Dual NIC setup on your Blue Iris Machine

Setting up VLANs is also recommended; you should also use a hardware-based firewall (like Ubiquiti's Security Gateway), which makes it easier to configure VLANs and inbound/outbound firewall rules.

Also, since these devices are apparently so good and so sneaky at dialing home and compromising your network information, is no one worried that malware could make it from the cams to the BI machine and then out to the rest of the world that way? If this is possible, then the only way to prevent this is to VLAN the cams off so they can't talk to any other devices on your network, thus sneaking information out via another device on your network which is connected to the internet. With the dual NIC setup instead of a VLAN, the cams are talking directly to an internet-connected machine and are thus able to spread malware, correct? I keep reading about these devices sending your network info back "home", and it doesn't seem far-fetched that if the person(s) that installed this malware really want to get this information out and back to them, the malware could then spread to your BI machine? Thoughts? Too Tom Clancy and far-fetched?

Edit: I don't know if, when you put the cams on a different VLAN than the BI machine, BI would still be able to grab the RTSP stream. I'm probably overthinking all that; it was just the first thing that came to mind when I started reading about the dual NIC setup.

Edit 2: I guess the BI Machine would still be able to talk to the rest of the devices on the Network and if there was some malware that really wanted out and could spread from device to device on your network it will find a way.
 
The cameras are physically stopped at the BI PC. The BI PC is not set to route. If you are running Defender or other AV, it will not be able to download software for the camera to the BI PC.

Physical separation is a little more secure than a VLAN. In a VLAN you are dependent on the software to provide the security; you are also dependent on the user setting the VLAN up correctly.

I have been using two NICs for years and have never had a camera MAC address reach the router. I have seen packets on the camera network that I cannot explain.

You just need to be vigilant and secure; all software has bugs and holes. In August, in a hacking contest, a group hacked a DOD satellite.

 
... the only way to prevent this is to VLAN the cams off so they can't talk to any other devices on your network thus sneaking information out via another device on your network which is connected to the internet.
VLAN tagging is great if the tags are only seen and processed by trusted equipment. It's a great way to pass routing policy data between devices that make firewall and routing policy decisions. Any other device that can access or spoof VLAN tagged frames means using it for security is a bad idea. It's not encrypted … like having a plain text logon password in each data packet; a very good reason to only let trusted devices have access to them.

The BI machine must not use connection sharing and ought to enforce really strict policies on the CAM interface. Windows makes this fairly easy (except for Windows itself). You can also reduce the attack surface by never running a browser on that machine and by limiting the amount of new software installed there.
 
I prefer physical separation, so the cams can in no way get through to the internet as the network adapters aren’t set to allow any traffic through.
Exactly, don't give the 2nd NIC for the cameras a DG. Nothing can connect to them other than the BI machine. Simple and effective.
 
Not at all with Windows 10. I can't remember if anything happens with earlier versions.
No - this has always been a supported option on PCs with more than one NIC configured. Technically neither NIC needs one unless you want to get outbound traffic to another network which is not local, hence the need for the gateway.
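The "no default gateway on the camera NIC, no routing, strict policy on that interface" advice from the posts above, worked through as an added PowerShell example. This is not code from the thread or from Blue Iris; it assumes the camera-side adapter has been renamed "Cameras" and uses the 192.168.88.0/24 addressing from the thread. Run it in an elevated PowerShell session on the BI host.

```powershell
# Added example (not from the thread): configure and verify an isolated camera NIC on a
# Windows Blue Iris host. Assumes the camera-side adapter is named "Cameras" (rename it in
# Network Connections or with Rename-NetAdapter) and the thread's 192.168.88.0/24 subnet.
# Run in an elevated PowerShell session.

$CamAlias = "Cameras"
$CamIP    = "192.168.88.101"

# 1. Static address on the camera NIC, deliberately with NO -DefaultGateway and no DNS servers.
#    Without a default route on this interface, nothing on 192.168.88.x can be routed onward.
Remove-NetIPAddress -InterfaceAlias $CamAlias -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $CamAlias -IPAddress $CamIP -PrefixLength 24 | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $CamAlias -ResetServerAddresses
Set-NetIPInterface -InterfaceAlias $CamAlias -AddressFamily IPv4 -Dhcp Disabled

# 2. The host must not route or share between the two NICs.
Get-NetIPInterface -AddressFamily IPv4 | Set-NetIPInterface -Forwarding Disabled
Stop-Service SharedAccess -ErrorAction SilentlyContinue        # Internet Connection Sharing
Set-Service SharedAccess -StartupType Disabled

# 3. Treat the camera segment as untrusted: Public profile, and block everything the cameras
#    try to initiate toward the BI host. Blue Iris opens the RTSP/HTTP sessions itself, so
#    no inbound rule is needed just to pull streams.
Set-NetConnectionProfile -InterfaceAlias $CamAlias -NetworkCategory Public
New-NetFirewallRule -DisplayName "Cameras: block inbound" -Direction Inbound `
    -InterfaceAlias $CamAlias -Action Block -Profile Any | Out-Null

# 4. Verify: no default route via the camera NIC, forwarding off, ICS stopped.
function Test-CameraNicIsolation {
    param([string]$Alias = $CamAlias)
    $defaultRoutes = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
        Where-Object InterfaceAlias -eq $Alias
    $fwd = (Get-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4).Forwarding
    $ics = (Get-Service SharedAccess).Status
    [pscustomobject]@{
        NoDefaultGateway = ($defaultRoutes.Count -eq 0)
        ForwardingOff    = ($fwd -eq "Disabled")
        IcsStopped       = ($ics -ne "Running")
    }
}
Test-CameraNicIsolation
```

Re-run `Test-CameraNicIsolation` after Windows updates or driver reinstalls, which can re-enable DHCP or a gateway on the adapter. Note that in Windows Firewall a block rule wins over any allow rule, so if you do rely on a camera pushing something to the host (snapshot uploads to an FTP or SMTP service running there, for example), replace the blanket inbound block with allow rules for just those ports and leave the default inbound action of the Public profile at Block.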
 
So I think I have finally gotten this set up correctly; please correct me if I have veered off course somewhere:
Router has a static assigned IP of 192.168.87.2
Connected computer with Blue Iris assigned IP of 192.168.87.13
NIC #2 that runs the switch is set to 192.168.88.101
I have a managed switch that I am not sure what the IP is; it's a Cisco managed SG300 28-port that I hard reset. Using it for the time being until I can get an unmanaged one.
First camera set up with an IP of 192.168.88.102

I am able to use my phone and switch openvpn on and log into Blue Iris using UI3 and see the camera just fine so I think so far so good right?
My hitch is when I plug another camera into the switch and try to use the Amcrest config tool, it does not find the new camera I just plugged in. What do I need to correct here? The first cam I installed was an indoor PTZ that was not PoE, and I temporarily plugged it into the ASUS router to access the interface, where I changed the IP address to 192.168.88.102, and was able to find it after plugging it into the switch by entering the IP in Google Chrome; however, I couldn't find it using the Amcrest config tool. I tried plugging the second cam into the router and a power source to access it like I did the first, but no dice. When I look at my network map on the router, none of the cameras show up. Am I a complete networking idiot?
 
Well, you are using subnets 87 and 88 for your system. I don't know about Amcrest, but if it is like Dahua, the default IP address is 192.168.1.108. So if it is plugged into 192.168.88.xxx then it will not be seen, since the subnet of the cam is 1 and the switch is 88.

The reason Dahua uses 192.168.1.108 is that almost every setup from an IP is using 192.168.1.xxx.
 
@redman19
The cameras are NOT supposed to show up on the router. That is the purpose of using the second NIC. The cameras are isolated from the router and the internet.
You need to plug the new camera into the router or a switch on the 87 network, then use the config tool to find the camera (most likely at 192.168.1.108) and set it to the 88 network, unplug the camera and put it on the 88 network.

The second network has only static addresses; it does not have access to the internet or DHCP.
 
@redman19
The cameras are NOT supposed to show up on the router. That is the purpose of using the second NIC. The cameras are isolated from the router and the internet...

Ok, that’s what I thought. I am new to networking and thought I had the gist, but wanted to be sure. Sounds like I really need to pick up a small PoE switch for initial set up since the other will be in the attic.
 
I usually use a laptop and change its IP address to a static IP like 192.168.1.100, then connect a network cable directly to the camera, using either a PoE injector or the power supply included with the camera, and then access it via web browser at 192.168.1.108 (or you could use the IP config tool instead) to change the cam IP address to static 192.168.88.xxx. Then disconnect the cam and connect it to your PoE Cisco switch.

Note: usually when hard reset, the Cisco switch defaults to 192.168.1.254, with login/password as cisco.... EDIT: some managed switches can be turned into an unmanaged switch. I have a different brand; it has a physical toggle switch between managed/unmanaged mode. If you want to switch to unmanaged, I would try disabling CDP, LLDP and auto smart ports on the switch.
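The laptop-on-192.168.1.x provisioning step described in the post above, as an added PowerShell example that is not from the thread: instead of re-addressing a laptop or moving the camera to the router, the BI host's isolated camera NIC temporarily gets a second address on 192.168.1.0/24 so a factory-default camera is reachable, and that address is removed afterwards. It assumes the adapter alias "Cameras", the thread's 192.168.88.0/24 camera subnet, and the 192.168.1.108 vendor default quoted above; 192.168.1.100 is just the temporary address chosen here. Run it elevated with only the new camera (direct or via a PoE injector) on the camera-side switch.

```powershell
# Added example (not from the thread): reach a factory-default camera through the isolated
# camera NIC without plugging it into the router. Assumes the adapter alias "Cameras",
# the vendor default address 192.168.1.108 mentioned in the thread, and 192.168.1.100 as a
# temporary secondary address on the same NIC. Run in an elevated PowerShell session.

$CamAlias   = "Cameras"
$TempIP     = "192.168.1.100"
$DefaultCam = "192.168.1.108"

function Enter-CameraProvisioning {
    # Add a second IPv4 address so the host can talk on 192.168.1.x alongside 192.168.88.x.
    New-NetIPAddress -InterfaceAlias $CamAlias -IPAddress $TempIP -PrefixLength 24 -ErrorAction Stop | Out-Null
    Start-Sleep -Seconds 2                      # let duplicate-address detection finish first
    $t = Test-NetConnection -ComputerName $DefaultCam -Port 80 -WarningAction SilentlyContinue
    if ($t.TcpTestSucceeded) {
        Write-Host "Camera web UI reachable at http://$DefaultCam - set its static IP to 192.168.88.x there."
        Start-Process "http://$DefaultCam"
    } else {
        Write-Host "No TCP/80 answer from $DefaultCam; check PoE/power and that the camera is really at factory defaults."
    }
}

function Exit-CameraProvisioning {
    # Remove the temporary 192.168.1.x address so the camera NIC is back to only its 192.168.88.x address.
    Remove-NetIPAddress -InterfaceAlias $CamAlias -IPAddress $TempIP -Confirm:$false
    Get-NetIPAddress -InterfaceAlias $CamAlias -AddressFamily IPv4 | Select-Object IPAddress, PrefixLength
}

Enter-CameraProvisioning
# ... change the camera's address in its web UI or the vendor config tool, then run:
# Exit-CameraProvisioning
```

Do one camera at a time, since every factory-default camera answers on the same address. The second address is only ever on the isolated NIC, so the camera still never sees the 192.168.87.x side or a route to the internet while it is being set up, and `Exit-CameraProvisioning` shows the adapter's remaining addresses so you can confirm only the 192.168.88.x one is left.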
 
Note: usually when hard reset, the Cisco switch defaults to 192.168.1.254, with login/password as cisco...

I’ll take a look to see if I can swap it over to unmanaged thanks. It’s way more switch than I need, and I don’t think looking at the specs it’ll hold up in the attic heat over time. I just happened to have it after renovating the phone and internet systems at our insurance office. I’ll probably sell it off before long.
 
Setting up VLANs is also recommended...

+1

Most enterprises would opt for the VLAN approach....but of course, most of us are home users so the Dual NIC design is going to be a little easier.
 
I am just setting up a system, and Blue Iris seems impressive. I have an HP 590 that I want to use, but it is very limited on slots; however, I do have wireless and Ethernet on the 590. Is there a way to use both of those for the dual NIC setup, or do I need to use a USB Ethernet adapter that I bought for my FireTV because I no longer use it?

I am willing to buy a router that has VLAN, but to be honest, every router that I have found for $200 or less claims VLAN but it is only IPTV VLAN. Suggestions for a router would be OK too, also if there are good guides on how to set up the VLAN (I've seen several Dream Machine videos that walk you through it and seem easy enough, however that is $300).