Dual NIC setup on your Blue Iris Machine

[crw030]

I won't be able to log into the cameras from any other computer on my network, right?

While I'm sure some network wiz might come along and provide a workaround, like maybe the Blue Iris machine can port forward traffic between the two networks with a little configuration.

However, in the simplest scenario, if you just have the basic 2-NIC setup then accessing the camera interfaces you have to physically remote desktop to the Blue Iris machine. At least that is how I access my camera interfaces as I use the 2-NIC method. However, I am very satisfied with Blue Iris as a primary interface to the camera streams, but it might not work for everyone.

 

[Sybertiger]

Thanks!
Once I put my cameras on their own network, behind my Blue Iris PC, I won't be able to log into the cameras from any other computer on my network, right? I'll have log into them using the Blue Iris PC. Not that it's a big deal, or that I do that often. I thought I read where there was a way to log into them from other PCs (not on that network), but maybe not. I've been reading so much lately I can't keep track of it all.

Use TeamViewer or RDP from any computer in your home network. If you are away from home then use VPN to connect to your home network through your VPN connection on your router then use TeamViewer, et al to logon to your BI server.

 

[nowandthen]

Use TeamViewer or RDP from any computer in your home network. If you are away from home then use VPN to connect to your home network through your VPN connection on your router then use TeamViewer, et al to logon to your BI server.

Thanks! I'll give that a try.

 

[crw030]

FYI, I have always used remote desktop to setup my cameras (I login to my Blue Iris machine) because I feel like the network separation is the most secure option for someone that doesn't fully understand VLANs.

However, just a quick Google, I was able to get the following also working. Although, I am not an expert in how this reduces security, I was able to at least see that it is possible to do this:

Initial Network Info you need to know:
My in-home "camera" network is 192.168.33.X -- it has only one device on it: the Blue Iris Computer at: 192.168.33.31
the Blue Iris machine has a 2nd NIC, and it is on subnet 192.168.1.X -- there I have multiple cameras, but for testing I wanted to pullup the interface on a specific camera.

On the Blue Iris machine I was able to do the following two steps:
configure windows port forward for traffic if received on a specific port: netsh interface portproxy add v4tov4 listenaddress=192.168.33.31 listenport=9108 connectaddress=192.168.1.108 connectport=80
configure windows firewall to allow inbound traffic on that port so it doesn't get rejected by Windows firewall on Blue Iris computer: Windows Defender Firewall >> Advanced Settings >> Inbound Rules >> Add a Rule >> TCP, Port Number: 9108 >> Allow

With that config I can pull up the camera admin interface on any computer by opening a browser

http://192.168.33.31:9108

, but I'm not 100% certain of the security implications.

 

[Sybertiger]

FYI, I have always used remote desktop to setup my cameras (I login to my Blue Iris machine) because I feel like the network separation is the most secure option for someone that doesn't fully understand VLANs.

However, just a quick Google, I was able to get the following also working. Although, I am not an expert in how this reduces security, I was able to at least see that it is possible to do this:

Initial Network Info you need to know:
My in-home "camera" network is 192.168.33.X -- it has only one device on it: the Blue Iris Computer at: 192.168.33.31
the Blue Iris machine has a 2nd NIC, and it is on subnet 192.168.1.X -- there I have multiple cameras, but for testing I wanted to pullup the interface on a specific camera.

On the Blue Iris machine I was able to do the following two steps:
configure windows port forward for traffic if received on a specific port: netsh interface portproxy add v4tov4 listenaddress=192.168.33.31 listenport=9108 connectaddress=192.168.1.108 connectport=80
configure windows firewall to allow inbound traffic on that port so it doesn't get rejected by Windows firewall on Blue Iris computer: Windows Defender Firewall >> Advanced Settings >> Inbound Rules >> Add a Rule >> TCP, Port Number: 9108 >> Allow

With that config I can pull up the camera admin interface on any computer by opening a browser

http://192.168.33.31:9108

, but I'm not 100% certain of the security implications.

NEVER port forward....IPCamTalk 101: How to Secure Your Network (Don't Get Hacked!)

 

[crw030]

NEVER port forward....IPCamTalk 101: How to Secure Your Network (Don't Get Hacked!)

I am well aware of the recommendation not to port forward unsafe internet traffic through your firewall. This port-forward is actually only between two internal networks, basically between the two NICs on a Windows computer, so it might not have quite the same security implications.

 

[RubberDucky]

...However, just a quick Google, I was able to get the following also working...

"Quick google"... Really? lol

The main thing I never liked about my WIFI + 1 NIC setup (aka dual NIC setup) was my gDMSS phone app no longer worked even at home on my internal WIFI LAN (couldn't access the cameras). Now it can. Cool.

The cameras still can't phone home as far as I can see, and overall doesn't seem much different in security than two vlans with a rule allowing one to talk to the other on a specific port. Although it shows how easy it is for a compromised computer to use netsh to gain access to basically anything...

Anyway until someone proves otherwise, I say good job in figuring this out.

 

[crw030]

The cameras still can't phone home as far as I can see, and overall doesn't seem much different in security than two vlans with a rule allowing one to talk to the other on a specific port.

