How to Remove Internet Access from BI While Retaining UI3 LAN Access - Can it be done?

Alaska Country (Getting comfortable; joined Jun 10, 2021; 449 messages; reaction score 654; Alaska)

Would like to remove internet access from a dual NIC BI Windows 10 computer while at the same time allowing UI3 to be accessible via LAN on two other desktop LAN connected computers. (See system diagram)

System_Diagram.png

The simple answer is to remove the internet cable from the NIC on the BI computer. i.e. 100% no internet. The issue then becomes how to access UI3 on other LAN computers. Plus the Network Time utility on BI that keeps the cameras time synchronized would become inactive.

On the BI machine, NIC-1 is on a subnet at 192.168.55.xxx. (Use the following IP address box checked in IPv4). NIC-1 is only used for Dahua cameras via a 24 port POE unmanaged switch. NIC-2 (BI computer) is set for "Obtain an IP address automatically" box checked in IPv4 which is being used for internet access.

The Asus RT-N16 router has the option to white list using "The Network Services filter which blocks the LAN to WAN packet exchanges and restricts devices from using specific network services." Under "White List" the choices are User Defined, WWW, Telnet and FTP.

Network_Services_Filter.PNG

Would setting up this feature achieve the goal of limiting LAN access to UI3 at 192.168.1.120 on port 81? And at the same time terminate internet access for use on the BI machine and retain internet to the other two LAN desktop computers (1 and 2) that utilize the same router?

If not, there is a Tomato FW update that could be installed on the Asus that may have additional features that could be of use.

The other possible option, if feasible, would be to move UI3 access to the camera subnet (192.168.55.xxx), add a second NIC to the other computers and hard wire in a second network. Workable??? Security issues?
 

Broachoski (Getting comfortable; joined Jun 21, 2019; 598 messages; reaction score 1,450; USA)

On my system I have another router plugged into the POE switch feeding the cameras. It is not connected to the internet but provides WiFi to the other PCs in the house. I have a second NIC on my living room laptop which allows it to be connected to the internet full time on the built-in NIC, and the second NIC is a USB dongle which allows me to be connected to BI and the cameras also.
 

bp2008 (Staff member; joined Mar 10, 2014; 12,674 messages; reaction score 14,018; USA)

Unless I misunderstand entirely, all you need to do is assign NIC-2 a static IP but leave the gateway and DNS fields blank; that way the computer doesn't know how to reach the internet.

In the router, you can create a static DHCP assignment for the BI machine. The BI machine won't actually be using DHCP, but this prevents the router from assigning the address to anything else accidentally and creating a conflict.

Actually that only covers IPv4. You should also disable the IPv6 protocol for NIC-2 in the Blue Iris machine so it doesn't just get online with IPv6 (assuming your ISP and router have IPv6 configured).

1669593528161.png
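The same change done from an elevated PowerShell prompt, as an added example that is not from this thread. It assumes the internet-facing interface is named "NIC-2", the LAN is 192.168.1.0/24, and 192.168.1.120 is the address reserved for the BI machine in the router.

```powershell
# Added example (not from the thread): pin NIC-2 to a LAN-only static address
# with no default gateway and no DNS servers, then unbind IPv6, as suggested above.
# Assumptions: interface alias "NIC-2", LAN 192.168.1.0/24, reserved address
# 192.168.1.120. Run in an elevated PowerShell session.
$nic = 'NIC-2'
$ip  = '192.168.1.120'

# Leave DHCP, and drop the address and default route DHCP handed out.
Set-NetIPInterface -InterfaceAlias $nic -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $nic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Static address with a /24 mask and deliberately no -DefaultGateway.
New-NetIPAddress -InterfaceAlias $nic -IPAddress $ip -PrefixLength 24 | Out-Null
# No DNS servers either, so name resolution from this box fails as well.
Set-DnsClientServerAddress -InterfaceAlias $nic -ResetServerAddresses
# Unbind IPv6 so a router advertisement cannot put the box online anyway.
Disable-NetAdapterBinding -Name $nic -ComponentID ms_tcpip6

# Verification: no IPv4 default route on NIC-2 and no IPv6 binding.
$defaultRoute = Get-NetRoute -InterfaceAlias $nic -DestinationPrefix '0.0.0.0/0' `
    -ErrorAction SilentlyContinue
$v6Enabled = (Get-NetAdapterBinding -Name $nic -ComponentID ms_tcpip6).Enabled
if (-not $defaultRoute -and -not $v6Enabled) {
    "NIC-2 is LAN-only: $ip/24, no gateway, IPv6 unbound"
} else {
    "Check NIC-2: default route present=$([bool]$defaultRoute), IPv6 enabled=$v6Enabled"
}
```

To get the machine back online for a Blue Iris update, `Set-NetIPInterface -InterfaceAlias NIC-2 -Dhcp Enabled` restores DHCP, and `Enable-NetAdapterBinding -Name NIC-2 -ComponentID ms_tcpip6` restores IPv6.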
 

Alaska Country (Getting comfortable; joined Jun 10, 2021; 449 messages; reaction score 654; Alaska)

Appreciate the suggestions. Using WiFi would eliminate adding more cable. Will have to see if the older Windows 10 machine has WiFi and if not if I have a card that would fit.

Did try changing IPv4 to a few different IP addresses and clicked off IPv6. Not sure what would be the correct IP address; most likely an unused address. Tried 192.168.1.1 and 192.168.1.60. Both did block the internet as stated. Subnet mask of 255.255.255.0 was used with no default gateway.

This part worked for blocking. However, after the change, UI3 at 192.168.1.120:81 could no longer be accessed by other LAN computers. At this point did not make any mods to the router.

DHCP_Server.PNG
 

bp2008 (Staff member; joined Mar 10, 2014; 12,674 messages; reaction score 14,018; USA)

What did I miss, why would a wifi adapter be helpful here?

@Alaska Country Simply assign the address 192.168.1.120 to the Blue Iris machine and create a DHCP reservation for it in your router so that address doesn't get assigned to anything else.

Beware of typos when entering addresses, you made a couple in your last post.
 

Flintstone61 (Known around here; joined Feb 4, 2020; 6,601 messages; reaction score 10,921; Minnesota USA)

Oh I saw this.......

> Will have to see if the older Windows 10 machine has WiFi and if not if I have a card that would fit.

and linked him to this TP-Link....
I wasn't trying to solve the bigger problem :)
Staying outta that, cuz I'm not the guru in that neighborhood.
 

PatPend (Pulling my weight; joined Jul 10, 2016; 158 messages; reaction score 193)

Won't Windows constantly bitch about not being able to get to the internet?
 

Alaska Country (Getting comfortable; joined Jun 10, 2021; 449 messages; reaction score 654; Alaska)

Thanks for the heads up on the wrong IP address. Noted and corrected.

The BI "local internal (LAN) access" is already on 192.168.1.120 port 81 and works to view UI3 on other computers connected to the LAN. This is working well.

Added a DHCP reservation.

Assigned_ip.PNG

Went back to the BI machine and changed the IP address on the card that is connected to the internet to 192.168.1.120 with a subnet mask and no default gateway. Tested and the internet is blocked. No connectivity on the LAN for UI3 at 192.168.1.120:81 on other LAN connected computers.
 

bp2008 (Staff member; joined Mar 10, 2014; 12,674 messages; reaction score 14,018; USA)

You may need to go to Windows Firewall now and create a rule that explicitly allows inbound TCP traffic on port 81. Possibly because your network interface doesn't have a gateway anymore, the old firewall rule that allowed Blue Iris webserver traffic is no longer working? I'm really not sure.

I'm also confused. You say you can access UI3 via LAN machines:

> The BI "local internal (LAN) access" is already on 192.168.1.120 port 81 and works to view UI3 on other computers connected to the LAN. This is working well.

Then you appear to say the opposite.

> No connectivity on the LAN for UI3 at 192.168.1.120:81 on other LAN connected computers.
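An added example, not from this thread, of the firewall side on the Blue Iris machine. It assumes NIC-2 is the LAN interface, UI3 listens on TCP 81, and the LAN is 192.168.1.0/24. One known Windows behaviour is relevant to the "no gateway" guess above: an interface with no default gateway shows up as an "Unidentified network", which Windows places in the Public profile by default, so rules scoped to Private no longer match on it.

```powershell
# Added example (not from the thread): make the UI3 port reachable from the LAN only.
# Assumptions: NIC-2 is the LAN interface, UI3 listens on TCP 81, LAN is 192.168.1.0/24.
# Run in an elevated PowerShell session on the Blue Iris machine.
$nic      = 'NIC-2'
$ruleName = 'Blue Iris UI3 (LAN only)'

# With no gateway the interface is an "Unidentified network" and lands in the Public
# profile, so pin it to Private so the Private-scoped Blue Iris rules apply again.
Set-NetConnectionProfile -InterfaceAlias $nic -NetworkCategory Private

# One explicit inbound rule limited to the local subnet, not "any remote address".
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 81 -RemoteAddress LocalSubnet -Profile Private -Action Allow | Out-Null
}

# Review every enabled inbound rule that opens TCP 81, whichever profile it is on,
# so that disabled or Public-scoped leftovers are visible.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '81' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Enabled, Profile, Action |
    Format-Table -AutoSize

# From one of the other LAN computers:
#   Test-NetConnection -ComputerName 192.168.1.120 -Port 81
```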
 

Alaska Country (Getting comfortable; joined Jun 10, 2021; 449 messages; reaction score 654; Alaska)

Added an inbound rule for port 81 on one of the LAN connected computers. No go. Received the below message.

Troubleshooter.PNG

Took a look at the firewall on the Windows 10 BI computer. Noticed that there are 6 inbound rules for BI-5. Three for UDP and three for TCP. Two public and four private. Enabled one of the private rules that was disabled and UI3 is now working on the LAN computer. Plus the BI machine can no longer access the internet which is the goal.

Removed the inbound rule for port 81 on the LAN computer and UI3 is still accessible. Thus deleted the rule.

The goal of internet isolation has been achieved. Like the simplicity of this process. To regain internet access to update BI just click on "Obtain an IP address automatically" for the internet connected NIC. And return that same NIC to its original settings to remove internet access.

Did lose access to NetTime at "0.nettime.pool.npt.org". However, it could be a can of worms to achieve internet access to this URL and complicate an otherwise easy process.

A big thank you for all the assistance.....
 

bp2008 (Staff member; joined Mar 10, 2014; 12,674 messages; reaction score 14,018; USA)

> Added an inbound rule for port 81 on one of the LAN connected computers.

That rule needed to be on the Blue Iris machine.

> Took a look at the firewall on the Windows 10 BI computer. Noticed that there are 6 inbound rules for BI-5. Three for UDP and three for TCP. Two public and four private. Enabled one of the private rules that was disabled and UI3 is now working on the LAN computer. Plus the BI machine can no longer access the internet which is the goal.

Yup, weird that it would be disabled. But, you found it.

> Did lose access to NetTime at "0.nettime.pool.npt.org". However, it could be a can of worms to achieve internet access to this URL and complicate an otherwise easy process.

If you have another Windows machine running always (or often at least) then you can install NetTime on that and check the box to allow other computers to sync to it.

Then configure NetTime on the Blue Iris machine to sync to that other machine's IP address frequently, like every 1 hour or something. Be sure to make a DHCP reservation for that other machine so its address doesn't change and invalidate your NetTime configuration on the BI machine.
 

Alaska Country (Getting comfortable; joined Jun 10, 2021; 449 messages; reaction score 654; Alaska)

Appreciate all of the assistance to setup the BI dual NIC system to work without internet access and still have UI3 available on the LAN.

Net Time is also working using the internet on another desktop computer that is on for 12 hours per day and updating the BI computer and the associated cameras. That is good enough and much better than no time synchronization.

Set up the firewall on the desktop Windows computer for an Inbound Rule to allow for the Net Time connection to the BI computer. (no firewall rules added to the BI computer) However could not locate the remote port number. Used netstat -a but did not list any ports that worked. Thus kept the setting at "All Ports". Assume that this is not an issue. If it is, what would be a correct port for the remote port number?

Nettime_Ports.PNG

Cameras are set for 90 minutes time updates with the exception of a few that only allow for a maximum of 30 minutes between updates. Everything is working well.....
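An added example, not from this thread, of a tighter version of the rule on the always-on desktop. SNTP/NTP, which NetTime speaks, is served on UDP port 123, so the rule can name that port and the BI machine's address rather than "All Ports" from anywhere. It assumes the BI machine is 192.168.1.120 and that the desktop's own reserved address is the placeholder 192.168.1.50.

```powershell
# Added example (not from the thread): on the desktop running NetTime as a server,
# admit time requests only from the Blue Iris machine on the NTP port.
# Assumptions: BI machine is 192.168.1.120; NetTime serves on UDP 123 (the standard
# NTP port). Run in an elevated PowerShell session on the desktop.
$biHost   = '192.168.1.120'
$ruleName = 'NetTime server (BI machine only)'

if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort 123 -RemoteAddress $biHost -Profile Private -Action Allow | Out-Null
}

# Confirm a process is actually bound to UDP 123 (NetTime, or the built-in W32Time
# service if NetTime's server option is off); this is the listener netstat -a shows.
Get-NetUDPEndpoint -LocalPort 123 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# On the Blue Iris machine, sample the desktop's clock offset a few times to prove
# the path works (placeholder 192.168.1.50 = the desktop's DHCP-reserved address):
#   w32tm /stripchart /computer:192.168.1.50 /samples:3 /dataonly
```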
 