How to block my IP cameras from the internet and my local network?

[tech_junkie]

So basically the IP cameras need there own switch and that switch would plug into one of my BI computers NIC cards.

I think i can just move a few things around and get that to work.

Usually you set up a different wired network entirely so the cameras don't hog the bandwidth on the network used for the internet. Even when you connect them directly to a NVR that is a different network than its normal LAN interface.
But anyone running a 10Gb or 100Gb network it wouldn't matter. Because at the most with 64 cameras bandwith would be only ~400MB or approx 1/12 the bandwidth @ 10Gb compared to a 80% with a 1 Gb network.

That is why it really doesn't matter if everything is networked correctly.

 

[Tazz 316]

Since he is using UniFi wouldn't it be simpler to create a new network and create rules to block traffic in/out and assign it to the port the cameras are using.

 

[tech_junkie]

Since he is using UniFi wouldn't it be simpler to create a new network and create rules to block traffic in/out and assign it to the port the cameras are using.

You can always block any ip address from accessing the internet. Even addresses not being used in the router. This applies to 90% of the routers out there, otherwise, they use the MAC address. Some of the older routers it had to be in the subnet but now mostly it don't have to be.

he could do that, or expand his by changing subnet and its just one network with one set of rules. or add another network entry and have two sets of rules. Or static ip network and its limited to its static rules defined.

He can put the cameras in its own 255.255.255.0 ip while the network is in another, but the network at the computer has two network cards and one dhcp to the normal network, and the other static addressed to the cam ip network.
If I didn't want anything else to be able to network to the cameras I would use a different Address that would be too far away from them to network. (192.168.1.1 and 10.20.30.1 for example) in any subnet mask.

It all depends on if the OP wants to use just the 10Gb interface or both the 10Gb and 1Gb interface in the computer

 

[Mike 19]

I got it how can i test it to see if the cameras are blocked?

 

[Mike 19]

Welcome to IPCT!

IMO, it would be easier and possibly quicker to implement the dual NIC schema such as:

View attachment 144250

According to this link, running cams through your UDM Pro will overly burden its CPU ==>> A bit confused how to set Blue Iris Vlan on ubiquiti

My issue with the above image is that i have a POE switch outside that also power a AP. I would loose the AP if i hooked it up like the above image. I only did it that way because i have underground cat6 cable run to a garage that is 175 feet away that powers a few cameras and a AP for the internet.

 

[tech_junkie]

My issue with the above image is that i have a POE switch outside that also power a AP. I would loose the AP if i hooked it up like the above image. I only did it that way because i have underground cat6 cable run to a garage that is 175 feet away that powers a few cameras and a AP for the internet.

I use BI5 and a VPN that runs on a raspberry pi to access my local network when away from home it works great.

Now i would like to block them from getting to the internet and from my local network most all my cameras are hard wired and i set them up on a static ip range 50-75.....192.168.1.50 and so on.

I just upgraded to a UDM Pro this should be very easy to do with firewall rules? I just need a little help.

I know that there is a guide here on doing this with dual NIC cards but both ways should be fine.

Thanks for the info.

because if you don't want them to network to the internet there are several ways from sub netting, the cameras to 255.255.255.128 and change the dhcp gateway (router address ), an ip address 192.168.1.129-192.168.1.254 to deny traffic to and from WAN in the router settings.

 

[TonyR]

..... i have underground cat6 cable run to a garage.....

Direct buried or in conduit?

 

[Mike 19]

So i would assign NIC# 2 a IP of 192.168.2.100 And i guess the cameras would need to go as static 192.168.2.101, 192,168.2.102 etc?

NIC #1 would get a IP from DHCP or i could assign it one as 192.168.1.xxx What would BI be using the IP from NIC #1?

I may buy a new POE switch just to try this, i do have 2 wireless cameras but i guess you could add a AP to POE Switch #1 but you would not be able to mesh. How would i manage the AP though as my UDM Pro would not be able to see it? or would it?

 

[TonyR]

So i would assign NIC# 2 a IP of 192.168.2.100 And i guess the cameras would need to go as static 192.168.2.101, 192,168.2.102 etc?