I would say based on some of the camera hacking youtube vids I've watched, this definitely increases your risk (since the webserver is probably vulnerable, now it is exposed to your home network), if anyone ever makes it inside your firewall on your home network (like due to a compromised IoT device, smart fridge, Raspberry Pi or open wifi network foothold), but you also have some real problems anyway.

But still not the same as exposing ports forwarded directly through your primary firewall such that any script kid that can use Shodan can find your exposed web interface imho!

Just documenting here and now, if someone remaps all their cameras using this method and then port forwards all of them through their firewall, I am not responsible for you completely compromising your entire network.

 

[Sybertiger]

I am well aware of the recommendation not to port forward unsafe internet traffic through your firewall. This port-forward is actually only between two internal networks, basically between the two NICs on a Windows computer, so it might not have quite the same security implications.

Something about malicious firmware on some Chinese cams and opening up things so your malicious Chinese cams (for example) can now access your home network directly. It's not all that hard to use TeamViewer or RDP to connect to your BI server then logon to your IP cams. And, with your ASUS router I assume you have VPN setup so you can access your BI server from anywhere in the world from another computer or your Android device, et al.

 

[crw030]

It's not all that hard to use TeamViewer or RDP to connect to your BI server

I agree completely, I use RDP and VPN, that would still be my recommendation, but maybe this is a convenient workaround during setup or something for someone that wants to use the dual-NIC config instead of VLAN approach but hates that minor inconvenience.

 

[Riclyo]

So I was able to set the dual nic up thanks to TL's step by step instructions. My only issue was that it isolated my unifi managed poe switch from it's controller.
is there a way around this? I put controller software on the BI computer and it sees the poe switch but cannot manage it without a router/gateway.
I'm not very network savvy so please take it easy on me.

 

[wittaj]

@TL1096r - wow what an incredible write-up that you put together (and acknowledge all those mentioned that assisted)!

So in your diagram below:



I understand the Dual NIC Computer (BI Machine) and how NIC1 gives you internet access and NIC2 accesses the cams and no internet.

Here is where my NOOB brain is having difficulty following (even after reading dozens of different posts and topics here):

1. When you are connected to the router say by wifi on your phone, how is the phone able to get access to viewing the cams over the BI or gDMSS app? My NOOB mind is having trouble grasping how anything other than the Dual NIC Computer is able to see the camera feeds? I am assuming it is something within the hardware of the computer that allows that to happen, but I am struggling with understanding how that then prevents the cameras from being accessed from the outside? Can someone explain that in layman terms?
2. If I were to connect another computer to the POE+Switch, that computer would not have access to the internet, correct? If that computer were on the same subnet as NIC2, could that computer access the cams GUI?
3. If my number 2 assumption is correct, could that same computer connected to the POE+ switch via ethernet have the wifi card set up to NIC1 subnet and access the internet yet still keep the cams isolated?

 

[crw030]

So I was able to set the dual nic up thanks to TL's step by step instructions. My only issue was that it isolated my unifi managed poe switch from it's controller.
is there a way around this? I put controller software on the BI computer and it sees the poe switch but cannot manage it without a router/gateway.

This feels mostly like a Ubiquity Unifi question, and I'm still puzzled somewhat by mine. However, more than likely discovery & management is via specific ports which you could probably passthru the Blue Iris computer. I just use a dumb POE switch, and my controller is plugged directly into my Ubiquity switch so no issues with it.

 

[crw030]

When you are connected to the router say by wifi on your phone, how is the phone able to get access to viewing the cams over the BI or gDMSS app?

For phone/iPad/SmartTV to Blue Iris via UI3 (webserver on Blue Iris). Not familiar with gDMSS, but quick read it looks like it is setup using P2P, which I wouldn't ever want to do myself. Any app that expects to reach the cameras directly will have issues, which could probably be addressed by going the VLAN route instead. This is more of a SIMPLE+SECURE approach, P2P would be SIMPLE+INSECURE approach.

If I were to connect another computer to the POE+Switch, that computer would not have access to the internet, correct? If that computer were on the same subnet as NIC2, could that computer access the cams GUI?

Yes just like the Blue Iris machine can access the camera GUI, if you RDP to the Blue Iris computer you can pull up camera login screens, make changes etc.

If my number 2 assumption is correct, could that same computer connected to the POE+ switch via ethernet have the wifi card set up to NIC1 subnet and access the internet yet still keep the cams isolated?

I guess so, but why you would need another one when you have the Blue Iris computer capable of providing that linkage?

 

[wittaj]

@crw030 thanks for the reply -

regarding gDMSS, there is a way set it up by IP address versus the P2P option, which works very well when you are home, but not so well when away from home LOL (unless you VPN in to get on home network), but then all the cams and everything at home are on the same network and then trusting that turning off P2P, uPnP, and using parental controls to prevent cam access to internet actually works. What I want to do is get further isolation of the cams on another subnet and trying to figure out if dual NIC or VLAN is the better option.

