Network Setup - Best Practices

R. Rod

n3wb
Joined
Mar 16, 2018
Messages
17
Reaction score
3
Hello,

I'm new to this topic of security cameras. This is the link to my introductory post about the setup that I'm planning at the moment.
When it comes to network security, I'm sure there are best practices this group has been adopting with time, so I just don't want to re-invent the wheel and I would prefer to get up to speed with what is recommended.

These are the areas that I'm not 100% sure about at the moment.

Network Equipment
I have a spare Edgerouter Lite that I can use and I just ordered a GS108PP.
I'm regretting having ordered the GS108PP switch because it is unmanaged and, AFAIK, it wouldn't work if I'm planning to use VLAN to segregate the cameras and BI server from the rest of the network.
I have a USG + 8-US-150W + AC Pro Unifi setup at home and I love how easy it is to set up everything.
I was wondering if I should just forget about the hardware at hand and stick to the same combination I'm already familiar with.

Network Segregation
Is the common (best) practice to segregate your cameras and BI server on its own VLAN?
If so, what are the rules for that VLAN? How do I provide the minimal access to do maintenance and remote management?

Remote Access & Notifications
Once the setup is completed, how are you guys managing it remotely?
  • VPN?
  • Opening ports + SSL + Dynamic DNS?
What is the mobile application of choice?
If taking the VPN route, do I have to be on the VPN all the time to get notifications or what is the best approach?

Apologies for all the questions.

TIA

R.R
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
3,061
Reaction score
2,020
Location
Houston Tx
 

mikeynags

Getting comfortable
Joined
Mar 14, 2017
Messages
511
Reaction score
308
Location
CT
Depending on how you design the network, you can use that GS108PP Netgear switch. I have several unmanaged switches, and I use the UniFi switch to designate what VLAN the unmanaged switch is on.

Remote access - look at the VPN primer for more detail. This is the only secure remote access method for your network.

Notifications work VPN or not. Set up your camera VLAN for management inbound and only allow what you need for notifications outbound. For me, it’s SMTP out and Apple push notifications out. Nothing else outbound for that VLAN. You should also look at the threads on running your own NTP server for time.


 

R. Rod

Thanks, I saw that section before. I'm going to read more in detail on the VPN section.
 

R. Rod

> Depending on how you design the network, you can use that GS108PP Netgear switch. I have several unmanaged switches, and I use the UniFi switch to designate what VLAN the unmanaged switch is on.

Understood, however that would require 2 switches to get the job done, correct? For my 4 cameras + AP I'm just thinking to get an 8-US-60W switch and get the job done. Thoughts?

> Remote access - look at the VPN primer for more detail. This is the only secure remote access method for your network.

Will do

> Notifications work VPN or not. Set up your camera VLAN for management inbound and only allow what you need for notifications outbound. For me, it’s SMTP out and Apple push notifications out. Nothing else outbound for that VLAN. You should also look at the threads on running your own NTP server for time.

Appreciate the pointers, will take a look.
I need to do more reading on notifications and what is included in BI and its Mobile application. Not sure what is out of the box vs what I need to do myself.

Thanks for your reply!
 

mikeynags

The number of switches will depend on where your cameras are placed. The only problem you will run into with that Netgear switch is if you need more than one VLAN. At that point, you’d be better off getting the US-8-60W.

Typically for SMS notifications it’s TCP port 25, which is the SMTP mail port, since SMS messages are actually delivered via SMTP; for iPhone, if using Apple Push notifications, you need TCP port 2195 from the BI server.


 

R. Rod

Yes, I would need another VLAN. This would be a rental so I have to provide WIFI for guests and they shouldn't be able to get to the cameras and BI server.
 

mikeynags

Your UniFi setup supports a guest network. You should be able to do that no problem.


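The policy discussed in this thread (management inbound to the camera VLAN, only SMTP on TCP 25 and Apple push on TCP 2195 outbound from the BI server, time from a local NTP server, guests kept away from the cameras) can be modelled as first-match rules and run over observed flows before it is enforced on the router. This is an added example, not code from any poster; every subnet, host address and flow below is constructed, and placing the NTP server on the router is an assumption.

```python
import ipaddress as ip

net = ip.ip_network
# Constructed addressing plan (assumption): substitute your own subnets.
CAM_VLAN   = net("192.168.20.0/24")   # cameras + BI server
GUEST_VLAN = net("192.168.30.0/24")   # guest Wi-Fi
INTERNAL   = net("192.168.0.0/16")    # every internal VLAN
MGMT_HOST  = net("192.168.1.10/32")   # admin PC on the main LAN
BI_SERVER  = net("192.168.20.5/32")
ROUTER_NTP = net("192.168.20.1/32")   # local NTP on the VLAN gateway
ANY        = net("0.0.0.0/0")

# (action, src, dst, proto, dport); first match wins, None matches anything.
# Return traffic is assumed to be handled by a stateful established/related rule.
RULES = [
    ("accept", MGMT_HOST,  CAM_VLAN,   None,  None),  # management inbound
    ("accept", CAM_VLAN,   ROUTER_NTP, "udp", 123),   # local time source
    ("drop",   GUEST_VLAN, CAM_VLAN,   None,  None),  # guests never reach cameras
    ("drop",   CAM_VLAN,   INTERNAL,   None,  None),  # no pivot into other VLANs
    ("accept", BI_SERVER,  ANY,        "tcp", 25),    # SMTP notifications
    ("accept", BI_SERVER,  ANY,        "tcp", 2195),  # Apple push, port as given above
]

def decide(src, dst, proto, dport):
    """Return 'accept' or 'drop' for one flow; anything unmatched is dropped."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for action, rsrc, rdst, rproto, rport in RULES:
        if (s in rsrc and d in rdst
                and rproto in (None, proto) and rport in (None, dport)):
            return action
    return "drop"

def audit(flows):
    """Flows the policy would block: what breaks, or what is phoning home."""
    return [f for f in flows if decide(*f) == "drop"]

# Constructed sample flows: (src, dst, proto, dport)
SAMPLE_FLOWS = [
    ("192.168.20.5",  "203.0.113.25",  "tcp", 25),    # BI -> mail relay
    ("192.168.20.5",  "198.51.100.7",  "tcp", 2195),  # BI -> push service
    ("192.168.20.11", "198.51.100.80", "tcp", 80),    # camera -> internet
    ("192.168.20.11", "203.0.113.123", "udp", 123),   # camera -> public NTP
    ("192.168.20.11", "192.168.20.1",  "udp", 123),   # camera -> local NTP
    ("192.168.30.50", "192.168.20.5",  "tcp", 80),    # guest -> BI server
    ("192.168.1.10",  "192.168.20.11", "tcp", 443),   # admin -> camera
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS):
        print("would be blocked:", flow)
```

Feeding `audit()` flows exported from the router before enabling the rules shows which camera traffic the default drop would cut off.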