TALK ME OFF THE LEDGE

TL (above member) wrote about Dual NIC here: Dual NIC setup on your Blue Iris Machine
Sadly no pic on post. Found a general one on the net. "Win16 server" box would actually be your Blue Iris computer with 2 NIC ports (I had to buy a 2nd small NIC card for my PC). The point is: NIC1 connects to your router, the same as your other PCs or whatnot connect to the router. NIC2 off the Blue Iris computer heads out to a POE switch that your cameras connect to, which will have a different IP scheme. Notice below, NIC1 has an IP address of 192.168.0.xxx, which is the IP scheme of your general network. However, NIC2 has a different IP subnet of 192.168.10.xxx. This *should* prevent anything after your Blue Iris computer from getting to the internet...and "should" prevent anyone from getting into your individual cameras.
This is, of course, if not using VLAN technology, which I have no experience with :)

TL (above member) wrote about Dual NIC here: Dual NIC setup on your Blue Iris Machine
Sadly no pic on post.

Good Idea. I came up with this on how it will look when complete:


I suggested starting with a router because normally it is an upgraded, speedier model than what you currently have, and once you set it up you gain some confidence. You can also set up a new wifi SSID/password and reconnect devices and get your network back up with the new router before starting on the cams.

I had a poor d-link router free from my ISP. It took 1 minute to set up my asus router. I was happy as the overall speeds were quicker and with the asus router you get a lot more options.

To set up I simply removed the d-link and plugged in the asus router and typed router.asus.com in my chrome browser and set up name/password. Followed the Randy OPENVPN setup - downloaded the ovpn file - uploaded it onto my phone - opened the file in the openvpn app. To test, type router.asus.com and you should be able to connect to your router if the vpn is working.

So we've had some friendly discussion about VPNs and alternatives. I question what someone like myself (classic noob) should do since I have zero experience implementing anything like this and I get the feeling I might be well over my head in trying. I think I can handle most of the sourcing and install aspects and some of the basic setup features with BI and the home networking. But when it comes to more complex security tasks like OpenVPN or alternatives, I have no idea if I'll be able to comprehend how to do that. So would setting up some simple port forwarding be better than nothing at all? Or should I strive to do something more secure which would require more technical intuition? Appreciate the insight.

Why not plug 1 ethernet wire from the POE+ switch to your main BI computer (if you have dual NIC - you put the wire from the switch into the NIC not connected to the internet that has your cams on it). I think if you are not setting up VLANs or any other protective layers, having dual NIC is a great little added layer of protection that is simple to set up.

If you want to set up a BI setup there is no way around the steps I listed here in this thread:
Newbie Starter Guide to IP Cam System – VPN setup – Computer Hardware – Blue Iris – Dahua Cameras

Let us know what you are thinking about your setup if you are not sure and we can try to help.

A couple months ago, I was overwhelmed with what I MUST do in regards to network security to the point that I was about to pick up a pfSense firewall box. But really... we all gotta start somewhere. The above points give a great starting point as a beginner. Run with that. Later on, you can jump head first into Uber VPN security and firewall setup. For now, just get the basics out of the way else you will never get into it at all :)
I mean...don't get me wrong. I DID do some things right as in cameras on their own subnet!

Same here. I settled on a more secure router, dual NIC and no pfSense yet but I want to do that with a managed switch, VLANs, and maybe out of the box firewall hardware for added layers of protection.

You need context, port forwarding BI is secure.

More VPN exploits..
Vulnerabilities Exploited in Multiple VPN Applications | CISA
again not against VPN but you need to keep on top of the bugs

Port forwarding BI with stunnel? That was the only time I port forwarded. I stopped using stunnel once I set up OpenVPN. I have no ports forwarded that I know of currently. Do you have more info on the port forwarding you are talking about vs VPN?

Asus and OpenVPN seem pretty good about updating firmware and vulnerabilities.
 
@Holbs & TL1096R - Thanks for the reply and info. Great diagrams to work off of. I think you've set me straight on what I need to do. I did some exploring today and found out that when I wired up the upstairs bedrooms/offices ten years ago, I added two extra Cat5e drops for a total of three. Amazing that something I did that long ago is actually paying off. Now I can set up the BI host with dual NICs and cleanly separate the camera system from the rest of the house network. The only hitch was that I was going to connect an indoor camera off the wireless router in the family room since it faces the only door in the back of the house. Not so lucky on that one. I can get a second Cat5e cable to that location but it's going to take some opening of walls and subflooring to make the drop. Will consider this an add-on for later but provision for it now. Thanks!
 

hmm... dilemma. But a good point about adding wireless cams after BI computer off 2nd NIC. Maybe...wireless router after BI computer for wireless cams and then POE switch connected to router?
 
hmm... dilemma. But a good point about adding wireless cams after BI computer off 2nd NIC. Maybe...wireless router after BI computer for wireless cams and then POE switch connected to router?

Thanks Holbs - The camera for the family room would be a wired camera and connect to the wired LAN port of the wireless router sitting right next to it on a counter. The wireless router has four LAN ports. If I do that then it would be the only camera outside of the physical subnet hanging off the BI host. I'm guessing that would defeat the purpose of separating the cams to restrict outside access. Like I said, I can add the required Cat5e cable but it will take some effort and some dust. Thanks!
 
hmm... dilemma. But a good point about adding wireless cams after BI computer off 2nd NIC. Maybe...wireless router after BI computer for wireless cams and then POE switch connected to router?

Yes, for wireless like a doorbell. I am unsure how you make it secure and connect it to the second NIC or if possible. If anyone wants to comment more that would be great.

@Holbs & TL1096R - Thanks for the reply and info. Great diagrams to work off of. I think you've set me straight on what I need to do. I did some exploring today and found out that when I wired up the upstairs bedrooms/offices ten years ago, I added two extra Cat5e drops for a total of three. Amazing that something I did that long ago is actually paying off. Now I can set up the BI host with dual NICs and cleanly separate the camera system from the rest of the house network. The only hitch was that I was going to connect an indoor camera off the wireless router in the family room since it faces the only door in the back of the house. Not so lucky on that one. I can get a second Cat5e cable to that location but it's going to take some opening of walls and subflooring to make the drop. Will consider this an add-on for later but provision for it now. Thanks!

For the cabinet. You might be able to place your BI machine in there. How far is the cabinet to your "office 1"? If it is 50 feet you can use HDMI cable to hook up a monitor. And you said you have an ethernet wire? You can hook up a mouse:
https://www.amazon.com/gp/product/B07CZC8728

You can have full control of your BI machine monitor/mouse(keyboard) combo without the machine in that room. It is what I do and it works great.

If you have more than 50 feet you would need to use this but you would need 2 more ethernet wires:
https://www.amazon.com/gp/product/B007NHHLA0

You can also get an HDMI splitter and run the feed into other rooms. I am not sure if you are worried about the heat in 1 cabinet. Extinguishers can put your mind at ease:
Fire Extinguisher Ball Anti-Fire-Ball Stop Fire Loss Tool Safety Non-Toxic | eBay

And if a cabinet fan is a good idea:
https://www.amazon.com/AC-Infinity-Cooling-Ventilation-Projects/dp/B009OWVUJ0
 
As an eBay Associate IPCamTalk earns from qualifying purchases.
As an Amazon Associate IPCamTalk earns from qualifying purchases.
Using a second NIC with a wireless camera is straightforward.
1) Get an access point, wire it to the switch that is on the second NIC, give it an IP address that is in the second NIC subnet range.
2) Set the access point to have a different SSID than your home wifi, make sure that it is on a different channel than your home wifi.
3) Configure the wireless camera to have an IP address in the second NIC subnet range.
4) Configure the wireless camera to have the same SSID and channel as the access point.
 
Using a second NIC with a wireless camera is straightforward.
1) Get an access point, wire it to the switch that is on the second NIC, give it an IP address that is in the second NIC subnet range.
2) Set the access point to have a different SSID than your home wifi, make sure that it is on a different channel than your home wifi.
3) Configure the wireless camera to have an IP address in the second NIC subnet range.
4) Configure the wireless camera to have the same SSID and channel as the access point.

Thanks SY - great input as always. It would be cool to repeat this info in the Dual NIC SETUP thread.
Dual NIC setup on your Blue Iris Machine
I'm not sure I'll be using any wireless cams but if I do you've provided an easy way to keep them locked down on the BI subnet.
 

Thanks. How do you use the wireless cam features like laview for example - using hikconnect still possible?

And how do you know the channel it is on to make sure it is not on the same one. Finally, what is a suggested access point?
 
@TL1096r - thanks for the input. You're always thinking outside the box or in this case, inside the media box.

The structured cabinet we have is compact and sits between studs in the wall, so about a 3.5" depth. Maybe 14" x 28" in size. Pics below. Not much room in there for equipment. I put this in 17 years ago after seeing a few new model homes using this type of setup and figured I'd replicate the design. I'll replace the gateway/router and put the new POE switch in there, but that will max it out for sure (modem, router, POE switch).

I've always wanted to add some type of UPS for these devices but can't find one that would fit. Seems the only way to do that would be to add UPS to the incoming power back at the fuse box. We have pretty steady and reliable utility power so I'm not too concerned about that. Desktops in the offices each have their own UPS. Thanks!
 

I use an android phone or tablet and the wifi analyser app. It shows what traffic with the SSID name is on each channel. You should only use channels 1, 6, 11. If you are in a high resident area, apartment building, this is a very busy graph on the 2.4 GHz.


Note I think door bell cameras are a waste of money. How many times does someone ring a door bell and stand around waiting to talk to the door bell. Use the money for one or two high quality cameras.
 
@TL1096r - thanks for the input. You're always thinking outside the box or in this case, inside the media box.

The structured cabinet we have is compact and sits between studs in the wall, so about a 3.5" depth. Maybe 14" x 28" in size. Pics below. Not much room in there for equipment. I put this in 17 years ago after seeing a few new model homes using this type of setup and figured I'd replicate the design. I'll replace the gateway/router and put the new POE switch in there, but that will max it out for sure (modem, router, POE switch).

I've always wanted to add some type of UPS for these devices but can't find one that would fit. Seems the only way to do that would be to add UPS to the incoming power back at the fuse box. We have pretty steady and reliable utility power so I'm not too concerned about that. Desktops in the offices each have their own UPS. Thanks!

Nice setup. Can you get the cabinet deeper? If not your setup is good.

I use an android phone or tablet and the wifi analyser app. It shows what traffic with the SSID name is on each channel. You should only use channels 1, 6, 11. If you are in a high resident area, apartment building, this is a very busy graph on the 2.4 GHz.


Note I think door bell cameras are a waste of money. How many times does someone ring a door bell and stand around waiting to talk to the door bell. Use the money for one or two high quality cameras.

I agree but for the doorbell it is the only option. I have the laview and will want to use hikconnect. I like the idea of having it off the network.
-Do you have any wireless access points that you suggest?
-Will hikconnect work with this dual NIC access point setup?
-When setting up the wireless cam this way do you have to connect your android/apple phone to that new access point?

This is all new to me and hope to learn something :) I will add it all in the dual NIC write-up. I already added what you said and will include any details.

My asus does auto channel and is on ch. 9.. should I manually choose 1, 6 or 11 instead?
 
Nice setup. Can you get the cabinet deeper? If not your setup is good.

Thanks - the cabinet depth is limited to the depth of the wall - 3.5" standard. It's functional - serves its purpose. Appreciate the thoughts about other options.
I'm good with having the BI host in my home office and I plan to use a KVM sharing my existing monitor/mouse/keyboard to keep it simple, at least that's the current plan.
 
Thanks - the cabinet depth is limited to the depth of the wall - 3.5" standard. It's functional - serves its purpose. Appreciate the thoughts about other options.
I'm good with having the BI host in my home office and I plan to use a KVM sharing my existing monitor/mouse/keyboard to keep it simple, at least that's the current plan.

They do make these: https://www.amazon.com/Leviton-4761...ctured+media+enclosure&qid=1570467729&sr=8-40

And there is a 42" version of that box.
 

Do you have more info on setting up a wireless doorcam with the dual NIC so it still works with the app also?

I am trying to put together my cam system and will add it to the dual NIC thread. I cannot figure out how you can do this with the wireless cam and still use hikconnect or laview app.

Thanks - the cabinet depth is limited to the depth of the wall - 3.5" standard. It's functional - serves its purpose. Appreciate the thoughts about other options.
I'm good with having the BI host in my home office and I plan to use a KVM sharing my existing monitor/mouse/keyboard to keep it simple, at least that's the current plan.

Great keep us updated.
 

Thanks for posting that. I wasn't aware of this option. Leviton has some pretty nice stuff but it's pricey.
My wife would never allow me to add that option since it's very visible in the laundry room, not tucked away in a closet.
Good solution though if you need to add wider gear like a UPC to the standard depth cabinet.
 
The purpose of the dual nic is to completely block the cameras from access to the outside world. The only way an app will work is to run it on the bi PC. Or have another device on the camera network.
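
A way to check on the Blue Iris PC that the second NIC is set up the way this thread describes (added example, not from any poster in the thread). The interface aliases 'Ethernet' and 'Ethernet 2' are assumptions; the 192.168.10.xxx camera subnet is the one from the first post.

```powershell
# Added example: audit the dual-NIC isolation on the Blue Iris PC.
# Run in PowerShell on that PC. The two interface aliases are assumptions
# (list yours with Get-NetAdapter); the subnet is the one used in this thread.
$HomeNic      = 'Ethernet'       # assumed alias of NIC1 (to the router)
$CameraNic    = 'Ethernet 2'     # assumed alias of NIC2 (to the PoE switch)
$CameraPrefix = '192.168.10.'    # camera subnet 192.168.10.xxx

$findings = @()

# 1. NIC2 must actually sit in the camera subnet.
$camIps = (Get-NetIPAddress -InterfaceAlias $CameraNic -AddressFamily IPv4).IPAddress
if (-not ($camIps | Where-Object { $_.StartsWith($CameraPrefix) })) {
    $findings += "NIC2 '$CameraNic' has no address in ${CameraPrefix}xxx (found: $($camIps -join ', '))"
}

# 2. NIC1 must not also hold a camera-subnet address; the two sides are
#    meant to use different IP schemes.
$homeIps = (Get-NetIPAddress -InterfaceAlias $HomeNic -AddressFamily IPv4).IPAddress
if ($homeIps | Where-Object { $_.StartsWith($CameraPrefix) }) {
    $findings += "NIC1 '$HomeNic' has an address in the camera subnet"
}

# 3. NIC2 should have no default gateway: the PC's only route to the
#    internet is NIC1.
$camDefault = Get-NetRoute -InterfaceAlias $CameraNic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($camDefault) {
    $findings += "NIC2 has a default route via $($camDefault.NextHop -join ', ')"
}

# 4. Windows must not forward packets between the NICs; forwarding would turn
#    the PC into a router and give the cameras a path to the home network.
foreach ($nic in $HomeNic, $CameraNic) {
    $ipIf = Get-NetIPInterface -InterfaceAlias $nic -AddressFamily IPv4
    if ($ipIf.Forwarding -eq 'Enabled') { $findings += "IP forwarding is enabled on '$nic'" }
}
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
if ($tcpip.IPEnableRouter -eq 1) { $findings += 'IPEnableRouter registry value is set to 1' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Checks passed: NIC2 is in the camera subnet, has no gateway, and forwarding is off.' }
```

This only looks at the PC's own settings. It does not check Internet Connection Sharing, and it cannot see a camera that is plugged into the home router instead of the switch on NIC2.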
 
The purpose of the dual nic is to completely block the cameras from access to the outside world. The only way an app will work is to run it on the bi PC. Or have another device on the camera network.

Yes. I understand. I am trying to figure out maybe if we can open ports to get just the doorbell wireless cam to interact with their software it would be good. My BI app is a bit buggy won't show alerts on phone with preview.