Network Setup Review

srvfan · May 22, 2021

So, after reading some posts, I thought that I would revisit my network setup. I want to make sure that I have everything set to run efficiently and smooth. So far, I have not experienced any issues with speed or security, but again, I want to ensure all is well. I am relatively inexperienced with networking, so I am sure that this may provide a good laugh to some.

To explain my setup properly, I figured I would bring out these points:

I have firewall rules in the EdgeRouter X set to where devices within a VLAN cannot communicate with one another or access the router or switch home page. Only the master network/VLAN has that access.
I have firewall rules in the EdgeRouter X set to prevent separate VLANs from communicating with one another. The only exceptions would be that the master VLAN can access everything, and the VLAN on which the Blue Iris computer sits can access the camera VLAN.
The BI computer does sit on a different VLAN than the cameras. I decided to do this because I wanted to completely eliminate any chance of the cameras gaining any access to the internet. Since I figured that the BI computer would need access to the internet for updates, push notifications, etc., I decided to separate.

I am attaching a PDF of my network layout. I figured it would be easier than trying to write out everything, especially since I would probably leave a detail out. Please excuse the crude layout; I had to create in Excel b/c I could not find any good templates. In the future, I would like to install the network sync tool on my BI computer, but I'm not for sure if I would need to move the computer to the same VLAN as the cameras. Anyway, that is a thought for another thread, but something I'm keeping in the back of my mind. Would anyone see a need to change the structure I currently have?

srvfan · May 23, 2021

Does anyone see a need to change the structure of the network?

SpacemanSpiff · May 23, 2021

srvfan said:
... I am relatively inexperienced with networking...

You might be selling yourself short on that... 6 VLAN setup with cisco is not for beginners. Some might argue you can achieve the same layout at the edge router, and the cisco switch ends up being an extra hop. But, if the cisco switch image is an accurate depiction of the port count you truly have, it certainly serves your needs.

You could consider eliminating the hop between VLAN 20 and VLAN 30 by adding a second ethernet interface to your BI server, and connect direct to your camera switch. This will most likely tweak the communications from cameras to BI while still maintaining the isolation of cameras to their own network.

srvfan · May 23, 2021

Well, I have to admit that I set up the VLANs within the EdgeRouter X. I just created a VLAN for the switch so I could run a single cable from the router to the switch and let the switch handle all the other stuff. Believe me, I have to claim inexperience because I had to watch 10+ videos on both the EdgeRouter and the switch LOL. It seems as though everything is running great so far, so I am pleased.

I think I understand what you are saying about eliminating the hop. I assume that you are speaking of setting up a dual nic on the computer, right?

While the network rack and the BI computer sit in different locations, I have the camera switch running directly into the Cisco switch. I guess I could just install another Ethernet on the computer and then run another cable into the attic to the rack. I guess I will have to study Cliff Notes and Wiki regarding to set up dual nic, not to mention how to install the additional port on the computer. I do believe my inexperience is showing again.

Thanks for the advice.

wittaj · May 23, 2021

If you could set up the EdgeRouter, the Dual NIC is simple LOL.

Heck it is simple even if you didn't set up an EdgeRouter.

Two ethernet ports in the computer and assign each one it's own different IP address range. Plug internet into one and all the cameras into the other.

sebastiantombs · May 23, 2021

A second NIC is basically a plug and play situation. The only configuration work is giving it an IP address and subnet mask. Like @wittaj said, if you can set up the Edge router it isn't even a bump in the road.

srvfan · May 23, 2021

Great, thanks everyone. I understand manually changing the IP address within the computer for the second port. However, since the cameras will still be running into the computer, does that not allow internet access to the cameras? I understand the concept, but I just don’t understand the mechanics of how to prevent the cameras or where the settings would be. I know I will have to deep dive into the resources in the forum, just trying to process in my mind in the meantime.

wittaj · May 23, 2021

By virtual of BI being on the computer, you access the cameras that way - either on that computer or something like remote desktop into it. That computer has access to both IP address ranges.

Since the computer would have two separate IP address cards in it, when you tell BI the cameras are on the IP address of the 2nd NIC, they pull up and are visible then to other devices on the home network via the 1st NIC card and using UI3.

