Dual NICs to isolate cameras?

Olddawg

Getting the hang of it
Joined
Aug 9, 2018
Messages
113
Reaction score
49
Location
OK
My current configuration is as shown below. My question is: to better isolate the cameras, should I install a second NIC, and can I connect the unmanaged switch with the cameras to the second NIC, or will I need additional hardware? I am not clear how to configure the second NIC.


[attached image: upload_2018-9-11_14-53-24.png]
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
What you plan on doing will work. Add a second NIC. Connect the switch to that NIC. Use only static IP addresses for the cameras and for the second NIC. Also change the IP address to be on a different subnet.
 

Olddawg

Getting the hang of it
Joined
Aug 9, 2018
Messages
113
Reaction score
49
Location
OK
Thank you Southern Yankee. I am not clear on subnets. For example, my current NIC is 192.168.254.97, so could I make my second NIC 192.168.253.97 and then the camera 192.168.253.98?
 

Mr_D

Getting comfortable
Joined
Nov 17, 2017
Messages
596
Reaction score
527
Location
Southern California
Thank you Southern Yankee. I am not clear on subnets. For example, my current NIC is 192.168.254.97, so could I make my second NIC 192.168.253.97 and then the camera 192.168.253.98?
Yes, that would work, but I would make the subnets more dissimilar so you don't get confused about which is which. The only disadvantage to this setup is that you can only access the cameras directly from the BI PC and the cameras can't reach the Internet even if you want them to. I isolate them with a managed switch and firewall and only let my cameras access the Internet for keeping their clocks accurate. You could solve that by running a time (NTP) server on your BI PC.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Thank you Southern Yankee. I am not clear on subnets. For example, my current NIC is 192.168.254.97, so could I make my second NIC 192.168.253.97 and then the camera 192.168.253.98?
Indeed, you can put your cams on 192.168.253.0/24, everything on "static IP" as that subnet will not have a DHCP server. So cam 1 on 192.168.253.98, cam 2 on 192.168.253.99 and cam 3 on 192.168.253.100. But then nothing behind NIC#2 can talk to anything but the BI server itself (on 192.168.253.97). If you would want to, in case of urgency for example, connect to a cam directly from your 192.168.254.0/24 network, you are either obliged to TeamViewer into the BI server and take a browser to go to 192.168.253.98, OR you "upgrade" your BI server to route the traffic FROM the 192.168.254 subnet TO the 192.168.253 subnet (not the inverse).

Or you could, possibly for the same price as an additional network card in the BI server, opt for something like an EdgeRouter X ($50-$60), which gives you a handy box that is able to create these subnets for you, with all possible firewall rules etc.
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,335
Yes, as @catcamstar points out, some of the routers that have VPN capabilities also have the ability to set up different subnets right in the router itself. No need for a second NIC.

Not that having a second NIC is bad, of course. But a VPN-Enabled router may well allow you to do what you want without needing the additional NIC, and might have some other features you'd like to have as well.

I'm using one of the ASUS routers with built-in VPN support, and it's really handy in a lot of ways for managing the individual devices on my network. Not just the cameras, but printers, etc., as well.

And by having your VPN in the router, you will have the ability to use the VPN for other things on your network as well.
 

Olddawg

Getting the hang of it
Joined
Aug 9, 2018
Messages
113
Reaction score
49
Location
OK
Thanks everyone for the input. My plan is to eventually get a router with VPN, but I have another NIC I plan to use for now, although I hadn't thought about keeping the camera time accurate. My BI server is headless, stuck under a desk, and I use RDP to access it when needed. I also use the BI UI3 for monitoring when needed. I assume that I can still access BI UI3 on the 192.168.254.97 address or via OpenVPN with the cameras configured to the 192.168.253.98-100 addresses.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,907
Reaction score
21,289
Using a second network card does not preclude the need for VPN.... Your entire network is just as vulnerable as it was before...
 

Olddawg

Getting the hang of it
Joined
Aug 9, 2018
Messages
113
Reaction score
49
Location
OK
So Fenderman, am I wasting my time putting the cameras on a separate NIC on the BI server with OpenVPN?
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
John

I use a dual NIC. I also use OpenVPN from an Asus router. The cameras have no way to get to the internet. This also keeps the cameras away from my other home network PCs and home equipment.

I also use the BI box as a time server.
 

Olddawg

Getting the hang of it
Joined
Aug 9, 2018
Messages
113
Reaction score
49
Location
OK
Thanks SouthernYankee. The OpenVPN router is my future plan, but short term I put OpenVPN on the BI server to access UI3. Can you suggest where to start studying on making BI a time server?
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I would definitely encourage you to add the second NIC and move the wire from the unmanaged switch directly to the BI machine's 2nd NIC port. There are other ways to do it (like VLANs), but that one is stupid simple; it separates your most vulnerable devices (IP cameras) from your regular network PCs and prevents them from making any connections beyond the one you want -> a video stream to the BI machine (just my opinion). VLANs work also, lots of smart people here have those working, but dual-NIC is just about idiot-proof -- both schools of thought have a number of people supporting them on these forums. I haven't set up using VLANs, so I can't speak to whether I find it easier or harder (and even that might depend on the equipment I have on hand, wouldn't it?). My limited research did indicate "VLAN hopping" was a potential security risk you might want to ensure your equipment/config wasn't vulnerable to.

Does your router have a built-in firewall? I'm a little worried if you are putting the BI machine (a Windows computer) directly connected to your provider's internet connection with their crappy hardware as your only protection; best keep that Windows machine up-to-date, or at least install a software firewall. I believe OpenVPN needs just port 1194 UDP/TCP to be forwarded to the BI machine, nothing else (someone will check me on this).
 

Olddawg

Getting the hang of it
Joined
Aug 9, 2018
Messages
113
Reaction score
49
Location
OK
I would definitely encourage you to add the second NIC and move the wire from the unmanaged switch directly to the BI machine's 2nd NIC port. There are other ways to do it (like VLANs), but that one is stupid simple; it separates your most vulnerable devices (IP cameras) from your regular network PCs and prevents them from making any connections beyond the one you want -> a video stream to the BI machine (just my opinion). VLANs work also, lots of smart people here have those working, but dual-NIC is just about idiot-proof -- both schools of thought have a number of people supporting them on these forums. I haven't set up using VLANs, so I can't speak to whether I find it easier or harder (and even that might depend on the equipment I have on hand, wouldn't it?). My limited research did indicate "VLAN hopping" was a potential security risk you might want to ensure your equipment/config wasn't vulnerable to.

Does your router have a built-in firewall? I'm a little worried if you are putting the BI machine (a Windows computer) directly connected to your provider's internet connection with their crappy hardware as your only protection; best keep that Windows machine up-to-date, or at least install a software firewall. I believe OpenVPN needs just port 1194 UDP/TCP to be forwarded to the BI machine, nothing else (someone will check me on this).
My router (Windstream Actiontec T3200) does have a built-in firewall but doesn't support VPN. I have OpenVPN installed and am using Windows Defender on the BI server with ports 1194 and 1195. I plan on installing the second NIC for the unmanaged switch and cameras tomorrow if time permits. Studying about NTP server right now. I tried setting it up per Configuring a Standalone NtpServer but that method does not appear to be working. Future plan is to get a router with VPN.
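The dual-NIC camera segment and the "BI box as NTP server" setup discussed in this thread, as an added PowerShell example for the Windows BI PC; this is not code from any poster. It assumes the new adapter is named "Ethernet 2" and reuses the 192.168.253.0/24 addressing from the thread, with the BI PC at 192.168.253.97 and no default gateway on that NIC, so the cameras can only ever reach the BI PC.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Assumed values: adapter alias, camera subnet and BI address, per the thread.
$CamNic    = 'Ethernet 2'         # assumption: check with Get-NetAdapter
$CamSubnet = '192.168.253.0/24'
$BiCamIp   = '192.168.253.97'

# 1. Static address on the camera NIC, deliberately with NO default gateway.
#    Without a gateway here, nothing on the camera side has a route off-segment.
Set-NetIPInterface -InterfaceAlias $CamNic -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $CamNic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $CamNic -IPAddress $BiCamIp -PrefixLength 24 | Out-Null

# 2. Make sure Windows does not forward packets between the two NICs
#    (off by default, but ICS/RRAS can turn it on without you noticing).
Set-NetIPInterface -InterfaceAlias $CamNic -AddressFamily IPv4 -Forwarding Disabled

# 3. Let the BI PC answer NTP. Windows Time only serves clients when the
#    NtpServer provider is enabled; /reliable:yes makes it advertise itself
#    as a usable source even though it is only a stratum-2 client itself.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
Set-Service -Name w32time -StartupType Automatic
w32tm /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service -Name w32time
w32tm /resync

# 4. Firewall: the only inbound traffic the cameras need to start is NTP.
#    The profile default already blocks everything else inbound, so one
#    allow rule scoped to the camera NIC and subnet is enough. -Profile Any
#    covers the case where Windows classifies a gateway-less NIC as "Public".
New-NetFirewallRule -DisplayName 'Camera segment: NTP in' -Direction Inbound `
    -Protocol UDP -LocalPort 123 -RemoteAddress $CamSubnet `
    -InterfaceAlias $CamNic -Profile Any -Action Allow | Out-Null

# 5. Checks: service state, and a live NTP query against our own camera-side
#    address (the same query a camera will make). Point the cameras' NTP
#    setting at $BiCamIp once this reports offsets instead of timeouts.
w32tm /query /status
w32tm /stripchart /computer:$BiCamIp /samples:3 /dataonly
Get-NetRoute -InterfaceAlias $CamNic -AddressFamily IPv4 |
    Where-Object DestinationPrefix -eq '0.0.0.0/0'   # must return nothing
```

If the stripchart shows timeouts, the usual culprits are the NtpServer provider still disabled, w32time not running, or a third-party firewall on the BI PC dropping UDP 123 before the Windows rule is consulted.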
 