Looking for some BI networking advice (with hardware implications)

If you do not already have a managed switch in your environment and do not wish to add one, you can go with something like this. It is not what I would recommend as you have to manually ensure that the NTP server is kept up to date or move that service to the BI workstation. In the scenario pictured, BI and cameras have static IPs. Local devices are given DHCP addresses from your local router.

This will completely segregate your cameras from the internet and any management of the cameras will have to be done from the BI workstation.
 

[Attachment: BI Network (2).png]

That network diagram is valid but I have a few questions
  1. I see the Ras Pi is running NTP, I assume this is an NTP server for the cameras to take a time sync from but, how is the Pi getting its own time? Are you manually syncing or has the Pi got some level of access to the Internet/NTP server either via the BI workstation or maybe WiFi?
  2. The ISP router - Is that acting just as a media converter or is it that your ISP will not allow you to directly connect your own router?
  3. Is the ISP router or the Local Router with Wifi or both of them providing Firewall and NAT function for the Internet ingress and egress?
 
As noted, you would have to manually keep the Pi up to date or move the service to the BI workstation. The scenario was a suggestion based on a dual-homed BI workstation with no managed switch to isolate cameras from "home" traffic (pictures are always worth the fifteen minutes it takes to do). Any details of how routers and firewalls are configured would be left up to the user deploying that scenario.

I certainly wouldn't implement it that way though.
 
Hey guys, I appreciate all the input so far. I'm going to map out my specific plan based on what I've learned and post it here for review once I get it done.

Thanks again!

Sent from my ONEPLUS A3000 using Tapatalk
 
Hi guys,

Based on the advice, I've assembled the attached diagram which I believe represents an appropriate configuration of hardware for my purpose. Note, it's important to me to isolate the camera traffic from other traffic on my home LAN so as not to impact speeds (yes, really everything would be fine anyway, but I want to isolate it!), and I don't want the cameras to be accessible to the internet at large, nor do I want the cameras to have access to the internet to phone home or whatever. The Blue Iris PC will be the sole connection, with two NICs (one built-in, one via a PCIe card).

Take a look; is there any problem with this configuration?

EDIT after a week of smooth running: the extra router in the diagram is NOT NEEDED. I've been running from the PC's second NIC directly to the PoE switch, with cams plugged in there. No need for any routing; all works fine. If the router were configured to be just a switch/access point, it could go in there as shown (using only the LAN ports), and in this case it could act as a wireless AP or a switch to connect multiple PoE switches. But it's not needed for a simple situation with just 8 hardwired cameras.
 

[Attachment: ProposedNetwork.jpg]
Please keep good notes about your "journey", as I too am about to go down a very similar path with a few different twists. I'm currently a few steps behind you and look forward to learning from what you have done before me. Good luck!
 
Will do. I've never worked with a dual-NIC PC before; for me that's the confusing thing. But I've collected the bits and pieces (except for the POE switch; arrives Wednesday).
I've got an i5-6500 PC (SSD for OS, 2 TB WD Purple, and a 4 TB WD Purple after I decommission the Hikvision NVR); it has a fresh Win 10 pro on it.
Got the Intel NIC for the second ethernet port; haven't put it in the computer yet.
Got the AC86U Router (haven't set it up yet; currently using a Netgear 4300 I think, which will probably become the second router, past the PC, though I have two others that would do)
Also have a single port power over ethernet injector in case I want to just connect directly to any one camera.

First is to set up the main router. Just need some time to get it done without causing screams from my kids.

Then I plan to set up the PC with the NIC/2TB drive, load Blue Iris, and connect the first camera. My system currently has 5 cameras with two more of the 5321 varifocal turrets on the way from Andy.

I will save all configurations, and write it up as a learn-as-I-go thread. Maybe others will find it useful, even if it's a bit basic stuff for many denizens of this forum.
 

You do not need the extra router in this scenario, the one connected between your POE switch and the BI workstation. Unless that extra router is connected directly to your main router, it will serve no function and will not give your cameras internet access or remote users direct access to the cameras.
 
Thanks. The intent for that router (connected only via the LAN ports, not using its WAN) is that it would serve to route traffic on the 254 network, between the BI PC and the cameras. Is a router not needed in this scenario? Without one, how does routing occur?

Sent from my ONEPLUS A3000 using Tapatalk
 
Oh also the second router serves as wireless access point if I ever want to hook up a WiFi camera (I don't have any and probably never will, but just in case...)

Sent from my ONEPLUS A3000 using Tapatalk
 
@Frankenscript you definitely shouldn't need the "extra router", because I am running that exact configuration (with the physically separated networks) without one. General guidance is that VLANs will do this easily as well, but I wasn't ready to tackle VLANs until I learn more about them.

I am using the HP-1920-8G-POE+ switch where you show a POE switch to power your cameras, with Blue Iris connected to one of the ports and with a fixed 192.168.1.5 IP Address. Since my cameras have so far always wanted to be on the 192.168.1.x subnet, Blue Iris can scan for each new camera that I connect. On the camera side I tell them all 192.168.1.1 is their gateway, and there isn't a device with that IP on that network. It works because Blue Iris is connecting to each camera, and the cameras don't need to connect to anything else (the Blue Iris machine is configured as their time server).

The only nuisances are 1. this approach does consume a port on your POE router that maybe a different configuration wouldn't require allowing an addl camera and 2. to access the camera setup web pages, I have to remote desktop to the Blue Iris machine.

But it's easy setup if you are a network novice, and I feel it is secure from a lot of the threats you hear about these cameras and botnets etc since the cameras can't electronically reach anywhere but the Blue Iris machine. That security came with a $24.95 price tag as I needed to buy a USB network dongle to get a second network port on the laptop I started out with. If yours is a PC, network cards are cheap and you don't even really need a great one.

Try your setup, minus the second router, you'll be golden.
 
As I start, I think I'm going to leave the NVR up and running and just pull the second stream for BI until I get it all figured out, as most of my cams are running off a PoE switch. (Keep your head down... if it weren't for wives and kids this would be easy, but would that be any fun!)
 

Just as an update, this is working out well for me, though I only have two cameras plugged in so far. Five more soon once I finish tweaking some things and letting it run for a while. I don't have any router between the BI PC and the PoE switch at the moment, and the cameras are talking to the Blue Iris PC just fine. The cams and the second NIC on the PC are on the 192.168.254.x subnet. The built-in NIC is on the 192.168.1.x typical LAN subnet. So, the PC is easily accessible from elsewhere on my LAN, and I can either use the web interface in BI or Remote Desktop to the PC, to mess with Blue Iris. If I need to mess with the cameras, I do remote desktop to the PC, and connect directly to them via their native pages. The cams intentionally don't have internet access (they can't check for updates, for example) since they are set to a gateway that has no computer there... 192.168.254.1 I think.

One curious time sync thing... I set my BI PC to be an NTP server per instructions on the web. Tweaking a couple registry entries; making a service autostart was all it took I think. Now, when I log into the camera pages, I had thought I would need to configure them to use the address of my BI PC second NIC (for example, 192.168.254.2) but in actuality on my new Dahuas I just had to click "time sync to PC" or something like that. I'm a bit surprised that actually worked. Anybody care to explain how that works, so I can understand?

Thanks

(PS: These two Dahuas are the 5321 turrets, 2.8-12 mm motorized zoom, from Andy. He shipped super fast, no problems at all)
 
If a dual NIC PC works for you, then great. In my case, my dedicated PC for Blue Iris is on a separate VLAN from my main PC, the home Wi-Fi, and other network components. All the wired cameras are likewise on the Blue Iris VLAN. At this point, you can use port-forwarding to connect to Blue Iris from the public WAN, but a better option is to use a VPN client to connect to your Blue Iris network from the WAN. How one network device on the LAN side is able to reach another network device across a VLAN involves the use of firewall rules. For instance, I have a Wi-Fi camera connecting to Blue Iris, although the camera is on a different VLAN; the use of firewall rules allows the connection to occur.
 
"One curious time sync thing... I set my BI PC to be an NTP server per instructions on the web. Tweaking a couple registry entries; making a service autostart was all it took I think. Now, when I log into the camera pages, I had thought I would need to configure them to use the address of my BI PC second NIC (for example, 192.168.254.2) but in actuality on my new Dahuas I just had to click "time sync to PC" or something like that. I'm a bit surprised that actually worked. Anybody care to explain how that works, so I can understand?"

For NTP server, I just have the cameras connected to pool.ntp.org on port 123 every 10 minutes. Synching with the PC I believe is just a one-time event, as the time may drift thereafter.
 
"One curious time sync thing... I set my BI PC to be an NTP server per instructions on the web. Tweaking a couple registry entries; making a service autostart was all it took I think. Now, when I log into the camera pages, I had thought I would need to configure them to use the address of my BI PC second NIC (for example, 192.168.254.2) but in actuality on my new Dahuas I just had to click "time sync to PC" or something like that. I'm a bit surprised that actually worked. Anybody care to explain how that works, so I can understand?"

For NTP server, I just have the cameras connected to pool.ntp.org on port 123 every 10 minutes. Synching with the PC I believe is just a one-time event, as the time may drift thereafter.
After I posted the above, it occurred to me that the camera knew all about my PC time since it could just ask via the HTML page I was using. Duh! OK, my brain was in idle or something. :-)

My cameras have no access to the outside world (the internet) on purpose, so syncing them to the server you mention isn't an option, hence my need to use the NTP server on the PC. As long as the PC maintains reasonably accurate time via its own daily sync, I should be good.

I am curious... your cameras sync every ten minutes? Isn't that quite a lot? Just curious about the need. Do these cameras drift that much?
 
I think my cameras defaulted to every 10 minutes. Probably overkill but since it’s just polling the BI server (BI server IP is the NTP client on every camera). I imagine it’s a really quick network packet exchange, so I wouldn’t sweat it.

I can’t speak to the drift that naturally occurs on the cameras, but I wouldn’t think casual consumer usage would need this precision. For me I just like to see the cameras all tick at the same time, all the time.


Sent from my iPad using Tapatalk
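The "quick network packet exchange" mentioned above is a single 48-byte UDP datagram each way on port 123. The following is an added example, not code from the thread, from Blue Iris or from any camera vendor: it builds the camera's request and the BI PC's reply from the RFC 5905 packet layout, runs the exchange entirely in memory, and shows the checks a careful client should make (mode, stratum, matching originate timestamp) before it trusts a reply, which also covers why a stratum-0 "kiss-o'-death" answer or an unsolicited packet must be ignored. Every clock value is constructed; in the demo the camera is assumed to read 37.5 s behind the server.

```python
"""Added example (not from the thread or from Blue Iris): the 48-byte NTP poll a
camera sends to the BI PC's time service on UDP 123 and the reply it gets back,
built from the RFC 5905 packet layout and run entirely in memory. Clock values
are constructed: the camera is assumed to read 37.5 s behind the server."""
import struct

NTP_EPOCH_DELTA = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix)
# 48 bytes: LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
# reference id, then four 64-bit timestamps (reference, originate, receive, transmit).
PACKET = struct.Struct(">BBBb11I")


def to_ntp(unix_seconds):
    """Unix float -> (seconds, fraction) in NTP's 1900-based fixed-point format."""
    whole = int(unix_seconds)
    return (whole + NTP_EPOCH_DELTA) & 0xFFFFFFFF, int((unix_seconds - whole) * 2**32)


def from_ntp(seconds, fraction):
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def build_request(t1):
    """Client packet: LI=0, VN=3, mode=3 (0x1B); only the transmit timestamp is set."""
    s, f = to_ntp(t1)
    return PACKET.pack(0x1B, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)


def build_reply(request, t2, t3, stratum=2):
    """Server packet: mode=4 (0x1C). The client's transmit timestamp is echoed back
    as 'originate', which is how the client ties a reply to its own request."""
    fields = PACKET.unpack(request)
    if fields[0] & 0x07 != 3:
        raise ValueError("not a client request")
    orig_s, orig_f = fields[13], fields[14]
    ref_s, ref_f = to_ntp(t3 - 60)          # constructed: last upstream sync a minute ago
    r_s, r_f = to_ntp(t2)
    x_s, x_f = to_ntp(t3)
    return PACKET.pack(0x1C, stratum, 10, -20, 0, 0, 0,
                       ref_s, ref_f, orig_s, orig_f, r_s, r_f, x_s, x_f)


def parse_reply(data, t1, t4):
    """Client-side checks, then the RFC 5905 offset and round-trip delay.
    t1/t4 are the client's own send and receive times. Raises ValueError on
    anything a careful client should refuse rather than apply to its clock."""
    if len(data) < PACKET.size:
        raise ValueError("short packet")
    f = PACKET.unpack(data[:PACKET.size])
    li, vn, mode = f[0] >> 6, (f[0] >> 3) & 0x07, f[0] & 0x07
    if mode != 4 or vn not in (3, 4):
        raise ValueError(f"unexpected mode/version {mode}/{vn}")
    if li == 3:
        raise ValueError("server reports its clock unsynchronised (LI=3)")
    if not 1 <= f[1] <= 15:
        raise ValueError(f"stratum {f[1]} (0 = kiss-o'-death, 16 = unsynchronised)")
    if (f[9], f[10]) != to_ntp(t1):
        raise ValueError("originate timestamp mismatch: not a reply to our request")
    if (f[13], f[14]) == (0, 0):
        raise ValueError("zero transmit timestamp")
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2     # how far the client clock is off
    delay = (t4 - t1) - (t3 - t2)            # wire round trip, server time excluded
    return offset, delay


def reply_problem(data, t1, t4):
    """The rejection reason for a reply, or None when the client would accept it."""
    try:
        parse_reply(data, t1, t4)
    except ValueError as exc:
        return str(exc)
    return None


def simulate_poll(camera_clock_error, wire_delay=0.002, server_now=1_700_000_000.0):
    """One poll. The camera clock reads camera_clock_error seconds off true time,
    the wire adds wire_delay each way. Returns (offset, delay) as the camera
    computes them; offset recovers -camera_clock_error, delay 2 * wire_delay."""
    t1 = server_now + camera_clock_error          # camera's (wrong) send time
    t2 = server_now + wire_delay                  # server receive, true time
    t3 = t2 + 0.0005                              # server processing
    t4 = t3 + wire_delay + camera_clock_error     # camera's (wrong) receive time
    reply = build_reply(build_request(t1), t2, t3)
    return parse_reply(reply, t1, t4)


if __name__ == "__main__":
    offset, delay = simulate_poll(-37.5)
    print(f"camera should step its clock by {offset:+.3f} s (round trip {delay * 1000:.1f} ms)")
    kod = build_reply(build_request(1_700_000_000.0), 1_700_000_000.002,
                      1_700_000_000.0025, stratum=0)
    print("kiss-o'-death reply:", reply_problem(kod, 1_700_000_000.0, 1_700_000_000.005))
```

Because the offset formula cancels the symmetric wire delay, a poll every ten minutes costs nothing measurable on the camera segment; what does matter is that UDP 123 is open inbound on the BI PC's camera-side interface, otherwise `t4` never arrives and the camera keeps its old time.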
 
I know you've already got your system set up and functional with some cameras for testing, though I figured I would reply to this for further details.

When you have a device with more than one interface configured, and those interfaces are configured for different networks, there is no actual routing involved for that device to communicate with other devices on those networks. Routing comes into play when you are leaving one network destined for another. That could be a camera communicating with a domain controller for NTP on a separate VLAN, or your tablet pulling up ipcamtalk.com to check your latest updates.

The important part to remember when configuring a Windows device with multiple interfaces is that only ONE of them should have a default gateway defined. Here is an example of a management workstation with three of the interfaces shown. Take note of the IPv4 Default Gateway. This prevents the Windows workstation from looking to route traffic through networks that have no access beyond their local network.

[Image: upload_2018-5-7_16-21-36.png]
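To make the point about on-link traffic and the single default gateway concrete, here is an added example that is not the poster's code and not a Windows API: it simulates the forwarding decision (longest-prefix match, lowest metric on ties, then ARP for the next hop) for the dual-NIC BI PC and for an isolated camera. The interface names, addresses, metrics and ARP tables are constructed, and the "lower metric wins between two default routes" rule is a simplification of what Windows does with its automatic interface metrics.

```python
"""Added example (not from the thread, not a Windows API): how a dual-homed
Blue Iris PC and an isolated camera decide where to send a packet. Pure
simulation of longest-prefix match plus ARP; all names, addresses, metrics
and ARP tables below are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    gateway: Optional[Addr] = None  # None: destination is on-link, ARP for it directly
    metric: int = 0                 # lower wins when prefix lengths tie (assumed Windows-like)


def build_table(interfaces):
    """interfaces: iterable of (name, 'ip/prefix', gateway_or_None, metric).
    Mirrors what a host derives from an adapter's IPv4 settings: one connected
    route per NIC, plus a 0.0.0.0/0 route for every NIC that has a default gateway."""
    table = []
    for name, cidr, gw, metric in interfaces:
        table.append(Route(ipaddress.IPv4Interface(cidr).network, name, None, metric))
        if gw is not None:
            table.append(Route(Net("0.0.0.0/0"), name, Addr(gw), metric))
    return table


def lookup(table, dst):
    """Longest-prefix match; among equal prefix lengths the lowest metric wins.
    Returns None when nothing matches (off-link destination and no default route)."""
    dst = Addr(dst)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.metric))


def forward(table, arp_cache, dst):
    """Pick the next hop and 'ARP' for it. arp_cache maps iface -> set of addresses
    that really answer on that segment. Returns (iface, next_hop) or ('drop', reason);
    a gateway address that nobody owns is a black hole, which is exactly what
    isolates the cameras."""
    route = lookup(table, dst)
    if route is None:
        return ("drop", "no route to host")
    next_hop = route.gateway if route.gateway is not None else Addr(dst)
    if next_hop not in arp_cache.get(route.iface, set()):
        return ("drop", f"no ARP reply for {next_hop} on {route.iface}")
    return (route.iface, str(next_hop))


# Constructed topology: home LAN 192.168.1.0/24 behind a real router at .1,
# camera segment 192.168.254.0/24 with no router on it at all.
BI_ARP = {"Ethernet": {Addr("192.168.1.1")},
          "Ethernet 2": {Addr("192.168.254.10"), Addr("192.168.254.11")}}
CAM_ARP = {"eth0": {Addr("192.168.254.2")}}   # only the BI PC answers on the camera side

BI_OK = build_table([("Ethernet", "192.168.1.50/24", "192.168.1.1", 25),
                     ("Ethernet 2", "192.168.254.2/24", None, 5)])
# Mistake: a gateway typed into the second NIC as well, and that NIC has the better metric.
BI_BAD = build_table([("Ethernet", "192.168.1.50/24", "192.168.1.1", 25),
                      ("Ethernet 2", "192.168.254.2/24", "192.168.254.1", 5)])
CAMERA = build_table([("eth0", "192.168.254.10/24", "192.168.254.1", 0)])


def demo():
    return {
        "bi_to_camera": forward(BI_OK, BI_ARP, "192.168.254.10"),      # on-link, no router needed
        "bi_to_internet": forward(BI_OK, BI_ARP, "203.0.113.5"),        # via the only default gateway
        "bi_bad_to_internet": forward(BI_BAD, BI_ARP, "203.0.113.5"),   # black-holed on the camera NIC
        "cam_to_bi": forward(CAMERA, CAM_ARP, "192.168.254.2"),         # camera reaches BI fine
        "cam_to_ntp_pool": forward(CAMERA, CAM_ARP, "203.0.113.5"),     # phone-home attempt dies
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

The `BI_BAD` case is the failure the single-gateway rule prevents: with a second default route on the faster NIC, the PC's own internet traffic is handed to a gateway address that nobody on the camera segment owns, while the `CAMERA` case shows that the same black hole is what keeps the cameras from reaching anything but the BI PC.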
 
This is good input, thanks.

Indeed, I set up the second NIC without any gateway. It lists as "unidentified network" and there's no way to choose public/private network, as expected. IPCONFIG shows no gateway entry, so it is working as designed.

Initially I thought I needed a router simply to move traffic along between the various cameras and computer (computer and cameras all on the LAN ports, not the WAN port), but this was due to my ignorance. I've learned that no routing etc. is needed for the devices on the same subnet connected via a switch. However, the router, simply acting as a switch would be useful if I need to connect another PoE switch, or if I ever want to connect a wifi device. In that case I'd probably configure the extra router as simply an access point, using just its LAN ports.

So far things are good. Had a small hiccup yesterday with my time server on the BI PC; I had forgotten to open the firewall for UDP packets on port 123, so the cams couldn't get time from the computer. After I sorted that out, my cameras started showing wrong times. Turned out that DST settings were not uniformly applied; I had to go in and make sure DST was enabled and set for a 60 minute bias (default time was 30 minutes on some cams!). With that sorted, and all cameras properly configured for which time zone they are in, all is well.