VLAN firewall rule - block the cameras but not the Blue Iris computer

[saltwater]

I have now got two Dahua cameras set up and running and am using Blue Iris on a HP Prodesk SFF computer. I have a UDM Pro and Unifi 24 port POE switch. My cameras and Blue Iris computer are on VLAN 30. I have a firewall rule in place to block the cameras dialling out of the network. My problem is, the Blue Iris computer is on the same VLAN, how do I allow the Blue Iris computer to access the internet?

Steve.

 

[sneakynuts]

You will need to make a rule to ONLY allow the blue iris IP to access your lan whilst all other traffic remains blocked.

I don't use unifi router so can't help with a screenshot sorry.

 

[saltwater]

Thanks for the info. I've had a play around and I've created a rule to allow my Blue Iris IP address to access the internet. The very next rule is the rule to block all VLAN 30 access to the internet. I'm slightly confused though, wouldn't the very next rule cancel out the first rule?

Anyway, it appears the second rule (VLAN 30 wide) doesn't cancel out the first rule (specific VLAN 30 IP address) as I tested on my main computer, manually changed to a VLAN 30 address and couldn't connect to the internet, and yet my Blue Iris computer can. All good so far. I know there are other rules to put in place to tighten things up, but I'll research that over the weekend.

 

[LopezEL]

I would not give the BI box unrestricted access to the internet. For one- Windows update has broken my settings several times with automatic updates even though I've turned them all off.

 

[saltwater]

I would not give the BI box unrestricted access to the internet. For one- Windows update has broken my settings several times with automatic updates even though I've turned them all off.

I'm yet to experience the Windows automatic update with the BI machine. I ran a de-bloat script so that it's a bare minimum Windows 10 machine, altered a setting to prevent automatic updates and then installed another program that prevents that windows update setting from changing. As I said, I'm yet to see how all this works out.

 

[reflection]

Thanks for the info. I've had a play around and I've created a rule to allow my Blue Iris IP address to access the internet. The very next rule is the rule to block all VLAN 30 access to the internet. I'm slightly confused though, wouldn't the very next rule cancel out the first rule?

Anyway, it appears the second rule (VLAN 30 wide) doesn't cancel out the first rule (specific VLAN 30 IP address) as I tested on my main computer, manually changed to a VLAN 30 address and couldn't connect to the internet, and yet my Blue Iris computer can. All good so far. I know there are other rules to put in place to tighten things up, but I'll research that over the weekend.

Access lists are evaluated in sequential order. Once a match condition occurs, the action is performed and the evaluation stops. This is the behavior you are seeing which is expected.

 

[peotnes]

Here is an alternative to using VLANS to separate your cameras from other network devices. I'm separating my Home Network and Camera Network and my BI computer will span both networks. Lots of devices not shown below for clarity. All ports have port security to prevent unwanted physical access. VLANS on the Home Network restrict access to the BI computer and the NAS. The Camera Network switch provides PoE.

Our living room TV is used for streaming (we cut the cable) and will also be the BI Monitor. Wireless mice and keyboards along with remote control (already works well on the media server) will control the BI computer. This turns our living room into a "command center" if needed and we are also connecting a second HDMI or Display Port to the bedroom TV for when "things go bump in the night".

 

[saltwater]

Nice graphic there.

If I understand correctly, when you refer to 'Dual Teamed NICs' you are referring to two NICs in the Blue Iris computer? So your blue line is one NIC and the red line is the other NIC.

What length of HDMI are you running from your Blue Iris computer to your loungeroom TV?

 

[peotnes]

Nice graphic there.

If I understand correctly, when you refer to 'Dual Teamed NICs' you are referring to two NICs in the Blue Iris computer? So your blue line is one NIC and the red line is the other NIC.

What length of HDMI are you running from your Blue Iris computer to your loungeroom TV?

Thanks for the compliment! I find that if I spend a lot of time up front I save time and expense down the road.

4 NICS total for two teams of two. Windows 10 dropped the teaming capability from the GUI to force you to buy Server, but it can still be done from the command line . The idea is to have as much network throughput as I can support between the cameras and the BI server and the BI server and the NAS. My switches and the NAS max out a 1 GB per port, so I decided to team. This gives the BI server 2 GB access to both networks.

My living room/loungeroomTV sits in a corner above my fireplace. The is enough open space behind it that I have a 19" rack that holds audio equipment along with the existing media server. The Blue Iris server (which will be a used I7 SFF crammed with memory) and securely mounted to a 19" shelf. The HDMI cable (actually Display Port to HDMI) will be 6' long, the same as the media server HDMI cable. The one to the bedroom will be much longer (less than 50'') but will be long distance CL2 or CL3 rated)

I do remote control via the free version of VNC, but use a wireless keyboard and mouse as a backup. I also hack into the reset switch on the computer chassis and add a pushbotton switch that lets me cycle the power from the front of the fireplace.

Rear view of the rack as I installed the initial setup. The satellite receiver on the shelf about half way up is gone and that is where the SFF BI server (workstation, actually) will sit.


Reset switch extension for the media server. I'll use a similar switch with a different colored button for the BI computer.


All buttoned up with 100% Wife Acceptance Factor (WAF). JRiver Media Center plays my music and movie library stored on the NAS. Not seen is a subwoofer behind the TV that combines well with the Paradigms .

 

[peotnes]

Also, my VLANS above:
IOT = Internet Only Things. For example my work computer that uses VPN access. smart phone devices and any guests on the wireless network
NOT = Network Only Things. Network promiscuous devices like my printer that I want to only be accessed only by local devices. Wireless and Bluetooth turned off.
INT = Internet and Network Things. Workstations, the NAS (so it can update it's software and built in anti-virus).

I've debated a lot about wheter the BI server should be on the NOT or the INT VLAN. I could do BI updates without Internet access, but not Windows 10 or antivirus.

 

[reflection]

I've debated a lot about wheter the BI server should be on the NOT or the INT VLAN. I could do BI updates without Internet access, but not Windows 10 or antivirus.

On the internet facing side of BI, you can setup up ACLs or FW rules to allow internet access only when you want to update your BI box.

Here are some additional rules to add for your BI server on the internet facing side:

Whitelist firewall settings for BlueIris

I just finished scanning my BI for used ports and update my firewall settings for it. Figured I would share this. The goal here is to whitelist BI so that only the minimal ports/protocols are allowed - everything else is denied. This should lock down BI as much as possible. Sorry if someone...

ipcamtalk.com