Switch ideas?

AP514 (Pulling my weight, Pearland, Texas)
I posted this over in accessories... but think maybe it should have been here instead.
I am looking for some help on getting the correct switches for my upcoming IPCAM setup...
Figure I would put all the cams (black box) and the 2 switches on 1 and have my current setup as another. Trying to isolate the Blue Iris computer and my cams from the net.
Any help would be nice... suggestions on my setup

[attachment: IPCAM-Layout.png]
[username missing] (Reno, NV)
Your diagram is the most recommended way to keep cameras off the internet, by putting them after your Blue Iris PC on their own subnet. I did the same for a good many months because my ASUS router could not do multiple VLANs.
However, I did not isolate my Blue Iris PC from the internet. That was still required for OpenVPN and updates.

AP514 (Pulling my weight, Pearland, Texas)
I guess I am in the same boat. Still looking at switch info... going towards managed.

Walrus (Getting comfortable, Ontario)
If you set up the network as pictured, with separate switches for the cam network on a 2nd NIC on the BI PC, you don't need managed switches.

catcamstar (Known around here)
If you set up the network as pictured, with separate switches for the cam network on a 2nd NIC on the BI PC, you don't need managed switches.
That is true, but you can never access any of your cams directly (e.g. for a firmware upgrade), nor by VPN (except if you deploy a VPN service on your BI PC). If your BI PC refuses (for whichever reason: Windows update, corruption, ransomware, ...) you can by no means access your core surveillance system.

That's why I advised in the other thread to go for a bit more "high grade" networking system, with VLANs and managed switches, which do leave your BI PC in a "crucial" centerpoint yet out of the wind from your other devices. Which means you can still use the BI app, but if that goes down/becomes inaccessible, you could still watch your cam feeds directly.

Just my 2c.

guykuo (Getting comfortable, Sammamish, WA)
I use an EdgeRouter X to create separate LANs and enforce isolation. The camera LAN is completely isolated from the WAN and the other LANs with the exception of the surveillance PC. I don't rely on just VLAN packet tagging to isolate the camera LAN. It is physically separated. The surveillance PC is granted special access to the WAN. If I were using an NVR, I would probably not allow it WAN access in case its firmware is doing something nefarious.

My main LAN devices have full access to the other LANs. That lets my normal devices directly contact the cameras. The cameras cannot reach the WAN. They are not allowed DNS lookups. They get NTP from the EdgeRouter.

My IoT LAN is not allowed to access any of my main network nor the camera LAN. They can only talk to the WAN.

EdgeRouters are huge bang for the buck for setting up isolation and limiting access. They are, unfortunately, not for network novices. They arrive completely dumb and you must configure their ports, services, LANs and rules to get them functional. It takes over 20 firewall rules to implement my system.

[attachment: network.jpeg]
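As an added illustration (not guykuo's own configuration, nor anything from Ubiquiti's documentation), here is how the isolation described in the post above can be expressed as an EdgeOS CLI ruleset on an EdgeRouter. The interface names, subnets and the surveillance PC's address are assumptions, and the cameras are assumed to use static addresses, so nothing but NTP is opened towards the router.

```text
# Added example, modelled on the post above. Assumptions (not from the post):
# eth1 = main LAN 192.168.1.0/24, eth2 = camera LAN 192.168.20.0/24 (router
# at 192.168.20.1), eth3 = IoT LAN 192.168.30.0/24, surveillance PC 192.168.20.10
configure

# Private ranges, used below to keep the IoT LAN WAN-only
set firewall group address-group RFC1918 address 10.0.0.0/8
set firewall group address-group RFC1918 address 172.16.0.0/12
set firewall group address-group RFC1918 address 192.168.0.0/16

# Camera LAN -> anywhere: drop by default, so cameras cannot reach the WAN
# or other LANs; only the surveillance PC may originate traffic out.
# Replies to main-LAN devices that contacted a camera pass via rule 10.
set firewall name CAM_IN default-action drop
set firewall name CAM_IN rule 10 action accept
set firewall name CAM_IN rule 10 state established enable
set firewall name CAM_IN rule 10 state related enable
set firewall name CAM_IN rule 20 action accept
set firewall name CAM_IN rule 20 source address 192.168.20.10

# Camera LAN -> the router itself: NTP only. No rule for port 53, so the
# cameras get no DNS even from the router.
set firewall name CAM_LOCAL default-action drop
set firewall name CAM_LOCAL rule 10 action accept
set firewall name CAM_LOCAL rule 10 state established enable
set firewall name CAM_LOCAL rule 10 state related enable
set firewall name CAM_LOCAL rule 20 action accept
set firewall name CAM_LOCAL rule 20 protocol udp
set firewall name CAM_LOCAL rule 20 destination port 123

set interfaces ethernet eth2 firewall in name CAM_IN
set interfaces ethernet eth2 firewall local name CAM_LOCAL

# IoT LAN: WAN only. Rule 20 drops anything aimed at a private subnet
# before rule 30 lets the rest out.
set firewall name IOT_IN default-action drop
set firewall name IOT_IN rule 10 action accept
set firewall name IOT_IN rule 10 state established enable
set firewall name IOT_IN rule 10 state related enable
set firewall name IOT_IN rule 20 action drop
set firewall name IOT_IN rule 20 destination group address-group RFC1918
set firewall name IOT_IN rule 30 action accept
set interfaces ethernet eth3 firewall in name IOT_IN

# Main LAN (eth1) gets no 'in' ruleset, so it keeps full access to the
# camera and IoT LANs as well as the WAN.
commit
save
```

With this in place a camera's attempt to reach any WAN address, or port 53 anywhere, is dropped by CAM_IN's default action, while a main-LAN browser can still open a camera's web page directly. Point the cameras' NTP at 192.168.20.1 and confirm on your own unit that its ntpd answers on the camera interface.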
[username missing] (Colorado)
Any help would be nice... suggestions on my setup
You need to choose based on 1. whether you understand VLANs (or are willing to learn about them) and are willing to use them and buy equipment that supports them for slightly more.

As for the fear that your BI computer might happen to be broken, personally I think that's a long-shot concern, but in that case your capability to video record your cameras is compromised, so you'll want to focus on fixing that ASAP anyway.
If you don't understand how VLANs work and aren't willing to do research and learn, then maybe VLANs aren't for you. I believe MANAGED switches will typically run a little more, so going this way may cost you a little more for the added capabilities a managed switch provides.

I'm no network engineer, but I like to learn, so I am tinkering with VLANs to learn more about them on a small scale. I am mostly playing with VLANs so I can handle segregating multiple wifi devices onto their proper networks (IoT devices, AV equipment, cellphones, guest cell/computer, trusted equipment) on a single AP with a single SSID.

But I also love the KISS principle and I'm cheap, so I have a configuration more like your diagram with the BI computer as a "single point of failure". You will find BOTH camps here (VLAN and Idiot-Proof), it just depends on how much work you want to put into it. I did it the Idiot-Proof way because:
1. misconfiguring VLANs might actually give me a sense of security when it is insecure because of some bonehead thing I did setting the VLANs up
2. managed switches cost more
3a. I personally don't have significant issues keeping my Windows machines up and running and find Blue Iris in particular quite reliable (but I also run it on bare metal).
3b. Since my only interface to the cameras is via the Blue Iris webserver, I notice really quickly when it's offline, because I have it onscreen in the house about 16 hours a day.
4. setting it up that way, virtually all camera video is on a completely segregated camera network (I do have some remote cameras that have to come in over a VPN tunnel through my main router/firewall).