EdgeRouter Lite

noxcuses (n3wb; joined Mar 12, 2015; 12 messages; 1 reaction score)
I recently upgraded my home network to a Ubiquiti EdgeRouter Lite, an AC-Pro AP, and a couple of AC-In-Wall units. I'm very pleased with the coverage and performance of the system. It works well with 3 Firesticks streaming video, phones, computers, and all my IoT gear. I'm in the process of designing my camera setup at the moment. From reading posts on this forum, here is what I'm thinking (any advice would be great):
1. Set up the free port (ETH2) on the EdgeRouter as a physically isolated network. Only the BI PC & 5 IP cameras.
2. Block all outgoing traffic on (ETH2).
3. Have the Blue Iris PC on (ETH2) able to communicate with the network on (ETH1).
4. Block all traffic from the (ETH1) network to the ETH2 network except for the BI-PC.

Is that the best way to set up the camera network? I've found several videos that are close, but not exactly how to set up the firewall rules on the ERL.
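The four steps above, written out as EdgeOS configuration-mode commands for the ERL. This is an added example, not configuration posted by anyone in this thread; it assumes eth1 is the secure LAN on 192.168.1.0/24, eth2 becomes the camera LAN on 192.168.0.0/24, and the BI-PC has the static address 192.168.0.10 (all three are constructed placeholders).

```vyatta
configure

# Step 1: the spare port becomes its own subnet; cameras and the BI-PC get static addresses
set interfaces ethernet eth2 description "Camera LAN"
set interfaces ethernet eth2 address 192.168.0.1/24

# CAM_IN: packets arriving on eth2 that the router would forward to the LAN or the internet
set firewall name CAM_IN default-action drop
set firewall name CAM_IN enable-default-log
set firewall name CAM_IN rule 10 description "Replies to connections opened from the LAN side"
set firewall name CAM_IN rule 10 action accept
set firewall name CAM_IN rule 10 state established enable
set firewall name CAM_IN rule 10 state related enable
# Step 3: only the BI-PC (assumed 192.168.0.10) may open connections out of the camera LAN
set firewall name CAM_IN rule 20 description "BI-PC to LAN and internet"
set firewall name CAM_IN rule 20 action accept
set firewall name CAM_IN rule 20 source address 192.168.0.10
# Step 2: anything else from eth2, i.e. the cameras, hits default-action drop and is logged

# CAM_LOCAL: packets from eth2 aimed at the router itself (web UI, SSH, DNS forwarder)
set firewall name CAM_LOCAL default-action drop
set firewall name CAM_LOCAL rule 10 action accept
set firewall name CAM_LOCAL rule 10 state established enable
set firewall name CAM_LOCAL rule 10 state related enable

# Step 4: CAM_OUT filters packets the router sends into eth2, which is how the secure LAN reaches it
set firewall name CAM_OUT default-action drop
set firewall name CAM_OUT rule 10 action accept
set firewall name CAM_OUT rule 10 state established enable
set firewall name CAM_OUT rule 10 state related enable
set firewall name CAM_OUT rule 20 description "LAN hosts may reach the BI-PC only, never a camera"
set firewall name CAM_OUT rule 20 action accept
set firewall name CAM_OUT rule 20 destination address 192.168.0.10

# Attach the three rule sets to eth2
set interfaces ethernet eth2 firewall in name CAM_IN
set interfaces ethernet eth2 firewall local name CAM_LOCAL
set interfaces ethernet eth2 firewall out name CAM_OUT

commit
save
exit
```

Because the BI-PC now originates internet traffic from 192.168.0.0/24, the existing WAN masquerade NAT rule has to cover that subnet too; dropped camera traffic shows up in `show log | match CAM_IN`, which is a quick way to confirm the cameras are not phoning home.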
 

bp2008 (Staff member; joined Mar 10, 2014; 12,680 messages; 14,041 reaction score; location USA)
You'll want the BI-PC to have internet access so you can log in remotely.

It is easier to just put a second network adapter in the BI-PC so you have one network interface for your LAN and the other for your cameras. Then you don't have to worry about routing and firewall rules.
 

giomania (IPCT Contributor; joined Jun 1, 2017; 780 messages; 538 reaction score)
> You'll want the BI-PC to have internet access so you can log in remotely.
>
> It is easier to just put a second network adapter in the BI-PC so you have one network interface for your LAN and the other for your cameras. Then you don't have to worry about routing and firewall rules.

I did this on my (soon to be) BI machine, but when I went to enable the second NIC for my IoT LAN, Windows popped up a warning that it may cause issues, so I didn't execute. I can't remember the exact wording, however.


Sent from my iPhone using Tapatalk
 

noxcuses (n3wb; joined Mar 12, 2015; 12 messages; 1 reaction score)
> You'll want the BI-PC to have internet access so you can log in remotely.
>
> It is easier to just put a second network adapter in the BI-PC so you have one network interface for your LAN and the other for your cameras. Then you don't have to worry about routing and firewall rules.

Good idea. That would save quite a bit of rule config.

How would BI know which network card to use for remote access vs. cameras? Or does it even need to know?
 

giomania (IPCT Contributor; joined Jun 1, 2017; 780 messages; 538 reaction score)
> Good idea. That would save quite a bit of rule config.
>
> How would BI know which network card to use for remote access vs. cameras? Or does it even need to know?

You are still going to need firewall rules, which is why I recommended using the wizard I noted above.

It really is fantastic and creates the rules that the majority of people need, which only allow established/related connections between subnets.

Another thing to consider for your "insecure" subnet is a separate Wi-Fi SSID on a VLAN for your IoT devices. I know the Ubiquiti wireless access points are capable of this with UniFi switches.

I am moving to UniFi over time and currently have a hybrid system with an EdgeRouter and two UniFi switches, but the UniFi software cannot configure the EdgeRouter, so I will need the UniFi Security Gateway as well.




Sent from my iPhone using Tapatalk
 

giomania (IPCT Contributor; joined Jun 1, 2017; 780 messages; 538 reaction score)
> > You'll want the BI-PC to have internet access so you can log in remotely.
> >
> > It is easier to just put a second network adapter in the BI-PC so you have one network interface for your LAN and the other for your cameras. Then you don't have to worry about routing and firewall rules.
>
> I did this on my (soon to be) BI machine, but when I went to enable the second NIC for my IoT LAN, Windows popped up a warning that it may cause issues, so I didn't execute. I can't remember the exact wording, however.
>
> Sent from my iPhone using Tapatalk

Since you brought this up, I was wondering if you could review this section from my "Cliff Notes" and advise whether it is accurate. I am not sure that pointing the cameras to the secure BI server IP address is accurate? I would think you could point the cameras to the non-secure BI server IP address for time server capabilities?

Blue Iris Server with Dual LAN
Concept & Configuration

Similar to the way Dahua NVRs use a separate subnet for the cameras, you can set up a Blue Iris computer the same way by using two network interfaces. If the motherboard on the computer does not have dual LAN interfaces, and there is a spare PCI-E slot, just get an additional Network Interface Card (NIC), like this one. Use one of the network interfaces for your secure LAN, and the other one for the non-secure camera LAN. The Blue Iris PC needs to have access to Ethernet cables for both the secure and non-secure networks, which need to be on different subnets; i.e. 192.168.1.X secure, and 192.168.0.X non-secure. If you use any managed switches on your network, ensure their IP address is changed accordingly.


The non-secure network would connect to the PoE switch w/all your cameras, which should all be configured with static IP addresses, and firewall rules that prevent the cameras from directly accessing the internet or the secure LAN subnet. With this configuration, only the Blue Iris server will be able to access both the (secure) LAN and the (non-secure) camera network.


The Blue Iris computer acts as the time server for the cameras, and the cameras point to the secure LAN IP address for this computer (i.e. 192.168.1.X secure). To allow the communication from the cameras to the time server IP address, set a firewall rule to allow port 123/UDP to pass through the firewall of the non-secure network.
 

bp2008 (Staff member; joined Mar 10, 2014; 12,680 messages; 14,041 reaction score; location USA)
> Good idea. That would save quite a bit of rule config.
>
> How would BI know which network card to use for remote access vs. cameras? Or does it even need to know?
You'd assign static addresses to your cameras and to the second LAN port on the BI-PC, and make those addresses part of a different subnet. Windows would know the networks available on each network interface and route the traffic appropriately.
 

giomania (IPCT Contributor; joined Jun 1, 2017; 780 messages; 538 reaction score)
@bp2008
And they all have the same gateway assigned on the (Non-secure) subnet?
 