Surprised so many people are OK with WPA2-PSK

You're in a tough spot, IMO. I don't think there's much chance you can have a wireless camera a couple of hundred feet away from your AP and not have it negatively impact the performance of your WiFi network. Also, as @fenderman alluded to, the best cameras out there (in terms of image quality, especially in low light) generally don't have a wifi-version, at least not when it comes to the Hikvision/Dahua professional market models that most folks here use.

If you will have line-of-sight between the camera and the building that has your server room in it, I'd take a look at Ubiquiti's airMAX NanoStation PTP solution. It uses its own RF protocol (airMAX) between the two units, so no neighbors snooping. On the remote end, you can get a model with a secondary PoE port, allowing you to make virtually any wired PoE camera wireless (like @fenderman was saying). On the building end, use a cheaper model without the secondary port. This solution doesn't use your existing WiFi at all, so it shouldn't impact it.

With a solution like that, you're free to use just about any camera you want. If low-light image quality is something you're going after, check out the Dahua/Hik models that use the 4MP 1/1.8" image sensor, they're generally the best bang for the buck (especially if you can find OEM versions of the models from @EMPIRETECANDY or this forum's store).
 
Doesn't the addition of a MAC address table provide another layer of security for the wireless router?
I always thought it did but I'm sure you're going to shoot bullets in that notion rather quickly.
 
Seems pretty wild to me that a "security camera" wouldn't have the most secure methods of communication available to it
It's well understood, especially here in ipcamtalk, that 'security cameras' (actually surveillance cameras) have been subject to very little design thinking aimed at security hardening them, as demonstrated by the rich set of security vulnerabilities they exhibit.

But methinks you are trolling a bit, or maybe hosting a crypto exchange.
 
It's well understood, especially here in ipcamtalk, that 'security cameras' (actually surveillance cameras) have been subject to very little design thinking aimed at security hardening them, as demonstrated by the rich set of security vulnerabilities they exhibit.

But methinks you are trolling a bit, or maybe hosting a crypto exchange.

Not trolling, I'm new here. Vulnerabilities of the hardware/firmware have never really worried me much as I can completely segregate the cams in their own VLAN and block all network access to/from them. I think an ethernet based cam using an rpi as a wifi bridge is the best option.
 
No, MAC addresses are easily spoofed
Figured you were going to gun that one down pretty quickly. Wow!
So the scenario is that your neighbor is going to first crack your WPA2 Pass Phrase and then spoof a MAC address to gain access to your network. That's interesting.
 
Figured you were going to gun that one down pretty quickly. Wow!
So the scenario is that your neighbor is going to first crack your WPA2 Pass Phrase and then spoof a MAC address to gain access to your network. That's interesting.

Right. If someone is able to crack your WPA2psk network, they're definitely going to have the tools to spoof a MAC.
 
I guess I don't have as big of an issue with putting wifi devices like thermostats on the wpa2-psk ssid/vlan and segregating them off other than MQTT or TLS ports. How much access/damage could someone do if they got into your thermostat?
The question was about getting into the network, not thermostats etc.
 
Howdy,

I generally try to use the right tool for the job. Sometimes this means plunking down more $'s.

Given your long wireless reach, if you want any type of good quality, a wireless cam isn't going to cut it. Given your situation, I would use wireless gear to create a point-to-point, secure, connection. I use Ubiquiti gear. I use NanoBeam 5AC Gen2's, set up in a point-to-point configuration. I can push about 221 Mbps before the CPU is swamped. The radios sync at 655 Mbps. Once you have a wireless connection, connecting the endpoints to their respective gear is easy. You'll need a PoE on your wired cam. They're not that expensive.

HTH!
-pablo
 
As fenderman pointed out, it is easy and not terribly expensive to add your own wifi bridge,
I could not find a wifi bridge that supported 5 GHz and WPA2-Enterprise and didn't cost an arm and leg. Do you know of any inexpensive ones?
 
@pov2 Nope, I've never used WPA2-Enterprise and don't pay attention to it in spec sheets. As @Pilot mentioned, a raspberry pi could do the job. It won't be plug-and-play and it won't have the best antenna, but it does at least have dual-band wireless.
 
I could not find a wifi bridge that supported 5 GHz and WPA2-Enterprise and didn't cost an arm and leg. Do you know of any inexpensive ones?

Hi,

See my response above ... each radio costs about 120 CAD. I don't know if that price-point works for you.

Cheers,
-pablo
 
I just noticed that in UniFi, CCMP Encryption is enabled by default and a new GTK key is created every hour; both can be used with WPA-Personal and WPA-Enterprise.
 
Best case scenario, sure. Worst case scenario though? They crack it on the first attempt. I'd rather there be no scenario at all and have the network un-crackable using EAP-TLS. I also would not prefer to give visiting guests a 20+ character randomized special/number/uppercase/lowercase/whatever password.

There are a lot of coincidences to get the worst case scenario. There has to be a neighbor, who has the knowledge, who has the time, who has the interest....
I have more things to worry about in my life, probably easier to die in a car crash than having a nosy neighbor peeping on my cameras.
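
The passphrase-strength question argued in the posts above comes down to how WPA2-PSK derives its key, so here is an added example that is not part of any post in this thread. It derives the pairwise master key as the standard's passphrase mapping specifies and compares the search space of two passphrase policies; the guess rate is an assumed figure for illustration and the function names are hypothetical.

```python
import hashlib
import math

ASSUMED_GUESSES_PER_SEC = 1_000_000  # assumption for illustration, not a measurement
SECONDS_PER_YEAR = 365.25 * 86400


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 32-byte output (IEEE 802.11i passphrase mapping)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a passphrase whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> float:
    """Time to try every candidate at the given rate; the average case is half."""
    return 2.0 ** bits / guesses_per_sec / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    # The SSID is the only salt, so the same passphrase on a renamed network
    # yields an unrelated key (constructed SSID below).
    print(wpa2_pmk("password", "constructed-ssid").hex())
    for label, length, alphabet in [
        ("8 random lowercase letters", 8, 26),
        ("20 random printable ASCII", 20, 95),
    ]:
        bits = random_passphrase_bits(length, alphabet)
        print(f"{label}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years")
```

Because the key is a deterministic function of passphrase and SSID only, a unique SSID and a long random passphrase are the two inputs the network owner controls.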
 
Right. If someone is able to crack your WPA2psk network, they're definitely going to have the tools to spoof a MAC.

You must have one hell of a neighbour. I hope you've exercised your 2nd amendment rights because it sounds as if you're going to need them.
 
I still don't get the demand for wireless cameras??? These devices need some sort of continuous power source, bringing the wired part back.. Anyway, (imo) wired is the safest route from nosy neighbours.

I think it's because some people happen to have a power outlet located approximately where they want to mount a camera so they take the easy way instead of the proper way. But, if they are going out of their way to run power for a WiFi cam then you are spot on.
 
As others have said, buy a good quality camera (Dahuas are a favorite of mine) and then put good network gear up to support it. I have cameras all over my property as we have a number of show dogs and live in a secluded location and that is what I do. Ubiquiti APs all over the place and they just work, I think I currently have 8 or 9 of them. Then if you want you can run WPA2-Enterprise. And to answer the question about why use wireless, I have cameras that are over 300 feet up a long wooded driveway. No way I'm going to pull fiber up there, way too many tree roots.
 
You could try some Ethernet over power line adapters. Powerline networking. That way you get hardwired reliability without running new cat5 cables.