I am really leaning toward going the dual NIC route if that means that when I am on home wifi (NIC1), that I can access the cams on NIC2 with the phone viewing app. It is the cheaper route with less learning curve, but I don't want it taking a step backwards or adding more steps in terms of accessing on the phone with the app.

 

[RubberDucky]

As I found out when I did it....gDMSS quits working with the dual NIC setup since it can't see the cams directly. FWIW, It doesn't use P2P (although it sounds like it has the option to do so based on above comment). Certainly there is no need to and I have P2P turned off on my cams.

That's the nice thing about BI versus Smartpss. BI has a built in webserver and the UI3 interface is quite good. So it works well with the dual NIC setup either using your phone on the local lan or when VPNing in from outside. Luxriot EVO free also is a good option with similar setup that works well.

 

[crw030]

I am really leaning toward going the dual NIC route if that means that when I am on home wifi (NIC1), that I can access the cams on NIC2 with the phone viewing app.

I think this might be more complicated than you like with dual-NIC unless you can connect the app to Blue Iris streams or willing to port-forward at the Blue Iris machine and the app supports that. I don't use apps, I only use UI3 for all access on TV, iPad, phone (on wifi), and phone (over vpn).

The benefit of dual-nic is complete, idiot-proof isolation -- but that is also a curse if you are wanting to use any app etc which expects to reach the cameras via local subnet or public IP (either via P2p, uPNP, or port forward). The reason it works fine with Blue Iris is because Blue Iris provides the web server, and the utility (UI3) provides capability to interact with standard camera functions. Only the setup becomes more complicated due to the need to RDP/Teamviewer onto the Blue Iris machine to reach the camera interfaces.

In your case, if you need to use the cameras from an app, you might have to look at learning the basics of VLAN's and you might need VLAN capable hardware at certain points in your network.

 

[SouthernYankee]

The purpose of the two NICs is so you can not see the cameras, they are isolated.

 

[nowandthen]

VPN in to Blue Iris, if you use it, or to your NVR and view the cameras through those interfaces. I have a monitor connected to my BI PC and have it switched on whenever I am in the den or in the garage (another monitor wired to the garage). I have a wireless keyboard on the BI PC. If and when I need to adjust cameras, it's no big deal to do it on the BI PC. I currently have Hik cameras, it seems some settings must be done in the cameras themselves, so I'll just connect to them while on the BI PC. I was just curious if there was a secure way to get to the cameras on the 2nd NIC from other PCs on my network. It sounds like too much trouble and possibly compromising the whole point of the cameras being on the 2nd NIC. I'm OK using the BI PC exclusively to connect to the cameras.

I saw somewhere, if you add a NIC card, you should connect the cameras, via a POE switch in my case, to the NIC that is built into the motherboard, and connect to your LAN using the NIC card. I assume this is because of the high amount of data coming into the PC from the cameras and the motherboard NIC path is more efficient than the NIC card. Do I have that right?

 

[wittaj]

I think this might be more complicated than you like with dual-NIC unless you can connect the app to Blue Iris streams or willing to port-forward at the Blue Iris machine and the app supports that. I don't use apps, I only use UI3 for all access on TV, iPad, phone (on wifi), and phone (over vpn).

The benefit of dual-nic is complete, idiot-proof isolation -- but that is also a curse if you are wanting to use any app etc which expects to reach the cameras via local subnet or public IP (either via P2p, uPNP, or port forward). The reason it works fine with Blue Iris is because Blue Iris provides the web server, and the utility (UI3) provides capability to interact with standard camera functions. Only the setup becomes more complicated due to the need to RDP/Teamviewer onto the Blue Iris machine to reach the camera interfaces.

In your case, if you need to use the cameras from an app, you might have to look at learning the basics of VLAN's and you might need VLAN capable hardware at certain points in your network.

So I thought I would give this UI3 a look and yeah I like that and I can certainly go along with using that on my phone (probably better than the gDMSS LOL). So I could connect it fine while on that wifi "subnet" (10.10.xx.xx) and in BI it showed the web server as that subnet.

I guess I have to figure out the idiot proof isolation I messed up LOL. I have another subnet going in the house (192.168.xx.xx). For temporary purposes I tried to use the ethernet card as NIC1 and wifi as NIC2 to see if I could make it work before running out and buying another card. I must have messed something up there. I opened up the settings in BI and it now showed the web server as the 192.168.xx.xx address (which I assume it is supposed to show the address of the NIC that has internet access), but it wouldn't open.

So I turned off wifi and unplugged ethernet and reset adapters and tried again. Now I cannot get the web server to change over to the subnet with internet access. So I repeated and then reversed which NIC was accessing the cams and which NIC is accessing the internet and still no dice.

Edit: went back to original setting and saw a post in another thread from @SouthernYankee that said the BI Machine has to be on the internet access NIC, so now I see that the BI Web Server is back to the subnet with internet access, but still cannot pull it up in Chrome when on that subnet? As a bonus, doing this I found a switch I thought was a gigabit is only 100MB, so getting that swapped out!

Edit: I can open up UI3 using the 192. address on the BI machine, but no other computer on the 192. address can access it.

Time to play with it again, but is there something obvious or not obvious that I am missing, like an "oh yea, make sure you..."