How do you set up dual LAN?

czrabode

Hi. As suggested by the Cliff Notes, I got another NIC card and installed it in my Dell OptiPlex so I can do the dual-LAN setup that is recommended. I plan on creating a secure and non-secure network.

But my question is, after I plug in the POE to the other ethernet port, what do I do next?

Is there an old thread outlining this or any reference? Or maybe you can describe it to me?

Thanks!
 
Go into Control Panel and edit the properties of the 2nd NIC to assign it an IP address and subnet mask. For example, you could make it 192.168.80.10 with a subnet mask of 255.255.255.0. All of your cameras will need to be on the same network as the PC, so they could use 192.168.80.20, 192.168.80.21, etc. with the same subnet mask. You can leave the gateway and DNS entries blank. I'm assuming the 2nd NIC is solely for connecting to an isolated network containing your cameras which do not need Internet access.
 
Stating the obvious. I have the second NIC connected to a POE switch. All the cameras connect to that switch or switches off that switch. Keep the networks physically separate except for the BI pc.
 
> Go into Control Panel and edit the properties of the 2nd NIC to assign it an IP address and subnet mask. For example, you could make it 192.168.80.10 with a subnet mask of 255.255.255.0. All of your cameras will need to be on the same network as the PC, so they could use 192.168.80.20, 192.168.80.21, etc. with the same subnet mask. You can leave the gateway and DNS entries blank. I'm assuming the 2nd NIC is solely for connecting to an isolated network containing your cameras which do not need Internet access.

Thanks. That took care of it. Any suggestions on setting up the Windows 10 firewall on the Blue Iris PC?

 
The fun part in this setup: how to reach the (web)interfaces of the "secured" devices? You might want to have a tablet/phone VPNwise connect to the "secured" part, which implies some routing/NAT'ing/loopback ;-)
 
> The fun part in this setup: how to reach the (web)interfaces of the "secured" devices? You might want to have a tablet/phone VPNwise connect to the "secured" part, which implies some routing/NAT'ing/loopback ;-)

Yeah, that's why I set up a separate subnet for the cameras and BI so my firewall controls what crosses in/out. BI can access the Internet. I can access BI or the cameras from my main subnet. The cameras cannot access the Internet except for hitting one time server by IP address.
 
I just left mine at the defaults. It's behind your router which is your actual firewall.
Unfortunately, my Google WiFi router has a rudimentary firewall. Do you have any suggestions on how I should set up my Windows 10 firewall on my Blue Iris computer to prevent the cameras from accessing the internet?
 
> Unfortunately, my Google WiFi router has a rudimentary firewall. Do you have any suggestions on how I should set up my Windows 10 firewall on my Blue Iris computer to prevent the cameras from accessing the internet?

The Google Wifi firewall is fine. Its main job is to reject unsolicited traffic coming from the Internet.

The cameras can't access the Internet through the BI PC because Windows 10 is not a router. Even if it were, configuring the cameras with a blank gateway and DNS address would keep them from reaching the Internet.
 
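The dual-NIC setup described above (static address on the camera NIC, blank gateway and DNS, Windows not acting as a router) can be applied and checked from an elevated PowerShell prompt. This is an added example, not something posted by the thread's participants; the adapter alias `Ethernet 2` is an assumption and must be replaced with the name `Get-NetAdapter` shows for the second NIC.

```powershell
# Added example. Run in an elevated PowerShell session on the Blue Iris PC.
$camNic = 'Ethernet 2'   # assumption: alias of the 2nd NIC (camera LAN)

# 1. Static address on the camera NIC, using the address from the thread.
#    No -DefaultGateway is given and DNS is cleared, so the PC never tries
#    to reach the Internet through the camera LAN.
Set-NetIPInterface -InterfaceAlias $camNic -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $camNic -IPAddress 192.168.80.10 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $camNic -ResetServerAddresses

# 2. Check: no default route may point out of the camera NIC.
$badRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Where-Object InterfaceAlias -eq $camNic

# 3. Check: Windows must not forward packets between the two NICs.
#    Forwarding is a per-interface setting; IPEnableRouter is the global
#    registry switch. Either one being on turns the PC into a router.
$forwarding = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object Forwarding -eq 'Enabled'
$ipEnableRouter = (Get-ItemProperty `
    -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter

# 4. Report.
if ($badRoutes -or $forwarding -or $ipEnableRouter -eq 1) {
    Write-Warning 'Camera LAN may be routable. Review the items below.'
    $badRoutes  | Format-Table InterfaceAlias, NextHop
    $forwarding | Format-Table InterfaceAlias, Forwarding
    "IPEnableRouter = $ipEnableRouter"
} else {
    'OK: no default route on the camera NIC and IP forwarding is disabled.'
}
```

Re-run steps 2 to 4 after installing VPN or virtualization software, since such tools can add routes or enable forwarding on their own adapters.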
> Hi. As suggested by the Cliff Notes, I got another NIC card and installed it in my Dell OptiPlex so I can do the dual-LAN setup that is recommended. I plan on creating a secure and non-secure network.
>
> But my question is, after I plug in the POE to the other ethernet port, what do I do next?
>
> Is there an old thread outlining this or any reference? Or maybe you can describe it to me?
>
> Thanks!

What NIC card did you get for the Dell Optiplex? I just bought a Dell Optiplex 9020, but the chassis is slim and I can't find a NIC card for it.
 
Just search for a low profile PCI Express Ethernet adapter.

This, or do what I did and get the hacksaw and files out to make it fit :D Joking aside, I had an old card lying around, which is why I "modded" it; I'm not suggesting you do the same unless you feel really comfortable doing it. All I did was install it into the machine and, with a perm marker, draw a line where I would need to bend the metal to form a tab. Then I removed the flat plate itself from the card, bent it over, cut off the excess and then reshaped the newly bent-over tab using the cut-off piece's tab as a template.
 
> Go into Control Panel and edit the properties of the 2nd NIC to assign it an IP address and subnet mask. For example, you could make it 192.168.80.10 with a subnet mask of 255.255.255.0. All of your cameras will need to be on the same network as the PC, so they could use 192.168.80.20, 192.168.80.21, etc. with the same subnet mask. You can leave the gateway and DNS entries blank. I'm assuming the 2nd NIC is solely for connecting to an isolated network containing your cameras which do not need Internet access.

Good advice but in the Dahua configuration tool it will not allow you to leave the gateway blank. What would you put there to make it work?
 
> Good advice but in the Dahua configuration tool it will not allow you to leave the gateway blank. What would you put there to make it work?

Any IP address on the same subnet that isn't a router would work. So 192.168.20.254 for example. Just exclude that IP from your DHCP scope if you have a DHCP server and don't configure any hosts to use that IP address.
 
I just set the default gateway on the cams to .1, server is .30 and cams start at .50. There is no DHCP server on the dedicated cam LAN so everything is static.
 
> Any IP address on the same subnet that isn't a router would work. So 192.168.20.254 for example. Just exclude that IP from your DHCP scope if you have a DHCP server and don't configure any hosts to use that IP address.

I care to disagree: there are other threads in this forum where people have discovered that an NVR (? or was it an IPC) was using "brute force" to find an internet hole: if it couldn't reach the internet through the 'left blank/non working' gateway, it started scanning the network until it found a working internet gateway.

So be warned: this absolutely was a good idea in 2001, but in 2019, we have to be smarter! Secure your network, no matter what. Dual NIC, vlan, mother-in-laws, it doesn't matter. Protect your gear.

Hope this helps!
CC
 
If the person gets onto the same lan yes they can scan but if the cams are on a separate lan then without any routing they can scan all they like. In my case the only way to access the cams is via the BI pc so they’d need to get onto that before they could access the cams.

On another note, does this sort of thing actually happen on a domestic installation? Can’t see why a hacker would even want to waste their time unless it’s just for laughs.
 
> If the person gets onto the same lan yes they can scan but if the cams are on a separate lan then without any routing they can scan all they like. In my case the only way to access the cams is via the BI pc so they’d need to get onto that before they could access the cams.
>
> On another note, does this sort of thing actually happen on a domestic installation? Can’t see why a hacker would even want to waste their time unless it’s just for laughs.

One little botnet is indeed for the laughs, but imagine 10.000 "smart" fridges colliding into a botnet to some federal institution. That's an "evil" laugh :)

But then again, I fully agree with you: dual nic is much easier, yet if you want to configure a cam without "screen" access to the BI pc, you are "lacking" flexibility. And yes, you could do RDP on that BI pc, but then you have to "open services" on that BI pc which makes that again "high" vulnerable. I already wrote it many times on this forum, and to @TL1096r: there is no ideal networking configuration, it all depends on the requirements, the budget, the flexibility, the learning curve etc. Yes, an 8th grader could set up a dual nic BI pc setup and be satisfied with it; going for vlans and managed switches is not something you would do on a Sunday afternoon if you had never seen a single firewall rule, nor TCPIP stack configurations.
 