Dual NIC setup on your Blue Iris Machine

jaclarkaus

Young grasshopper
Joined
Jan 30, 2016
Messages
34
Reaction score
1
Location
Sydney Australia
1. You can put multiple IP addresses on a single NIC in Windows, across different subnets, to achieve all that can be done with 2 NICs without the complicated hardware. If you want 2 NICs they can be teamed and then used across 2 subnets anyway.
2. I use a Ubiquiti Dream Machine which can block specific IP addresses from the internet, so it stops phoning home. Easy.
 

jaclarkaus

Would think it has to be logically separate. Only benefit physically separate would be if someone was going to physically attach the system, like connecting it to the mains I guess.

Logically separate should stop external access and dialling home. Why do they dial home anyway?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,930
Reaction score
6,779
Location
Scotland
Physically separate blocks the ability of a compromised connected device to be able to access any other connected devices on the same physical network by simply using another IP address.
 

rparge

n3wb
Joined
Jul 29, 2020
Messages
1
Reaction score
0
Location
USA
LOL...some of y'all are really overthinking this dual NIC thing.

Your NICs are going to be assigned static IP addresses BY YOU! In the diagram below, if your home network router is 192.168.1.1 like most people then the home network is 192.168.1.X so make your main BI server NIC (red) have a fixed IP like 192.168.1.100. Then make your Camera side NIC (green) have a fixed address like 192.168.0.100. Only devices on the red side can talk directly to your BI server. Devices (IP cams) on the green side can only be accessed by your BI server and they all have IP addresses 192.168.0.X. If you stick your BI server in a closet without a keyboard, mouse, monitor then use TeamViewer or RDP from any computer on your red side network to pull up the desktop/screen of your Windows 10 BI server. If you are away from home on another network like a mobile phone network (cell tower), a friend's network or any WiFi network anywhere in the world connect to your home network first using VPN. Hopefully, you have a router with built-in VPN capability like OpenVPN...one reason I like ASUS routers. After connecting via VPN to your home network you can access your BI server with TeamViewer or RDP. If you want to access Blue Iris directly then use UI3 on a computer or any mobile device or use the BI app on a mobile phone. You'll turn off VPN when you get back home. To access BI camera view using UI3 use a Chrome browser and use the address of your BI server. If your BI server (red side) has an IP address of 192.168.1.100 then in the browser you enter the address such as where 81 is the port number.


View attachment 55258


View attachment 55133

Thank you, I got this working fine.
BI = 192.168.1.100:81, and all the cameras at 192.168.0.x, added them in and all worked great.
But in your example, shouldn't the screen shot for the LAN address be 192.168.1.100:81?
 
Joined
Aug 12, 2020
Messages
7
Reaction score
1
Location
Perth
-enter the IP you want to use for your cams. Choose one that will not conflict with anything else like
"192.168.55.10"

Now you can make the cam IPs 192.168.55.xxx - the only number you cannot use is .10. Example of 4 cams would be:
"192.168.55.20"
"192.168.55.21"
"192.168.55.22"
"192.168.55.23"
I think I understand most of it except this part...

How did you choose the IP "192.168.55.10" or is it something you can make up as long as it's within the range and not in use?
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,448
Reaction score
47,574
Location
USA
@techierookie - it is arbitrary - just don't use the same last digits twice. Some will do .10 or .20 or .100, but whatever configuration you like within the range works.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
I think I understand most of it except this part...

How did you choose the IP "192.168.55.10" or is it something you can make up as long as it's within the range and not in use?
Yes, I simply made the # up because it did not conflict with anything else. You can do the same and choose your own number. You cannot make that any of your cameras.
 

CaseyJones

Young grasshopper
Joined
Sep 28, 2020
Messages
40
Reaction score
12
Location
Live Oak, FL
Just to make sure I'm following correctly, using this method you would not block the newly assigned Cam IP addresses (connected to the CAM "2nd NIC") on your WAN Router correct? Because if I understand correctly the router connected to your modem (the internet) doesn't actually see the IP addresses of your Cameras because of the physical separation created by the use of two NIC cards? Or is it still a safe practice (or still necessary) to block the camera IP addresses in your firewall settings on your router?
 

wittaj

They would be two separate beginning IP addresses, so you couldn't block the 2nd NIC from the router hooked to 1st NIC. But you would still turn off all internet applicable features on the camera side of things just to be safe.
 

CaseyJones

After double clicking "Internet Protocol Version 4 (TCP/IPv4)":
Click the "Use the following IP address"

-enter the IP you want to use for your cams. Choose one that will not conflict with anything else like
"192.168.55.10"

Now you can make the cam IPs 192.168.55.xxx - the only number you cannot use is .10. Example of 4 cams would be:
"192.168.55.20"
"192.168.55.21"
"192.168.55.22"
"192.168.55.23"

Default gateway will be blank.

It will look like this:


------------------------------------------------
------------------------------------------------

Making sure I'm following along correctly again using the example and screenshots from the original post (above),
"-enter the IP you want to use for your cams. Choose one that will not conflict with anything else like
"192.168.55.10"
in this step I would want to use any 192.168.x.x address as long as it's not the same as the subnet that my router and NIC 1 are using correct? For example if my router, NIC 1 and the BI machine were on a subnet 192.168.55.x I would not want to use the proposed 192.168.55.10 used in the example?



My cameras are Dahua and I was able to access them through IE.

Follow steps below to get this to work so you can simply type 192.168.1.108 in IE.

-Add a similar IP to Dahua so it can log into IE. For example: '192.168.1.55' (you can use any number between 1-254 and not only .55 - just do not use .108 so it doesn't conflict with the Dahua IP).

It will look like this:

------------------------------------------------
------------------------------------------------


Now you are set - plug in each Dahua IP Cam and type 192.168.1.108 into IE - setup the password and change the IP to "192.168.55.20 / .21 / .22 / .23" and so on.

After you setup your password you will see the Dahua GUI - go to:
'settings' tab -> then go to Network -> TCP/IP

The gateway will be 'made-up' so it cannot connect to the internet on your Dahua. Please make sure your Default Gateway is the same IP as your cameras but use .254 so it doesn't conflict with any future cameras you will add.

It will look like this:



------------------------------------------------
------------------------------------------------


Auto-detect in your cams on Blue Iris by using the 192.168.55.20/21/22 IP
Second question after you add the "similar IP to Dahua so it can log into IE. For example: '192.168.1.55' (you can use any number between 1-254 and not only .55 - just do not use .108 so it doesn't conflict with the Dahua IP)." and change all the IP Addresses of your cameras and Auto-detect them into BI, should you then go back and remove 192.168.1.55 (in the screenshot it appears @TL1096r actually used 192.168.1.50) from the IP addresses on the 2nd NIC? All the camera IP addresses should now be 192.168.55.x in the example and the 192.168.1.x is no longer needed correct? Or is this just an extra step and a waste of time?
 

wittaj

For the 2nd NIC that is the cameras in that example - you would use the IP address 192.168.1.XX where the XX is a different number for each camera.

For the 1st NIC that is connected to the router, it can be any private IP address other than 192.168.1.XX - if you use that same one, then NIC2 can talk through NIC1.

Some people will make the NICs one number off each other, so NIC1 would be 192.168.2.XX, and others make them completely opposite so that you don't get confused like 172.16.25.XX
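
Added example (not part of the thread, and not any poster's code): a small Python check for the address plan discussed above, flagging a camera subnet that overlaps the router-side LAN, duplicate or colliding camera IPs, and a camera gateway that is a real host rather than a made-up one. The function name `check_plan`, the /24 masks and the two sample plans are assumptions built from the addresses quoted in the posts.

```python
import ipaddress

def check_plan(lan_cidr, cam_nic_cidr, cam_ips, cam_gateway=None):
    """Return a list of problems with a dual-NIC address plan (empty = OK)."""
    problems = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    nic = ipaddress.ip_interface(cam_nic_cidr)   # camera-side NIC address
    cam_net = nic.network

    # The router-side NIC and the camera-side NIC must use different
    # subnets; with the same one the camera side is no longer separate.
    if lan.overlaps(cam_net):
        problems.append(f"camera subnet {cam_net} overlaps LAN {lan}")

    seen = set()
    for raw in cam_ips:
        ip = ipaddress.ip_address(raw)
        if ip not in cam_net:
            problems.append(f"{ip} is outside camera subnet {cam_net}")
        elif ip in (cam_net.network_address, cam_net.broadcast_address):
            problems.append(f"{ip} is not a usable host address")
        if ip == nic.ip:
            problems.append(f"{ip} collides with the camera-side NIC")
        if ip in seen:
            problems.append(f"{ip} is assigned to more than one camera")
        seen.add(ip)

    # The camera gateway is meant to be a made-up address, so it must not
    # be the NIC or any camera that actually exists on the segment.
    if cam_gateway is not None:
        gw = ipaddress.ip_address(cam_gateway)
        if gw == nic.ip or gw in seen:
            problems.append(f"camera gateway {gw} is a live host, not a dummy")
    return problems

# Constructed plans using the addresses quoted in the thread (/24 assumed).
GOOD = check_plan("192.168.1.0/24", "192.168.55.10/24",
                  ["192.168.55.20", "192.168.55.21",
                   "192.168.55.22", "192.168.55.23"],
                  cam_gateway="192.168.55.254")
# Router already on 192.168.55.x, one camera reuses .10, one is duplicated.
BAD = check_plan("192.168.55.0/24", "192.168.55.10/24",
                 ["192.168.55.10", "192.168.55.20", "192.168.55.20"],
                 cam_gateway="192.168.55.10")

if __name__ == "__main__":
    print("good plan:", GOOD or "no problems")
    for p in BAD:
        print("bad plan:", p)
```

A camera still on its factory address shows up as "outside camera subnet", which is the situation the temporary second IP on the camera NIC works around during setup.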
 

Arjun

Known around here
Joined
Feb 26, 2017
Messages
9,015
Reaction score
11,032
Location
USA
Nothing wrong with a dual NIC setup :)
Just make sure that any remote connection requests to the BI machine are automatically denied
 

CaseyJones

Nothing wrong with a dual NIC setup :)
Just make sure that any remote connection requests to the BI machine are automatically denied

@Arjun since you mention this, is it advisable to firewall off the BI Machine's IP address in your router settings? Technically you don't need an internet connection once the BI Machine is set up and running, correct? If you have an NTP installed on the BI Machine locally. Someone mentioned that this wouldn't work with an ASUS router in a post on a different thread. But let's say I don't want/need to Remote Desktop in, I'm just going to use UI3 and the app. Once the VPN connection is made I'll be "on the local network" and able to use UI3 and the app without the BI Machine needing to talk to the outside (the internet). And if I need to update/download any software then I can just change the firewall settings in the router as needed, this way the BI Machine isn't just sitting connected to the outside internet 24/7.
 
Joined
Aug 8, 2018
Messages
7,386
Reaction score
25,889
Location
Spring, Texas
is it advisable to firewall off the BI Machine's IP address in your router settings
That is no more necessary than any other item on your LAN. When using a dual NIC setup, the BI machine is no different than your laptop, Xbox, or desktop PC that you access the internet with. The cam side is isolated from the internet.

If you do not have an internet connection, you will not get any of the updates to BI.
 

wittaj

You may also want to use a 3rd party application at some point like Sentry or Plate Recognizer that are integrated with BI, so the BI machine would need access for those. Just FYI if you firewall it and later try one of those or others out there.
 

CaseyJones

That is no more necessary than any other item on your LAN. When using a dual NIC setup, the BI machine is no different than your laptop, Xbox, or desktop PC that you access the internet with. The cam side is isolated from the internet.

If you do not have an internet connection, you will not get any of the updates to BI.

How do you go about doing what @Arjun said about automatically denying remote connections to the BI Machine? Is this a windows setting, a BI setting, or a network/router setting? Trying to make sure I understand what Arjun is referring to and making sure I do that.
 

Arjun

There was a setting for the specific NIC to deny remote connection requests; in fact, I just came across that the other day, but can't find the setting; Windows 10 updates keep moving settings around. This was the closest I could find: How to Disable Remote Access in Windows 10 - Securicy

However, I am not too confident in managing settings in the new User Interface within Windows 10. Miss the good old Control Panel days

How do you go about doing what @Arjun said about automatically denying remote connections to the BI Machine? Is this a windows setting, a BI setting, or a network/router setting? Trying to make sure I understand what Arjun is referring to and making sure I do that.
 

CaseyJones

Also, since these devices are apparently so good and so sneaky at dialing home and compromising your network information, no one's worried that malware could make it from the cams to the BI machine and then out to the rest of the world that way? If this is possible then the only way to prevent this is to VLAN the cams off so they can't talk to any other devices on your network thus sneaking information out via another device on your network which is connected to the internet. Using the Dual NIC setup instead of a VLAN the Cams are talking directly to an internet connected machine and thus able to spread malware, correct? I keep reading about these devices sending your network info back "home" and it doesn't seem farfetched that if the person(s) that installed this malware really want to get this information out and back to them that the malware could then spread to your BI machine? Thoughts? Too Tom Clancy and farfetched?

Edit: I don't know if you put the cams on a different VLAN than the BI Machine if BI would still be able to grab the RTSP stream. I'm prob over thinking all that, it was just the first thing that came to mind when I started reading about the Dual NIC setup.

Edit 2: I guess the BI Machine would still be able to talk to the rest of the devices on the Network and if there was some malware that really wanted out and could spread from device to device on your network it will find a way.
 