Remoting to Blue Iris PC from different VLAN?

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
broadcast traffic; unless restrictions between the VLANs were set up, there should be none by default blocking anything between the two.

If there are, you can allow an exception for a single IP/MAC and the services needed.

Sent from my LG-LS997 using Tapatalk
If you allow traffic to pass through, the VLAN is pointless unless you have OCD and want distinct subnets. Once you allow a device or service through, you have defeated the purpose. There is now a path between the two.
 

Mike

Staff member
Joined
Mar 9, 2014
Messages
2,982
Reaction score
2,727
Location
New York
I have been using Jump Desktop for about 7 or so years now and love it. I also install it on client BI machines.
 
Joined
Mar 1, 2016
Messages
20
Reaction score
12
If you allow traffic between the VLANs, you defeat the entire purpose.
Yup. Not sure if the OP is even still looking for a solution, but I will point out that TeamViewer is free for personal use. At least this week.

If you have the ports, you can ditch the separate (redundant) subnets, disable inter-VLAN routing, block the camera VLAN from the WAN, and create a single port with both VLANs for the BI PC.

Sent from my Pixel XL using Tapatalk
 
Joined
Mar 3, 2019
Messages
14
Reaction score
4
Location
Georgia, USA
If you allow traffic between the VLANs, you defeat the entire purpose.
This is not correct. Yes, VLANs are a part of security, but permitting certain VLANs to speak to one another is not defeating the purpose. For example, in our corporate environment we have VLANs for various departments. Some of those VLANs are blocked from each other and restricted to only their VLANs. Yet other VLANs allow certain traffic to pass from another VLAN and vice versa, etc. This is standard network practice.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
This is not correct. Yes, VLANs are a part of security, but permitting certain VLANs to speak to one another is not defeating the purpose. For example, in our corporate environment we have VLANs for various departments. Some of those VLANs are blocked from each other and restricted to only their VLANs. Yet other VLANs allow certain traffic to pass from another VLAN and vice versa, etc. This is standard network practice.
Once you allow traffic through, you have provided an attack vector. The entire point of setting up the VLAN is to completely isolate the IP cameras; you have now punched a hole in that protection. You need to reevaluate your standard practices.
 

Mr_D

Getting comfortable
Joined
Nov 17, 2017
Messages
596
Reaction score
527
Location
Southern California
Once you allow traffic through, you have provided an attack vector. The entire point of setting up the VLAN is to completely isolate the IP cameras; you have now punched a hole in that protection.
That's a little like saying that once you allow anything through a firewall, you've defeated its purpose. Great. Now I can't access the Internet but I sure am safe. VLANs' primary purpose is to consolidate switches and switch ports by segmenting traffic at layer 2. When combined with properly written firewall rules at layer 3, the admin can restrict or permit the flow of traffic between network segments while maintaining security.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
That's a little like saying that once you allow anything through a firewall, you've defeated its purpose. Great. Now I can't access the Internet but I sure am safe. VLANs' primary purpose is to consolidate switches and switch ports by segmenting traffic at layer 2. When combined with properly written firewall rules at layer 3, the admin can restrict or permit the flow of traffic between network segments while maintaining security.
It is impossible to maintain the security once you allow data to flow between them.
 
Joined
Mar 3, 2019
Messages
14
Reaction score
4
Location
Georgia, USA
Once you allow traffic through, you have provided an attack vector. The entire point of setting up the VLAN is to completely isolate the IP cameras; you have now punched a hole in that protection. You need to reevaluate your standard practices.
I think Mr_D put it perfectly: there must be a balance of firewall rules and accessibility. I've isolated my IP cameras and Blue Iris box from the rest of my network via VLAN; the IP cameras do not even have internet access, with the exception of NTP through the firewall to allow time updates. My IP cameras as well as Blue Iris box are restricted to that VLAN, and only Blue Iris has internet access, for updates and so I can view cameras remotely. My cell phone and laptop are on another VLAN (via WiFi), but even that VLAN is restricted to just those two devices, as the VLAN is assigned via FreeRADIUS in pfSense. Now that VLAN has access to the IP cameras as well as the Blue Iris box, but not the other way around. As I said, and I'm sure others will agree, this is standard practice.
 
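The policy in the post above, modelled as a stateful first-match rule table so the "not the other way around" point can be checked packet by packet. This is a constructed example added here, not any poster's configuration; the subnets, addresses and port numbers are assumptions, and pfSense's real rule engine (pf) is being approximated, not reproduced.

```python
"""Stateful first-match model of the VLAN policy in the thread (constructed example)."""
import ipaddress

CAMS = ipaddress.ip_network("10.0.20.0/24")      # cameras + Blue Iris box (assumed)
TRUSTED = ipaddress.ip_network("10.0.30.0/24")   # phone + laptop, RADIUS-assigned (assumed)
FW_NTP = ipaddress.ip_address("10.0.20.1")       # firewall interface serving NTP (assumed)
BI_BOX = ipaddress.ip_address("10.0.20.10")      # Blue Iris PC (assumed)
LOCAL = (CAMS, TRUSTED)

# (name, source, destination, proto, dest port, action); first match wins.
RULES = [
    ("cams-ntp",     CAMS,    FW_NTP, "udp", 123,  "pass"),   # time sync only
    ("bi-internet",  BI_BOX,  "inet", "any", None, "pass"),   # BI updates / remote view
    ("cams-default", CAMS,    "any",  "any", None, "block"),  # cameras go nowhere else
    ("trusted-cams", TRUSTED, CAMS,   "any", None, "pass"),   # phone/laptop -> cams + BI
    ("trusted-inet", TRUSTED, "inet", "any", None, "pass"),
]

def _match(sel, addr):
    if sel == "any":
        return True
    if sel == "inet":                      # anything outside the local subnets
        return not any(addr in net for net in LOCAL)
    if isinstance(sel, ipaddress.IPv4Network):
        return addr in sel
    return addr == sel

class StatefulFirewall:
    """Replies to a permitted flow pass on state; new flows must match a rule."""
    def __init__(self, rules):
        self.rules = rules
        self.states = set()                # (src, sport, dst, dport, proto)

    def decide(self, src, dst, proto, sport, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (dst, dport, src, sport, proto) in self.states:
            return "pass (state)"          # reverse direction of an existing flow
        for name, s, d, p, port, action in self.rules:
            if (_match(s, src) and _match(d, dst)
                    and p in ("any", proto) and port in (None, dport)):
                if action == "pass":
                    self.states.add((src, sport, dst, dport, proto))
                return f"{action} ({name})"
        return "block (default)"           # implicit deny

if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print(fw.decide("10.0.20.50", "10.0.30.5", "tcp", 40001, 445))  # block (cams-default)
```

A camera can answer a laptop's RTSP session because the laptop created the state, but a connection the camera initiates toward the trusted VLAN or the internet hits `cams-default` and is dropped.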

Mr_D

Getting comfortable
Joined
Nov 17, 2017
Messages
596
Reaction score
527
Location
Southern California
I think Mr_D put it perfectly: there must be a balance of firewall rules and accessibility. I've isolated my IP cameras and Blue Iris box from the rest of my network via VLAN; the IP cameras do not even have internet access, with the exception of NTP through the firewall to allow time updates. My IP cameras as well as Blue Iris box are restricted to that VLAN, and only Blue Iris has internet access, for updates and so I can view cameras remotely. My cell phone and laptop are on another VLAN (via WiFi), but even that VLAN is restricted to just those two devices, as the VLAN is assigned via FreeRADIUS in pfSense. Now that VLAN has access to the IP cameras as well as the Blue Iris box, but not the other way around. As I said, and I'm sure others will agree, this is standard practice.
I have a similar setup, except I run nettime on the BI PC for serving NTP to the cameras, so they have no access to my other subnets or the Internet.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,903
Reaction score
21,275
I think Mr_D put it perfectly: there must be a balance of firewall rules and accessibility. I've isolated my IP cameras and Blue Iris box from the rest of my network via VLAN; the IP cameras do not even have internet access, with the exception of NTP through the firewall to allow time updates. My IP cameras as well as Blue Iris box are restricted to that VLAN, and only Blue Iris has internet access, for updates and so I can view cameras remotely. My cell phone and laptop are on another VLAN (via WiFi), but even that VLAN is restricted to just those two devices, as the VLAN is assigned via FreeRADIUS in pfSense. Now that VLAN has access to the IP cameras as well as the Blue Iris box, but not the other way around. As I said, and I'm sure others will agree, this is standard practice.
The most secure way to do this is simply to access the BI box from the WAN via VPN.
 
Joined
Mar 3, 2019
Messages
14
Reaction score
4
Location
Georgia, USA
The most secure way to do this is simply to access the BI box from the WAN via VPN.
Yup, that's one good way. I do that, and I can access the BI web UI using the STunnel package in pfSense. BI has one-way internet access, except through the STunnel port, which is used to encrypt the video stream. I have commercially signed certs as well. I try to harden the network as best I can, but nothing is "hack" proof. I also used an SSH SOCKS proxy at one point, but I'm sure there are several ways people have done this.
 