Physical switches and VLANs

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I have a limited understanding of VLANs, but based on the Ubiquiti configs I've been messing around with it APPEARS to me that if something is connected to a switch port and the PORT is assigned a VLAN, that regardless of any trickery, anything attached to that port will get tagged to the assigned VLAN.
Well, there are a couple of things to mention:
  • if you talk about a "port" on Ubiquiti: either you put a physical port in 1 vlan, which renders that physical port to that vlan, anything else you put behind it (even if the device "fakes" trunking/port tagging or any other jokes), it falls in that vlan. This does mean that you "might" lose physical ports against the "flexibility" of using vlans. This is of course a security versus manageability trade-off.
  • if you do enforce tagging on a physical port, you need to understand that IF anything behind that port "fakes" (forges?) a vlan, it can do whatever it wants IN that vlan. If that vlan can reach the internet, well, you get the idea.
  • BY DEFAULT, a VLAN is like a physically constructed LAN (with classic ethernet switches). This said: there is absolutely no OUT OF THE BOX routing! It's like stacking 2 switches on top of each other, without an interconnection. YOU define the routing (and now we are entering the debate: do you want a L2 router or a L3 switch) - which means that a vlan cannot out of the box "open" the internet for your vlan devices (eg cameras). Hence my "black hole vlan". It does what its name says it does.
  • that's why I explained above that it makes more sense to do the L2 switching on a switch than "forcing" a L3 capable router to do some "stupid" switching. MAC allocation tables in switches serve their purpose.

Someone had posted some crazy attempts by a camera to escape containment, I just can't ever find that thread on these forums to refer back against. But surely one of the more potentially insidious things to have to worry about is the camera being programmed to try and find a path out of the network.
I've seen that post too. And I know of other devices that spawn random MAC addresses, fork random "fake" DHCP leases, and even create docker instances on botnetted devices to bypass any firewall. The internet has changed a lot since 1992, it's better to be safe than sorry.

And don't forget the most important rule: you enforce the security you want, because in 10 years, everything on this forum is obsolete anyhow ;-)

Good luck!
CC
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
These crazy attempts to escape containment, random MAC addresses, etc... were they from no-name 3rd party cameras? I know Dahua cameras (all of which I have) had issues in their past about security. Would hope they learned and have a better rep nowadays.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
These crazy attempts to escape containment, random MAC addresses, etc... were they from no-name 3rd party cameras? I know Dahua cameras (all of which I have) had issues in their past about security. Would hope they learned and have a better rep nowadays.
If you feel "safer" driving in a Volvo because Volvo is a "safer" car? If a train crashes into a Volvo, it will be turned into rubble too. In other words: even knowing that Dahua cams might (or might not?) have a better reputation, I would not expose my other network devices to them. Is this paranoid? A bit, because who says that a "Synology" is "safer" than Dahua? Nobody can guarantee this! But ... it's a bit like in kindergarten: 1 kid might be heavenly, but put 2 bullies together, you'll get war. Better be safe than sorry: I prefer isolation to "cleaning up" a messy rubble.

My 2c.
CC
 

AP514

Pulling my weight
Joined
Dec 10, 2018
Messages
259
Reaction score
247
Location
Pearland, Texas
So what you are saying is that you can use Vlans to work as a break instead of 2 Nic's ??
But how do you keep the BI PC from letting out the traffic to the net if the PC has both Vlans enabled. If I went the Vlan route ??
Here are my 2 setups..I am working on the same problem as the OP is.....
1st is the Dual Nic......
2nd is BI PC with the 2 Vlans enabled to the PC.
IPCAM-Layout.png
IPCAM-Layout- VLAN.jpg
 

Kn10

Pulling my weight
Joined
Mar 27, 2020
Messages
103
Reaction score
133
Location
Australia
So what you are saying is that you can use Vlans to work as a break instead of 2 Nic's ??
But how do you keep the BI PC from letting out the traffic to the net if the PC has both Vlans enabled. If I went the Vlan route ??
Here are my 2 setups..I am working on the same problem as the OP is.....
1st is the Dual Nic......
2nd is BI PC with the 2 Vlans enabled to the PC.
So you do one or the other, but not both. Either the dual nic method, or the VLAN method if you have a managed switch.

The goal is to not have the potentially untrusted cameras talking directly to the internet. So VLAN 20 has no internet access.
But we trust the BI machine which does have access to the internet.

Both of your diagrams are correct for each method. But again, you choose one way or the other. A VLAN capable (managed) switch often costs more than a dumb switch and an extra nic. So depends on which way you want to go.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
So what you are saying is that you can use Vlans to work as a break instead of 2 Nic's ??
But how do you keep the BI PC from letting out the traffic to the net if the PC has both Vlans enabled. If I went the Vlan route ??
Here are my 2 setups..I am working on the same problem as the OP is.....
1st is the Dual Nic......
2nd is BI PC with the 2 Vlans enabled to the PC.
With @Kn10 above.

Another consideration: dual nic setup is easier to "setup": you simply create 2 TCPIP subnets on both ethernet adapters, your router does not require any setup. This implies that vlan setup is much more complex: you have to create each vlan, and your second diagram extending the two vlans to your bi pc EXPECTS your NIC to be vlan taggable (if not, you still need another NIC). There is still a third option: you leave your BI pc in vlan 10, BUT you create a routing rule that only VLAN10 with BI_PC_IP_ADDRESS can "enter" vlan_20. The latter does not require any "change" on your BI pc, but impacts "routing" of all video stream packages from your cameras towards your BI pc. It is an option though, but maybe not the best one. Flexibility wise, I'd suggest the latter: if you add, for example, a NAS in your garage, with the vlan based setup you can simply "re-use" any port on the switch and drop it in the required vlan (10).

Good luck!
CC
 

AP514

Pulling my weight
Joined
Dec 10, 2018
Messages
259
Reaction score
247
Location
Pearland, Texas
OK, I think I am getting closer to the setup I am looking for..this is the Switch I snipped from Ebay for $53.. IN this thread ( Got this POE+ Switch-Want to Test- Ideas )
All Ports are working Great and Tested. (Except for the SFP that was ripped out)

How would I find out/Test if my PC/Nic can handle the Vlan routing ? ?
UPDATE: I found this link about how to check if your NIC has Vlan tagging....How do I set a virtual local area network (VLAN) tag with my network card in Windows? | FAQ | StarTech.com
It looks like my Nic can only do 1 Vlan....:(

I also like the Router Rule Idea..but not clear(visualizing) how the routing goes on that...

As far as a NAS not sure I will be using One.. My BI PC has 3- 12TB HD(shucked) 2 are in Raid 1 with the 3rd as Long term storage. I figure once the Raid1 gets 80% full it will Dump to the 3rd.

Side Note: I just Received my 1st CAM IPC-3241T-zas from Andy today...Woot ! !
 

saltwater

Getting comfortable
Joined
Oct 6, 2019
Messages
485
Reaction score
630
Location
Melbourne, Australia
Is there a preference to physically having separate switches to serve different functions ie. CCTV, Normal Stuff and other stuff (you know I what I mean). I now have an opportunity to pick up a used UniFi US-48-750W 48 Port Gigabit Managed Switch PoE+ SFP+ for an attractive price. As new, it's not a device I would have considered purely for price reasons. If using this device there would be no need to purchase another switch, not in the short term at least or ever. Each port can be managed to turn off and on the POE features. I like the idea of one unit but then if it fails, for whatever reason, the whole system goes down. I read somewhere else in this forum someone setup two switches for their cameras and connected half their cameras to one switch and the other half to the other switch. If there is a failure then at least half the camera footage is retrievable. I'm now at the procrastinating stage of do I pick up this 48 port switch.
 

AP514

Pulling my weight
Joined
Dec 10, 2018
Messages
259
Reaction score
247
Location
Pearland, Texas
The reason I have 2 switches is.. My Garage is Detached (100' run) and I had no unused conduit to run my Cat 6 in. So, I ran a Fiber Cable(Non conductive-Fiber Cable can be run in conduit w/ 120V Wires) to the Garage.
This is where I have a second Switch.
As far as having only half my Cams go down at once...Not really worried about it. The chances are.....Slim (IMO)
 

AP514

Pulling my weight
Joined
Dec 10, 2018
Messages
259
Reaction score
247
Location
Pearland, Texas
I guess I will have to test my PC and the Vlan setup....but from what I have read my Nic can only do 1 Vlan.
So, It looks like the Dual NIC setup is the best way to go For Now.....

Thoughts or suggestions on how to...? ?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I guess I will have to test my PC and the Vlan setup....but from what I have read my Nic can only do 1 Vlan.
So, It looks like the Dual NIC setup is the best way to go For Now.....

Thoughts or suggestions on how to...? ?
"From what you read" is not the best scientific approach :) Open your Network Adapter settings: right click Network Center - choose "Change Adapter Options" - pick the Ethernet adapter where your cable is going into, right-click and pick "properties" - Press the "Configure" button and go into the "Advanced Tab". Search for something "vlan" alike (eg my intel shows: packetpriority&vlan). If you don't find it, have a quick google on the exact type, some (intel) network cards require some additional hocus pocus: Forums

But, like I wrote above, this does not necessarily mean you have to go dualNIC. You still have ample options:
  • either you put your BI pc completely in the IPC-cam-vlan. This means that all your cam traffic is directly exposed to the BI pc. No configuration required at all for this to happen. But you do need to create an (inter)vlan route that you, with your mobile, coming from VPN/home-wifi can reach the BI pc, and only on specific ports. Disadvantage: only if you are watching your BI video streams, then your router is doing "overtime".
  • either you put your BI pc completely in your "home" vlan, which makes it reachable for home-wifi without reconfiguration but you need to create an (inter)vlan route that your BI pc can reach all your cameras. Yet your router is doing overtime 24/7, as it needs to route all video footage all the time.

I personally would opt for the first.

If none of the options above are appealing to you, you can go the 2NIC setup, but then vlans might be an optional traject too.

Good luck!
CC
 

AP514

Pulling my weight
Joined
Dec 10, 2018
Messages
259
Reaction score
247
Location
Pearland, Texas
"From what you read" is not the best scientific approach :) Open your Network Adapter settings: right click Network Center - choose "Change Adapter Options" - pick the Ethernet adapter where your cable is going into, right-click and pick "properties" - Press the "Configure" button and go into the "Advanced Tab". Search for something "vlan" alike (eg my intel shows: packetpriority&vlan).

I already went into my PC..I found Vlan. So I can have a Vlan to my PC/Nic. (your PC/Nic is a lot newer than my old PC, mine just says Vlan)

If you don't find it, have a quick google on the exact type, some (intel) network cards require some additional hocus pocus: Forums

But, like I wrote above, this does not necessarily mean you have to go dualNIC. You still have ample options:
  • either you put your BI pc completely in the IPC-cam-vlan. This means that all your cam traffic is directly exposed to the BI pc. No configuration required at all for this to happen. But you do need to create an (inter)vlan route that you, with your mobile, coming from VPN/home-wifi can reach the BI pc, and only on specific ports. Disadvantage: only if you are watching your BI video streams, then your router is doing "overtime".
  • either you put your BI pc completely in your "home" vlan, which makes it reachable for home-wifi without reconfiguration but you need to create an (inter)vlan route that your BI pc can reach all your cameras. Yet your router is doing overtime 24/7, as it needs to route all video footage all the time.

I personally would opt for the first.

I like option 1 also....
1) My PC is dedicated to just BI..
2) I found my PC/MB -Nic can do Vlan
3) Not spooled up on how to set up InterVlans.....(More reading required) Setting up an interVlan will keep the cams away from the net ?? Phoning home ??


If none of the options above are appealing to you, you can go the 2NIC setup, but then vlans might be an optional traject too.

Good luck!
CC
Thanks for the info and Help....I will mull over this info and be posting More Questions soon :thumbdown:
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Thanks for the info and Help....I will mull over this info and be posting More Questions soon :thumbdown:
Setting up an (inter)vlan routing is as easy as a firewalling rule. Depending on your router, this can be easy or difficult. I employ an EdgeRouter X from Ubiquiti, it has a really sophisticated firewalling system:

In which you can define which device(s) can pass in & out each vlan/segment/WAN|ISP. Which means that you can indeed prevent cams from phoning home, but you, from your "trusted" devices, can join that vlan. Keep in mind that your BI pc will be "treated" as a camera too, so you'll have to work your way around updating services (eg Windowsupdate, antivirus, .. ).

Good luck and happy reading!
CC
 

AP514

Pulling my weight
Joined
Dec 10, 2018
Messages
259
Reaction score
247
Location
Pearland, Texas
Keep in mind that your BI pc will be "treated" as a camera too, so you'll have to work your way around updating services (eg Windowsupdate, antivirus, .. ).
Now that is the Key......and how to go about it is the hard part..
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Now that is the Key......and how to go about it is the hard part..
I understand your feelings, but especially on Ubiquiti, it's not that hard at all. Either you do it the "easy" way: you simply "whitelist" your IP of your BI pc altogether, then it can freewheel to the WAN interface. OR, alternatively, you'll put the firewall in "logging" mode, and you look closely which ports are required for (eg antivirus update) and you only allow, on the BI PC IP and specific ports, some outbound communications.

Good luck!
CC
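The "logging mode" approach described in the post above, as an added example that is not part of the original post: it reads firewall log lines and lists which protocol/port pairs the BI PC actually used toward the WAN, plus any other host (such as a camera) that tried to get out. The log lines are constructed and trimmed to the key=value layout of Linux netfilter LOG output; the addresses, interface names and rule prefix are assumptions.

```python
import re
from collections import defaultdict

BI_PC_IP = "192.168.20.10"   # constructed address for the Blue Iris PC
WAN_IF = "eth0"              # assumed name of the WAN interface

# Constructed sample log (not from the thread), netfilter LOG style, trimmed.
SAMPLE_LOG = """\
Jun  1 02:00:01 gw kernel: [CAM_OUT-10-A]IN=eth1.20 OUT=eth0 SRC=192.168.20.10 DST=203.0.113.10 PROTO=TCP SPT=50122 DPT=443
Jun  1 02:00:03 gw kernel: [CAM_OUT-10-A]IN=eth1.20 OUT=eth0 SRC=192.168.20.10 DST=203.0.113.11 PROTO=TCP SPT=50124 DPT=443
Jun  1 02:00:09 gw kernel: [CAM_OUT-10-A]IN=eth1.20 OUT=eth0 SRC=192.168.20.10 DST=198.51.100.53 PROTO=UDP SPT=61001 DPT=53
Jun  1 02:01:15 gw kernel: [CAM_OUT-10-A]IN=eth1.20 OUT=eth0 SRC=192.168.20.21 DST=198.51.100.77 PROTO=UDP SPT=40000 DPT=32100
Jun  1 02:02:00 gw kernel: [CAM_OUT-10-A]IN=eth1.20 OUT=eth1.10 SRC=192.168.20.10 DST=192.168.10.5 PROTO=TCP SPT=81 DPT=51000
Jun  1 02:03:00 gw kernel: [CAM_OUT-10-A]IN=eth1.20 OUT=eth0 SRC=192.168.20.10 DST=203.0.113.10 PROTO=ICMP TYPE=8 CODE=0
"""

KV = re.compile(r"\b([A-Z]+)=(\S*)")


def wan_outbound(log_text):
    """Map source IP -> {(proto, dport): set of destinations} for WAN-bound packets."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        f = dict(KV.findall(line))
        if f.get("OUT") != WAN_IF or "SRC" not in f or "DST" not in f:
            continue  # not a logged packet, or inter-VLAN rather than WAN traffic
        # ICMP entries carry no DPT field, so the port is recorded as None.
        dport = int(f["DPT"]) if f.get("DPT", "").isdigit() else None
        seen[f["SRC"]][(f.get("PROTO", "?"), dport)].add(f["DST"])
    return seen


def allowlist_candidates(log_text, host=BI_PC_IP):
    """Protocol/port pairs the BI PC used; review these before writing allow rules."""
    flows = wan_outbound(log_text).get(host, {})
    return sorted(flows, key=lambda k: (k[0], k[1] or 0))


def other_talkers(log_text, host=BI_PC_IP):
    """Hosts other than the BI PC that tried to reach the WAN (e.g. cameras)."""
    return sorted(ip for ip in wan_outbound(log_text) if ip != host)


if __name__ == "__main__":
    print("BI PC outbound:", allowlist_candidates(SAMPLE_LOG))
    print("Other hosts trying the WAN:", other_talkers(SAMPLE_LOG))
```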
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
Even though I am trying to learn my way around VLANs, I continue to recommend the simpler approach (dual nic) for most general users (even though I hope to be confident in the VLAN approach someday). Some people just won't have the time to spend trying to get it right, and doing things wrong will lead to a less secure setup/broken than if you hadn't tried it.

Not that either way is technically "better", imho, but one is definitely simpler.

I think the real strength in the VLAN approach is having your network devices mixed on switches without home-runs for all your networking. (i.e. in your garage if you had trusted + IOT + cameras... each could be hooked to the same home run cable and VLAN would still segregate traffic).

However, a real strength of dual-nic is that ALL your camera traffic will always be routed on a separate network and network card (and it's extraordinarily hard to do it wrong and have poor security), and never have to pass through your router or get crammed down the same pipe as your other traffic.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Even though I am trying to learn my way around VLANs, I continue to recommend the simpler approach (dual nic) for most general users (even though I hope to be confident in the VLAN approach someday). Some people just won't have the time to spend trying to get it right, and doing things wrong will lead to a less secure setup/broken than if you hadn't tried it.

Not that either way is technically "better", imho, but one is definitely simpler.

I think the real strength in the VLAN approach is having your network devices mixed on switches without home-runs for all your networking. (i.e. in your garage if you had trusted + IOT + cameras... each could be hooked to the same home run cable and VLAN would still segregate traffic).

However, a real strength of dual-nic is that ALL your camera traffic will always be routed on a separate network and network card (and it's extraordinarily hard to do it wrong and have poor security), and never have to pass through your router or get crammed down the same pipe as your other traffic.
I agree. My first foray into Blue Iris computer and IP cameras, I had the 2nd NIC setup and it worked great. Would recommend that method for majority of networks.
In my instance, I "acquired" a Ubiquiti 48port POE+ switch at a local auction for 80% off retail. Couldn't pass it up.
In my even rarer instance, I needed to learn subnet & VLANs regardless of IP cams due to learning how to setup a IOT network, Home Automation network, guest network, yadaa yadaa yadaa.
 

reflection

Getting comfortable
Joined
Jan 28, 2020
Messages
348
Reaction score
261
Location
Virginia
If your switch supports these features, here's another way.

This would be a whitelist approach.

1. One NIC for your BI.
2. Define a static MAC on the ports of the POE cameras (switchport port-security mac-address <XXXX>).
3. Make sure you limit the POE switch ports to only have one MAC (switchport port-security maximum 1). The default is 1 on a Cisco switch.
4. Create a MAC filter that only allows the Camera MAC to talk to the BI MAC. All other MACs to/from each camera are dropped (including camera to camera). Also only allow ethertypes for IPv4 (0x0800) and ARP (0x0806).
5. Create an IP filter that only allows the appropriate ports/protocols for the camera to BI communication. All other ports/protocols to/from are dropped.

No need for dual NICs or VLANs. Your Cameras will only be allowed to talk to BI. A compromised camera will not be able to change its MAC address (and expect to communicate). A compromised camera will not be able to "infect" other cameras directly. It might be able to spawn processes on random ports but no one will listen. No vlan hopping. You would micro-segment each camera.

If you did a VLAN or dual NIC design, you are still not micro-segmenting your cameras. For example, let's say you updated one camera with bad firmware and your other cameras had a vulnerability or backdoor. In theory the infected camera could spread laterally and brick all your other cameras. This would be analogous to WannaCry or NotPetya spreading via a Microsoft SMB vulnerability (look up Eternalblue).
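The five-step whitelist from the post above, modelled as an added example that is not part of the original post and is not switch configuration: it applies the checks in order to frames arriving on a camera port and reports which stage drops each one. All MAC and IP addresses, the port numbers and the allowed camera services (HTTP 80 and RTSP 554) are constructed assumptions.

```python
from dataclasses import dataclass

ETH_IPV4, ETH_ARP = 0x0800, 0x0806

# Constructed sample values (assumptions, not from the thread).
BI_MAC, BI_IP = "02:00:00:00:00:01", "192.168.20.10"
PORT_MAC = {1: "02:00:00:00:00:c1", 2: "02:00:00:00:00:c2"}  # steps 2-3
CAMERA_TCP_SERVICES = {80, 554}  # step 5, assumed: HTTP and RTSP only


@dataclass
class Frame:
    in_port: int          # switch port the frame arrived on
    src_mac: str
    dst_mac: str
    ethertype: int
    dst_ip: str = ""      # IPv4 fields, unused for ARP
    proto: str = ""
    src_port: int = 0


def verdict(f: Frame) -> str:
    """Return 'permit' or 'drop:<stage>' for a frame entering a camera port."""
    # Steps 2-3: port-security, exactly one known MAC per port.
    if PORT_MAC.get(f.in_port) != f.src_mac.lower():
        return "drop:port-security"
    # Step 4: only IPv4 and ARP ethertypes.
    if f.ethertype not in (ETH_IPV4, ETH_ARP):
        return "drop:ethertype"
    # Step 4: a camera may address only the BI MAC (no peers, no broadcast).
    if f.dst_mac.lower() != BI_MAC:
        return "drop:mac-filter"
    if f.ethertype == ETH_ARP:
        return "permit"
    # Step 5: IPv4 must be a reply from an allowed camera service to BI.
    if f.dst_ip != BI_IP or f.proto != "tcp" or f.src_port not in CAMERA_TCP_SERVICES:
        return "drop:ip-filter"
    return "permit"


def sample_frames():
    """Constructed frames: two legitimate, four that the whitelist should drop."""
    cam1, cam2 = PORT_MAC[1], PORT_MAC[2]
    return {
        "rtsp_reply": Frame(1, cam1, BI_MAC, ETH_IPV4, BI_IP, "tcp", 554),
        "arp_reply": Frame(1, cam1, BI_MAC, ETH_ARP),
        "cam_to_cam": Frame(1, cam1, cam2, ETH_IPV4, "192.168.20.22", "tcp", 554),
        "spoofed_mac": Frame(1, "02:00:00:00:00:99", BI_MAC, ETH_IPV4, BI_IP, "tcp", 554),
        "ipv6": Frame(1, cam1, BI_MAC, 0x86DD),
        "random_port": Frame(1, cam1, BI_MAC, ETH_IPV4, BI_IP, "tcp", 4444),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        print(f"{name:12} {verdict(frame)}")
```

Because the MAC filter is strict, a camera's own broadcast ARP request is dropped in this model; only replies addressed to the BI MAC pass.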
 