Networking Questions - VLANS

CCTVCam

Hi,

Just a quick question on VLANs.

I understand most on here use Asus routers.

I thought VLANs were essential to stop your wider network being hacked from your BI server. However, upon checking, Asus routers don't support VLANs apart from for IPTV, and then only WAN, not LAN.

Are most people not using VLANs, and if so, how are you stopping access to the internet of your BI server except via VPN?
 

SpacemanSpiff

The router does not necessarily need to have VLAN support. You can still set up VLANs if your switches support them.

If you use dedicated unmanaged switches solely for your camera/recorder LAN connections, you've achieved the same thing a Virtual LAN (VLAN) provides.

Edit:
Having two network cards (NIC) in your BI server will allow you to keep your camera traffic isolated/protected from your 'everyday' network used by printers, TVs, game devices, etc.
One BI NIC is connected to the 'exclusive' hardware for cameras, the 2nd NIC is connected to the 'everyday' network. Both networks have different IP ranges, so they will not be able to natively communicate with each other.
 

wittaj

Even with a VLAN, you are more than likely still giving the BI server internet access.

What you want to do is not give the cameras internet access. Most who do not set up a VLAN will do the dual NIC in the BI server.
 

NightLife

If you're planning ahead, and you're going to be running the BI, cameras, IoT devices, and multiple VLANs (tagged and untagged) and so on now or in the future, it would likely be worthwhile adding a VLAN-aware AP into the mix.
 

ARAMP1

I have a "Security VLAN" with just my Blue Iris computer and cameras on it. By the nature of VLANs, they block inter-VLAN traffic. I have rules that block the camera IP addresses from accessing the internet. I also have specific rules to allow my regular network to have access to my Security VLAN so we can use phones and computers to view cameras.
 

CCTVCam

Thanks. Networking is my weak point. I'm confused by this step though:

"Add a similar IP to Dahua so it can log into IE. For example: '192.168.1.55' (you can use any number between 1-254 and not only .55 - just do not use .108 so it doesn't conflict with the Dahua IP)."

Prior to this stage we've set up the 2nd NIC for the POE switch right?

So what are we setting up in this stage downwards? What is "Dahua" here? The cameras, the BI Server on the 1st NIC or are these still settings for the POE switch on the 2nd NIC?

Does this interface exist within the cameras, i.e. are we changing this in the camera interface or is this still in the 2nd NIC?

Also, if still for the 2nd NIC, do we need to configure the 1st NIC or does it get its information straight from the Router?

This is where I'm getting confused.
 

whoami ™

I highly recommend looking into a Netgate pfSense firewall appliance. Side note: Unifi switches make making VLANs super easy as long as your router supports them. If not, a Layer 3 switch is the answer.
 

SpacemanSpiff

> Thanks. Networking is my weak point. I'm confused by this step though:
>
> "Add a similar IP to Dahua so it can log into IE. For example: '192.168.1.55' (you can use any number between 1-254 and not only .55 - just do not use .108 so it doesn't conflict with the Dahua IP)."
>
> Prior to this stage we've set up the 2nd NIC for the POE switch right?
>
> So what are we setting up in this stage downwards? What is "Dahua" here? The cameras, the BI Server on the 1st NIC or are these still settings for the POE switch on the 2nd NIC?
>
> Does this interface exist within the cameras, i.e. are we changing this in the camera interface or is this still in the 2nd NIC?
>
> Also, if still for the 2nd NIC, do we need to configure the 1st NIC or does it get its information straight from the Router?
>
> This is where I'm getting confused.

Dahua equipment is factory set to boot with a static IP of 192.168.1.108.

You should add the 192.168.1.55 IP to the second NIC that connects your cameras. Performing this step allows you to add new cameras without the need for changing the IP address of the 2nd NIC (192.168.55.10) in the BI computer. This step is optional, but it will be a time saver when adding new cams.

If you choose not to, when adding a new camera you'll need to:
  1. Set the camera (2nd) NIC to a 192.168.1.x (not .108) address. (This will break communication with all existing cameras)
  2. Plug in new cam, assign a static IP on the new cam
  3. Change the camera (2nd) NIC BACK to the IP (192.168.55.10) you previously assigned it (This will restore communication to existing cameras)
  4. Complete the process of setting up the new cam and adding to BI, etc
There are other methods to initialize a new camera using a second computer, but it will require a PoE injector or switch and most likely involve temporarily changing the second machine's IP as noted above.

> ...
> Also, if still for the 2nd NIC, do we need to configure the 1st NIC or does it get its information straight from the Router?

The 1st NIC will receive its IP info from the router (via DHCP). However, most here set a static IP to the first NIC, as well. This ensures the same IP will be used when accessing the UI3. It should be noted, the static assignment to NIC#1 should be within the network range of what the router currently uses on its LAN connections.
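
The addressing plan described in the reply above, checked in code. This is an added example, not part of the thread: it tests whether the camera NIC can reach each camera on-link, whether a NIC address collides with a camera, and whether the two NICs overlap. The /24 masks, the existing camera at 192.168.55.21 and the everyday-LAN addresses are assumptions.

```python
import ipaddress

def check_plan(lan_nic, camera_nic, camera_ips):
    """Check a dual-NIC addressing plan; return a list of (problem, detail)."""
    lan = [ipaddress.ip_interface(a) for a in lan_nic]
    cam = [ipaddress.ip_interface(a) for a in camera_nic]
    targets = [ipaddress.ip_address(ip) for ip in camera_ips]
    problems = []

    # 1. The two NICs must not share a subnet, or the OS may send camera
    #    traffic out of the everyday NIC and the isolation is lost.
    for l in lan:
        for c in cam:
            if l.network.overlaps(c.network):
                problems.append(("overlap", str(c.network)))

    # 2. An address on the NIC must not equal a camera address
    #    (the ".108" warning in the quoted guide).
    for c in cam:
        if c.ip in targets:
            problems.append(("conflict", str(c.ip)))

    # 3. Every camera must sit inside a subnet configured on the camera NIC,
    #    otherwise the server has no on-link path to it.
    for t in targets:
        if not any(t in c.network for c in cam):
            problems.append(("unreachable", str(t)))
    return problems

# Constructed plans. 192.168.55.10, 192.168.1.55 and 192.168.1.108 are from
# the thread; the /24 masks, 192.168.55.21 and the LAN addresses are assumed.
EXISTING_CAM, NEW_DAHUA = "192.168.55.21", "192.168.1.108"

if __name__ == "__main__":
    plans = {
        "single address": (["192.168.0.20/24"], ["192.168.55.10/24"]),
        "with secondary": (["192.168.0.20/24"],
                           ["192.168.55.10/24", "192.168.1.55/24"]),
        "router on 192.168.1.x": (["192.168.1.20/24"],
                                  ["192.168.55.10/24", "192.168.1.55/24"]),
    }
    for name, (lan, cam) in plans.items():
        print(name, check_plan(lan, cam, [EXISTING_CAM, NEW_DAHUA]) or "ok")
```

The third plan is the case to watch: if the router's LAN already uses 192.168.1.x, adding 192.168.1.55 to the camera NIC puts both NICs in the same subnet.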
 

CCTVCam

> I highly recommend looking into a Netgate pfSense firewall appliance. Side note: Unifi switches make making VLANs super easy as long as your router supports them. If not, a Layer 3 switch is the answer.

Bit late now, just bought a new Asus router. Also, Netgate have just increased prices by $50, so a 2100 is now $349; add on a Ubiquiti Gateway and with your modem you're the best part of $700. It goes a bit beyond my budget, but thanks for the suggestion.
 

mikeynags

> Bit late now, just bought a new Asus router. Also, Netgate have just increased prices by $50, so a 2100 is now $349; add on a Ubiquiti Gateway and with your modem you're the best part of $700. It goes a bit beyond my budget, but thanks for the suggestion.

Why would you need the Ubiquiti gateway if you buy the Netgate? The Netgate would take its place.
 

OICU2

If you're tech savvy you can build a pfSense firewall router/VPN device from a cheap HP thin client T730 or T610 on eBay. Pretty much just install the pfSense software. The software is free open source, no need to buy Netgate.
 