Network Advice?

XrayDoc88

Dec 15, 2017
United States
I'm not sure if this is the correct forum for my questions, but I didn't find another section that seemed to cover networking. I want to add 5-6 IP cameras and a computer running Blue Iris to my wired home GB network. My network currently has several computers, satellite receivers, AV receivers, 2 Xboxes, a NAS, 3 smart TVs, 3 wireless access points, etc., etc. I want to be able to access Blue Iris (or possibly the cameras directly) from outside my home. I've read several posts that say DO NOT USE PORT FORWARDING. Instead, set up a VPN. I've never used a VPN, but I'm willing to learn. I've already seen the excellent VPN for newbies post on this site. But I'd also appreciate some suggestions for the best physical layout of adding this new surveillance hardware.

1. Should I just connect the new cameras and BI computer to my existing POE+ switch?
2. Should I use a separate POE+ switch for the surveillance hardware?
3. If the cameras are recording all the time, how do you avoid ruining the bandwidth on your network?
4. Should the surveillance hardware have a different subnet or VLAN tag?

I don't know if it is important, but my router is currently a computer running pfSense. I've only enabled one WAN and one LAN port on the machine, but actually have additional NIC ports that could be activated if that helps.

I clearly could use some advice from the experts that frequent these forums. Thanks!
 
Like reactions: mat200
For a small network such as yours I'd just use the existing hardware you have and not go to the complexity of extra switches or vlans. You could always make changes later.

I also use a pfsense box and OpenVPN is relatively easy to set up.

Regarding ruining your bandwidth (Q3), there's nothing to worry about. The cameras pass traffic to the recorder on their own switch ports at a local level (layer 2), and that does not impact WAN bandwidth.
 
Like reactions: SkyLake and mat200
With a Blue Iris PC the easiest way to segregate your network is to put two NICs in the PC. Connect a PoE switch and cameras to one and the rest of your network to the other, and put the two NICs in different subnets.
 
Like reactions: mat200 and Valiant
+1 for what tangent said. This is the exact configuration I use.
 
Like reactions: mat200
With a Blue Iris PC the easiest way to segregate your network is to put two NICs in the PC. Connect a PoE switch and cameras to one and the rest of your network to the other, and put the two NICs in different subnets.

With this kind of setup, does the separate subnet for the surveillance gear add a level of security to your home network? Is there a way that your VPN can connect directly to the surveillance subnet without also gaining access to your home network, which is actually upstream of the surveillance network? I'm not sure I really understand the rationale for configuring the hardware like this. Thanks!
 
The only problem that can occur with putting two NICs in a PC, and setting them up with different IPs / subnets, is when you actually get a virus or malware on that same PC. Advanced malware / viruses just scan your network stack, and can connect to either both or to whichever it wants to connect. When a hacker could make it through to that same PC, he could just walk to the different subnets.

VLANs would be the better choice, but with VLANs you could also be hacked when using cheap hardware. VLAN hopping -> VLAN hopping - Wikipedia

There are so many ways to make a system secure, or insecure :D
 
Like reactions: Aengus4h
XrayDoc88... the cameras cannot get to the internet. The cameras cannot get to any computer but the BI computer. The cameras cannot get to your other network devices. The VPN can access the BI computer.
 
XrayDoc88... the cameras cannot get to the internet. The cameras cannot get to any computer but the BI computer. The cameras cannot get to your other network devices. The VPN can access the BI computer.

Ok, I think I understand now. When I set up the VPN, do I actually make it specific to the BI computer, or will I just make it specific to my pfSense router?
 
The only problem that can occur with putting two NICs in a PC, and setting them up with different IPs / subnets, is when you actually get a virus or malware on that same PC. Advanced malware / viruses just scan your network stack, and can connect to either both or to whichever it wants to connect. When a hacker could make it through to that same PC, he could just walk to the different subnets.

VLANs would be the better choice, but with VLANs you could also be hacked when using cheap hardware. VLAN hopping -> VLAN hopping - Wikipedia

There are so many ways to make a system secure, or insecure :D

Skylake, well that was a depressing post, despite your smiling emoji. :( How would you suggest attempting to secure your home and surveillance network? What do you think is the best setup?
 
Add another subnet to your pfsense router and put the POE switch, BI box, and all the cameras on that. Block access from that subnet to your main network and set up the VPN on the surveillance subnet to connect to the BI machine.
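The segmentation policy in that reply (cameras reach only the Blue Iris PC, nothing on the surveillance subnet reaches the main LAN or the internet, VPN clients reach only the BI web UI) can be checked before touching the router. The block below is an added example, not anything from the thread or from pfSense itself: it models pfSense-style top-down, first-match firewall rules as plain Python so each expected allow/deny can be asserted. All addresses, the rule order and the BI UI ports (80/443, assumed for the UI3 web interface) are constructed assumptions.

```python
"""Model of the surveillance-subnet firewall policy described in the thread.

Constructed example. Addresses, rule order and ports are assumptions, not a
real pfSense configuration. The evaluator mimics pfSense interface rules:
rules are checked top-down, the first match decides, and anything that
matches no rule is dropped (pfSense's implicit default deny).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Assumed addressing (constructed for this example).
LAN = ip_network("192.168.1.0/24")     # main home network
CAMS = ip_network("192.168.50.0/24")   # surveillance subnet: PoE switch, cameras, BI box
VPN = ip_network("10.8.0.0/24")        # OpenVPN client tunnel network
ANY = ip_network("0.0.0.0/0")
BI_HOST = ip_network("192.168.50.10/32")  # Blue Iris PC on the surveillance subnet
BI_UI_PORTS = frozenset({80, 443})        # assumed UI3 web interface ports


@dataclass(frozen=True)
class Rule:
    action: str                           # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset = frozenset()       # empty = any destination port

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (not self.dports or dport in self.dports))


# Rules on the surveillance interface, top-down, first match wins.
SURVEILLANCE_RULES = [
    Rule("pass", CAMS, BI_HOST),   # cameras may talk to the Blue Iris PC only
    Rule("block", CAMS, LAN),      # surveillance subnet never reaches the main LAN
    Rule("block", CAMS, ANY),      # ...nor the internet or anything else
]

# Rules on the OpenVPN interface: remote clients reach only the BI web UI.
VPN_RULES = [
    Rule("pass", VPN, BI_HOST, BI_UI_PORTS),
    Rule("block", VPN, ANY),
]


def evaluate(rules, src: str, dst: str, dport: int) -> str:
    """Return the action of the first matching rule; default deny otherwise."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action
    return "block"


if __name__ == "__main__":
    # Camera streaming RTSP to Blue Iris: allowed. Camera to a LAN share or
    # to the internet: blocked. VPN client to BI UI: allowed; to a camera: blocked.
    print(evaluate(SURVEILLANCE_RULES, "192.168.50.21", "192.168.50.10", 554))
    print(evaluate(SURVEILLANCE_RULES, "192.168.50.21", "192.168.1.20", 445))
    print(evaluate(SURVEILLANCE_RULES, "192.168.50.21", "8.8.8.8", 443))
    print(evaluate(VPN_RULES, "10.8.0.6", "192.168.50.10", 443))
    print(evaluate(VPN_RULES, "10.8.0.6", "192.168.50.21", 80))
```

Because the Blue Iris PC sits inside the surveillance subnet, this model confines it too; if the BI box pulls Windows or Blue Iris updates over the internet, a narrow pass rule for that one host would need to sit above the catch-all block. The order matters: moving the block-to-LAN rule above the pass-to-BI rule would not change the result here, but moving the block-to-any rule first would silently cut the cameras off from the recorder.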
 
Ok, I think I understand now. When I set up the VPN, do I actually make it specific to the BI computer, or will I just make it specific to my pfSense router?

You'll use the VPN to access your entire network via the pfSense box, so if it's important to access other devices in addition to the CCTV network then it may be beneficial to leave all devices on the same flat network. VLANs are good to separate networks that belong to different people, departments, etc. Since they are both yours there is marginal benefit.

I don't use BI and I'm not sure if you use a separate PC to access the recorder via a client or view live video directly on the BI box itself, but if your viewing PC is on your home network in a separate VLAN from the BI box, then you'll probably need a second NIC in that to belong and connect to the CCTV network (this is an alternative to having a dual NIC in the BI box).
 
I have never picked up a virus on my BI computer. The only thing on the BI computer is BI. I do not even use a browser on the BI computer. I do have IE and Chrome loaded, but do not use them. I update windows manually. I update BI manually. I do not use automatic updates.

The VPN allows secure access to your network. I connect to the VPN then open UI3 on the BI machine. I can also remote to my other computers.