Noob Question on Router & Switch

armadaone

Jun 7, 2020
Hello, I've ordered a few Dahua cameras and I am now looking at the network hardware I am going to need. Specifically, I think I want the six cameras on a separate network or subnet from the main house so that they can't send any footage anywhere I don't want (IoT) or to Chinese servers. I am planning on setting up a separate PC to run Blue Iris with the PoE network switch, and I want to be able to open an app on my phone (Android) and my wife's (Apple) and see the cameras, preferably without having to VPN into anything, even though it sounds as if I will need to. I guess I then have a few questions:
- Is it possible to do what I have mentioned above without needing to VPN in? And if you're VPNed in, are you still able to use your phone for the internet, or do you need to just connect the VPN to view the cameras and then turn it off when you're done?
- Am I able to use a router with VLANs (such as a Ubiquiti EdgeRouter X) that then goes to an unmanaged PoE switch for the cameras and another for the home network, or would I need to put the camera network on one VLAN with a managed switch while the home network can be on an unmanaged switch?

Thanks in advance for all of the help!
 
Accessing your BI server from "outside" will require a VPN. There is no other way to do it. Once a VPN is in place, using the VPN is just like being on your home network and UI3 will work fine to access the BI machine and view or review video. In terms of subnets and VLANs, setting that up on an intelligent switch is one way. Simply adding a second network card to the BI server configured for the camera subnet is a less expensive way to accomplish the same thing with zero management required other than the initial configuration of the second card. The biggest hurdle is the VPN if your router does not include one.
 
If you want to connect remotely without a VPN, you could try stunnel. Sorry, stunnel can be considered a type of VPN, so technically you are still using a VPN. Stunnel is going to build a TLS tunnel directly from your phone to Blue Iris. You use TLS tunnels each time you access your bank online, so it's definitely secure. Stunnel uses the same OpenSSL libraries as OpenVPN (which most routers use), so you are getting the same level of encryption. IMHO it is a little easier than connecting to your VPN each time you use the Blue Iris app.

I use both OpenVPN and stunnel:

- I have OpenVPN set up (on pfSense) for when I want to access my home network (for work purposes). I VPN from my MacBook to home when I'm traveling.

- My wife, kids, and I use the Blue Iris app to access Blue Iris remotely (via stunnel). There is no difference in the app when you are home or away, so stunnel makes access completely transparent to them.
 
- Is it possible to do what I have mentioned above without needing to VPN in? And if you're VPNed in, are you still able to use your phone for the internet, or do you need to just connect the VPN to view the cameras and then turn it off when you're done?
As @reflection stated, it can be done with stunnel. I had setup issues with it, mostly in being able to get an SSL certificate generated. The other caveat is you have to turn on port forwarding, which for some is a big no-no. I just wanted to mention that since you are still deciding on how you want to access your BI server.

Here's a Stunnel guide I followed to try and get mine setup. I gave up because of the SSL Certificate deal and have yet to configure my VPN.

- Am I able to use a router with VLANs (such as a Ubiquiti EdgeRouter X) that then goes to an unmanaged PoE switch for the cameras and another for the home network, or would I need to put the camera network on one VLAN with a managed switch while the home network can be on an unmanaged switch?
I was lucky that the "Home Server" I built for other things has a second NIC. I was able to do what @sebastiantombs said and configured a second subnet for my cameras. Initial setup was the biggest hurdle, but it was not that difficult. I have an unmanaged PoE switch for my camera network, so regardless of how you split them I wouldn't think you would need a managed switch for your camera network unless you want the added security features and functions of a managed switch.

Link to a dual NIC setup guide here on IPC.
 
Thanks in advance for all of the help!

Lots of good advice above! I used OpenVPN for years when accessing files from my home server while travelling worldwide. It is very secure, runs on Linux or Windows, and is free.

Another easy option for OpenVPN you might want to look for is a router with OpenVPN embedded in the firmware, so you essentially have your own private VPN server in your router. This way, you would not need a dedicated file server computer on your network.

There are many such routers available - I myself have an older Buffalo wireless router/ethernet switch with DD-WRT firmware, which has the OpenVPN server included in the code.
 
The other caveat is you have to turn on port forwarding, which for some is a big no-no.

Port forwarding is generally a big no-no if you forward to an insecure service. When you port forward, you basically open a port on your router and send that traffic to another device.

If you enable OpenVPN on your router, in essence you are "opening" that port. Typically people use TCP port 443. This allows the OpenVPN daemon listening on port 443 to establish a connection.

In the same manner, if you had a different device behind your router doing OpenVPN, you would open TCP port 443 and pass that port along to your OpenVPN server.

In the same manner, if you are running stunnel on your Blue Iris server, you would open TCP port 443 and pass that port along to your Blue Iris server running stunnel.
 
Port forwarding is generally a big no-no if you forward to an insecure service. When you port forward, you basically open a port on your router and send that traffic to another device.

If you enable OpenVPN on your router, in essence you are "opening" that port. Typically people use TCP port 443. This allows the OpenVPN daemon listening on port 443 to establish a connection.

In the same manner, if you had a different device behind your router doing OpenVPN, you would open TCP port 443 and pass that port along to your OpenVPN server.

In the same manner, if you are running stunnel on your Blue Iris server, you would open TCP port 443 and pass that port along to your Blue Iris server running stunnel.

So would you say stunnel is just as safe as a VPN, since you are establishing that SSL connection?
 
So would you say stunnel is just as safe as a VPN, since you are establishing that SSL connection?
It's a TLS tunnel (not SSL, but some people use that term synonymously) and yes, it's just as secure because it is a VPN which uses the same crypto. Blue Iris is an app, so IMHO securing it to the app makes more sense than building a tunnel to your entire home network just for Blue Iris. If you have other needs, then yes, build the VPN to your home as needed. Here are some drawings I put together to elaborate.

For a bank app, you don't connect to the bank's data center at the gateway router; your secure session goes directly to the HTTPS service running on a VM (Linux in this example). The bank's data center will open TCP port 443 and the Linux VM also opens 443. This is a very simple example because there are other devices in the path, including firewalls, IDS and load balancers, but they let the encrypted traffic through.
secureApp.png
Similarly, the Blue Iris app will access your home Blue Iris server via HTTPS. Stunnel provides that TLS wrapper. You have to open the appropriate ports that stunnel is listening on (both on your gateway router and the Windows VM). In this example, it's TCP 8443. The remote user connects to the Blue Iris server seamlessly. This is great if you have many users. This is also a simplified diagram of my home network because I too have multiple firewalls and IDS (I have a load balancer too, but it's used for something else):
stunnel.png

With OpenVPN on your phone, you are creating a phone-to-site VPN. The VPN app on your smartphone builds a tunnel to the VPN service on your router. You have to open TCP port 443 on your gateway router (sometimes done automatically for you). Your entire home network is available to your phone. This is great if you want to access your cameras directly or other IoT devices at home. For people who are just accessing Blue Iris, having the entire home network connected is not necessary.
openVPN.png
 
With OpenVPN, you are creating a site-to-site VPN. The VPN app on your smartphone builds a tunnel to the VPN service on your router. You have to open TCP port 443 on your gateway router (sometimes done automatically for you). Your entire home network is available to your phone. This is great if you want to access your cameras directly or other IoT devices at home. For people who are just accessing Blue Iris, having the entire home network connected is not necessary.

Almost perfectly described, although the drawn OpenVPN connection (and especially with only one mobile device) is not a site-to-site VPN connection. With one device, it is a classic "client-server" tunnel, but indeed, the whole LAN is "exposed" (unless you work with VLANs, for example). Or, if you install the OpenVPN service on the BI Windows box, it can be limited to that device too, hence it is almost similar to the options above. If you would connect a full LAN (e.g. your office) to your home LAN (e.g. your house), then you could decide on a site-to-site VPN tunnel, with all the benefits (and disadvantages) that come with that setup.

Hope this helps!
CC
 
Almost perfectly described, although the drawn OpenVPN connection (and especially with only one mobile device) is not a site-to-site VPN connection. With one device, it is a classic "client-server" tunnel, but indeed, the whole LAN is "exposed" (unless you work with VLANs, for example). Or, if you install the OpenVPN service on the BI Windows box, it can be limited to that device too, hence it is almost similar to the options above. If you would connect a full LAN (e.g. your office) to your home LAN (e.g. your house), then you could decide on a site-to-site VPN tunnel, with all the benefits (and disadvantages) that come with that setup.

Hope this helps!
CC
Agreed, site2site was not the right term. Thanks for pointing that out. Corrected.
 
Wow, I go away on holidays and come back to this. Thank you to everyone who has contributed to the thread! I bought a second NIC card and I think I am going to try to set up stunnel to Blue Iris. Thanks again, all!
 
I've been messing around with this for a while and maybe I misunderstood a bit. I followed the steps exactly for setting up the second NIC card. Now I have the issue that I can log into the web interface on the BI machine, but I can't log into the web interface from any other device on the "home network" side of the setup, i.e. NIC1, which is connected to the internet, and not NIC2, where the cameras lie. I tried from both my phone on WiFi and another hardwired computer. From what I have been reading in the forums and my networking knowledge, I think I should be able to log in to the web interface, and if that is the case I'll keep on reading the forums trying to figure out what the issue is.
 
I'm logging in with my NIC1 static IP, 10.0.0.10:81/ui3.htm. It works on the BI machine, just nothing else.

Edit: That's the same video I was watching after I set up the NIC.
 
Starting simple:

1) What is the internal address of your router?
2) What are the TWO IP addresses of your BI machine?
3) What are the IP addresses of your cameras?

With the two-NIC setup you will not be able to directly access your cameras except from the BI PC (unless you remote into the BI PC).

4) Are you accessing your home network remotely, or are you on the home network?
5) Are you using stunnel or a router-based VPN to access remotely?

6) In detail, what are you trying to do that is not working? Use specific information: system names, IP addresses....

======================================
Private IP addresses. Local IP addresses. These addresses are NOT used on the internet. They are for your local home/business network.
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

Note there is no reason to redact local IP addresses when posting.
--------------------------------------------------------------------
 
Starting simple:

1) What is the internal address of your router?
2) What are the TWO IP addresses of your BI machine?
3) What are the IP addresses of your cameras?

With the two-NIC setup you will not be able to directly access your cameras except from the BI PC (unless you remote into the BI PC).

4) Are you accessing your home network remotely, or are you on the home network?
5) Are you using stunnel or a router-based VPN to access remotely?

6) In detail, what are you trying to do that is not working? Use specific information: system names, IP addresses....

======================================
Private IP addresses. Local IP addresses. These addresses are NOT used on the internet. They are for your local home/business network.
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

Note there is no reason to redact local IP addresses when posting.
--------------------------------------------------------------------

1) The internal address of my router is: 10.0.0.1
2) The IP addresses of my machine are 10.0.0.10 and 192.168.55.10.
3) Camera IP addresses are: 192.168.55.21, 192.168.55.20

4) I am on the home network.
5) Once I get everything working locally I will finish setting up stunnel, if I can get my garbage router to properly port forward.

6) I thought I had correctly set up my cameras on a separate network from the internet, but I can't seem to access BI from any machine other than the BI machine itself. Going to 10.0.0.10/81 on the BI machine takes me to the BI login, but that address from any other device on the home network (10.0.0.XX) times out.
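As an added illustration (not code from the thread or from Blue Iris), here is the dual-NIC layout armadaone described, modelled with the addresses given above so the isolation property and the "times out from other home devices" symptom can be reasoned about. It assumes /24 masks on both NICs, cameras configured with no default gateway, and no IP forwarding on the BI PC; the host names are placeholders.

```python
from ipaddress import ip_address, ip_network

# RFC 1918 ranges quoted in the thread: never routed on the public internet.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOME_LAN = ip_network("10.0.0.0/24")        # assumed /24 behind the router 10.0.0.1
CAMERA_LAN = ip_network("192.168.55.0/24")  # assumed /24 on the BI PC's second NIC

# Per host: subnets it is attached to, and its default gateway (None = none).
# Cameras get no gateway and the BI PC does not forward between its NICs, so
# Blue Iris itself is the only thing bridging the two subnets.
HOSTS = {
    "phone":  ([HOME_LAN], ip_address("10.0.0.1")),
    "bi_pc":  ([HOME_LAN, CAMERA_LAN], ip_address("10.0.0.1")),
    "camera": ([CAMERA_LAN], None),
}

def is_private(addr):
    """True when addr falls in one of the RFC 1918 ranges."""
    return any(ip_address(addr) in net for net in RFC1918)

def path(src_host, dst):
    """'direct' (same subnet), 'no-route' (host has no gateway), 'dropped'
    (home router has no route to the camera LAN) or 'via-router' (internet)."""
    attached, gateway = HOSTS[src_host]
    d = ip_address(dst)
    if any(d in net for net in attached):
        return "direct"
    if gateway is None:
        return "no-route"
    if d in CAMERA_LAN:
        return "dropped"
    return "via-router"

def isolation_holds():
    """Cameras cannot reach the internet, home devices cannot reach cameras,
    and the BI PC reaches both: the property the dual-NIC layout exists for."""
    return (path("camera", "8.8.8.8") == "no-route"
            and path("phone", "192.168.55.21") == "dropped"
            and path("bi_pc", "192.168.55.21") == "direct"
            and path("bi_pc", "8.8.8.8") == "via-router")

def diagnose_web_ui(src_host, bi_addr="10.0.0.10"):
    """UI3 on 10.0.0.10:81 works on the BI PC but times out from other home
    devices: if the path is 'direct', routing is fine and the host firewall on
    the BI PC or the interface Blue Iris is bound to is the next thing to check."""
    p = path(src_host, bi_addr)
    if p == "direct":
        return "routing OK; check the BI PC firewall and BI binding on " + bi_addr
    return "no L3 path from %s to %s (%s)" % (src_host, bi_addr, p)
```

Because the phone and the BI PC's NIC1 share 10.0.0.0/24, a timeout on 10.0.0.10:81 is not a routing problem, which is why the follow-up questions in the thread turn to the BI port and the router.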
If you're having a dedicated PC for BI, then you might want to get a dedicated PC for pfSense - a much better router than anything you get at a box store.
 
@armadaone

1) From the other devices on your network, can you ping the BI machine 10.0.0.10?
2) Does the BI machine 10.0.0.10 connect directly to the router?
3) For the physical routing from the other home devices on your network to the BI machine, does the traffic pass through the router?
4) What is the make and model number of your router?
5) Are you attempting to port forward port 81?
6) Does BI connect to the cameras?

Change the port number in BI to something like 8081, not 81.