Making sure cameras aren't "calling home"?

AndrewNorCal

Mar 23, 2023
I want to make sure I have this set up correctly so my cameras aren't calling China under my nose. :oops:

Here's what I've got:

Blue Iris on a Windows 11 PC. It's hardwired to the main network router (172.16.blah.blah). It has a SECOND network card (192.168.1.x) that runs to a PoE switch then to all the cameras.

The cameras are a mix of Q-See (Dahua) and ReoLink cameras. (I have a Revotech mini camera coming too.)

Some will accept a blank default gateway entry. Others demand something in the same IP range as the camera's static IP address, so I can't just leave those blank.

What's the best practice?

Obviously, the ones that I can leave blank should be blank, but what should I set the "mandatory" default gateways to? 0.0.0.0, maybe if possible, but otherwise what? (I believe a different thread I read in my hunting here today said that setting them to, say, 192.168.1.254—an unused address—will cause unnecessary traffic.)

And is there anything I should set in Windows or on my main router?

Oh, and FWIW, I do access BI from offsite using ZeroTier and also use a browser on the real LAN from a different room/device than the BI box.

Thanks!!
Andrew
 
You should be all set then. The cameras are on the network attached to the 2nd NIC. From what you've described, there is no default gateway that would route the traffic out. The 2nd NIC in the BI machine should have no default gateway configured either. You can plug in a bogus IP in 192.168.1.x for the gateway for those cameras that insist on one.
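One way to check the Windows side of the dual-NIC setup described above, added here as an example and not part of the original thread. It assumes the cameras sit on 192.168.1.x as in the first post and is run in PowerShell on the Blue Iris PC; the `$CameraPrefix` variable and the `Isolated` column are names chosen for this example.

```powershell
# Added example: audit the camera-side NIC on the Blue Iris PC.
# Assumption: cameras live on 192.168.1.x, as in the original post.
$CameraPrefix = '192.168.1.'

# Find the interface(s) that hold an IPv4 address on the camera subnet.
$camAddrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress.StartsWith($CameraPrefix) }

if (-not $camAddrs) {
    Write-Warning "No interface has an address starting with $CameraPrefix"
    return
}

# System-wide routing switch; 1 means Windows will forward packets between NICs.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ipEnableRouter = (Get-ItemProperty -Path $tcpip -Name IPEnableRouter `
    -ErrorAction SilentlyContinue).IPEnableRouter

foreach ($addr in $camAddrs) {
    $idx = $addr.InterfaceIndex

    # A 0.0.0.0/0 route bound to this NIC means a default gateway is set on it.
    $defRoutes = Get-NetRoute -InterfaceIndex $idx -DestinationPrefix '0.0.0.0/0' `
        -ErrorAction SilentlyContinue

    # Per-interface forwarding; should be Disabled so the PC is not a router
    # between the camera segment and the main LAN.
    $fwd = (Get-NetIPInterface -InterfaceIndex $idx -AddressFamily IPv4).Forwarding

    $gw = if ($defRoutes) { $defRoutes.NextHop -join ',' } else { 'none' }

    [pscustomobject]@{
        Interface      = $addr.InterfaceAlias
        Address        = $addr.IPAddress
        DefaultGateway = $gw
        Forwarding     = $fwd
        IPEnableRouter = $ipEnableRouter
        # Isolated only if no gateway, no per-NIC forwarding, no global routing.
        Isolated       = (-not $defRoutes) -and
                         ("$fwd" -eq 'Disabled') -and
                         ($ipEnableRouter -ne 1)
    }
}
```

A row with `Isolated = False` shows which of the three settings to correct; the check covers only the Blue Iris PC, not what the cameras themselves are configured to use as a gateway.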
 
I like using the IP of the cam itself for the gateway and DNS. I've seen a few that would go searching or use hard-coded defaults if left blank or set to 0.0.0.0. They shouldn't be able to get out anyway with the physical network segregated but they may keep trying and fill logs with attempts if you have a firewall or DNS blocker that logs such things. Pointing them to themselves minimizes that.
 
If I deny every camera and NVR internet access in the router, will that do the trick too? Or do I run the risk that SmartPSS breaches that security? SmartPSS only has firewall exception for private network.