Step one complete, on to step two

J

JRdabbler

n3wb
Mar 8, 2022
23
11
Arizona
Hello again everyone! With a lot of help from my previous thread, I’ve got a hold of a pc to run my blue iris and my first camera, a empiretech ‎IPC-T5442T-ZE.

I was hoping to get a little guidance on how to properly set up my camera and my network. I’m running a ubiquiti udm, and a ubiquiti 24 poe switch. I want to make sure that my cameras are properly prevented from phoning home, and or becoming a vulnerability. Any write ups or reading material would be greatly appreciated.
Thanks.
 
Simplest thing to do is to have two NICs in your BI computer - one NIC is where you connect everything camera related and have it on an IP address that isn't the same as your internet IP address. Then the other NIC is used to connect your BI computer to a component in your system with Internet.

Or you VLAN your system.

Lot's of options. May be other options with the Ubiquiti setup.
 
wittaj said:
Simplest thing to do is to have two NICs in your BI computer - one NIC is where you connect everything camera related and have it on an IP address that isn't the same as your internet IP address. Then the other NIC is used to connect your BI computer to a component in your system with Internet.

Or you VLAN your system.

Lot's of options. May be other options with the Ubiquiti setup.
Click to expand...
I read a bit on the dual nic set up, i might be mistaken, but I gathered that a dedicated poe switch would be used strictly for the cameras. Didn’t plan for this, not interested in buying a dedicated switch. I’ll see if I can study up on vlans
 
Yes, you should use a dedicated POE switch regardless. The difference is do you get a managed one that you have to program to VLAN, or get an unmanaged one (cheaper) and plug all the cameras into it and then a cable from that to the 2nd NIC in the BI computer. Or you have a POE switch that everything goes into and then another switch that is a router to VLAN it.

Dual NIC is easier and cheaper than VLAN. Unless you have a router or switch already with VLAN capabilities, then you are buying another $80+ device, versus a $15ish NIC.
 
wittaj said:
Yes, you should use a dedicated POE switch regardless. The difference is do you get a managed one that you have to program to VLAN, or get an unmanaged one (cheaper) and plug all the cameras into it and then a cable from that to the 2nd NIC in the BI computer. Or you have a POE switch that everything goes into and then another switch that is a router to VLAN it.

Dual NIC is easier and cheaper than VLAN. Unless you have a router or switch already with VLAN capabilities, then you are buying another $80+ device, versus a $15ish NIC.
Click to expand...
Oh hell, I hope you are mistaken… piss poor planning on my side… I got that 24 port switch with the assumption that I could just configure the necessary ports appropriately.
 
  • Wow
Reactions: garycrist
I would think ubiquiti's would have VLAN's in the mix, unless it specifically says unmanaged
 
  • Like
Reactions: JNDATHP
If not too late to return it, you may wanna decide if the effort to program that expensive bad boy is worth the effort LOL.

But if it is a managed switch and has VLAN capability, then yeah you can certainly get by with it, but you may find the learning curve steep to program it correctly. Or maybe you stumble in to a quick solution.

It is why most go with the Dual NIC - because it is easy and less chance to screw up programming because there is none LOL.
 
We have all UniFi Ubiquiti equipment. VLans are simple to set up as is an incoming VPN which our iPhones connect to on an Always connection. I found a small app on the UniFi forums that makes an iPhone connect Always, Manual, and when not on known WiFi.

I set up inbound and outbound firewall rules to prevent our cameras from reaching the Internet. I can verify that they don’t/can’t phone home because when the firewall rules are active, the cameras cannot connect to Dahua servers to check for a firmware update. When not active, they can.

Also, UniFi comes with a built in NTP server. Just my 2c.
 
  • Like
Reactions: JRdabbler and Flintstone61
JNDATHP said:
We have all UniFi Ubiquiti equipment. VLans are simple to set up as is an incoming VPN which our iPhones connect to on an Always connection. I found a small app on the UniFi forums that makes an iPhone connect Always, Manual, and when not on known WiFi.

I set up inbound and outbound firewall rules to prevent our cameras from reaching the Internet. I can verify that they don’t/can’t phone home because when the firewall rules are active, the cameras cannot connect to Dahua servers to check for a firmware update. When not active, they can.

