Full System Upgrade

sfitz527

n3wb
Joined
Apr 25, 2016
Messages
14
Reaction score
7
Another suggestion would be to consider buying a decent UPS to safeguard your NVR and POE switches. We seem to have a power spike or loss a few times a year, and I definitely feel safer knowing my surveillance system doesn't feel that hit every time. To give you an idea, a CyberPower CP1500AVRLCD gives me about 2 hours of run time on a 16-channel NVR with 8 cameras running.
 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
Thanks! I have two - one for the switch that will be placed in the garage, and one for the server cabinet that will run the second switch, NVR, and ASUS router. Though, you reminded me that I actually need one more UPS for the ISP modem and the separate router that runs the WiFi system for the house.
 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
Progress, progress, progress!

Andy was on top of his game and I received the NVR and first batch of cameras one day after they were shipped. Now that's service! I think he was even surprised how fast it got here. My dining room table is full of all of the equipment I've purchased so far...which is extensive.


I finished making the network connections from the garage area into the room where the server cabinet is and now I’m about to run the cable track and Cat 6 from the box to the closet. Short of cables being cut, I don’t know what you all do to try and prevent them from being visible or unplugged. I decided on using a locking outlet cover to at least help with that.



I also put one on the two-gang outlet that I installed in the closet. At least that way the closet is still functional while also protecting everything. Overkill? Maybe. Peace of mind? You bet! The keystone outlet with the blanks is for any future connections that I might need.

 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
Oh man, this was network infrastructure upgrade day...and what a day it was.

My house is two stories totaling a little over 3,000 sq ft, and the previous...ahem...occupant thankfully ran some ethernet cables from the downstairs into the closet where the server cabinet is now housed. However, he only ran two, and for this setup I need four. I decided that I was going to replace the existing cables with my new Cat 6. Wire fishing through holes not originally made for 4 cables ain't no fun, folks! My beautiful wife, bless her and her patience, helped me out by making sure the cables and the fish line were feeding properly. We hit more than a few snags along the way, but all four cables are pulled, terminated, and doing their job. It was very hot up in the attic area and I was completely filthy by the end of it.

Why four cables, you ask?

1. Modem downstairs to Asus router upstairs
2. Asus router to Ubiquiti router downstairs set in bridge mode. The Ubiquiti is the house mesh network system (that works VERY well) and I need it to be able to see the Asus that the camera and switches will reside on. It's now a glorified switch with WiFi and the Asus runs the DHCP.
3. NVR HDMI out to ethernet HDMI extender that hooks up to two televisions downstairs
4. NVR USB out to ethernet USB extender to be able to use the mouse downstairs

I also installed a tv in the master bedroom complete with a wall outlet and painted cover. It receives the signal from the HDMI over ethernet that splits to a wireless HDMI extender. They aren't cheap, but it works perfectly! I've found no easy path to get cabling from the two story side of the house to the one story side, which is why it has to go wireless.




The backyard got two new low profile 1000 lumen lights to help with visibility and night time camera quality. No complaints from the neighbors, thankfully, but they should be used to it. There have been lights running back there every night for at least 4 years.


The next major task is to see if I can get cabling to the front door and then to start with the entire front of the house. The back of the house is all conduit...and I'm not totally looking forward to it even though I think I have devised my plan well.
 

IAmATeaf

Getting comfortable
Joined
Jan 13, 2019
Messages
947
Reaction score
501
Location
United Kingdom
I'd like to know how you came to the conclusion that I didn't listen to him. I neither said, nor implied, anything of the sort. He's posted in this thread exactly once, which was an hour before my reply. In fact, I agreed with his information in my reply, thanked him, and said clear as day that I would purchase ANOTHER 4TB. Meaning, I already have one 4TB drive and I will purchase a second. The NVR can hold two, and the price difference between buying one 8TB or two 4TB drives is negligible. Reading comprehension!
Both he and I said the same thing, the key here is the word “an” so maybe it is you who needs some “Reading comprehension” ?
 

IAmATeaf

Getting comfortable
Joined
Jan 13, 2019
Messages
947
Reaction score
501
Location
United Kingdom
Stay off my thread. I'm done with your nonsense.
LOL. You asked for advice, people including me replied, you failed to understand the content of the reply and then for whatever reason chose to try and lecture and belittle.

The thread is not yours or mine to dictate and unless the forum owner(s) tell me otherwise, what I read and reply to will entirely be my choice.

Anyway best of luck with your install, most of the people here, including myself like to help where we can but most, again including myself won’t put up with condescending nonsense.
 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
Your reply provided no other useful information except that I should listen to someone. Looney is obviously well respected around here because I've read tons of his reviews and other solid advice. You don't have to put up with my obviously irritated tone, nor do you have to reply to a thread just to reply. I can't stop you, obviously, but you might take a second thought before hitting the reply button next time and ask yourself if you really need to. Once you start poking at someone saying things like "You should have...etc" sometimes they don't appreciate another voice in the room echoing what was already said. His information was not disregarded.

Looney said he would have started with an 8TB. I already have a 4TB drive and I said I would get another to get it to 8TB. The drive was already installed and it can't go back. At least that would get me to his starting point. Mistake on my part perhaps? Time will tell. I'm the one out money if it doesn't work and I'll live and learn and pass on the good word to someone else. I used the tools on this site to check what I thought I would need, and maybe the data is outdated or not real world enough. However, I may not need what some of you need in regards to length of time for storage.
 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
Apologies to anyone reading the previous back and forth. Back to the regularly scheduled program!

Today was anti-manual labor day!

After hours of going up and down stairs, sweating in the attic, and getting filthy, I decided I would work on setting up the VPN and the primary network the cameras will be on. I followed the great primer that was posted here and it didn't go smoothly at first, but that wasn't any fault of the instructions. My ISP is Frontier FiOS and we had their branded router set up that was receiving the signal from the ONT via coax and then out to my Asus RT86U. Their router is locked down more than I would like and I couldn't easily (if even possible) set it into bridge mode to pass the public WAN IP to my Asus. So, to heck with the Frontier router. I got in contact with their tech support and had them turn on the ethernet port on the ONT so that it would allow me to instead use the Asus as the primary router. I plugged the ethernet line into one of the new ports I made in the server cabinet room and it was instant success. The VPN setup was smooth sailing after that and it is running flawlessly. It's a two-birds-with-one-stone situation because that will also kick the $10/mo rental fee off our bill, which came at a good time because the promotional period is about to expire and that cost would have been added to it.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,188
Reaction score
774
Hi @YYZed, did you already proceed with the NVR or not? If not, I see in your Bill of Materials you added a POE switch. Just so you know: there are NVR models that do include onboard POE ports. Main advantage: these cams are already "isolated" from your network. But it requires that all your camera cabling terminates at your NVR. Advantage of a stand-alone POE switch: you can easily install it at the cable termination point, plus you can easily switch NVR. But you may require VLAN isolation of your camera gear to protect your "inner" network (eg NAS/outbound phone-home systems/...). For the hard drives: I also started with a 2TB in slot 1 of my NVR5216, but a while ago I simply added a 6TB. 8TB in total. Advantage of having 2 disks: you can specify the "load" of the recordings, eg cam 1-2-3 on disk 2 and cam 4-5 on disk 1 and so forth.

Good luck with your installation!!!
CC
 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
The NVR that I’m using is the non-POE version, and it will utilize two POE switches in order to split the system into two halves - front of the house and back of the house. I need the two because of the current infrastructure that’s already installed, and bringing that much cabling to one point would be awful in my case.

As far as what goes in and out on my network I have the following -

- General internet traffic from our cell phones, tablets, and computers
- Roku smart tv and an Amazon Fire Stick
- Nest thermostat

I think that’s it from what I can remember. Everything is working without port forwarding or UPNP enabled. I went down the list of things to make sure were turned off and I’m pretty sure I got it all. I updated the firmware on the ASUS to Merlin and my options for tweaking are there. If I need to go one more level with a VLAN I can certainly give it a go.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,188
Reaction score
774
You know your physical infrastructure better than us - a "dual" POE setup is even smarter than a single one: if one of your POE switches crashes, you still have your second switch.
Do however keep in mind that the uplinks from the POE switches towards your NVR might get "saturated" - the data coming from the 2 POE switches has to end up in the NVR one way or the other.

Regarding your list of computers/devices: think about which device can talk with any other (LAN/WAN) device. You have the physical networking topology (eg all IPC cables go into a POE switch which goes directly to the NVR --> by doing so, nobody can communicate directly with the IPC, but the IPC can also not communicate with your NAS/internet/chinese hacking server), but you also have a logical networking topology (eg many users on the forum try "smart" techniques to put in a non-existing gateway so the IPCs cannot talk to the internet - but many vendors are getting smart, and they do network probing to "find" a decent (working) gateway independently of the values you entered). By knowing this (and if it does keep you up at night), you can think about VLANs and their proper "segregations": you can state (for example) that your smart TV can see your NAS, but your IPCs cannot.

Hope this helps!
CC
 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
Having the POE switches separate from the NVR was also part of the plan in case of hardware failure. It's exactly like you said - they don't all go down at once. Even if the NVR fails I still have access to the cameras (eg, via SmartPSS) at least in some capacity. I'm also curious to see if I get any traffic issues once it's all running. I hit my network pretty hard sometimes with FTP, and even with the amount of volume going in or out at once I still have not managed to noticeably slow it down. Of course, that's all coming from one machine and not from a company of IPCs all going to the same entry point. I know you're talking about actual saturation at the router, and I'm as curious as you to see what it does.

That helps tremendously and it makes a lot of sense. I did a quick search of the usefulness of a VLAN and it was like a lightbulb going on as to why they are used.

My question is that with what I have now and what I have done with the recommended security settings to try and lock it up, am I being set up for any major vulnerabilities by having it all on one? I still need off-site access to my system and the VPN covers that well, but is it enough?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,188
Reaction score
774
You haven't described your logical network layout (yet), I sense that you were going to in the next post :) I come from an enterprise networking background, where every company needs to apply VLANs. I always thought (until a couple of years ago) that VLANs would not "make sense" in a "home" environment, but I was mistaken. I have described the following already a couple of times in previous posts, but as this is going to be "your installation thread", I'm gonna recapitulate what I wrote before, and you can work on it for your own environment/requirements.

Scenario #1:
- you make one big flat network: 1 router, 1 gateway, 1 subnet (some DHCP, some fixed IP). I suggest your "server components (including your cams)" fixed IP, all the rest DHCP. Advantage: everything in the LAN sees everything, no need to tweak mobile apps to view your cams. But.... your cams, when hijacked or part of a botnet, can easily cryptolock your cams, fridge, NAS and other gear. Also firewall requirements on your router become "complex", as you have to work with individual ips to block them from accessing the internet (calling home), but also for inbound traffic control, this is messy

Scenario #2:
- you make a layered network: 1 "main" router with WAN (ISP) gateway access, distributing subnet A, but another router distributing subnet B. In B you put your CAMS, but also your openvpn server (through port forwarding on router A). Nobody can have unauthorised access from A to B, yet you have to mess around to isolate B to A (as an upstream gateway will find its way). Like I wrote before, some peeps make this a "scenario 2b", in which they "configure" a subnet B in the cams without having a router B, and they "hope" they'll never find router A. But to me, that's fake and even more dangerous.

Scenario #3:
- you create virtual networks (VLANs): 1 "main" router with WAN (ISP) gateway access, and from that router, you define your VLANs (which can then be propagated towards managed switches (trunking) OR to unmanaged switches (then all devices on that switch fall into the tagged port's VLAN)). Then you can work on restrictions per VLAN (and if you want per IP, but VLANs are much easier). Even OpenVPN access will be an easy task to set up for each VLAN.

Does this all sound expensive? Back in the day, yes! But today: no... Even without throwing away your existing materials (you can re-use your existing wireless stuff and switches, even if they are unmanaged), that "main" router can be created with a Ubiquiti ER-X, starting at $50! It has a couple of ethernet ports to do port/physical VLAN tagging, but it is also capable of VLAN trunking.

Hope this helps, if you need more cheese to cake, let me know.
Good luck!
CC
 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
That is absolutely a tremendous amount of amazing information you just posted! Thank you very much for taking the time to type that all again. I understood every bit of it but I do still have a question or two -

I want to go with scenario #3. No doubt about it. My first question is what access do the devices on the LAN have with the VLAN? While I could live without using the iDMSS app while at home (I have tv’s that display my cameras in a couple spots, but not everywhere), I’d like to still have that option.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,188
Reaction score
774
You're welcome. Sharing is caring, right?

So imagine you go for the full-VLAN option. Which means, in an ideal world, your wifi devices reside in their own (V)LAN. Some routers (eg Asus ones) do have "guest wifi", which means that these wifi devices are automatically "restricted" to WAN only (eg read emails) but NOT LAN access (eg hack your NAS), but the same magic can happen with VLANs: your devices are properly secured in their own network. Opening the iDMSS app would not show anything. Which is a good thing for "visitors", but for your precious mobile device, it is ... not useful :) But there are a couple of things that you can work with:

Option 1: you define "rules" (which are meaningful routings) that (as an example) your phone (and not the missus') can access FROM wifi-vlan TO IPC-vlan. And hoppa, iDMSS works like a charm. --> takes 2 minutes in an ER-X to implement
Option 2 (my preferred way): you don't define "rules", as "rules" equal "management time/maintenance" because at each time you have a new device, you need to update these damn rules. But you configure an OpenVPN server on the ER-X, and work that when connecting with profileX opens the gates to IPC-vlan.

Why is this my preferred way: you can then, all the time, everywhere on the world, keep your OpenVPN client tunnel active. ALL your traffic will be encrypted and secured, and most of all: you can access your feeds ANYTIME and EVERYWHERE. On the couch, on the plane, on the moon... The sky is the limit! But .. OpenVPN is not done in 2 minutes (okok, 5 minutes max if you know what you're doing).

So coming back to your requirements: for the TV (as it might not run an openVPN client), you have to use option 1, but for all other "smarter" devices, I'd go for #2.

Hope this helps you out!
If not.. shoot!
CC
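An added worked example (not code from the thread, catcamstar or any router vendor) that pulls together the three points above: the scenario #3 VLAN layout, the observation that cameras will probe for a working gateway no matter what you configure on them, and the "Option 1" rule that lets one phone into the camera VLAN for iDMSS. It models the intended policy as a default-deny zone matrix and then audits constructed firewall log lines against it, so you can see both a camera phoning home (caught by the drop rule, counted) and a wifi-to-camera rule that was written too broadly (the firewall accepted a second phone the policy never meant to allow). The subnets, VLAN numbers, hostnames, the NVR port 37777 (assumed here to be Dahua's default, which iDMSS connects to) and the netfilter-style log format with the verdict letter in the rule name are all assumptions made for the example.

```python
"""Zone policy for a VLAN-segmented camera network and an audit of firewall
log lines against it.

Added example, not code from the thread or from any router vendor. Subnets,
VLAN numbers, hostnames, the NVR port and the log line format are assumptions.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumed plan: one /24 per zone; the router (ER-X or similar) routes between them.
ZONES = {
    "lan": ipaddress.ip_network("192.168.10.0/24"),   # PCs, NAS
    "wifi": ipaddress.ip_network("192.168.20.0/24"),  # phones, TVs, thermostat
    "cam": ipaddress.ip_network("192.168.30.0/24"),   # IPCs and the NVR
}
NAS = ipaddress.ip_address("192.168.10.5")            # assumed addresses
OWNER_PHONE = ipaddress.ip_address("192.168.20.50")
SMART_TV = ipaddress.ip_address("192.168.20.60")
NVR = ipaddress.ip_address("192.168.30.10")
NVR_PORT = 37777  # assumed: Dahua default TCP port used by iDMSS


def zone_of(ip):
    """Map an address to its zone; anything outside the three /24s is WAN."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int  # 0 when the protocol has no port (ICMP)


def allowed(flow):
    """Intended policy: default deny between zones, explicit allows only."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s == d:
        return True  # same VLAN: switched, never seen by the router
    if s == "cam":
        return False  # IPCs never leave their VLAN: no WAN, no NAS, no wifi
    if d == "cam":  # "Option 1": exactly one phone, to the NVR only, one port
        return (flow.src == OWNER_PHONE and flow.dst == NVR
                and flow.proto == "TCP" and flow.dport == NVR_PORT)
    if d == "wan":
        return True  # lan and wifi zones get internet
    if s == "wifi" and d == "lan":
        return flow.src == SMART_TV and flow.dst == NAS  # TV may pull media
    if s == "lan":
        return True  # trusted lan may manage wifi devices
    return False  # includes anything unsolicited arriving from WAN


# Assumed netfilter-style log line; the firewall's own verdict (A=accept,
# D=drop) is the last letter of the bracketed rule name.
LOG_RE = re.compile(
    r"\[(?P<rule>[^\]]+)\].*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dport>\d+))?"
)


def parse_line(line):
    """Return (Flow, verdict letter) for a log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    flow = Flow(ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                m["proto"].upper(), int(m["dport"]) if m["dport"] else 0)
    return flow, m["rule"].rsplit("-", 1)[-1]


def audit(lines):
    """Return (mismatches, phone_home): firewall verdicts that disagree with
    the policy, and per-camera counts of attempts to reach the WAN (a camera
    phoning home or probing for a gateway it was never given)."""
    mismatches, phone_home = [], Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        flow, verdict = parsed
        if (verdict == "A") != allowed(flow):
            mismatches.append((flow, verdict))
        if zone_of(flow.src) == "cam" and zone_of(flow.dst) == "wan":
            phone_home[str(flow.src)] += 1
    return mismatches, phone_home


SAMPLE_LOG = [  # constructed lines for the example, not from a real router
    "[CAM_OUT-default-D]IN=eth0.30 OUT=eth0 SRC=192.168.30.21 DST=203.0.113.9 PROTO=TCP SPT=44321 DPT=443",
    "[CAM_OUT-default-D]IN=eth0.30 OUT=eth0 SRC=192.168.30.21 DST=203.0.113.9 PROTO=UDP SPT=5000 DPT=123",
    "[CAM_OUT-default-D]IN=eth0.30 OUT=eth0 SRC=192.168.30.21 DST=198.51.100.1 PROTO=ICMP TYPE=8 CODE=0",
    "[CAM_OUT-default-D]IN=eth0.30 OUT=eth0.10 SRC=192.168.30.22 DST=192.168.10.5 PROTO=TCP SPT=40000 DPT=445",
    "[WIFI_IN-10-A]IN=eth0.20 OUT=eth0.30 SRC=192.168.20.50 DST=192.168.30.10 PROTO=TCP SPT=51000 DPT=37777",
    "[WIFI_IN-10-A]IN=eth0.20 OUT=eth0.30 SRC=192.168.20.51 DST=192.168.30.10 PROTO=TCP SPT=51001 DPT=37777",
    "[WIFI_IN-20-A]IN=eth0.20 OUT=eth0.10 SRC=192.168.20.60 DST=192.168.10.5 PROTO=TCP SPT=42000 DPT=445",
]

if __name__ == "__main__":
    bad, probes = audit(SAMPLE_LOG)
    for flow, verdict in bad:
        print(f"rule/policy mismatch: {flow.src}->{flow.dst}:{flow.dport}/{flow.proto} fw={verdict}")
    for host, n in probes.items():
        print(f"{host} tried to reach the WAN {n} times")
```

On the sample lines the camera at .30.21 is caught three times (HTTPS, NTP and a ping toward an address it was never told about), which is the "cameras find a gateway anyway" behaviour turned into something you can count and alert on; the only mismatch is the second phone that the wifi-to-camera rule let through, which is exactly the kind of over-broad allow that an explicit policy table makes visible.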
 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
This helps me out in a huge way! If you don't mind, I'm going to shoot you a PM with some other info and questions since it pertains to my specific setup. I really appreciate you popping on my thread to share your knowledge!
 

JNDATHP

Pulling my weight
Joined
Oct 16, 2018
Messages
307
Reaction score
231
Location
USA
We use UniFi equipment and our iOS devices have an always on VPN. We’re out of town right now on hotel WiFi and feel okay because we are using a VPN to get back to our home even while surfing and especially banking.

Blue Iris is giving us our alerts just fine using a 192.168.x.x address.

Thanks to this forum I implemented our VPN and am I so glad I did.
 

YYZed

Getting the hang of it
Joined
Jul 3, 2019
Messages
98
Reaction score
79
Location
Watching over you from everywhere
How's your data usage with having the VPN running all the time? I'm on the highest data cap "unlimited" plan, but my wife is currently not.
 

JNDATHP

Pulling my weight
Joined
Oct 16, 2018
Messages
307
Reaction score
231
Location
USA
Indiscernible overhead.

In May I was working for a company and was using Alexa to play business news using our VPN.

I am now working out of my house and so am using my own WiFi.

 