New IP Cam System - Network Setup

Joined
Oct 13, 2016
Messages
9
Reaction score
0
I am trying to put together a new IP camera system. After reading through these forums I have decided to build a dedicated computer (or buy a refurb. Optiplex) and run XProtect Essential or Blue Iris.

I plan on purchasing a Hikvision DS-2CD2342WD-I (4MM) turret camera and a POE switch.

Right now I am using the standard Comcast (xfinity) gateway/router. I am very concerned about security now that I have been reading on this forum and I have no idea how to set up my network.

Should I buy a new router and a new POE switch? I want to eventually have a few inside cameras that will be viewable from a mobile app, but I also don't want the cameras to be viewed by anyone else. I am also looking for something that will push notifications to my phone or e-mail when there is motion.


Thanks!
 
Joined
Oct 13, 2016
Messages
9
Reaction score
0
I can be convinced to buy an NVR and skip the POE switch. I have never used an NVR or any of the software I mentioned in my first post.

I just want to have a very secure IP camera network that can be viewed on a mobile device and send me notifications.
 

rotorwash

Getting the hang of it
Joined
Aug 22, 2016
Messages
103
Reaction score
20
Location
NE PA
To view video from outside your network, there needs to be a way to gain entry. Sometimes people allow their equipment to be directly accessible from the outside world through port forwarding. Most routers allow for this, either manually or automatically through UPnP (Universal Plug-n-Play). In doing so, you are trusting the vendor 100% that their product is secure, and that the credentials you are using are strong and effective. Another method is to use the "cloud proxy" method some vendors offer. Their devices open an outbound connection to their company's proxy server, and you gain access to your internal resources by accessing their service. The last and most secure method is via VPN (Virtual Private Network). This method sets up an encrypted tunnel from your device to the VPN server on your internal network. This method uses a security device to provide a secure method of access. You are trusting your security to a security specific vendor or technology, and it is a product that you control yourself. This is the method I use to access my Blue Iris application from my phone and tablet computers when I am outside my home network.

If you want security, you will have to set up a VPN. Some routers have this capability. If yours does not, you can install VPN server software on a system on your local network and open the VPN port on your router. I highly recommend this approach whether or not you go with BI or an NVR. Let that decision be driven more from your comfort level and needed features, and let the VPN provide security for either.
 
Joined
Oct 13, 2016
Messages
9
Reaction score
0
Thanks!

VPN sounds like the way to go. So, if I buy a new router, I can plug my cable modem into the new router. I can then plug the switch (or NVR) into a port on the router, and tell the router that the port should be protected by a VPN? If that is correct, are the other ports protected or just that one?
 

rotorwash

Getting the hang of it
Joined
Aug 22, 2016
Messages
103
Reaction score
20
Location
NE PA
Your router essentially has a clean side and a dirty side. The dirty side is the Internet, the clean side is your internal network. If you want to allow communication from the dirty side to the clean side, you need to create a path, like a drawbridge over a moat. The VPN service acts as that secure path. Once a device is connected to the VPN tunnel, they are essentially a node on your internal network. Your router is simply allowing the VPN traffic in, everything else is blocked. Some routers also act as a VPN server. It's not so much as the ports are protected by the VPN. Your entire network will be protected by the router (moat) and the VPN is the drawbridge.

Look for a thread by CaliGirl where she outlines setting up her router as a VPN server. It may help explain as she goes into great detail around her process.
 

rotorwash

Getting the hang of it
Joined
Aug 22, 2016
Messages
103
Reaction score
20
Location
NE PA
I'm glad you are taking the time to understand this BTW. It is critical to understand how this all works. Otherwise you open yourself up to the potential theft of personal information. Believe me, that is no fun.
 
Joined
Oct 13, 2016
Messages
9
Reaction score
0
Thanks for taking the time to write about it. I will read through that thread this evening. Though I do have questions buzzing through my head about using the router as a VPN server.

Is that the same as using a VPN service to mask your location?
Will it slow down my internet access? (I have used VPN services for torrents before, and they were VERY slow)
Will it cover all of the devices on my network?
 
Joined
Oct 13, 2016
Messages
9
Reaction score
0
Follow-up...

Would it be best to buy a router with VPN capabilities or get a router that supports DD-WRT and use that?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
I'd say DD-WRT it right away, I was doing some research for someone else here and it looks like the ASUS RT-AC56U w/Tomato firmware is a good choice, it's capable of VPN Speeds ~20Mbit which is more than most residential upload speeds and thus plenty fast enough.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
> Is that the same as using a VPN service to mask your location?
> Will it slow down my internet access? (I have used VPN services for torrents before, and they were VERY slow)
> Will it cover all of the devices on my network?

1. No, those are paying someone else to run a VPN Server on their network.. you will run VPN Server on your network, and it's free.
2. Not if it's capable of VPN Speeds faster than your internet uploads.. the protocol overhead is very minimal, the crypto speeds are often the first bottleneck hit.
3. Yes, when VPN Tunnel is connected it's like you're at home on your LAN and everything on the network is accessible with your internal IP addresses.

VPN Services for torrents are inherently slow by nature; again that was used for hiding your location.. not securing your connection to your home network so it's an apples to oranges comparison.
 
Joined
Oct 13, 2016
Messages
9
Reaction score
0
Thanks. I will look into Tomato; after reading some it seems easier to use than DD-WRT.

I now understand the difference between a VPN Client (used to hide) and a VPN server (used to connect securely).


Thanks everyone!
 
Joined
Oct 13, 2016
Messages
9
Reaction score
0
Is it best to have one switch for the IP cameras, and another switch for my computer network? Or have everything on one switch?
 

rgarjr

n3wb
Joined
Sep 23, 2016
Messages
16
Reaction score
4
> Is it best to have one switch for the IP cameras, and another switch for my computer network? Or have everything on one switch?

If you're recording 24/7 then yes one switch will handle all the IP cam traffic and it won't affect the other switch for your computers.

Then again, switches have a lot of throughput bandwidth, so 1 switch would handle all traffic.

I have 2 switches since I need one with PoE for cams and just a regular one for PCs.
 
Joined
Oct 13, 2016
Messages
9
Reaction score
0
I purchased an Asus RT-AC66U. I have flashed the Tomato Shibby firmware. Now I'm not sure what I should do...

Should I use static IP addresses? DNS configuration? DHCP? Do I need a firewall?

Every time I start researching, I just dive deeper down the hole and get confused.


Is there a guide as to what changes and configurations I should make to ensure the security of my home and IP cam network?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
DHCP w/Static Mapping on the Router..

The default firewall should block all incoming connections, make sure UPnP is not enabled.. then set up OpenVPN
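
The end state recommended in this thread (inbound blocked by default, no port forwards or UPnP mappings, only the VPN port reachable from the Internet) can be checked against a router's `iptables-save` output. This is an added example, not code from any poster in the thread; the interface names `vlan2` (WAN) and `br0` (LAN), the camera address and both rule dumps are constructed assumptions.

```python
import shlex

WAN_IF = "vlan2"        # assumption: WAN interface name on this router
VPN = ("udp", "1194")   # OpenVPN's default protocol and port

def parse(dump):
    """Split iptables-save text into chain policies and per-rule option dicts."""
    policies, rules, table = {}, [], None
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):                      # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):                    # chain policy, e.g. :INPUT DROP [0:0]
            chain, policy = line[1:].split()[:2]
            policies[(table, chain)] = policy
        elif line.startswith("-A "):                  # appended rule
            tok = shlex.split(line)
            rule = {"table": table, "chain": tok[1]}
            for flag, value in zip(tok[2:], tok[3:]):
                if flag.startswith("-") and not value.startswith("-"):
                    rule[flag] = value
            rules.append(rule)
    return policies, rules

def audit(dump):
    """Return findings: permissive defaults, port forwards, WAN-exposed services."""
    policies, rules = parse(dump)
    out = [f"filter/{c} default policy is not DROP"
           for c in ("INPUT", "FORWARD") if policies.get(("filter", c)) != "DROP"]
    for r in rules:
        svc = (r.get("-p"), r.get("--dport"))
        if r["table"] == "nat" and r.get("-j") == "DNAT":  # manual or UPnP-created forward
            out.append(f"port forward {svc[0]}/{svc[1]} -> {r.get('--to-destination')}")
        elif (r["table"], r["chain"], r.get("-j")) == ("filter", "INPUT", "ACCEPT"):
            if r.get("-i") in (WAN_IF, None) and svc[1] and svc != VPN:
                out.append(f"WAN-reachable service {svc[0]}/{svc[1]}")
    return out

# Constructed, trimmed rule dumps: a camera forwarded to the Internet vs. VPN-only access.
EXPOSED = """*nat
-A PREROUTING -i vlan2 -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.64:554
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i vlan2 -p tcp -m tcp --dport 80 -j ACCEPT"""
HARDENED = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i vlan2 -p udp -m udp --dport 1194 -j ACCEPT"""
```

`audit(EXPOSED)` reports the permissive FORWARD policy, the camera port forward and the WAN-reachable web port, while `audit(HARDENED)` returns an empty list.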
 