IP cams/NVRs better on secure net side or VLAN side?

Hello all, wondering what's better for my IP cams and NVR setup. In the process of trying to achieve some isolation between the more sensitive and private devices like phones and PCs and all the ever-growing smart home IoT stuff. Was wondering where my cams and NVR fit into this setup. Are they better off on the main LAN or migrate them to the VLAN side of things. I don't use any sort of port forwarding, zero in fact, no UPnP or P2P of any kind. All my cams are reachable through OpenVPN server only, so am I correct in assuming that there's no harm in leaving them on my "secure" side of things or is it still recommended to isolate them on the virtual side along with the smart home IoT stuff?
 

SpacemanSpiff

Get yourself comfy and have a read... IP Cam Talk Wiki

Cameras should be on their own network, whether you choose to achieve this as a physical LAN or as a VLAN is your choice based on your knowledge of networking.. or your desire to learn networking. Install two NICs in your BI machine to keep the camera network isolated, while still allowing yourself to easily access the BI machine for viewing, etc.

edit: spelling
 

dryfly

SpacemanSpiff said:
> Get yourself comfy and have a read... IP Cam Talk Wiki
>
> Cameras should be on their own network, whether you choose to achieve this as a physical LAN or as a VLAN is your choice based on your knowledge of networking.. or your desire to learn networking. Install two NICs in your BI machine to keep the camera network isolated, while still allowing yourself to easily access the BI machine for viewing, etc.
>
> edit: spelling

Question please. My LAN default gateway is 192.168.200.xxx. My cameras are directly interfaced with my NVR and show up as 192.168.254.xxx. Would this be considered as their own network and provide any degree of safety?
 

SpacemanSpiff

dryfly said:
> Question please. My LAN default gateway is 192.168.200.xxx. My cameras are directly interfaced with my NVR and show up as 192.168.254.xxx. Would this be considered as their own network and provide any degree of safety?

What is the subnet mask for both networks you've mentioned?
Is this a PoE NVR?
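
Why the subnet mask matters for the two ranges discussed above, as an added example that is not part of any post in this thread. The host octets (.10) are constructed, since the thread only gives 192.168.200.xxx and 192.168.254.xxx.

```python
import ipaddress

# Constructed hosts in the two ranges mentioned in the thread.
LAN_HOST = "192.168.200.10"
CAMERA = "192.168.254.10"

def network_of(ip, mask):
    """Network an interface belongs to, given its address and subnet mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network

def same_network(ip_a, mask_a, ip_b, mask_b):
    """True if either host treats the other as on-link, i.e. it would try
    to reach it directly instead of sending the traffic to its gateway."""
    return (ipaddress.ip_address(ip_b) in network_of(ip_a, mask_a)
            or ipaddress.ip_address(ip_a) in network_of(ip_b, mask_b))

def longest_shared_prefix(ip_a, ip_b):
    """Longest prefix length at which both addresses fall in one network."""
    diff = int(ipaddress.ip_address(ip_a)) ^ int(ipaddress.ip_address(ip_b))
    return 32 - diff.bit_length()

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.192.0", "255.255.0.0"):
        print(mask, network_of(LAN_HOST, mask), network_of(CAMERA, mask),
              "same network" if same_network(LAN_HOST, mask, CAMERA, mask)
              else "separate networks")
    print("ranges merge at /%d or shorter"
          % longest_shared_prefix(LAN_HOST, CAMERA))
```

With a 255.255.255.0 mask on both sides the two ranges are separate networks; with any mask of /18 or shorter they are one network as far as addressing goes.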
 

The Automation Guy

While I agree that cameras should be on their own isolated VLAN, the biggest question is if your cameras have internet access if they are on your main network or are you blocking access to the internet on those devices through a firewall rule, etc? Normally people leave their main network open to the internet so that all devices can access it without issue. By putting your devices on their own VLAN, you can limit internet access (as well as access to your other VLANs, including the main network) without much trouble vs having them on your main network and having to manually block each camera. Putting the cameras on their own VLAN only takes a little more to set up, but makes the maintenance and security much easier to manage.
 

NightLife

Don't forget, your camera(s) may have a desire to call home as well. Good to place them on a Security VLAN, disable cross-VLAN communication via RFC1918 (creating an alias, and firewall rule), and so on.
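
How an RFC1918 alias behaves in a first-match rule list on a camera VLAN interface, as an added example that is not part of any post in this thread. The rule sets, the gateway address 192.168.254.1 and the destination addresses are constructed; 203.0.113.10 is a documentation address standing in for a vendor server.

```python
import ipaddress

# The three private ranges an "RFC1918" alias contains.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = ("0.0.0.0/0",)

def evaluate(rules, dst):
    """First matching rule wins; traffic matching no rule is blocked."""
    addr = ipaddress.ip_address(dst)
    for action, nets in rules:
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return action
    return "block"

# Constructed rule sets, as they would sit on the camera VLAN interface.
OPEN_LAN_STYLE = [("pass", ANY)]                     # typical main-LAN default
RFC1918_ONLY = [("block", RFC1918), ("pass", ANY)]   # cross-VLAN blocked only
CAMERA_VLAN = [
    ("pass", ("192.168.254.1/32",)),  # hypothetical VLAN gateway (NTP/DNS)
    ("block", RFC1918),               # no access to other private networks
    ("block", ANY),                   # no internet, so no calling home
]

# Constructed destinations a camera might try to reach.
FLOWS = {
    "main LAN PC": "192.168.200.20",
    "vendor server": "203.0.113.10",
    "VLAN gateway": "192.168.254.1",
}

def report(rules):
    """Verdict for each sample destination under the given rule list."""
    return {name: evaluate(rules, dst) for name, dst in FLOWS.items()}

if __name__ == "__main__":
    for label, rules in (("open", OPEN_LAN_STYLE),
                         ("rfc1918 only", RFC1918_ONLY),
                         ("camera vlan", CAMERA_VLAN)):
        print(label, report(rules))
```

The RFC1918 block on its own stops cross-VLAN traffic but still lets a camera reach the internet; the third rule set is the one that also stops it calling home.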
 

dryfly

The Automation Guy said:
> While I agree that cameras should be on their own isolated VLAN, the biggest question is if your cameras have internet access if they are on your main network or are you blocking access to the internet on those devices through a firewall rule, etc? Normally people leave their main network open to the internet so that all devices can access it without issue. By putting your devices on their own VLAN, you can limit internet access (as well as access to your other VLANs, including the main network) without much trouble vs having them on your main network and having to manually block each camera. Putting the cameras on their own VLAN only takes a little more to set up, but makes the maintenance and security much easier to manage.

By "limiting access" would an NVR on a VLAN still provide for remote access using OpenVPN?
 

SpacemanSpiff

Others here will correct me if I am wrong, but I believe the PoE ports on the NVR that the cameras are connected to are essentially a separate network switch. Also, as you mentioned earlier, the cameras are assigned their own network IP scheme (192.168.254.0/24). Both of these are helpful in isolating your security cameras from the Internet.

The LAN Ethernet port of the NVR is connected to your home network (192.168.200.0/24). This will allow you to still access the NVR via OVPN when you are not home.
 

The Automation Guy

dryfly said:
> By "limiting access" would an NVR on a VLAN still provide for remote access using OpenVPN?

As long as your OpenVPN is set up correctly (you have to specify which VLANs you can access via the VPN), the answer is yes.
 

bigredfish

If it’s a Dahua PoE NVR, the PoE ports are on a separate network/switch by default at 10.1.1.x. They can only be reached by going through the NVR interface on the local network of the NVR.
 