Network Advice?

Discussion in 'NVR's, DVR's & Computers' started by XrayDoc88, Jul 10, 2018.


  1. XrayDoc88

    XrayDoc88 n3wb

    I'm not sure if this is the correct forum for my questions, but I didn't find another section that seemed to cover networking. I want to add 5-6 IP cameras and a computer running Blue Iris to my wired home GB network. My network currently has several computers, satellite receivers, AV receivers, 2 Xboxes, a NAS, 3 smart TVs, 3 wireless access points, etc. I want to be able to access Blue Iris (or possibly the cameras directly) from outside my home. I've read several posts that say DO NOT USE PORT FORWARDING. Instead, set up a VPN. I've never used a VPN, but I'm willing to learn. I've already seen the excellent VPN for newbies post on this site. But I'd also appreciate some suggestions for the best physical layout for adding this new surveillance hardware.

    1. Should I just connect the new cameras and BI computer to my existing POE+ switch?
    2. Should I use a separate POE+ switch for the surveillance hardware?
    3. If the cameras are recording all the time, how do you avoid ruining the bandwidth on your network?
    4. Should the surveillance hardware have a different subnet or VLAN tag?

    I don't know if it is important, but my router is currently a computer running pfSense. I've only enabled one WAN and one LAN port on the machine, but actually have additional NIC ports that could be activated if that helps.

    I clearly could use some advice from the experts that frequent these forums. Thanks!
     
    Last edited: Jul 10, 2018
    mat200 likes this.
  2. Valiant

    Valiant Young grasshopper

    For a small network such as yours I'd just use the existing hardware you have and not go to the complexity of extra switches or VLANs. You could always make changes later.

    I also use a pfSense box and OpenVPN is relatively easy to set up.

    Regarding ruining your bandwidth (Q3), there's nothing to worry about: the cameras pass traffic to the recorder on their own switch ports at a local level (layer 2) and that does not impact WAN bandwidth.
     
    SkyLake and mat200 like this.
  3. tangent

    tangent Known around here

    With a Blue Iris PC the easiest way to segregate your network is to put two NICs in the PC. Connect a PoE switch and cameras to one and the rest of your network to the other, and put the two NICs in different subnets.
     
    mat200 and Valiant like this.
  4. SouthernYankee

    SouthernYankee Young grasshopper

    +1 for what tangent said. This is the exact configuration I use.
     
    mat200 likes this.
  5. XrayDoc88

    XrayDoc88 n3wb

    With this kind of setup, does the separate subnet for the surveillance gear add a level of security to your home network? Is there a way that your VPN can connect directly to the surveillance subnet without also gaining access to your home network, which is actually upstream of the surveillance network? I'm not sure I really understand the rationale for configuring the hardware like this. Thanks!
     
  6. SkyLake

    SkyLake Getting the hang of it

    The only problem that can occur with putting two NICs in a PC, and setting them up with different IPs / subnets, is when you actually get a virus or malware on that same PC. Advanced malware / viruses just scan your network stack, and can connect to both or to whichever one they want to connect to. If a hacker could make it through to that same PC, he could just walk to the different subnets.

    VLANs would be the better choice, but with VLANs you could also be hacked when using cheap hardware. See VLAN hopping (Wikipedia).

    There are so many ways to make a system secure, or insecure :D
     
    Last edited: Jul 11, 2018
    Aengus4h likes this.
  7. SouthernYankee

    SouthernYankee Young grasshopper

    XrayDoc88... the cameras cannot get to the internet. The cameras cannot get to any computer but the BI computer. The cameras cannot get to your other network devices. The VPN can access the BI computer.
     
  8. XrayDoc88

    XrayDoc88 n3wb

    OK, I think I understand now. When I set up the VPN, do I actually make it specific to the BI computer or will I just make it specific to my pfSense router?
     
  9. XrayDoc88

    XrayDoc88 n3wb

    SkyLake, well that was a depressing post, despite your smiling emoji. :( How would you suggest attempting to secure your home and surveillance network? What do you think is the best setup?
     
  10. cutterman

    cutterman Young grasshopper

    Add another subnet to your pfSense router and put the PoE switch, BI box, and all the cameras on that. Block access from that subnet to your main network and set up the VPN on the surveillance subnet to connect to the BI machine.
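
    The layout described in this post, modelled as an added example (not part of the original post and not pfSense code): a small first-match rule evaluator that audits which flows a surveillance subnet and a VPN tunnel would be allowed. All subnets, addresses, the web port 81 and the "BI box may reach HTTPS for updates" rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (assumptions, not taken from the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")     # home network
CAM = ipaddress.ip_network("192.168.50.0/24")    # cameras, PoE switch, BI box
VPN = ipaddress.ip_network("10.8.0.0/24")        # OpenVPN tunnel clients
BI = ipaddress.ip_network("192.168.50.10/32")    # Blue Iris machine
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None   # None matches any destination port

# Rules apply on the interface where traffic enters the firewall.
# First match wins; a flow that matches nothing is denied.
RULES = {
    "CAM": [
        Rule("block", CAM, LAN),       # surveillance subnet -> home network
        Rule("pass", BI, ANY, 443),    # assumed: BI box may fetch updates
    ],
    "VPN": [
        Rule("pass", VPN, BI, 81),     # assumed Blue Iris web UI port
        Rule("block", VPN, ANY),       # VPN clients reach nothing else
    ],
}
IFACE_NET = {"CAM": CAM, "VPN": VPN}

def decide(iface, src, dst, port):
    """Return 'pass', 'block', or 'switched' for one flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Hosts on the same subnet talk at layer 2; the firewall never sees
    # camera <-> BI traffic, so no rule can allow or block it.
    if src in IFACE_NET[iface] and dst in IFACE_NET[iface]:
        return "switched"
    for rule in RULES[iface]:
        if src in rule.src and dst in rule.dst and rule.port in (None, port):
            return rule.action
    return "block"                     # default deny

if __name__ == "__main__":
    print(decide("CAM", "192.168.50.21", "192.168.1.5", 445))   # camera -> NAS
    print(decide("CAM", "192.168.50.10", "192.168.1.5", 443))   # BI box -> NAS
    print(decide("VPN", "10.8.0.2", "192.168.50.10", 81))       # VPN -> BI UI
```

    Because the block rule sits above the HTTPS pass rule, the BI box still cannot open port 443 to a home-network host; reversing the two rules would let it.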
     
  11. Valiant

    Valiant Young grasshopper

    You'll use VPN to access your entire network via the pfSense box, so if it's important to access other devices in addition to the CCTV network then it may be beneficial to leave all devices on the same flat network. VLANs are good to separate networks that belong to different people, departments etc. Since they are both yours there is marginal benefit.

    I don't use BI and I'm not sure if you use a separate PC to access the recorder via a client or view live video directly on the BI box itself, but if your viewing PC is on your home network in a separate VLAN to the BI box, then you'll probably need a second NIC in that to belong and connect to the CCTV network (this is an alternative to having a dual NIC in the BI box).
     
  12. SouthernYankee

    SouthernYankee Young grasshopper

    I have never picked up a virus on my BI computer. The only thing on the BI computer is BI. I do not even use a browser on the BI computer. I do have IE and Chrome loaded, but do not use them. I update Windows manually. I update BI manually. I do not use automatic updates.

    The VPN allows secure access to your network. I connect to the VPN then open UI3 on the BI machine. I can also remote to my other computers.
     