Networking setup for Blue Iris

wsume99

n3wb
Joined
Jan 1, 2019
Messages
13
Reaction score
9
Location
USA
After reading the Cliff Notes and various posts I think I have decided on my network setup but just want to see if there is a reason not to go forward with my plan.

Right now my network consists of a Ubiquiti EdgeRouter X, a UniFi 24-port switch and 3 AC Pro APs. I have three VLANs set up: secure, guest and DMZ. The three VLANs all have a wired and wireless component. They cannot communicate with each other but are all connected to the internet. Guest is obviously for guests and DMZ is for all my IoT gadgets like Echo Dots, Sonos, and my HomeSeer PC. Secure is for all of my family's devices that don't fit into one of the other 2 categories. Basically I have the three dumb routers setup but using VLANs instead of three separate routers.

Now I'm looking to add a BI PC and a wired IP camera network. My plan is to add a fourth VLAN for my IP camera network. It would be completely isolated from everything via my firewall rules. The BI PC will have two NICs. One would be connected to the IP camera VLAN and the other would be connected to the DMZ VLAN. I plan to set up a VPN server on my ER-X to allow remote access to the BI PC, but before I go there I'd like to get my network setup ironed out. So does my setup sound reasonable or have I missed something?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,902
Reaction score
21,274
You don't need two network cards. If VLAN 4 is isolated, then place the PC and cameras on VLAN 4. Then set up your VPN to connect only to VLAN 4.
 

wsume99

Ok, but then wouldn't VLAN 4 need to be not isolated from the internet? The BI PC would need to have some connectivity to the internet, correct? I am working under the assumption that I don't want the IP cameras exposed to the internet at all. So in this case a firewall rule allowing only the BI PC to communicate out would be ok?
 

fenderman

Exactly. You would need to create a rule to allow the BI PC out for the push/email/SMS notifications - if you plan to use them.
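
The setup the thread settles on (cameras and BI PC on one isolated VLAN, only the BI PC allowed out), sketched as EdgeOS CLI commands; this is an added example, not configuration posted by anyone in the thread. Assumed values, none of which appear in the thread: VLAN ID 40 on switch0 with subnet 192.168.40.0/24, a static DHCP mapping of 192.168.40.10 for the BI PC, the ruleset names CAM_IN and CAM_LOCAL, and the router handing out DHCP and DNS to that VLAN.

```edgeos
# Constructed values: camera VLAN = switch0.40, BI PC = 192.168.40.10
configure

# Private ranges, used to keep the camera VLAN away from the other VLANs
set firewall group network-group RFC1918 network 10.0.0.0/8
set firewall group network-group RFC1918 network 172.16.0.0/12
set firewall group network-group RFC1918 network 192.168.0.0/16

# Traffic routed out of the camera VLAN. Default is drop, so the cameras
# themselves never match an accept rule for new outbound sessions.
set firewall name CAM_IN default-action drop
set firewall name CAM_IN rule 10 action accept
set firewall name CAM_IN rule 10 description "Replies to sessions opened from outside (VPN clients)"
set firewall name CAM_IN rule 10 state established enable
set firewall name CAM_IN rule 10 state related enable
set firewall name CAM_IN rule 20 action drop
set firewall name CAM_IN rule 20 description "No new sessions to other private networks"
set firewall name CAM_IN rule 20 destination group network-group RFC1918
set firewall name CAM_IN rule 30 action accept
set firewall name CAM_IN rule 30 description "BI PC out for push/email/SMS notifications"
set firewall name CAM_IN rule 30 source address 192.168.40.10

# Traffic addressed to the router itself: DHCP and DNS only,
# which also keeps the camera VLAN off the router's management UI.
set firewall name CAM_LOCAL default-action drop
set firewall name CAM_LOCAL rule 10 action accept
set firewall name CAM_LOCAL rule 10 description "DHCP"
set firewall name CAM_LOCAL rule 10 protocol udp
set firewall name CAM_LOCAL rule 10 destination port 67
set firewall name CAM_LOCAL rule 20 action accept
set firewall name CAM_LOCAL rule 20 description "DNS"
set firewall name CAM_LOCAL rule 20 protocol tcp_udp
set firewall name CAM_LOCAL rule 20 destination port 53

# Attach both rulesets to the camera VLAN interface
set interfaces switch switch0 vif 40 firewall in name CAM_IN
set interfaces switch switch0 vif 40 firewall local name CAM_LOCAL

commit
save
exit
```

Rule order matters: rule 20 sits ahead of rule 30 so the BI PC's internet access does not also open a path into the other VLANs. Traffic between the BI PC and the cameras stays inside the VLAN and is switched, so it never reaches these rulesets.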
 