Not safe to buy Hikvision equipment since banned in US?

.... 2 network cards in your BI machine
This is a good idea, but using a separate VLAN is still useful even if you have two network cards. For example, if you want to use the same network switch for other devices too. Configure the switch ports used by the cameras, and the switch port used by the second network card, to use the camera VLAN untagged and as the PVID.
 
Have done this many times with TVs......why the hell does a Samsung TV need to send data to China and India?
Hmmmm....you'd think it'd be South Korea since that's Samsung's home base. :wtf:
 
Cameras should always be on a separate VLAN that does not have internet access, regardless of brand or country of manufacture. The firewall on your router should be configured to allow inbound cross-VLAN connections from your regular VLAN to the camera VLAN, but not the other way around (i.e. your PC or Blue Iris server can access the camera, but the camera can't access them).

I'm new to this and would like to understand this better. I can see how I would want the cameras to have no access to the Internet. But if I want to access my recordings remotely through Blue Iris, that's OK, right? IOW, the cameras send the feed to BI. I don't access the cameras remotely, but can still view the feeds via BI. Is that considered safe?
 
I don't access the cameras remotely, but can still view the feeds via BI. Is that considered safe?
Yes.
And you can isolate only the cameras from the Internet but allow BI to be remotely accessible via the Internet to view its cameras by using, among other methods, two NICs in the BI server as shown below. Each NIC is on a subnet different from the other NIC.

Network Topology 2NICs.JPG
 
+1 above. Plus when using BI, you are only seeing the video feed and not actually exposing the camera itself to the internet.
 
Yes.
And you can isolate only the cameras from the Internet but allow BI to be remotely accessible via the Internet to view its cameras by using, among other methods, two NICs in the BI server as shown below. Each NIC is on a subnet different from the other NIC.

This is a good diagram.

You'll also want to enable Windows' NTP server, update the firewall on the BI PC to allow the cams to connect to UDP port 123 (NTP), and configure the cameras to use it as their NTP server, so they can keep their time in sync, otherwise they'll drift over time. By default, they use a public time server, but that won't work without internet access. I use Windows Server 2022 for my Blue Iris server, but I think the NTP service is available on Windows 10 and 11 too.

I'd also recommend only accessing your Blue Iris server via a VPN rather than exposing it directly to the internet. Tailscale is very easy to set up and is what I'd recommend - install it on your Blue Iris server, update the Windows firewall if needed, install it on your phone or laptop or whatever, then accessing the Blue Iris' Tailscale IP from your phone or laptop should just work. Wireguard is good, but takes a while to set up (Tailscale is built on top of Wireguard and automates the setup). Other solutions like ZeroTier are fine too.
 
.... 2 network cards in your BI machine

Can you explain a little more? I'm setting up my home network and don't want to go back to the way it was (just using the Blue Iris wizard to set up remote access). I have Hik cameras, and don't really want to mess with VLANs. I'm tech/PC savvy to a point. What would you recommend? 2 network cards, and how would that setup look? THANKS!
 
Yes.
And you can isolate only the cameras from the Internet but allow BI to be remotely accessible via the Internet to view its cameras by using, among other methods, two NICs in the BI server as shown below. Each NIC is on a subnet different from the other NIC.

This is very helpful and interesting. I'm looking to re-set up my home network and am concerned about the cameras being exposed to the internet, not so much for someone to watch them but to gain a gateway to my home network. In the scenario above, will that eliminate that totally? Will I also still be able to view the cameras while outside my home network via BI, which will be secure, so that someone may be able to watch but never access the cameras/home network directly?

Any thoughts on how to ensure my IoT devices are also secure? i.e. my Z-Wave locks/doorbell/switches etc.?
 
This is very helpful and interesting. I'm looking to re-set up my home network and am concerned about the cameras being exposed to the internet, not so much for someone to watch them but to gain a gateway to my home network. In the scenario above, will that eliminate that totally? Will I also still be able to view the cameras while outside my home network via BI, which will be secure, so that someone may be able to watch but never access the cameras/home network directly?

Any thoughts on how to ensure my IoT devices are also secure? i.e. my Z-Wave locks/doorbell/switches etc.?
If nothing else, use the tools in your router to block the camera IPs from accessing the internet. Every router is different, but there will be a way to block IPs on your LAN from getting out to "phone home" or provide a target for some hacker.
 
This is very helpful and interesting. I'm looking to re-set up my home network and am concerned about the cameras being exposed to the internet, not so much for someone to watch them but to gain a gateway to my home network. In the scenario above, will that eliminate that totally? Will I also still be able to view the cameras while outside my home network via BI, which will be secure, so that someone may be able to watch but never access the cameras/home network directly?

Any thoughts on how to ensure my IoT devices are also secure? i.e. my Z-Wave locks/doorbell/switches etc.?

How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk
 
Any thoughts on how to ensure my IoT devices are also secure? i.e. my Z-Wave locks/doorbell/switches etc.?

Z-Wave and Zigbee are essentially automatically secure, as there's no way the devices can directly reach the internet. Z-Wave and Zigbee are totally separate networks. Proprietary controllers / gateways can access the internet, but the best practice for Zigbee is to use a PoE Zigbee coordinator like the SLZB-06 (SLZB-06 Zigbee Ethernet PoE LAN USB WiFi Adapter CC2652P | Zigbee2MQTT | Home Assistant | SMLIGHT | SMLIGHT Official Homepage) along with Zigbee2MQTT and something like Home Assistant. I'm less familiar with Z-Wave as most of my smart devices use Zigbee.

If you have Wi-Fi IoT devices, the best approach is to put them on a separate VLAN. This requires Wi-Fi access points that support multiple SSIDs and let you change the VLAN per SSID. Low-end consumer-grade access points normally don't support this, but prosumer and business-focused ones do. I've got two TP-Link Omada EAP670 access points, but the Ubiquiti UniFi U6 and U7 series are popular too. The best practice for Wi-Fi will be to eventually use Wi-Fi HaLow for IoT devices, but support isn't widespread yet.
 
2 network cards, and how would that setup look? THANKS!
Check if your motherboard has two Ethernet ports - some of the higher-end ones do. If not, buy another NIC. A Gigabit NIC is around $15 (e.g. ) but these days you may as well buy a 2.5Gbps NIC since they're not much more expensive (e.g. ) and you may want to update your home network to 2.5Gbps or higher one day.

Connect one NIC to a switch that only has the cameras attached to it. I usually use the "worse" NIC for this (i.e. slower speed, Realtek chip instead of a better one, etc). Connect the other NIC to your regular network. Ensure they're using different subnets.

If you're running Blue Iris in a VM (for example, on a Proxmox or Unraid system), use PCI passthrough to pass through the camera NIC directly to the VM.
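The two-NIC steps above, plus the earlier note about serving NTP to the cameras from the BI PC, as one concrete PowerShell script for the Windows Blue Iris host. This is an added example, not code from this thread or from any of its posters. The adapter name 'Ethernet 2' and the 192.168.50.0/24 camera subnet are assumed placeholders; it relies on the Windows Time service's built-in NTP server provider, which is present on Windows 10, 11 and Server. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Prepares a Windows Blue Iris host with a
# dedicated camera NIC, an NTP server for the cameras, and host firewall rules
# that only let the cameras reach this machine on the one port they need.
# ASSUMED placeholders - change to match your adapters and addressing:
$CamNic    = 'Ethernet 2'       # the NIC cabled to the camera-only switch
$CamHostIp = '192.168.50.1'     # this server's address on the camera subnet
$CamPrefix = 24
$CamSubnet = '192.168.50.0/24'  # the cameras get static IPs in this range

# 1. Static address on the camera NIC, deliberately with NO default gateway.
#    Only the LAN NIC owns the 0.0.0.0/0 route, so nothing on the camera
#    subnet can be routed out to the internet through this host.
Set-NetIPInterface -InterfaceAlias $CamNic -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $CamNic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $CamNic -IPAddress $CamHostIp -PrefixLength $CamPrefix | Out-Null

# 2. Make sure Windows never forwards packets between the two NICs. Two NICs
#    only isolate the cameras if the host refuses to act as a router between them.
Get-NetIPInterface -AddressFamily IPv4 | Set-NetIPInterface -Forwarding Disabled
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' `
    -Name IPEnableRouter -Value 0 -Type DWord

# 3. Treat the camera segment as an untrusted ("Public") network so the
#    firewall's default inbound-block applies there, then serve NTP to the
#    cameras with the Windows Time service's built-in NTP server.
Set-NetConnectionProfile -InterfaceAlias $CamNic -NetworkCategory Public
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer' `
    -Name Enabled -Value 1 -Type DWord
Set-Service -Name w32time -StartupType Automatic
Restart-Service -Name w32time
w32tm /config /update | Out-Null

# 4. Firewall: the only unsolicited traffic the cameras may send to this host
#    is NTP (UDP 123), and only on the camera NIC from the camera subnet.
#    Blue Iris pulls RTSP from the cameras itself, and those replies are
#    allowed statefully, so no further inbound rule is needed.
$RuleName = 'Cameras -> NTP (camera NIC only)'
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 123 -RemoteAddress $CamSubnet `
    -InterfaceAlias $CamNic -Profile Any | Out-Null

# 5. Read-back checks a practitioner would want before trusting the setup.
$defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0'
if ($defaults.InterfaceAlias -contains $CamNic) {
    Write-Warning "A default route exists on $CamNic - remove the gateway from that adapter."
}
if ((Get-NetIPInterface -InterfaceAlias $CamNic -AddressFamily IPv4).Forwarding -ne 'Disabled') {
    Write-Warning "IP forwarding is still enabled on $CamNic."
}
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallPortFilter   # expect UDP / 123
```

On the camera side, give each camera a static address in the camera subnet, point its NTP setting at the BI host's camera-side address, and leave the camera's default gateway blank (or set it to the BI host, which will not forward). A host that forwards, or a camera NIC that picks up a gateway via DHCP, quietly undoes the isolation the two-NIC layout is meant to provide.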
 
Z-Wave and Zigbee are essentially automatically secure, as there's no way the devices can directly reach the internet. Z-Wave and Zigbee are totally separate networks. Proprietary controllers / gateways can access the internet, but the best practice for Zigbee is to use a PoE Zigbee coordinator like the SLZB-06 (SLZB-06 Zigbee Ethernet PoE LAN USB WiFi Adapter CC2652P | Zigbee2MQTT | Home Assistant | SMLIGHT | SMLIGHT Official Homepage) along with Zigbee2MQTT and something like Home Assistant. I'm less familiar with Z-Wave as most of my smart devices use Zigbee.

If you have Wi-Fi IoT devices, the best approach is to put them on a separate VLAN. This requires Wi-Fi access points that support multiple SSIDs and let you change the VLAN per SSID. Low-end consumer-grade access points normally don't support this, but prosumer and business-focused ones do. I've got two TP-Link Omada EAP670 access points, but the Ubiquiti UniFi U6 and U7 series are popular too. The best practice for Wi-Fi will be to eventually use Wi-Fi HaLow for IoT devices, but support isn't widespread yet.
Thanks, was hoping to avoid VLANs as I’m not too familiar with them. I’ll be using Home Assistant, will I be able to integrate or use AI or Motion triggers from BI for HA? I did that years ago with Vera
 
. I’ll be using Home Assistant, will I be able to integrate or use AI or Motion triggers from BI for HA? I
Yeah, that will work fine. I'm using Blue Iris for my NVR, and have automations configured in both Home Assistant and Node-RED. Blue Iris can send MQTT events on alerts (i.e. when motion is detected), then Home Assistant and Node-RED can listen for that.

I think there's a Home Assistant custom component for Blue Iris, but I'm not using it. I just use iframes to UI3 to show cameras, and MQTT for doing things when alerts are triggered.
 
Thanks, was hoping to avoid VLANs as I’m not too familiar with them. I’ll be using Home Assistant, will I be able to integrate or use AI or Motion triggers from BI for HA? I did that years ago with Vera

VLANs are really not complicated, but do require network switches and routers that support them. If you have inexpensive consumer grade network equipment, you might not be able to utilize VLANs even if you wanted to.
 
Yeah, that will work fine. I'm using Blue Iris for my NVR, and have automations configured in both Home Assistant and Node-RED. Blue Iris can send MQTT events on alerts (i.e. when motion is detected), then Home Assistant and Node-RED can listen for that.

I think there's a Home Assistant custom component for Blue Iris, but I'm not using it. I just use iframes to UI3 to show cameras, and MQTT for doing things when alerts are triggered.
Got one more question - are you running Home Assistant and BI on the same PC? Or using a Raspberry Pi? Trying to figure out which route to go...
 
Regardless of my avatar, I'm not an employee of Hikvision, just a distributor of Hikvision equipment among other brands.

There's nothing online that's actually safe. This is more of a USA-China espionage prevention.

It's like saying, let's ban everything in Europe that the NSA has its hands on. And they have their hands on anything.

But we are often taught the USA are the good guys and China are the bad guys, so there's that.

There was a backdoor on Hikvision cams around 2017, and yes, a lot of them are still in use; that is indeed concerning, as well as the web attack watchfull_IP disclosed in 2021. But new equipment is as exploitable as anything else that has access to the internet.

Some exploits are disclosed, some are not; the same goes for any other brand there is, no matter how expensive it is. It just happens that Hikvision holds the biggest market around the globe, and by statistics it will be found sooner rather than later.

That's my 2 cents about it.
Thanks for sharing your perspective! I agree, no system is truly safe online. It’s more about managing risks, and geopolitical concerns definitely play a big role in shaping these narratives.
 
Not safe to buy Hikvision equipment since banned?
Depends. If you have wired cameras on a system not connected to the internet...nothing happens.

First, examine exactly WHY you need to be internet connected. If it's just to be notified you may be able to have an email sent with a still capture. Doesn't require any inward facing ports. If you want live video or management with open inward facing ports..that's where you'll get screwed. Maybe.