Network Setup Questions

Apeezee

n3wb
Joined
Jan 14, 2018
Messages
15
Reaction score
0
Location
Tigard, or
My two Dahuas will show up tomorrow. Trying to get some network prep done beforehand. Been following the Cliff Notes on the wiki.

I have a dedicated PC to run BlueIris. It has two NICs in it. Originally I was thinking I needed to set up a VLAN, but the more I thought about it, I don't, because it's for my home so I don't need to segregate users via VLAN.

Instead it looks like the best option would be to run the second NIC from the BlueIris PC to the PoE switch and the cameras to that switch. That makes perfect sense.

My question is: is it possible to have multiple uplinks to a switch? In other words, can I plug the uplink from my secure network (regular home network) and the second NIC from the BlueIris PC into the switch and then separate the devices that way? Or does that defeat the whole purpose of the second NIC?

I guess I'm just trying to justify the overspend on a managed PoE switch when it looks like I could have just bought a cheaper one. :)

Could I set up a separate DHCP server on my EdgeRouter X to serve the IP cameras, leaving the gateway blank, and would that be a way to secure them from internet access?

Am I complicating my life? Should I just run the cameras into the switch and call it a day, or try to make use of this nicer switch (only by about 20 bucks)?
 

dvand

n3wb
Joined
Jul 26, 2018
Messages
28
Reaction score
7
Location
US
How do you plan to view the cameras? Only on the blue iris pc?

Sent from my Pixel XL using Tapatalk
 

Apeezee

I set it up last night. I read that port forwarding to the cameras is bad. Does that count also for the NVR?

I set it up last night to port forward to the web UI and I have a dynDNS so I can always point to the web UI. That’s pretty much what the BlueIris iOS app does for remote connection, right?

Is that bad? I also have TeamViewer so I could remote in that way as well.

Does the port forwarding to the UI expose me that much with the cameras on a physically separate LAN?
 

Apeezee

Shoot I did read it but I missed that it included NVR on that list.

Even if the NVR is actually a PC with a software firewall? I could understand a dedicated NVR may not have a software firewall, but it’s a Windows 10 PC. Does that make it more secure if I forward that port?

I’m trying to make it easier for my wife to use the cameras as well as we have some baby monitoring cameras as well.
 

dvand

I'm not tracking how you have a physically separate LAN if you are able to port forward.



 

Apeezee

My PC that is running blue iris has two NICs in it. The cameras are on the non-internet connected NIC and I forward the port to the blueiris WebUI.
 

dvand

You're exposing blue iris to the internet. I'm not sure how safe that is but conventional wisdom is that you should use a VPN.

I'm also assuming your Blue Iris PC isn't set up as a router between the two internal NICs.

 

Apeezee

It is not set up as a router. The two NICs are not bridged so they don’t communicate with each other. The secondary NIC has no gateway so no internet connection.

I’m just trying to understand why an open port for team viewer or google Remote Desktop is ok per the wiki but not a port for blue iris.
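
One way to verify the setup described in the post above (camera NIC with no gateway, no routing or bridging between the two NICs) on the Windows 10 Blue Iris PC. This is an added example, not part of any poster's message; the interface alias `Cameras` is a placeholder assumption.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the Blue Iris PC.
# ASSUMPTION: 'Cameras' is a placeholder alias for the camera-side NIC;
# list the real aliases with Get-NetAdapter and substitute yours.
$CameraNic = 'Cameras'

# 1. The camera NIC should have an IP address but no default gateway.
$cfg = Get-NetIPConfiguration -InterfaceAlias $CameraNic
$noGateway = -not $cfg.IPv4DefaultGateway

# 2. No default route (0.0.0.0/0) should leave through the camera NIC.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Where-Object InterfaceAlias -eq $CameraNic

# 3. Per-interface IP forwarding must be off, otherwise Windows will
#    route packets between the home LAN and the camera LAN.
$forwarding = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object Forwarding -eq 'Enabled'

# 4. Global routing switch in the TCP/IP stack; absent or 0 means the PC is not routing.
$tcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ipEnableRouter = (Get-ItemProperty -Path $tcpipKey -Name IPEnableRouter `
    -ErrorAction SilentlyContinue).IPEnableRouter

# 5. Heuristic: a Windows network bridge normally appears as an extra
#    adapter with "Bridge" in its name or description.
$bridge = Get-NetAdapter -IncludeHidden |
    Where-Object { $_.Name -like '*Bridge*' -or $_.InterfaceDescription -like '*Bridge*' }

# Summary: every value below should be True, empty, or 0 as noted.
[pscustomobject]@{
    CameraNicHasNoGateway = $noGateway                          # want: True
    DefaultRouteViaCamera = [bool]$defaultRoutes                # want: False
    InterfacesForwarding  = ($forwarding.InterfaceAlias -join ', ')  # want: empty
    IPEnableRouter        = [int]$ipEnableRouter                # want: 0
    BridgeAdapterPresent  = [bool]$bridge                       # want: False
}
```

These checks cover only the path between the two NICs; they say nothing about the forwarded Blue Iris web UI port, which is still reachable from the internet on the other NIC.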
 

dvand

I don't believe team viewer and Google remote desktop open any ports.

 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
If you set up a VPN, then you do not need to port-forward from the Blue Iris PC. Instead, when you open the secure tunnel via your VPN, it's as if you were there, at your home, connected directly into your LAN. But the connection is secured and encrypted, so much, much safer than exposing a port directly via port-forwarding.

The PC you're using for Blue Iris could also act as your VPN using Open VPN running on that PC. I've not done it that way, but instead am using one of the ASUS routers that supports Open VPN within the router itself. This was very easy to set up, and I can view and operate Blue Iris using the Blue Iris APP on several smart phones. Those phones also have OpenVPN running on them, so I can simply open the secure tunnel (VPN) and then run the BI app, and I'm in. All without using port forwarding out of Blue Iris.

Since you already have a PC dedicated to Blue Iris, both of those ways of implementing a VPN would be available to you.

I need to set up the VPN on at least one other PC (to act as another "client" if you will) so I can view the cameras and operate Blue Iris remotely from that PC over the internet, but this is supposedly easy to implement as well. I need to study the various notes and WIKI articles here to figure out how to do that, but if I have questions, I'll start another thread or find one that is more "on topic" for that rather than hijack this one.

I'm a novice at this networking stuff, but setting up the Open VPN in the Asus router was easy when I used a step-by-step discussion of this.
 

Apeezee

dvand said:
> I don't believe team viewer and Google remote desktop open any ports.

Hmmm. I wonder what protocol they use because it has to get through the firewall somehow.

I could use my PC to set up OpenVPN and do it that way but I dunno if I wanna add another layer.
 

Apeezee

I have a higher-end router so could do a VPN but I don’t like having to set it up on each client. I have baby cams that my in-laws watch so I don’t wanna have to keep their phones and iPads going with VPN.
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
Apeezee said:
> I have a higher-end router so could do a VPN but I don’t like having to set it up on each client. I have baby cams that my in-laws watch so I don’t wanna have to keep their phones and iPads going with VPN.

The way I understand it, you can automate the VPN connect and disconnect with an app that you run on the phones if you want to. It just opens the VPN, then launches the BI client, then closes the VPN when you close the BI client.

But I set it up so you have to manually fire up the VPN client, touch the "on-off" switch, minimize the VPN, and then fire up BI on the phone. It's fast and easy. So much so, that my wife doesn't complain about it at all. So it might be worth setting it up and playing with it on your own phone first, then show that to your other folks, and if they feel like they can handle it, go ahead and set them all up with users and the apps on their phones. It's a good, secure way to access all of this.

I have all of my cameras blocked from the internet in the router. I don't even have them on a separate network adaptor. This is all done in the Asus router, as well. I could set the cameras up on a different subnet, or even use a completely separate network interface and put them on their own network that has no direct internet connection. But from what I've seen, just blocking the cameras from the internet with the router accomplishes all of the security that's needed.

But I wouldn't allow the cameras or even BI to port-forward. To me, that opens things up too much.

Edit to add:

I also block my printers and any other network appliances that don't need to talk to the internet. I'm not sure I trust my DirecTV box, or my one "smart TV", but they've got to have internet access to operate, of course. I have an industrial "Programmable Automation Controller" (like a PLC) system set up to run my sprinklers, a smoker, and some other things, and I've got it on my home network. But I have it blocked from the internet, too. People don't realize how vulnerable PLCs and the like are if they're on a network that has internet access.
 