IPcam VLAN setup question about DNS

prsmith777

Getting comfortable
Joined
Dec 23, 2019
Messages
268
Reaction score
379
Location
Colorado
I currently have a locked down VLAN called IPCAM on a Unifi system that is working well. I have BI on a windows desktop with a dual NIC--one NIC is on the Home LAN and the other is on the IPCAM VLAN with no gateway. I also have NTP server on the BI box. VLAN IPCAM has no internet or local subnet access.

I am moving on from Unifi to pfSense and in the process of setting up the new IPCAM VLAN.

I plan on setting up the VLAN with DHCP and no internet or subnet access. Since I have the NTP server on BI, I don't need to allow access out for that. But I was wondering if I need to allow DNS access to pfSense. I statically map all my cams in DHCP. I don't see a need for DNS, unless I am missing something. So basically the IPCAM VLAN will have no firewall rules in it at all....pretty unusual.
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,456
Reaction score
2,431
Location
USA
I surmise pfsense will be only your router/firewall. That said, it is strongly encouraged that you do not configure your network in a manner that would expose your router with any of the video traffic. The current dual NIC in BI that you have eliminates the need to have any IPCAM VLAN set-up on your pfsense device.
Also, DHCP on your IPCam VLAN does offer a convenience, however it will come back and bite you at some point. I prefer manually setting all cams to a static IP versus DHCP (or DHCP reservations).
If you are intent on DHCP for IPCAM VLAN, maybe consider setting it up on the BI server and bind it only to the IPCAM VLAN NIC
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,456
Reaction score
2,431
Location
USA
I surmise pfsense will be only your router/firewall. That said, it is strongly encouraged that you do not configure your network in a manner that would expose your router with any of the video traffic.
...
Neglected to mention... this is more of a performance recommendation, versus good security practice. Though both apply.
 

Teken

Known around here
Joined
Aug 11, 2020
Messages
1,521
Reaction score
2,747
Location
Canada
How and what are you using for a NTP Server on the BI machine? More specifically how does the NTP Server update itself to keep accurate time?!?
 

prsmith777

Getting comfortable
Joined
Dec 23, 2019
Messages
268
Reaction score
379
Location
Colorado
I surmise pfsense will be only your router/firewall. That said, it is strongly encouraged that you do not configure your network in a manner that would expose your router with any of the video traffic. The current dual NIC in BI that you have eliminates the need to have any IPCAM VLAN set-up on your pfsense device.
Also, DHCP on your IPCam VLAN does offer a convenience, however it will come back and bite you at some point. I prefer manually setting all cams to a static IP versus DHCP (or DHCP reservations).
If you are intent on DHCP for IPCAM VLAN, maybe consider setting it up on the BI server and bind it only to the IPCAM VLAN NIC
Reason for DHCP is when adding new cameras to the IPCAM VLAN. I have managed switches so it's easy to assign a port to this VLAN for this purpose. I have selected a small DHCP pool with most addresses available for static settings.

I forgot that I need to block traffic to the LAN, which I have added as a firewall rule. pfSense defaults to not allowing any VLAN traffic. So now no traffic can hit the router other than DHCP. The DHCP server is per interface, so it is already bound to the VLAN interface. The one NIC card is set on this VLAN. I don't foresee any problems using DHCP.
 

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,690
Location
New Jersey
The big problem with DHCP is that if there's a power outage you're not entirely guaranteed that everything will return with the same addresses. Many people have found that out the hard way.
 

prsmith777

Getting comfortable
Joined
Dec 23, 2019
Messages
268
Reaction score
379
Location
Colorado
How and what are you using for a NTP Server on the BI machine? More specifically how does the NTP Server update itself to keep accurate time?!?

I added the NetTime program to the BI box. Dual NIC is my friend here. Cams can access NetTime on the VLAN NIC and time is updated via the internet on the other NIC.
 

prsmith777

Getting comfortable
Joined
Dec 23, 2019
Messages
268
Reaction score
379
Location
Colorado
The big problem with DHCP is that if there's a power outage you're not entirely guaranteed that everything will return with the same addresses. Many people have found that out the hard way.
True, but all my cams have static mapping, which is the same as a DHCP reservation, so they will be fine. DHCP is only for adding new cams. I could turn it off and only turn it on when needed.
 

prsmith777

Getting comfortable
Joined
Dec 23, 2019
Messages
268
Reaction score
379
Location
Colorado
If all the devices on the IPCAM VLAN address each other by IP address, not by network name, and there is no ability to exchange network packets outside the IPCAM VLAN, then access to a Domain Name Server (DNS) isn't needed.
These were my thoughts as well. Thanks for confirming. Won't be doing DNS.
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,456
Reaction score
2,431
Location
USA
I forgot that I need to block traffic to the LAN, which I have added as a firewall rule.
...
Sounds like you have a single managed switch that hosts both IPCAM and HOME network connections that are isolated/segmented by VLAN assignments. Are you including the IPCAM VLAN on the ethernet port that uplinks your switch to the pfSense device?
 

prsmith777

Getting comfortable
Joined
Dec 23, 2019
Messages
268
Reaction score
379
Location
Colorado
Sounds like you have a single managed switch that hosts both IPCAM and HOME network connections that are isolated/segmented by VLAN assignments.
Sort of. I have a dedicated 48 port POE managed switch which is trunked to my main switch. All the cams are on this ipcam switch.

Are you including the IPCAM VLAN on the ethernet port that uplinks your switch to the PFSense device?
All the ipcam switch ports except the trunk to main switch are assigned to vlan ipcam. Pfsense is on the main switch on LAN which is the native interface and technically not a vlan.

I am new to pfSense but it is my understanding that the LAN network is wide open to all other networks including VLANs. So I am planning to have a block rule for VLAN ipcam to access LAN.
 

TechieTech

Getting the hang of it
Joined
Aug 11, 2021
Messages
79
Reaction score
79
Location
USA
If your switch can act as a DHCP server, you can leave the firewall off the camera VLAN entirely.
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,456
Reaction score
2,431
Location
USA
For the same (security) reason you added a DENY rule to pfsense blocking IPCAM VLAN traffic, you should consider disconnecting the POE camera switch from your main switch.
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
939
Location
CT
For the same (security) reason you added a DENY rule to pfsense blocking IPCAM VLAN traffic, you should consider disconnecting the POE camera switch from your main switch.
What security reason are you referencing? OP has VLANs and firewall rules separating and/or blocking the traffic.
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,374
Reaction score
2,734
Location
USA
So now no traffic can hit the router other than DHCP.
You might consider allowing the cameras access to pfSense's NTP server. It's how I keep my system all on the same time. It's generally port 123 and you can open just that port to your VLAN firewall address. For example, if your pfSense firewall main address is 192.168.1.1 and you have your CCTV VLAN set up for 192.168.20.X, then you can allow access to port 123 at 192.168.20.1 and it hits the firewall without having to open access to the 192.168.1.X network.
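The policy the thread converges on (DHCP allowed, NTP only to the VLAN's own gateway address, nothing from the camera VLAN to the LAN or anywhere else), written out as a hand-written pf ruleset as an added illustration; this is not pfSense's generated configuration or anyone's posted config. The interface name vlan20 and the 192.168.1.0/24 / 192.168.20.0/24 subnets are assumed (the subnets follow The Automation Guy's example).

```conf
# Hypothetical pf ruleset equivalent to the pfSense GUI rules discussed above.
# pfSense builds its own rules from the GUI; this is only an illustration.
ipcam_if  = "vlan20"                 # assumed VLAN interface for IPCAM
lan_net   = "192.168.1.0/24"         # assumed home LAN
ipcam_net = "192.168.20.0/24"        # assumed camera VLAN

set skip on lo0

# Default deny: pfSense applies this implicitly to an interface with no rules.
block log all

# DHCP: a camera with no address yet broadcasts from 0.0.0.0:68 to :67,
# so the source cannot be restricted to $ipcam_net here.
pass in quick on $ipcam_if inet proto udp from any port 68 to any port 67 keep state

# NTP to the VLAN's gateway address only. "($ipcam_if)" expands to the
# addresses of that interface (192.168.20.1 here), so the LAN address
# 192.168.1.1 and the rest of $lan_net stay unreachable.
# The pfSense NTP service must also be set to listen on this interface.
pass in quick on $ipcam_if inet proto udp from $ipcam_net to ($ipcam_if) port 123 keep state

# Explicit deny for everything else from the camera VLAN (LAN, other VLANs,
# internet). Redundant with the default deny, but it logs the attempts,
# which is how you notice a camera trying to phone home.
block in quick log on $ipcam_if from $ipcam_net to any
```

If the cameras keep using NetTime on the BI box's VLAN NIC instead, the NTP pass rule is simply dropped and the interface carries nothing but DHCP.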
 

SpacemanSpiff

Known around here
Joined
Apr 15, 2021
Messages
1,456
Reaction score
2,431
Location
USA
What security reason are you referencing? OP has VLANs and firewall rules separating and/or blocking the traffic.
Removing as many failure points as possible. If there is no other traffic from the IPCAM switch, remove the physical link to eliminate any chance of traffic being passed in the event the IPCAM VLAN gets turned up on the trunk port, or the rule(s) get disabled or mangled in pfsense, etc.
 