New guy looking for help on current build list

ant0007

n3wb
Joined
Mar 3, 2020
Messages
3
Reaction score
1
Location
California
Hey guys,

First time building a POE camera system. I’ve read through the wiki and cliff notes and have gathered a list of things I think I will need. I will be starting out with 3 cameras and will eventually build up to 8-10 cameras over time.

As far as the cameras go, the first 2 cameras will be used for capturing motion but mainly for getting good images of anyone who does walk up to our door or driveway with low lighting coming from the garage coach lights. 3rd camera would be overlooking my front yard without any lighting. Would ideally be able to record license plates as well but that’s for another day.

-Currently looking at 3 IPC-T2231T-ZS from Andy through Amazon along with 3 junction boxes. These will be pointed out towards street and driveway.

-250ft of Cat5e cable from Monoprice

-RJ45 connectors and boots

-blue iris

- WD Purple 4TB Surveillance Hard Drive


-an 8 port unmanaged POE switch from Netgear for $80


-any used HP Elitedesk or Dell Optiplex that I can find on eBay for under $200 that comes with i5 6500, 8gb of ram and Windows 10.


Is there anything you would suggest I swap out or add?

TIA
 

mat200

IPCT Contributor
Joined
Jan 17, 2017
Messages
13,940
Reaction score
23,245
Hey guys,

First time building a POE camera system. I’ve read through the wiki and cliff notes and have gathered a list of things I think I will need.
I will be starting out with 3 cameras and will eventually build up to 8-10 cameras over time.

As far as the cameras go, I’m looking to capture motion but mainly be able to get good images of anyone who does walk up to our door or driveway. Would ideally be able to record license plates as well but that’s for another day.

-Currently looking at 3 IPC-T2231T-ZS from Andy through Amazon along with 3 junction boxes. These will be pointed out towards street and driveway.

-250ft of Cat5e cable from Monoprice

-RJ45 connectors and boots

-blue iris

- WD Purple 4TB Surveillance Hard Drive

-an 8 port unmanaged POE switcher from Netgear for $80

-any used Dell Optiplex or HP Elitedesk I can find on eBay for under $200 that comes with i5 6500, 8gb of ram and Windows 10.


Is there anything you would suggest I swap out or add?

TIA
Welcome @ant0007

FYI - I recently found a nice Dell Optiplex w/i7-6700 cpu for $200 on Craigslist ( 256 ssd, 8gb ram, win 10 pro )
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
what prompts you towards the 2231's?
unmanaged switch. Hmm. So, you will have the unmanaged switch AFTER the blue iris pc or before? If after, that's best for security as they can be on their own subnet with no access to the internet.
i5 6500 works, but I believe is more spendier than i7-4770's (which I run 16 cameras from). Add depends on your finances.
 

ant0007

n3wb
Joined
Mar 3, 2020
Messages
3
Reaction score
1
Location
California
what prompts you towards the 2231's?
Seems like the most bang for the buck I can find on Andy’s Amazon aside from the 5442.


unmanaged switch. Hmm. So, you will have the unmanaged switch AFTER the blue iris pc or before? If after, that's best for security as they can be on their own subnet with no access to the internet.
I'm not exactly sure which POE switch to get. What would you suggest instead?


i5 6500 works, but I believe is more spendier than i7-4770's (which I run 16 cameras from). Add depends on your finances.
So just to be clear, you would recommend I get an i7-4770 over the current i5-6500 I have listed, correct?

Thanks for responding
 
Joined
Aug 8, 2018
Messages
7,423
Reaction score
26,020
Location
Spring, Texas
I'm not exactly sure which POE switch to get. What would you suggest instead?
Managed or unmanaged. It depends on how you plan on isolating the cameras from the internet. A managed switch can allow you to set up a virtual LAN to isolate the cameras. But if you use two NICs in your BI computer (one for the cameras, one for the internet), you can use an unmanaged switch.

The GS108LP is a good switch. It has 30W per port with a total budget of 60w and is upgradeable to 123w. Lifetime warranty. Fanless so it's quiet. It is a Gigabit switch.

As far as your pick on the cameras, make sure you consider the field of view for each location, and the amount of lighting.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Andy is here. Message him. You may get a slight discount as compared to Amazon. Just as fast shipping as Amazon Prime through the use of Andy's DIY wormhole generator. Granted, unsure of the current state of shipping with what's going on and all.
In regards to the i7-4770 vs i5-6770... apparently, I'm not so good at CPU comparisons as I found out some i5's have a better CPU benchmark than my i7. I'll let the CPU guys step in and discuss who know more than me.
For your POE switch... before you buy anything, figure out/ask questions about how to set up an IP camera network that works best for you. For myself, I started off with a 16 port POE switch connected to my #2 installed NIC card in my Blue Iris PC (#1 NIC port was connected to my router). This format does not allow the cameras to have access to the internet. I had no need for a managed, more spendier switch in such a layout.
And for your camera selection, lots of reviews, comments, opinions of cameras here (I specifically stick to one manufacturer for the comfort factor...which is Dahua). You have to ask yourself what the camera's purpose will serve. Night vision priority? Wide angle? Facial identification? Etc.
Ebay does do free shipping for many items. It's where I bought my last 2 Blue Iris computers (one was mid-tower and then a USFF smaller case). You will be hard pressed to find anything more economical than Ebay for computers (other than auctions and craigslist that sporadically show up)
 

Arjun

Known around here
Joined
Feb 26, 2017
Messages
9,116
Reaction score
11,157
Location
USA
Try to get the IPC-3241T Varifocal turrets instead
 

eric90000

n3wb
Joined
Apr 6, 2020
Messages
9
Reaction score
4
Location
Ireland
Managed or unmanaged. It depends on how you plan on isolating the cameras from the internet. A managed switch can allow you to set up a virtual LAN to isolate the cameras. But if you use two NICs in your BI computer (one for the cameras, one for the internet), you can use an unmanaged switch.
Hey, I'm getting my head around this stuff also. Is the only way to fully secure cameras to have them either on a managed switch with a VLAN or else on a separate NIC which has the internet access disabled on the card? Does that mean the cameras cannot be accessed remotely by yourself? Say you're on holidays or something and want to see them on say a phone?
 

Arjun

Known around here
Joined
Feb 26, 2017
Messages
9,116
Reaction score
11,157
Location
USA
You need to set up a private VPN in order to access your cameras remotely and securely.

Hey, I'm getting my head around this stuff also. Is the only way to fully secure cameras to have them either on a managed switch with a VLAN or else on a separate NIC which has the internet access disabled on the card? Does that mean the cameras cannot be accessed remotely by yourself? Say you're on holidays or something and want to see them on say a phone?
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
managed switch with a VLAN or else on a separate NIC which has the internet access disabled on the card? Does that mean the cameras cannot be accessed remotely by yourself?
Yes, the benefit of either approach is to restrict the cameras from being able to reach out to the internet. Since cameras and NVRs are infrequently patched and known to have a laundry list of vulnerabilities, it's just best to limit access both to them and from them. In the dual-NIC Blue Iris config, the cameras are connected to one NIC which has no internet access at all (the Blue Iris machine is the end point from the cameras' perspective), and in that case typically users would use the Blue Iris UI3 interface as the primary way to view/zoom and review clips. It's the least technical KISS method of security. If you have VLAN aware equipment you can also segregate your cameras with proper VLAN assignment and firewall rules, but this might be slightly more technical to set up, and does require equipment with VLAN support/VLAN aware.

Does that mean the cameras cannot be accessed remotely by yourself? Say you're on holidays or something and want to see them on say a phone?
If you can reach the cameras directly from your phone without first going through a VPN, then you likely have an insecure setup. Search these forums for how to set up OpenVPN on your router, that way you can connect securely to your home LAN while away.

When I am on my phone, I connect OpenVPN for any critical activity since I don't trust Open Wifi points. Once connected I can open UI3 web interface just like I was at home on my own wifi, and view cameras, review clips etc. I only need to remote desktop to the Blue Iris computer when I am configuring the cameras (this is an infrequent activity for me). May or may not meet your exact desires but it's secure.

Don't port forward a camera, or you'll be back in a few days to weeks posting a thread about how your camera is hacked, and how to fix it. Especially now during the COVID-19 deal, lots of people with idle time on their hands broadly scanning networks for vulnerabilities.
 

eric90000

n3wb
Joined
Apr 6, 2020
Messages
9
Reaction score
4
Location
Ireland
Yes, the benefit of either approach is to restrict the cameras from being able to reach out to the internet. Since cameras and NVRs are infrequently patched and known to have a laundry list of vulnerabilities, it's just best to limit access both to them and from them. In the dual-NIC Blue Iris config, the cameras are connected to one NIC which has no internet access at all (the Blue Iris machine is the end point from the cameras' perspective), and in that case typically users would use the Blue Iris UI3 interface as the primary way to view/zoom and review clips. It's the least technical KISS method of security. If you have VLAN aware equipment you can also segregate your cameras with proper VLAN assignment and firewall rules, but this might be slightly more technical to set up, and does require equipment with VLAN support/VLAN aware.


If you can reach the cameras directly from your phone without first going through a VPN, then you likely have an insecure setup. Search these forums for how to set up OpenVPN on your router, that way you can connect securely to your home LAN while away.

When I am on my phone, I connect OpenVPN for any critical activity since I don't trust Open Wifi points. Once connected I can open UI3 web interface just like I was at home on my own wifi, and view cameras, review clips etc. I only need to remote desktop to the Blue Iris computer when I am configuring the cameras (this is an infrequent activity for me). May or may not meet your exact desires but it's secure.

Don't port forward a camera, or you'll be back in a few days to weeks posting a thread about how your camera is hacked, and how to fix it. Especially now during the COVID-19 deal, lots of people with idle time on their hands broadly scanning networks for vulnerabilities.
Thanks a lot for the info! I just read the info page on VPN on this site. Unfortunately my ISP provided router doesn't have any possibility of a VPN and I'm using Nest Wifi as my WAP for stuff around the house. Can I run some sort of VPN software on the BlueIris machine to achieve the same goal? I'm guessing only my unmanaged switch (with all cameras connected) should be connected to the second NIC in the Blue Iris machine, and not the router etc.

If BlueIris is the end point for the cameras as you say (using a second NIC card), is there any way for the cameras to somehow get access to the internet if the computer has another NIC that's connected to the internet? e.g. for home media server requirements etc. Or should the computer be COMPLETELY isolated from the internet?

Sorry for hi-jacking this thread, maybe this stuff is helpful to the OP.
 

Arjun

Known around here
Joined
Feb 26, 2017
Messages
9,116
Reaction score
11,157
Location
USA
You have to set up a VPN in your private network. Your router probably has OpenVPN built right in it.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
ISP provided router doesn't have any possibility of a VPN and I'm using Nest Wifi as my WAP
It looks like, for the Google Nest Wifi Router (apparently there is a main router and remote access points; not sure, I don't have one), there are some posts saying that adding OpenVPN involves rooting the device. I'd wait for Google to add support directly in the interface; since many consumer routers have this functionality, I'd expect them to add it eventually.

I've never done it, but both OpenVPN Server & Dynamic DNS updater client (if you have dynamic IP) can run on a Windows box, so I'd look into doing it that way. It will require you to port forward a single OpenVPN port through the firewall (an extra step because your OpenVPN server isn't your firewall), but should still be plenty secure if set up properly. Running OpenVPN directly on your router/firewall is just easiest. You might also look into ngrok (somewhere on these forums is a thread on how to set it up) or ZeroTier (with private network certificate) as a workaround. I've not personally used ZeroTier (am test driving it now) but I've seen it recommended over on Level1Techs as a reasonably secure option.
 
Joined
Aug 8, 2018
Messages
7,423
Reaction score
26,020
Location
Spring, Texas
If BlueIris is the end point for the cameras as you say (using a second NIC card), is there any way for the cameras to somehow get access to the internet if the computer has another NIC that's connected to the internet? e.g. for home media server requirements etc. Or should the computer be COMPLETELY isolated from the internet?
When you set up a BI PC with two NICs, each IP address needs to be on a different subnet. So while your LAN IPs look like 192.168.1.xxx, your cameras and the second NIC need to look like, say 192.168.2.xxx. The cameras cannot jump from one subnet to the other through the computer. So they will have no access to the internet or the rest of your LAN. But you can access BI from the rest of your LAN since the first NIC is on the same subnet. See the diagram below. Sorry my writing is so bad.
 

eric90000

n3wb
Joined
Apr 6, 2020
Messages
9
Reaction score
4
Location
Ireland
When you set up a BI PC with two NICs, each IP address needs to be on a different subnet. So while your LAN IPs look like 192.168.1.xxx, your cameras and the second NIC need to look like, say 192.168.2.xxx. The cameras cannot jump from one subnet to the other through the computer. So they will have no access to the internet or the rest of your LAN. But you can access BI from the rest of your LAN since the first NIC is on the same subnet. See the diagram below. Sorry my writing is so bad.
Thank you very much for this explanation and drawing, much appreciated. I think I understand now! If I was to use a Raspberry Pi for the OpenVPN and not a router, that would just connect to the POE switch that the cams are on, correct?
 

eric90000

n3wb
Joined
Apr 6, 2020
Messages
9
Reaction score
4
Location
Ireland
It looks like, for the Google Nest Wifi Router (apparently there is a main router and remote access points; not sure, I don't have one), there are some posts saying that adding OpenVPN involves rooting the device. I'd wait for Google to add support directly in the interface; since many consumer routers have this functionality, I'd expect them to add it eventually.

I've never done it, but both OpenVPN Server & Dynamic DNS updater client (if you have dynamic IP) can run on a Windows box, so I'd look into doing it that way. It will require you to port forward a single OpenVPN port through the firewall (an extra step because your OpenVPN server isn't your firewall), but should still be plenty secure if set up properly. Running OpenVPN directly on your router/firewall is just easiest. You might also look into ngrok (somewhere on these forums is a thread on how to set it up) or ZeroTier (with private network certificate) as a workaround. I've not personally used ZeroTier (am test driving it now) but I've seen it recommended over on Level1Techs as a reasonably secure option.
Thanks for the info! I will look into a few different possibilities for the VPN :)
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Mind you... if you had to connect & configure each individual camera from your Main PC in a 2 NIC network configuration, you will not be able to (at least, I could not since my setup was simple). I had to either remote desktop in or stand at keyboard/mouse of the Blue Iris PC and use the Blue Iris PC to open a browser pointing to the IP address of the camera I wanted to tinker with. I was fine with doing that as you do not very often have to go back into each camera for configuration other than troubleshooting or wanting to try something new out.
 
Joined
Aug 8, 2018
Messages
7,423
Reaction score
26,020
Location
Spring, Texas
If I was to use a Raspberry Pi for the OpenVPN and not a router, that would just connect to the POE switch that the cams are on, correct?
I have not tried that, but I think the answer is no. That would give the cameras a direct route to the internet via the POE switch connected to the RP to the internet. You would connect your BI computer via the primary NIC to the RP. You might investigate putting your ISP supplied router in bypass mode and getting a router with built in OpenVPN.

Mind you... if you had to connect & configure each individual camera from your Main PC in a 2 NIC network configuration, you will not be able to (at least, I could not since my setup was simple).
What I have done to solve this issue is the following: My BI server is upstairs. My main PC that I use daily is in my office downstairs. This PC has two RJ45 jacks on the motherboard which I configured one for my main LAN and the other on the same subnet as the POE switches and cameras. That second connection goes to one of my POE switches. So I have access to each camera from both machines.
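
The isolation rules discussed in this thread (cameras on their own subnet behind a second NIC, a single OpenVPN port forward, no camera port forwards), written as a small audit over an address plan. This is an added example, not part of any post above; the host names, addresses and the `ip_forwarding` flag are constructed assumptions, and 1194/udp is used because it is OpenVPN's default port.

```python
import ipaddress

# Constructed address plan modelled on the thread (LAN 192.168.1.x, cameras
# 192.168.2.x). Host names, addresses and ports are assumptions for the example.
LAN, CAMS = "192.168.1.0/24", "192.168.2.0/24"
HOSTS = {
    # name: NICs as (ip, default_gateway) plus whether the OS routes between NICs
    "bi-pc": {"nics": [("192.168.1.10", "192.168.1.1"), ("192.168.2.1", None)],
              "ip_forwarding": False},
    "main-pc": {"nics": [("192.168.1.20", "192.168.1.1"), ("192.168.2.2", None)],
                "ip_forwarding": False},
    "cam-front": {"nics": [("192.168.2.101", None)], "ip_forwarding": False},
}
# Router port forwards as (wan_port, proto, internal_ip, internal_port).
FORWARDS = [(1194, "udp", "192.168.1.10", 1194)]
VPN_FORWARD = (1194, "udp", "192.168.1.10", 1194)  # the one forward the VPN needs


def audit(hosts, forwards, lan=LAN, cams=CAMS, vpn_forward=VPN_FORWARD):
    """Return a list of findings; an empty list means the cameras stay isolated."""
    lan, cams = ipaddress.ip_network(lan), ipaddress.ip_network(cams)
    findings = []
    if lan.overlaps(cams):
        findings.append(f"camera subnet {cams} overlaps LAN {lan}")
    for name, host in hosts.items():
        cam_side = [(ip, gw) for ip, gw in host["nics"]
                    if ipaddress.ip_address(ip) in cams]
        if not cam_side or len(cam_side) == len(host["nics"]):
            continue  # not dual-homed across the camera boundary
        # A dual-homed host isolates only while it does not route between its NICs.
        if host["ip_forwarding"]:
            findings.append(f"{name}: routes between the camera subnet and other networks")
        for ip, gw in cam_side:
            if gw is not None:
                findings.append(f"{name}: camera-side NIC {ip} has default gateway {gw}")
    for fwd in forwards:
        # Anything other than the single VPN forward is reachable without the VPN.
        if tuple(fwd) != tuple(vpn_forward):
            findings.append(f"port forward {fwd[1]}/{fwd[0]} -> {fwd[2]}:{fwd[3]} bypasses the VPN")
    return findings


if __name__ == "__main__":
    for line in audit(HOSTS, FORWARDS) or ["no findings"]:
        print(line)
```

Adding a dual-homed device with `ip_forwarding` set to `True`, such as a VPN box plugged into the camera switch, produces a finding because that device becomes a route out of the camera subnet.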
 