VLAN or other solution to separate camera traffic; advice requested

marklyn

Jun 13, 2015
I have a TP-Link AX6000 router, a Netgear 16-port unmanaged switch and a TP-Link 8-port PoE switch.
Currently I have 15 cameras total. 6 are on my PoE switch, which is directly connected to my router, and 7 are on my Netgear switch, which is also directly connected to my router.
My BI system is an Intel i5-12400, 32 GB DDR4 3200 RAM, 1 TB Crucial SSD drive. Average CPU usage is 2-3%. The TP-Link router usually shows an average of 8-10 on a given core.
Even as good as the performance stats are, I occasionally get the "clock" symbol on some of my cameras when I'm live viewing or viewing a clip.
I was thinking that if I moved all of my camera connections to a separate VLAN that might resolve it, but before I invest in a new managed switch, I wanted to get some opinions on anything I can do with my existing network setup.
I did a very rough drawing of my current setup. Aside from extra details like camera resolution, FPS, etc., just looking at the network configuration, can I do something better to isolate my camera traffic with existing equipment, or would a VLAN solution be best?
I have done all of the suggested BI recommendations (second stream, direct write to disk, lower FPS, etc.). Just want some thoughts on VLAN vs. something else to try. Thanks!
 
Not sure where the BI server is plugged in, but having cams running through a router is asking for issues; router LAN ports generally choke on that much data.

As far as keeping the cams off the Internet, consider installing a second NIC in the BI server in this schema:

 
Where is BI connected in your diagram?
Is this router also your connection to the Internet?

Despite the performance you are witnessing on your router, camera traffic across/through the router is not recommended. Put a second NIC in your BI machine. One NIC is forward facing to your home router; the other NIC hosts all camera traffic. You can still implement this model using VLANs with a managed switch to reduce the quantity of hardware required.

Many here maintain multiple switches to prevent the complete loss of camera traffic if a switch fails.
 
> Not sure where the BI server is plugged in, but having cams running through a router is asking for issues; router LAN ports generally choke on that much data.
>
> As far as keeping the cams off the Internet, consider installing a second NIC in the BI server in this schema:

In my diagram the BI server is going through the 16-port Netgear switch. The answer to the second question is that the router in my diagram is the only router in my network. I have most of the other ports on my 16-port switch connected to various things (i.e. TVs, Rokus, Tivo box, etc.). I do have a second network card (1 Gb card) that I could put into the BI machine, so it sounds like I might consider following your diagram. If I change the subnet on my router, could I access the 192.168.1.x and 192.168.0.x devices on the entire network?
 
> If I change the subnet on my router, could I access the 192.168.1.x and 192.168.0.x devices on the entire network?
The NIC's subnet determines what devices are accessed which is why you would put the cams, and nothing but the cams, on NIC #2's subnet; this keeps the cams off of NIC #1's subnet which can access the network.

IIRC, there is a way to configure the router's netmask to access both subnets, but the whole idea is to isolate the 2 networks; cams do not need to be on an Internet-accessible network.
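An added example (not from any poster in this thread) of configuring NIC #2 on the Blue Iris host so that the camera subnet has no gateway off it, written in PowerShell since Blue Iris runs on Windows. It assumes the second NIC is named "Ethernet 2", uses the thread's 192.168.0.x range for the cameras with 192.168.0.2 on the BI host, and a constructed camera address of 192.168.0.50 for the final reachability check; NIC #1 keeps its normal lease and gateway on the router's 192.168.1.x subnet.

```powershell
# Added example: configure the second (camera-only) NIC on the Blue Iris host.
# Assumptions (not from the thread): NIC #2 is named "Ethernet 2", the camera
# subnet is 192.168.0.0/24, the BI host takes 192.168.0.2 on it, and one camera
# sits at 192.168.0.50 (constructed). NIC #1 stays on the router's 192.168.1.x
# subnet with its usual DHCP lease and default gateway.
# Run from an elevated PowerShell prompt.

$CamNic    = "Ethernet 2"      # assumed alias of the second NIC
$CamHostIp = "192.168.0.2"     # assumed address of the BI host on the camera subnet
$CamTest   = "192.168.0.50"    # constructed camera address for the final check

# 1. Static address with NO -DefaultGateway: the BI host keeps a single default
#    route (via NIC #1), and nothing on the camera subnet can route through it.
Set-NetIPInterface -InterfaceAlias $CamNic -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $CamNic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $CamNic -IPAddress $CamHostIp -PrefixLength 24

# 2. No DNS servers on the camera NIC; name resolution stays on NIC #1.
Set-DnsClientServerAddress -InterfaceAlias $CamNic -ResetServerAddresses

# 3. Do not let Windows forward packets between the two NICs, which would turn
#    the BI host into a gateway for the cameras.
Set-NetIPInterface -InterfaceAlias $CamNic -Forwarding Disabled

# 4. Verify: the only IPv4 default route must be on NIC #1, never on the camera NIC.
$defaults = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix "0.0.0.0/0"
$defaults | Format-Table InterfaceAlias, NextHop, RouteMetric
if (($defaults | Where-Object InterfaceAlias -eq $CamNic).Count -gt 0) {
    Write-Warning "Camera NIC has a default route; remove its gateway to keep cams off the Internet."
}

# 5. The BI host itself still reaches the camera directly over NIC #2 (RTSP, port 554).
Test-NetConnection -ComputerName $CamTest -Port 554 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Because the BI host has an address on both subnets it can talk to the cameras and to the LAN, while the cameras, with no gateway on their subnet, can reach only the BI host.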
 
> The NIC's subnet determines what devices are accessed which is why you would put the cams, and nothing but the cams, on NIC #2's subnet; this keeps the cams off of NIC #1's subnet which can access the network.
>
> IIRC, there is a way to configure the router's netmask to access both subnets, but the whole idea is to isolate the 2 networks; cams do not need to be on an Internet-accessible network.
OK, understanding a bit more now. That last statement may be what my issue is.
I have 3 cams (front of the house) that are my "better" cams (more features, quality, etc.) that also have SD cards in them to record above and beyond what BI triggers see. I have a hole in my router firewall to view the video playback directly from the cameras if need be (maybe BI is down or BI misses something that might be on the camera's SD card). It sounds like I need to weigh giving up outside access to these 3 cameras if I keep them on a different subnet and 'seeable' only on the inside of my LAN. But it sounds like a more reasonable and safer approach. All this being said, is there a chance putting these cameras on their own subnet might help clear up the camera lag I sometimes see?
 
So what happens in this scenario is that you will view BI via UI3 from any device on your LAN by going to a web browser and typing in the IP address of your BI computer and :81, and it will bring up the login screen.

Or you can remote desktop in to the BI computer to then access the cameras directly from another device on the LAN.
 
> So what happens in this scenario is that you will view BI via UI3 from any device on your LAN by going to a web browser and typing in the IP address of your BI computer and :81, and it will bring up the login screen.
>
> Or you can remote desktop in to the BI computer to then access the cameras directly from another device on the LAN.
But if I try to access BI UI3 from outside, won't I just access it using the BI machine's 'inside' IP with a port number that I set up in my router's firewall? That's the way I do it now; I didn't think that part would change (outside access).
 
> But if I try to access BI UI3 from outside, won't I just access it using the BI machine's 'inside' IP with a port number that I set up in my router's firewall? That's the way I do it now; I didn't think that part would change (outside access).

NO - the whole point of a Dual NIC or VLAN is to not allow your cameras to touch the internet.

The way you are doing now has exposed your system to the internet. There is a thread just today on here of someone seeing login attempts due to port forwarding.

You either set up OpenVPN on your router (if it supports it), install OpenVPN on your computer, or use ZeroTier or some other VPN service that puts you back in on your LAN.

This is a free VPN that your system hosts.

The paid VPNs are for masking your IP address for illegal streaming and porno.

You are not hiding your IP address, rather you are VPNing back into your home network, similar to what many do when they VPN to their employer system.