How to block my IP cameras from the internet and my local network?

Mike 19

n3wb
Joined
Oct 30, 2022
Messages
18
Reaction score
10
Location
DC
I use BI5 and a VPN that runs on a raspberry pi to access my local network when away from home it works great.

Now i would like to block them from getting to the internet and from my local network most all my cameras are hard wired and i set them up on a static ip range 50-75.....192.168.1.50 and so on.

I just upgraded to a UDM Pro this should be very easy to do with firewall rules? I just need a little help.

I know that there is a guide here on doing this with dual NIC cards but both ways should be fine.

Thanks for the info.
 

Mike 19

n3wb
Joined
Oct 30, 2022
Messages
18
Reaction score
10
Location
DC
I don't think the above will work for me as i use many POE switches 5 of them that all feed back to a rack mounted switch Unifi.

My BI pc does have two NIC cards one is a 10GIG and one is a 1GIG that is not used.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
I have a UDM with Ubiquiti 48 port POE switch.
Initially, I ran with the dual NIC card in my Blue Iris machine back when I had a Netgear Nighthawk router.
When I swapped to a UDM, I went on the path of VLAN & firewall rules.
It was a learning experience. There is no HERE IS GUIDE to follow as every network environment is different.
Took weeks, if not months to learn the in's/out's of firewall rules.

The above mentioned 'taxing of CPU' only applies if your cameras are on one VLAN and your Blue Iris machine is on a different VLAN. This would apply to basically any router since it will tax the CPU regardless of brand.

I have a dedicated VLAN for both cameras & blue iris. I MAC and IP block the cameras from "LAN IN". I only allow Blue Iris out on internet browsing ports for upgrade purposes or to download accessory programs (Dahua Tool box, for example). You get more advanced with firewall rules when you do not allow anything on your IOT or camera/blue iris to access your router GUI at something like 192.168.4.1, only allow NTP, etc.

It is a rabbit hole you will be going down in regards to firewall rules and best configuration for your environment. It sure is fun :)
Hence, easiest and fastest way is to go with the no-brainer dual NIC card route.
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,447
Reaction score
38,162
Location
Alabama
I don't think the above will work for me as i use many POE switches 5 of them that all feed back to a rack mounted switch Unifi.

My BI pc does have two NIC cards one is a 10GIG and one is a 1GIG that is not used.
You can't move some patch cables that feeds those switches from one NIC to a different NIC?
 

tech_junkie

Getting comfortable
Joined
Sep 2, 2022
Messages
412
Reaction score
417
Location
South Dakota
I use BI5 and a VPN that runs on a raspberry pi to access my local network when away from home it works great.

Now i would like to block them from getting to the internet and from my local network most all my cameras are hard wired and i set them up on a static ip range 50-75.....192.168.1.50 and so on.

I just upgraded to a UDM Pro this should be very easy to do with firewall rules? I just need a little help.

I know that there is a guide here on doing this with dual NIC cards but both ways should be fine.

Thanks for the info.
If they are not wired away from your network, they will still share the bandwidth in the common wire.
But in your case since its 10 Gb network, there shouldn't be bottleneck issues anyways.

If you static and remove the gateway entry, the cam can not go onto the internet.
If you want to hide them from the rest of the network, since you have a 2nd network port, you can static them with a different ip like 10.110.110.X Both cameras and computer.

If you want to hide them from the internet, but be able to assign a computer to access them, then you would netmask the cameras away from the network (255.255.255.128) but the common computer has the whole netmask (255.255.255.0)
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
If they are not wired away from your network, they will still share the bandwidth in the common wire.
But in your case since its 10 Gb network, there shouldn't be bottleneck issues anyways.

If you static and remove the gateway entry, the cam can not go onto the internet.
If you want to hide them from the rest of the network, since you have a 2nd network port, you can static them with a different ip like 10.110.110.X Both cameras and computer.

If you want to hide them from the internet, but be able to assign a computer to access them, then you would netmask the cameras away from the network (255.255.255.128) but the common computer has the whole netmask (255.255.255.0)
One day, I'll learn about netmask. For now, I think I have a better shot at learning DIY YouTube heart transplant.
 

tech_junkie

Getting comfortable
Joined
Sep 2, 2022
Messages
412
Reaction score
417
Location
South Dakota
One day, I'll learn about netmask. For now, I think I have a better shot at learning DIY YouTube heart transplant.
I can teach you that. Even though I leared it the difficult way in school for an electronics technology degree no one seems to recognize, nor admire/accept anymore.

netmask is the subtraction of ip addresses. so theoretically if your mask was 0.0.0.0 (not allowed in practice) the network would include all ip addresses.
if the netmask is 255.0.0.0 That means there is one number allowed in the first part of the ip. so if you have an router ip of 192.168.0.1 with this netmask, the network ip pool would be 192.0.0.1 thru 192.255.255.254

I've been doing networking off and on for the past 25 years. Even though I can do this pretty much in my head, I will use calculator tools from time to time like this one:
It has a nice results page that list the networking possibilities.

I am an electronics and computer scientist scholar. So I can't tell you how to perform a heart transplant. However, I can tell you how the life support machine works.
 
Last edited:

tech_junkie

Getting comfortable
Joined
Sep 2, 2022
Messages
412
Reaction score
417
Location
South Dakota
two of my poe switches are outside.
If you put the 2nd net interface and the cameras on a seperate ip adresses not in the router's network, they will network to eachother with the same hardware. no special patching is required. just patch the 2nd network port into the existing network.
 

Mike 19

n3wb
Joined
Oct 30, 2022
Messages
18
Reaction score
10
Location
DC
Can't 192.168.2.1 and 192.168.1.1 talk to one another?
 

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,690
Location
New Jersey
One of the problems with removing the gateway, or even spoofing a gateway address, is that some cameras will "explore" on their own looking for a route. Being on a second NIC with not route to the other NIC, at all, eliminates that possibility as well. This is probably as close as you can get to "air gap" and still be able to access the machine from both internal and external networks while keeping the cameras totally hidden.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
True, I've seen various cams and other devices that use hard-coded values for gateways and DNS and test other devices for ways out. Probably OK in most cases and I also change the gateway myself too but really needs to be done independent of the cam itself.
 

CCTVCam

Known around here
Joined
Sep 25, 2017
Messages
2,660
Reaction score
3,480
two of my poe switches are outside.
The location is irrelevent. All you want is your IP cameras onto a switch and then that switch connected to your BI server's 2nd NIC card. Your BI machines 1st NIC card is then connected either direct to your router or via another switch to your router depending on how your internal network is configured as per Tony's excellent diagram above. The idea is to deny the cameras a direct connection to your router.

For the 2 NIC cards, the aim is to have the NIC connected to the cameras on an unreachable IP address, so it cannot communicate with the 1st NIC card and vice versa. This prevents the 2nd NIC talking to the 1st NIC and thus it cannot get access to the internet. This then means the only way the cameras can stream out is through BI which acts as a bridge betwen NIC 2 and NIC1, and this requires you to permit such a stream. BI will then control the route of that stream eg to a TV elsewhere on your internal network for local viewing or to the internet via your routers VPN (you should uses a router with one) for remote viewing. The point here is everything is routed through BI so when BI isn't permitting anything out, it can't get out. When it is, it's permitted to a specific destination only that's either on your LAN or WAN via a VPN which then tunnels it to your remote viewing device. This way the cameras cannot communicate anything out to the wider internet, China, upgrade themselves, respond to pings, open ports, or be hacked (unless the whole general network and then BI are hacked 1st (highly unlikely)).
 
Top