Remoting to Blue Iris PC from different VLAN?

mercfh
Nov 5, 2018
Is this possible? I have Blue Iris installed on a small Dell business-class PC. It's on the same VLAN and subnet as the cameras.

However, the Blue Iris PC needs to be tucked back into a closet (i.e. no monitor/keyboard/etc.). I figured "Oh well, I can just remote desktop to it from my other PCs/laptops (on a different VLAN)." However, that doesn't work. So I'm trying to figure out the best way to be able to check in on the Blue Iris PC without having to physically drag a monitor/keyboard/mouse over to it each time.

FWIW I'm using Ubiquiti gear (Switch/USG/AP).

thanks!
RDP won't work from a different VLAN unless you expose the RDP port to the net using a VPN and "remote" in.
You can use services like TeamViewer to do this - note that they will add a good amount of CPU overhead.
It depends on your firewall rules. Unless you create any, the EdgeRouter will happily route between any and all directly connected networks. I have my cameras and BI PC on VLAN 140. I have a set of firewall rules under VLAN140_IN that restrict devices on that VLAN from reaching other networks or the Internet. But I can easily reach INTO that VLAN from my other subnets. I haven't used a USG, but on the EdgeRouter, you can look at the packet counts against your firewall rules in real time. Try RDPing into BI and see what rule is racking up packets. You could add a rule above that to allow TCP3389 to pass through.
Hmmmm, are you using the generic Windows 10 RDP? Since that's what I'm using (and trying to connect via Microsoft RDP on OSX). The USG, I'd imagine, would be able to route them.
I actually don't use RDP in this case but I log into the web UI of each camera and the BI web UI. Start with the basics. Can you ping the BI PC from your other VLAN? Disable the Windows firewall on the BI PC and see if anything changes. It could be the Windows firewall blocking RDP.
Ah good point. Completely forgot about the Windows Firewall TBH.
 
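The two posts above amount to a checklist: confirm basic reachability from the other VLAN, then find out whether the Windows firewall on the Blue Iris PC is what drops RDP. The following PowerShell is an added example, not something posted in this thread or shipped by Blue Iris or Ubiquiti. It runs the same checks, but instead of switching the Windows firewall off it adds one inbound rule that admits TCP 3389 only from the subnet you remote from. The subnet 192.168.20.0/24 and the Blue Iris address 192.168.140.10 are constructed placeholders; substitute your own.

```powershell
# Added example (not from the thread). Steps 1-3 run in an elevated PowerShell on the Blue Iris PC;
# step 4 runs on the laptop/PC you are connecting from.
# Assumption: the machines you remote from live on 192.168.20.0/24 (placeholder, your management VLAN).
$ManagementSubnet = '192.168.20.0/24'

# 1. Confirm Remote Desktop itself is switched on (fDenyTSConnections = 0 means connections are allowed).
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections

# 2. Inspect the built-in RDP rules and the remote addresses they admit, rather than disabling the firewall
#    outright. A closet PC with no domain may classify the VLAN as a Public network, so check the Profile column.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Profile,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }

# 3. Add a single explicit rule: TCP 3389 inbound, only from the management subnet, on every profile.
#    This keeps the firewall on and limits the exception to the one subnet and the one service needed.
New-NetFirewallRule -DisplayName 'RDP from management VLAN' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ManagementSubnet -Profile Any -Action Allow

# 4. From the other VLAN, test the port and the path. A TCP test is more telling than ping, since ICMP and
#    TCP 3389 may be filtered differently; -TraceRoute shows whether packets reach the router at all.
Test-NetConnection -ComputerName 192.168.140.10 -Port 3389 -InformationLevel Detailed
Test-NetConnection -ComputerName 192.168.140.10 -TraceRoute
```

If step 4 shows TcpTestSucceeded as False while the trace route does reach the router's VLAN gateway, the drop is happening on the router or on the Windows host, and step 2 tells you which side to look at next. If the trace stops at the laptop's own gateway, the router is not forwarding between the two VLANs and the firewall rules there are the place to look.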
Hmmm, interesting. I would've expected traffic between VLANs to be blocked by default. But, you're saying default is inter VLAN routing allowed?
 
The Ubiquiti EdgeRouter is a router. Right out of the box it.....routes. So if you have physical interfaces and three virtual ones hanging off one of the physical ones, each on their own subnet, it will happily route between them all. People have gotten themselves in trouble when one of those interfaces is the WAN. They do have a setup wizard that will designate one of the ports as WAN and set up basic firewall rules to reject incoming traffic. But if you activate any additional physical interfaces or add any virtual interfaces, it's up to the user to make firewall rules to restrict the free flow of packets to/from it.
 
That's my point of confusion; perhaps it's simply not enough knowledge. On the Linksys LRT214 I first experimented with VLANs (but subsequently went to physically separate networks) there was a specific option to enable/disable inter-VLAN routing, and the default was disabled. It just seemed logical to me that if one was setting up VLANs the default would be to block traffic between them, not default to allow it. :idk:

Not intending to dispute what you say about that specific hardware because I don't have any experience with it. Just seemed odd to me that the default would be to allow inter-VLAN traffic, that's all, because I thought one of the main points of VLANs was isolation.
 
I'm sure different hardware has different defaults. VLANs can be used for isolation if the proper firewall rules are in place. They can also be used to have smaller broadcast domains, give one VLAN priority (like for VOIP), and other uses.
 
Awesome to know about it. Thanks!
I used LogMeIn free version for many years and then it became not free, actually quite pricey.
I had to quit using Team Viewer Quick Support for temp tech support sessions with customers (veterinarians with digital x-ray gear).
It seemed like half of them already had a full-time TeamViewer host session running from whatever vendor installed their equipment, and they usually don't know the password.
TeamViewer is also pricey but I had access to a partner's account.
It's good to know about less common services (especially free ones), little chance for that conflict.
 
I looked into Jump Desktop a little further.
I think it's the best solution I've ever heard of (admittedly have not ever looked around much).
It can connect to the old private standard VNC and RDP hosts, uses encryption, can use Google account for auth, super-low bandwidth / fast interaction.
Free-of-charge for Windows, $10 Android client...
I'll probably use it for my own personal stuff.
But for business I often need a "quick connect" host download for temporary customer tech support sessions.
 
I'll throw this in there in the 'keep it simple' category...

I have my cameras in a static IP block that I just made a block outbound firewall rule on the ER. Made port forwarding on the BI machine easier, and I can still access cameras via TinyCam on other devices.

Sent from my Pixel XL using Tapatalk
 
You should have no problems accessing between VLANs. It all depends on the firewall setup. I find Ubiquiti's router GUI very confusing coming from pfSense and SonicWall, but generally there is no deny between VLANs by default on any device I have used.

Curious about the switches etc.

Sent from my LG-LS997 using Tapatalk
 
If you allow traffic between the VLANs you defeat the entire purpose.
 
I'm not too experienced in networking, but what might work is to use a 2-port network card and plug one port into your cameras' VLAN and the other into your other VLAN. Then use your 'normal' VLAN to remote desktop and the other to send the camera feeds to Blue Iris.
 
Broadcast traffic. Unless restrictions between the VLANs were set up, there should be nothing by default blocking anything between the two.

If there are, you can allow an exception for a single IP/MAC and the services needed.

Sent from my LG-LS997 using Tapatalk
 