Remote access to BI while isolating from home network

[techierookie]

The idea is to be able to access the cameras remotely on my iPhone (via the BI app) while also isolating all cameras and BI server away from my home network. In the event of a worst case scenario, I want to ensure that if the BI server gets compromised, at least everything else on my home network won't be under threat.

Just wanted to check whether the below setup will work before I purchase the hardware required.

• Set up a BI server with dual NIC (NIC-A will have Internet access and NIC-B will not)
• Connect cameras to an unmanaged TP-link POE switch which then connects to NIC-B
• Assign static IP to all cameras with random gateway ranges
• Connect NIC-A to a VLAN port on the router (Dream Machine)

Questions:

1. Should I opt for a managed switch to connect the cameras and create an additional VLAN?
2. Should I add any necessary firewall rules on the router?
3. Rather than connecting NIC-A directly to the router, should I connect to the home switch (in a separate VLAN) which then connects to the router? Would this bottleneck the network?

 

[Holbs]

Your camera's are safe as they are on NIC-B, since they will be on different subnet. To make things clear for an example: main personal subnet network would be 192.168.0.x while the NIC-B camera subnet network would be 192.168.5.x
Unmanaged POE switch after NIC-B is fine, I did the same.
Yes, assign static IP to all cameras with random gateway in the camera GUI themselves but do leave 192.168.x.108 unused as that is the default IP for cams (at least for Dahua).
No need for managed switch after NIC-B.
Only additional firewall settings on your UDM is to setup rules to allow UI3 to talk between your main PC and Blue Iris PC, same for Remote Desktop or whatever you use for remote desktop usage.
Is ok to connect NIC-A to either your router or home switch. Depending on the switch in question and it's cpu/process power (I have Ubiquiti 48 port managed switch so I gots the POWER!), you should have no problems. Try it out. If no worky, plug directly into router.
If you figure out how to use the Ubiquiti's Radius VPN server, that would be great as I'm stuck with it

 

[bp2008]

1) No, your plan to connect NIC-A to a specific VLAN on the router should be fine.
2) Yes
3) Only if you wanted more devices on that VLAN which would otherwise consist of only your router and the BI machine.

do leave 192.168.x.108 unused as that is the default IP for cams (at least for Dahua).

The third byte isn't random or anything. It is always 192.168.1.108 for Dahua.

 

[Holbs]

1) No, your plan to connect NIC-A to a specific VLAN on the router should be fine.
2) Yes
3) Only if you wanted more devices on that VLAN which would otherwise consist of only your router and the BI machine.



The third byte isn't random or anything. It is always 192.168.1.108 for Dahua.

got a little too happy with my x's

 

[mikeynags]

The idea is to be able to access the cameras remotely on my iPhone (via the BI app) while also isolating all cameras and BI server away from my home network. In the event of a worst case scenario, I want to ensure that if the BI server gets compromised, at least everything else on my home network won't be under threat.

Just wanted to check whether the below setup will work before I purchase the hardware required.

• Set up a BI server with dual NIC (NIC-A will have Internet access and NIC-B will not)
• Connect cameras to an unmanaged TP-link POE switch which then connects to NIC-B
• Assign static IP to all cameras with random gateway ranges
• Connect NIC-A to a VLAN port on the router (Dream Machine)

Questions:

1. Should I opt for a managed switch to connect the cameras and create an additional VLAN?
2. Should I add any necessary firewall rules on the router?
3. Rather than connecting NIC-A directly to the router, should I connect to the home switch (in a separate VLAN) which then connects to the router? Would this bottleneck the network?

If your BI server gets compromised, your entire network(s) will be as well seeing as though the BI server will live on both your networks. The separation of the cameras is mainly to keep them from phoning home etc. types of things cameras do. Keep everything behind the VPN, block the cams from the Internet and you will cut the risk down dramatically.

 

[reflection]

3) yes if you want to apply firewall rules only for your BI machine and not the rest of your home subnet. This gives you some flexibility to lock down your BI a little more. For example, you might have a rule that only allows RDP to and from your home subnet. So if your BI server does get compromised, it won't have free access to your home subnet. To do this, your managed switch would have to support per VLAN ACLs or you routing everything through your router which does the inter-vlan routing and firewalling (or you can do what I do and virtualize BI which gives you even more flexibility).

 

[techierookie]

If your BI server gets compromised, your entire network(s) will be as well seeing as though the BI server will live on both your networks.

Would this also be the case even if I create a VLAN for one of the ports on the router and exclusively connect the BI Server to it?

I will be accessing the BI Server either physically on the PC itself or through TeamViewer.

 

[reflection]

Would this also be the case even if I create a VLAN for one of the ports on the router and exclusively connect the BI Server to it?

I will be accessing the BI Server either physically on the PC itself or through TeamViewer.

Yes, you would have more security. You still need to apply firewall rules for your BI subnet. This gives you some flexibility to lock down your BI a little more. For example, you might have a rule that only allows TeamViewer ports to and from your home subnet. So if your BI server does get compromised, it won't have free access to your home subnet. To do this, your managed switch would have to support per VLAN ACLs or you routing everything through your router which does the inter-vlan routing and firewalling (or you can do what I do and virtualize BI which gives you even more flexibility).