Then you OpenVPN back into your system to see them when away from home.

srvfan · May 23, 2021

I think I understand now. If I create a new IP range that does not exist in the VLANs and assign to the new port running to the cameras, they will not be able to access the internet. I guess I will just have to change all of the IP addresses manually in each camera.
I know I’m probably not explaining it correctly, but I understand what you are saying. Thank you

wittaj · May 23, 2021

srvfan said:
I think I understand now. If I create a new IP range that does not exist in the VLANs and assign to the new port running to the cameras, they will not be able to access the internet. I guess I will just have to change all of the IP addresses manually in each camera.
I know I’m probably not explaining it correctly, but I understand what you are saying. Thank you

Would it be easier to assign that VLAN a different IP address and then bring all the cameras into the 2nd NIC with that IP address range? I guess that would be the easiest solution if you are going to physically take the cameras off the VLAN.

srvfan · May 23, 2021

wittaj said:
Would it be easier to assign that VLAN a different IP address and then bring all the cameras into the 2nd NIC with that IP address range? I guess that would be the easiest solution if you are going to physically take the cameras off the VLAN.

Yep, it would be a lot easier and less time consuming doing it that way. So since the camera VLAN is currently on 192.168.30.x, I could just plug the cam switch into the new port in the computer and assign that address 192.168.30.1. Then I could probably trash the camera VLAN because that’s all it was built for. Once again, I’m sure I’m not saying it right, but your post clicked on the light for me. :thumb:

wittaj · May 23, 2021

Yes, at that point you could just use a dumb unmanaged switch (like the POE switch if there is an available port) and plug that into the 2nd NIC and assign that second NIC an IP address on the range of your cameras.

srvfan · May 23, 2021

wittaj said:
Yes, at that point you could just use a dumb unmanaged switch (like the POE switch if there is an available port) and plug that into the 2nd NIC and assign that second NIC an IP address on the range of your cameras.

Awesome; thanks for your info! Truly helpful!
On another note, is there a product/port you recommend? My computer is a Dell Optiplex 9020 running Windows 10 Pro. I've checked the back of the computer, and I do not see an open spot where another port could be open. About the most I have done to this computer is add a surveillance hard drive.

wittaj · May 23, 2021

There should be another slot to and in something like this:

Amazon.com: StarTech.com 1 Port PCI 10/100/1000 32 Bit Gigabit Ethernet Network Adapter Card (ST1000BT32): Electronics

www.amazon.com

SpacemanSpiff · May 23, 2021

wittaj said:
There should be another slot to and in something like this:

Amazon.com: StarTech.com 1 Port PCI 10/100/1000 32 Bit Gigabit Ethernet Network Adapter Card (ST1000BT32): Electronics

Amazon.com: StarTech.com 1 Port PCI 10/100/1000 32 Bit Gigabit Ethernet Network Adapter Card (ST1000BT32): Electronics

www.amazon.com

What form factor is the case? SFF? mid-tower? You'll need to be mindful on the height of the card and/or the the flat chrome piece that you see as you look at the ethernet jack. See the third image in the link wittaj shared

They also make USB ethernet adapters as well.

srvfan · May 23, 2021

Thanks @wittaj. That’s exactly what I need. I will pop open the casing and make sure all is well.
@SpacemanSpiff, I have the optiplex tower. When I was searching for a pc, I figured I better steer clear of the SFF because I wanted a lot of room to work in case it was needed. I will definitely review the dimensions to make sure everything is good.
Thanks everyone for the help and advice!

Search

Network Setup Review

srvfan

Getting comfortable

Attachments

srvfan

Getting comfortable

SpacemanSpiff

Known around here

srvfan

Getting comfortable

wittaj

sebastiantombs

Known around here

srvfan

Getting comfortable

wittaj

srvfan

Getting comfortable

wittaj

srvfan

Getting comfortable

wittaj

srvfan

Getting comfortable

wittaj

Amazon.com: StarTech.com 1 Port PCI 10/100/1000 32 Bit Gigabit Ethernet Network Adapter Card (ST1000BT32): Electronics

SpacemanSpiff

Known around here

Amazon.com: StarTech.com 1 Port PCI 10/100/1000 32 Bit Gigabit Ethernet Network Adapter Card (ST1000BT32): Electronics

srvfan

Getting comfortable