Yes

NIC #1 would get a IP from DHCP or i could assign it one as 192.168.1.xxx What would BI be using the IP from NIC #1?

BI NIC #1 could also be a unique static IP, at perhaps 192.168.1. 200, depending on your router's LAN IP and its DHCP pool.

How would i manage the AP though as my UDM Pro would not be able to see it? or would it?

The AP can also be a unique, static IP in the 192.168.1.XXX subnet, again from outside your router's DHCP pool.
If it's a wireless router being used as an AP, turn off its DHCP server and give it a unique, static LAN IP outside of your current Internet router's DHCP pool.

 

[Mike 19]

I'm confused about how to add wireless to the above image.

Wouldn't i just add a AP to the POE Switch #1 ports and the APs IP would need to be 192.168.2.xxx.

 

[sebastiantombs]

Why do you need WiFi on a camera network?

 

[Gargoile]

Logon to your UDM Pro

Go to settings
Firewall & Security
Firewall Rules
Create Rule
Type: pick internet out
Description : Block MAC address out to internet
Rule Applied: Before Predefined Rules
Action: Drop
IPv4 Protocol: ALL

Source
Source/Type: Source/IP group
IPv4 Address Group : Any
Port Group: Any
MAC Address: Enter the MAC address of the camera

Destination
Destination Type: Port/IP Group
IPv4 Address Group: Any
Port Group: Any
Advanced: Auto

You will need to set a rule for each camera's MAC address and this will block all the cameras from reaching the mother-ship.

 

[Gargoile]

I'm confused about how to add wireless to the above image.

Wouldn't i just add a AP to the POE Switch #1 ports and the APs IP would need to be 192.168.2.xxx.

You need to create a VLAN for your cameras. Then all the cameras, wired and WiFi can be on the same IP range on the same VLAN away from everything else..

Follow all these videos on how to setup your UDM. There are 9 videos but you may not have all that he has going on. This helped me a lot on understanding what to do.

 

[TonyR]

I'm confused about how to add wireless to the above image.

Wouldn't i just add a AP to the POE Switch #1 ports and the APs IP would need to be 192.168.2.xxx.

No.
The subnet with Internet access is 192.168.1.XXX in the image....see the modem/router connected to the Internet?

 

[Mike 19]

Why do you need WiFi on a camera network?

Because i have wireless IP cameras and hardwired.

 

[Mike 19]

You need to create a VLAN for your cameras. Then all the cameras, wired and WiFi can be on the same IP range on the same VLAN away from everything else..

Follow all these videos on how to setup your UDM. There are 9 videos but you may not have all that he has going on. This helped me a lot on understanding what to do.

I have watched his videos he does not say how to create a rule to block the internet.

 

[Mike 19]

No.
The subnet with Internet access is 192.168.1.XXX in the image....see the modem/router connected to the Internet?

I don't want it for the internet, i have a few wireless IP cameras that would need a way to connect.

 

[Mike 19]

Logon to your UDM Pro

Go to settings
Firewall & Security
Firewall Rules
Create Rule
Type: pick internet out
Description : Block MAC address out to internet
Rule Applied: Before Predefined Rules
Action: Drop
IPv4 Protocol: ALL

Source
Source/Type: Source/IP group
IPv4 Address Group : Any
Port Group: Any
MAC Address: Enter the MAC address of the camera

Destination
Destination Type: Port/IP Group
IPv4 Address Group: Any
Port Group: Any
Advanced: Auto

You will need to set a rule for each camera's MAC address and this will block all the cameras from reaching the mother-ship.

That looks like the easiest way yet!

 

[TonyR]

I don't want it for the internet, i have a few wireless IP cameras that would need a way to connect.

Then connect it to NIC #2 with a static 192.168.2.XXX IP!
I still don't think you're seeing the difference and reasoning for the 2 different subnets (192.168.1.XXX and 192.168.2.XXX) and 2 different NIC's, 1 & 2.

 

[TonyR]

That looks like the easiest way yet!

That's good to hear.....fingers crossed that you can implement that OK.