Remoting to Blue Iris PC from different VLAN?

mercfh

Is this possible? I have Blue Iris installed on a small Dell Business class PC. It's on the same VLAN and subnet as the cameras.

However, the Blue Iris PC needs to be tucked back into a closet (i.e., no monitor/keyboard/etc.). I figure "Oh well, I can just remote desktop to it from my other PCs/laptops (on a different VLAN)". However, that doesn't work. So I'm trying to figure out the best way to be able to check in on the Blue Iris PC without having to physically drag a monitor/keyboard/mouse over to it each time.

FWIW I'm using Ubiquiti gear (Switch/USG/AP)

thanks!
 

fenderman

> Is this possible? I have Blue Iris installed on a small Dell Business class PC. It's on the same VLAN and subnet as the cameras.
>
> However, the Blue Iris PC needs to be tucked back into a closet (i.e., no monitor/keyboard/etc.). I figure "Oh well, I can just remote desktop to it from my other PCs/laptops (on a different VLAN)". However, that doesn't work. So I'm trying to figure out the best way to be able to check in on the Blue Iris PC without having to physically drag a monitor/keyboard/mouse over to it each time.
>
> FWIW I'm using Ubiquiti gear (Switch/USG/AP)
>
> thanks!

RDP won't work from a different VLAN unless you expose the RDP port to the net using VPN and "remote" in.
You can use services like TeamViewer to do this - note that they will add a good amount of CPU overhead.
 

Mr_D

It depends on your firewall rules. Unless you create any, the EdgeRouter will happily route between any and all directly connected networks. I have my cameras and BI PC on VLAN 140. I have a set of firewall rules under VLAN140_IN that restrict devices on that VLAN from reaching other networks or the Internet. But I can easily reach INTO that VLAN from my other subnets. I haven't used a USG, but on the EdgeRouter, you can look at the packet counts against your firewall rules in real time. Try RDPing into BI and see what rule is racking up packets. You could add a rule above that to allow TCP3389 to pass through.
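
The one-directional rule set described in the post above, modelled as an added example (not code or configuration from the thread or from Ubiquiti). The subnets, host addresses, rule numbers and the `LAN_IN_*` rule sets are constructed assumptions, and the model covers routed traffic only, not traffic that stays inside one VLAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

CAM_NET = ip_network("192.168.140.0/24")   # constructed: VLAN 140, cameras + BI PC
LAN_NET = ip_network("192.168.1.0/24")     # constructed: workstation VLAN
BI_PC, LAPTOP, CAMERA = "192.168.140.10", "192.168.1.50", "192.168.140.21"

@dataclass(frozen=True)
class Rule:
    action: str                      # "accept" or "drop"
    states: tuple                    # connection states the rule matches
    dst: str = "0.0.0.0/0"           # destination network
    dport: Optional[int] = None      # None matches any port

def evaluate(rules, state, dst, dport):
    """First matching rule wins, lowest number first; returns (action, rule number)."""
    for number in sorted(rules):
        r = rules[number]
        if (state in r.states and ip_address(dst) in ip_network(r.dst)
                and r.dport in (None, dport)):
            return r.action, number
    return "accept", None            # nothing matched: the router simply routes

def ruleset_for(addr, rulesets):
    """Pick the inbound rule set of the interface the packet arrives on."""
    for net, rules in rulesets.items():
        if ip_address(addr) in net:
            return rules
    return {}                        # interface with no rule set attached

def session(src, dst, dport, rulesets):
    """The opening packet is checked on the initiator's interface, the reply on the
    responder's. Returns (works, rule hit by opening packet, rule hit by reply)."""
    fwd, fwd_rule = evaluate(ruleset_for(src, rulesets), "new", dst, dport)
    if fwd == "drop":
        return False, fwd_rule, None
    back, back_rule = evaluate(ruleset_for(dst, rulesets), "established", src, None)
    return back == "accept", fwd_rule, back_rule

# The camera VLAN may answer sessions opened elsewhere but may not start any.
VLAN140_IN = {10: Rule("accept", ("established", "related")),
              20: Rule("drop", ("new",))}
# Constructed case: the workstation side drops traffic to the camera VLAN until
# an exception for RDP to the BI PC is placed above the drop rule.
LAN_IN_BLOCKED = {20: Rule("drop", ("new",), str(CAM_NET))}
LAN_IN_FIXED = {15: Rule("accept", ("new",), BI_PC + "/32", 3389), **LAN_IN_BLOCKED}

if __name__ == "__main__":
    for name, lan in (("no LAN rules", {}), ("blocked", LAN_IN_BLOCKED), ("fixed", LAN_IN_FIXED)):
        rs = {CAM_NET: VLAN140_IN, LAN_NET: lan}
        print(name, "| RDP in:", session(LAPTOP, BI_PC, 3389, rs),
              "| camera out:", session(CAMERA, LAPTOP, 445, rs))
```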
 

mercfh

Hmmmm, are you using the generic Windows 10 RDP? Since that's what I'm using (and trying to connect via Microsoft RDP on OSX). The USG I'd imagine would be able to route them.
 

Mr_D

> Hmmmm, are you using the generic Windows 10 RDP? Since that's what I'm using (and trying to connect via Microsoft RDP on OSX). The USG I'd imagine would be able to route them.

I actually don't use RDP in this case but I log into the web UI of each camera and the BI web UI. Start with the basics. Can you ping the BI PC from your other VLAN? Disable the Windows firewall on the BI PC and see if anything changes. It could be the Windows firewall blocking RDP.
 

mercfh

> I actually don't use RDP in this case but I log into the web UI of each camera and the BI web UI. Start with the basics. Can you ping the BI PC from your other VLAN? Disable the Windows firewall on the BI PC and see if anything changes. It could be the Windows firewall blocking RDP.

Ah good point. Completely forgot about the Windows Firewall TBH.
 

Whoaru99

Hmmm, interesting. I would've expected traffic between VLANs to be blocked by default. But, you're saying default is inter VLAN routing allowed?
 

Mr_D

> Hmmm, interesting. I would've expected traffic between VLANs to be blocked by default. But, you're saying default is inter VLAN routing allowed?

The Ubiquiti EdgeRouter is a router. Right out of the box it.....routes. So if you have physical interfaces and three virtual ones hanging off one of the physical ones, each on their own subnet, it will happily route between them all. People have gotten themselves in trouble when one of those interfaces is the WAN. They do have a setup wizard that will designate one of the ports as WAN and set up basic firewall rules to reject incoming traffic. But if you activate any additional physical interfaces or add any virtual interfaces, it's up to the user to make firewall rules to restrict the free flow of packets to/from it.
 

Whoaru99

That's my point of confusion, perhaps it's simply not enough knowledge. On the Linksys LRT214 I first experimented with VLAN (but subsequently went to physically separate networks) there was a specific option to enable/disable inter VLAN routing and the default was disabled. It just seemed logical to me that if one was setting up VLANs the default would be to block traffic between, not default to allow it.

Not intending to dispute what you say about that specific hardware because I don't have any experience with it. Just seemed odd to me default would be to allow inter VLAN, that's all, because I thought one of the main points about VLAN was for isolation.
 

Mr_D

> That's my point of confusion, perhaps it's simply not enough knowledge. On the Linksys LRT214 I first experimented with VLAN (but subsequently went to physically separate networks) there was a specific option to enable/disable inter VLAN routing and the default was disabled. It just seemed logical to me that if one was setting up VLANs the default would be to block traffic between, not default to allow it.
>
> Not intending to dispute what you say about that specific hardware because I don't have any experience with it. Just seemed odd to me default would be to allow inter VLAN, that's all, because I thought one of the main points about VLAN was for isolation.

I'm sure different hardware has different defaults. VLANs can be used for isolation if the proper firewall rules are in place. They can also be used to have smaller broadcast domains, give one VLAN priority (like for VOIP), and other uses.
 

Martin Paul Sr

What @fenderman said.
Run a web-based remote access program.
If you don't want to pay for TeamViewer, there is another service called ConnectWise Control that still offers free accounts for small users.
Three hosts max, one connection at a time.
 

Martin Paul Sr

Awesome to know about it. Thanks...!
I used LogMeIn free version for many years and then it became not free, actually quite pricey.
I had to quit using TeamViewer Quick Support for temp tech support sessions with customers (veterinarians with digital x-ray gear).
It seemed like half of them already had a full-time TeamViewer host session running from whatever vendor installed their equipment, and they usually don't know the password.
TeamViewer is also pricey but I had access to a partner's account.
It's good to know about less common services (especially free ones), little chance for that conflict.
 

Martin Paul Sr

I looked into Jump Desktop a little further.
I think it's the best solution I've ever heard of (admittedly have not ever looked around much).
It can connect to the old private standard VNC and RDP hosts, uses encryption, can use Google account for auth, super-low bandwidth / fast interaction.
Free-of-charge for Windows, $10 Android client...
I'll probably use it for my own personal stuff.
But for business I often need a "quick connect" host download for temporary customer tech support sessions.
 
Joined
Mar 1, 2016
Messages
18
Reaction score
10
I'll throw this in there in the 'keep it simple' category...

I have my cameras in a static IP block that I just made a block outbound firewall rule on the ER. Made port forwarding on the BI machine easier, and I can still access cameras via TinyCam on other devices.

Sent from my Pixel XL using Tapatalk
 

awahl101

You should have no problems accessing between VLANs. It all depends on the firewall setup. I find Ubiquiti's router GUI very confusing coming from pfSense and SonicWall. But generally there is no deny between VLANs by default on any device I have used.

Curious about the switches etc.

Sent from my LG-LS997 using Tapatalk
 

fenderman

> You should have no problems accessing between VLANs. It all depends on the firewall setup. I find Ubiquiti's router GUI very confusing coming from pfSense and SonicWall. But generally there is no deny between VLANs by default on any device I have used.
>
> Curious about the switches etc.
>
> Sent from my LG-LS997 using Tapatalk

If you allow traffic between the VLANs you defeat the entire purpose.
 

Dahuacamcctv

I'm not too experienced in networking but what might work is to use a 2 port network card and plug one into your cameras' VLAN and the other into your other VLAN. Then use your 'normal' VLAN to remote desktop and the other to send the camera feeds to Blue Iris.
 

awahl101

> If you allow traffic between the VLANs you defeat the entire purpose.

Broadcast traffic, unless restrictions between the VLANs were set up there should be none by default blocking anything between the two.

If there are, you can allow an exception for a single IP/MAC and the services needed.

Sent from my LG-LS997 using Tapatalk
 