Also, UniFi comes with a built in NTP server. Just my 2c.
Click to expand...
JNDATHP said:
We have all UniFi Ubiquiti equipment. VLans are simple to set up as is an incoming VPN which our iPhones connect to on an Always connection. I found a small app on the UniFi forums that makes an iPhone connect Always, Manual, and when not on known WiFi.

I set up inbound and outbound firewall rules to prevent our cameras from reaching the Internet. I can verify that they don’t/can’t phone home because when the firewall rules are active, the cameras cannot connect to Dahua servers to check for a firmware update. When not active, they can.

Also, UniFi comes with a built in NTP server. Just my 2c.
Click to expand...

Ok awesome… so lemme see if I understand this correctly…. I’ll create a vlan for cameras, then set up firewall rules for them, this will make sure they can’t phone out to anywhere they aren’t supposed to.

Then I also need to set up a vpn so I can access with my iPhones.
 
You ubiquity gear will certainly do VLANs which are VIRTUAL LANs - basically the same things as creating a physically separate LAN, but it's done in the software instead of hardware. In the end, as long as everything is set up correctly, the result is the same.

I would certainly create a "CCTV" VLAN and put all of your cameras and the BI machine on it. Then you can block this VLAN from accessing the internet. I'm not familiar with how Ubiquity handles their firewall rules, but you probably want to block the CCTV VLAN from other VLANs (like your main network). Usually this is a "one way" block - devices on other VLANs can still initiate communication with the CCTV devices, but not vice versa. This means that you can still access the CCTV devices to set things up and see the camera feeds using your phone, computers, etc on the main VLAN. However your CCTV devices will not be able to initiate communication with any other device or the internet.

Once you get the first VLAN working correctly, it is easy to add more. Create one for a guest network, one for IOT things that don't need the internet (lights, automation ,etc), one for IOT things that do need the internet (mobile devices including your phones, media streamers, etc), one for network printers, etc, etc, etc. You might be surprised to see that I say your mobile devices (phones, tablets, etc) should NOT be on your main network. In essence, they are IOT devices and should be put on the Internet IOT VLAN, in my opinion.
 
Last edited:
  • Like
Reactions: Treatwise and JRdabbler
Ok haven’t had much free time lately but I’ve managed to get my firewall rules set up, my blue iris and deep stack set up reasonably well, I’m testing a few locations as well. I have run into a snag accessing blue iris remotely.

I think. I have set up my vpn correctly. All the videos and write ups that I have found (so far) for setting one up for unifi are on the old network interface, and some of the options are missing or different.

I’m using an iPhone, and it says that I am connected to vpn, but the blue iris app doesn’t connect. I can log into my udm router using the LAN IP, so that leads me to believe it’s working. Can anyone point me towards some study material for this?

unifi udm 1.11.4
Network 7.0.25
 
Again I am unfamiliar with the Ubiquity way of doing things, but with pfSense (which I use) you have to specify which network addresses/VLANs should be accessible through the VPN. It sounds like this may be what you are experiencing. The VPN connection/tunnel is established, but if you didn't specify which addresses/VLANs should be available through the VPN, you aren't actually able to connect to any of the devices on your local network, Basically the firewall is allowing the tunnel to connect, but is then blocking any communication to your network devices because you haven't specified what communication is allowed.
 
The Automation Guy said:
Again I am unfamiliar with the Ubiquity way of doing things, but with pfSense (which I use) you have to specify which network addresses/VLANs should be accessible through the VPN. It sounds like this may be what you are experiencing. The VPN connection/tunnel is established, but if you didn't specify which addresses/VLANs should be available through the VPN, you aren't actually able to connect to any of the devices on your local network, Basically the firewall is allowing the tunnel to connect, but is then blocking any communication to your network devices because you haven't specified what communication is allowed.
Click to expand...
Thanks I’ll see what I can find tonight, does anything special need to be done on the blue iris machine?
 
Does your Ubiquiti PoE switch do standardized 48V 802.3af (PoE) or 802.3at (PoE+) or is it Ubiquiti's passive 24V PoE?
 
You must log in or register to reply here.
Top Bottom