then the internet to the BI computer with the other NIC.

From this graphic courtesy of @samplenhold, you will notice the cameras are on one IP subnet (192.168.2.xxx) while everything else is on IP subnet 192.168.1.xxx subnet.

Doing so in this format prevents the cameras from talking to the internet. The BI PC will basically act as a firewall.

 

[Virga]

I take it that no routing is needed below the BI PC because the cameras are assigned static IPs.
From your post in a different thread yesterday (where you provided a link to this thread), NIC#1 in above @samplenhold diagram could be a Wifi NIC connecting to Wireless Access Points which connect to the 192.168.1.xxx switch,

 

[wittaj]

I take it that no routing is needed below the BI PC because the cameras are assigned static IPs.
From your post in a different thread yesterday (where you provided a link to this thread), NIC#1 in above @samplenhold diagram could be a Wifi NIC connecting to Wireless Access Points which connect to the 192.168.1.xxx switch,

That is correct - no router or routing is needed since you are manually assigning the IP addresses to the cameras.

Yes, under your scenario NIC1 would be the wifi NIC connected to your router.

 

[SourTurtle]

With this setup, would it be bad to run other programs that interact with or are used by devices on the main network on the Blue Iris PC? If so, what's the concern?