Looking for some BI networking advice (with hardware implications)

Frankenscript

Hi folks,

I've benefited greatly from the "Choosing hardware for Blue Iris" thread as well as the "How to hit your cameras" threads. Great stuff, along with many other threads.

My next step is to move from a Hikvision 8 port NVR to a BI-based system. I can pick out the PC on the cheap based on what I've learned here, and other bits too, but I'm struggling mentally with some of the network implications. Probably there's a thread I just haven't located yet, that details exactly what I need to learn. Could someone please point me in the right direction?

Here is my question:

How exactly does the networking work, on a BI PC, to isolate the cameras from the LAN on which the PC lives?

I'm thinking there would be:
~10 cameras --> connected to a POE switch --> (possibly connected to a router for DHCP for the camera subnet) --> connected to a NIC (probably expansion card) on the BI PC.

The PC's built in NIC would be connected to my house's router on my house's LAN.

I've never worked on a computer that had multiple NICs before, so my brain is struggling with some of the how-to's. Do I need that router for the cameras, or can I just manually configure the IP addresses for the cameras and get by with a POE switch alone?

Let's assume the house LAN is the typical 192.168.1.X subnet, so the BI PC on the LAN might be for example 192.168.1.10. But it has a second NIC installed, configured for let's say 192.168.2.X or for that matter 2.2.2.X or whatever else I set the silly things to be.

Is there a good primer on how to work with multiple NIC PCs, relevant to our work here?

Sorry for showing gross ignorance here...

Thanks for any guidance so I can educate myself properly prior to going the BI route.
 

Dasstrum

First off look at the picture attached for a wire diagram:

I’m not sure if I understand your question but you are asking HOW Blue Iris interfaces into a home network?

First off, do NOT use DHCP for the cameras. If you set your DHCP pool to something like 192.168.1.1 - 192.168.1.50, then manually set a static IP for each camera outside that DHCP range. So like cam 1: 192.168.1.51, keeping within the same subnet mask (so don’t make a camera 192.168.9.51 if the subnet mask is 255.255.255.0).

Doing this will ensure the IPs on your cams don’t change and cause an IP address error in Blue Iris.
 


Frankenscript

Thanks @Dasstrum

I was hungry and probably fairly incoherent when I wrote my original post. Sorry about that.

Thanks for the picture but I wonder if my optimal situation might be just a little different from the picture.

So, my cameras are for my home, and right now I've got a pretty standard setup here. Internet comes in via cable modem, router connects to the cable modem, and my various computers and NVR connect to the router. Cameras connect to the NVR, and are on their own subnet since the NVR has two ethernet adaptors, one facing the LAN and the other dedicated to the cameras, which are on their own subnet.

I LIKE A LOT that the cameras are isolated from the main home network. I don't want all that camera data out on the home's main LAN; I want to isolate it all on its own subnet. In my home LAN there's lots of me copying files around and streaming from a movie server (I use Emby) and so on; I really don't want the camera streams to eat bandwidth that I use for other stuff.

So I figure the PC that I use to run Blue Iris in place of the NVR should have two ethernet connections, just like the NVR does, one for connecting to the LAN, and another connecting to the POE switch going to the cameras.

I've just never worked with a dual-ethernet PC before, so I am a bit confused as to how it works. So, if I don't assign the cameras addresses by DHCP, I can manually configure them to set addresses on a subnet dedicated to them, defined in the adaptor properties for a supplemental ethernet card for the PC. So, the built in ethernet of the PC connects to the LAN, the extra card connects to the POE switch and cameras. I guess I was wondering if I needed a router between the PC's camera-facing ethernet port and the POE switch. While I'm ok on basic networking stuff, this configuration with dual ethernet in one PC is out of my depth, so I need to learn.

Does this make sense? Is there a recommended ethernet card to use for this purpose? Or just any one off Amazon / Ebay?

Thanks!
 

Dasstrum

Ok that explanation makes a little more sense. I’m not sure if BI is able to use a “dual nic setup”

What I suggest doing is getting a managed switch and setting up a VLAN. This is essentially what you are trying to do.

You can dedicate 1 port on the managed switch to be in its own subnet and essentially isolated from the rest of the network.
 

Dasstrum

Router > managed switch >


——————————-port 2 > POE switch > cameras
Managed switch{
——————————-port 1 > BI Machine


Setup port 1 and 2 into the same VLAN
 

CrazyAsYou

You don’t need to go down the route of using a managed switch and VLANs - The cheapest and simplest way of doing things is to add another network card to your PC and have it connected to a cheap PoE switch for the cameras.


Your PC will be part of two networks:

Network 1: Your current home LAN with router to the Internet (192.168.1.1 – 254)

Network 2: New PC interface connected to new PoE switch which connects to the cameras. (192.168.2.1 – 254)


You’ll have two networks/subnets on your PC. Your PC will do 99% of the routing work for you; it will know that the current network has internet access, and the router will no doubt give the PC its network 1 IP settings along with a default gateway (the internet router's IP) via DHCP from the router. In summary, you’re not changing anything you have now for network 1. I would assume Network 1 is already 192.168.1.0/255.255.255.0, which is a standard home router setup, with the router IP @ 192.168.1.1 and clients on the network getting IPs in the rest of the range via DHCP from the router.


The 2nd (new) network will not need or have a default gateway as it will only need to talk to the cameras. You manually configure the PC network interface to have IP 192.168.2.1 with a subnet mask of 255.255.255.0 (a /24 network) you’ll then give cameras IPs from the rest of the range anything from 192.168.2.2 to 192.168.2.254 the subnet mask will be 255.255.255.0 on all devices. No device on Network 2 will need a default gateway or have access to the internet.

Almost any cheap 1gig PCI or PCIe network card from Amazon will do.
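
Added example (not part of any post in this thread): the second-NIC configuration described above, applied on the Blue Iris PC with PowerShell, followed by checks that the PC is not routing between the two subnets. The interface aliases `Ethernet` and `Ethernet 2` are assumptions; the addressing is the 192.168.2.0/24 plan from the post.

```powershell
# Added example. Interface aliases are hypothetical: use the names Get-NetAdapter shows.
$camNic = 'Ethernet 2'   # add-in card cabled to the PoE switch (Network 2)
$lanNic = 'Ethernet'     # onboard NIC on the home LAN (Network 1, left on DHCP)

# Network 2: static 192.168.2.1/24 and deliberately no -DefaultGateway,
# so Windows never installs a default route through the camera side.
Set-NetIPInterface -InterfaceAlias $camNic -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $camNic -AddressFamily IPv4 `
    -IPAddress 192.168.2.1 -PrefixLength 24

# Keep the camera-side address out of DNS registration.
Set-DnsClient -InterfaceAlias $camNic -RegisterThisConnectionsAddress $false

# A dual-homed PC only isolates the cameras while it is NOT forwarding packets
# between its NICs. Forwarding is off by default on Windows clients; pin it.
Set-NetIPInterface -InterfaceAlias $camNic, $lanNic -AddressFamily IPv4 -Forwarding Disabled

# Checks: each line of the report should read OK.
$camDefault = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' `
        -ErrorAction SilentlyContinue |
    Where-Object InterfaceAlias -eq $camNic
$forwarders = Get-NetIPInterface -AddressFamily IPv4 -InterfaceAlias $camNic, $lanNic |
    Where-Object Forwarding -eq 'Enabled'
$camAddr = Get-NetIPAddress -InterfaceAlias $camNic -AddressFamily IPv4

[pscustomobject]@{
    'Camera NIC address'           = "$($camAddr.IPAddress)/$($camAddr.PrefixLength)"
    'No default route via cameras' = if ($camDefault) { 'FAIL' } else { 'OK' }
    'Forwarding disabled'          = if ($forwarders) { 'FAIL' } else { 'OK' }
} | Format-List
```

Run it from an elevated PowerShell session; the cameras themselves are then given static addresses from 192.168.2.2 to 192.168.2.254 with mask 255.255.255.0 and no gateway.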
 

Frankenscript

@Dasstrum : OK, let me investigate this option. I understand how the managed switch would enable the creation of a VLAN for the camera equipment and the BI machine, but then wouldn't the BI machine itself be isolated from and thus inaccessible to the other computers on my LAN? I will need to be able to remote into the BI computer from the LAN. Also, would having this VLAN setup actually isolate the camera traffic from the rest of the network to avoid bandwidth constraints? I know they would be on a separate subnet, but wouldn't the camera streams still be eating bandwidth on the main LAN?

@CrazyAsYou : Yes, this is exactly what I was planning. Thanks. Since I've never needed to configure a computer this way it's a bit new / odd to me but with guidance I'm sure I'll get it all running.
 

Frankenscript

If you need any help at all let me know, if you get really really stuck once you have the new hardware in place we could even have a team viewer session but I doubt it will come to that.
Thanks. Mostly I just wanted to make sure my plan of a secondary NIC was correct and that there was no need for a router between it and the POE switch.

I love learning new stuff!

 

giomania

"No device on Network 2 will need a default gateway or have access to the internet."

Forgive my ignorance, but would the elimination of a gateway on the cameras preclude their access to a time server on the internal network (LAN)? My cameras all have a space to input an IP address for a time server, so I think the elimination of the gateway does not matter, but I thought I would check to be sure.

All my cameras have the gateway set for my non-secure subnet (network), and I have firewall rules in my Ubiquiti USG to prevent the cameras from accessing the internet and secure network, but your method requires less configuration.

Thanks.

Mark
 

DognamedTank

I have my network set up with a Dual-NIC BI server. I had two routers sitting around, so to simplify things, I have all of my cameras (POE switches really) connected to the one router's LAN side. I also have the BI machine connected to the LAN connection on the router. There is no connection to the WAN. The other NIC of the BI machine is connected to the LAN connection to my internet facing router. My VPN server runs on the internet facing router. My BI server runs an NTP server to sync time on the cameras.

This keeps the cameras from internet access, but I can access the BI machine when connected to VPN. By design, I can't access the camera configuration pages unless I am on the BI machine or other machine I connect to my camera subnet. If I'm going to be away from home for an extended period, I'll start up a VNC server to connect to the BI server on the VPN if I really need to configure the cams.

The only real hang up I had was the BI server wouldn't always have internet. I fixed it by going into the advanced TCP/IP settings and changing the interface metric from Auto to 1 (see attached pic).

Both routers are configured with different IP ranges and the BI server is set to use static IP addresses.
 

Frankenscript

This is exactly what I want to do. Thanks. By the way what ntp server do you run?

 

DognamedTank

I run the NTP server built into Windows 10. There are a lot of guides if you google Use Windows 10 NTP Server. I think the one I used was HERE. Be sure to allow port 123 on any firewall you may have on your BI server. I then point the camera to the BI server address that is on the same subnet as the camera, port 123.
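
Added example (not part of any post in this thread): enabling the built-in Windows time service as an NTP server for the cameras, allowing UDP 123 only from the camera subnet, and setting the interface metric mentioned earlier. The interface aliases, the 192.168.2.0/24 addressing and the choice to lower the metric on the internet-facing NIC are assumptions, not details given by the poster.

```powershell
# Added example. All values below are assumptions: adjust to your own setup.
$lanNic    = 'Ethernet'         # hypothetical alias of the internet-facing NIC
$camSubnet = '192.168.2.0/24'   # camera subnet (addressing used earlier in the thread)
$camAddr   = '192.168.2.1'      # BI server's own address on the camera subnet

# 1. Turn on the NTP server provider of the built-in Windows Time service.
$w32 = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
Set-ItemProperty -Path "$w32\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
Set-ItemProperty -Path "$w32\Config" -Name AnnounceFlags -Value 5 -Type DWord
Set-Service -Name w32time -StartupType Automatic
Restart-Service -Name w32time

# 2. Allow NTP in, but only from the cameras and only on the camera-facing address.
#    A NIC with no default gateway shows up as an "Unidentified network", which
#    Windows places in the Public firewall profile, so the rule must cover it.
New-NetFirewallRule -DisplayName 'NTP for cameras (UDP 123)' `
    -Direction Inbound -Action Allow -Protocol UDP -LocalPort 123 `
    -LocalAddress $camAddr -RemoteAddress $camSubnet -Profile Any

# 3. Interface metric: make the internet-facing NIC the preferred path.
#    (Equivalent of changing "Automatic metric" to 1 in Advanced TCP/IP Settings.)
Set-NetIPInterface -InterfaceAlias $lanNic -AddressFamily IPv4 -InterfaceMetric 1

# 4. Checks.
#    The time service should be listening on UDP 123 ...
Get-NetUDPEndpoint -LocalPort 123 | Select-Object LocalAddress, LocalPort

#    ... the firewall rule should be scoped to the camera subnet ...
Get-NetFirewallRule -DisplayName 'NTP for cameras (UDP 123)' |
    Get-NetFirewallAddressFilter | Select-Object LocalAddress, RemoteAddress

#    ... and the lowest combined metric should belong to the internet-facing NIC.
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
    Sort-Object { $_.RouteMetric + $_.InterfaceMetric } |
    Format-Table InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
```

Each camera's time-server field then points at the BI server's camera-side address, port 123.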
 

CrazyAsYou

I don't understand why you have a spare router acting just as a switch between your BI server and your camera PoE switch? Also Windows has many options for hosting its own NTP server for the cameras if needed, but it makes sense to use what is built in.
 

DognamedTank

The router isn't acting as a switch, it is acting as a router. I didn't want to configure everything on my BI machine to do the routing, or give the CPU anything else to do.
 

Frankenscript

So, it's acting as a router, but not as a gateway, as nothing is plugged to the WAN port. Is this correct?

 

CrazyAsYou

That is correct. It is also the WiFi access point for my doorbell cam and other WiFi cams.
Ok, so it's not acting as a "Router". It's acting as a Switch and a WiFi Access Point. Something is a Router when it routes network traffic between two or more different subnets at layer 3 (IP). A Switch switches traffic at layer 2 based on MAC address, and an Access Point is nothing more than switching with a few extra layers of media/protocol conversion and encryption.

If you want Wifi on that private camera network, you can have it setup as you have now or you could connect any of the LAN ports on the old router to the PoE switch and you would have roughly the same setup.

People always fall into the same trap with the little cable/ADSL ISP routers: because it is common to call them routers, people assume they always do routing, which is only the case when they sit between two networks/subnets (home network and internet).

The truth is they are multifunctional devices, often running some sort of custom tiny Linux build, and almost always include these features:

Routing
Software Firewall
Network Address Translation (NAT)
Switching
DNS client/server
DHCP client/server
NTP client/server
Wifi Access Point

Many have now also started to include USB ports and the option to use the “Router” as a file sharing network attached storage (NAS) and/or media device.

As you can see, far more than just a “Router”, but that’s what it still gets called. They will only use the features enabled via their interface and required by the current physical and configuration setup.

Although these things are pretty good all-round devices, they are doing most of the above features in software, without dedicated hardware and on limited CPU/memory resources. Often a cheap dedicated switch will outperform the switching interfaces on an ADSL router. Wherever possible, try to disable all the features not needed for the current setup to lower demands on the hardware. The best examples, when NOT using the router to bridge the home network to the internet and it's for an internal LAN only, are the software firewall, any NAT acceleration, and any media services, as they often put the most demand on the CPU and can have an impact on switching if the network packets have to be handled in software.
 

DognamedTank

@CrazyAsYou, things I learn, thank you. I guess you could say I'm using my "router" to simplify my setup and to assign my IP addresses. It's an ASUS RT-AC87U, and it has been keeping up pretty well with all of the traffic so far. I have also disabled a lot of the features I don't need in my setup, but your post is a good reminder to go revisit those settings again.
 