VLAN vs Dual Nic

skjom

Young grasshopper
Joined
Jul 3, 2015
Messages
88
Reaction score
4
So have been reading the cliff notes and playing around with blue Iris on dual Nic machine , also setting up remote access via Open VPN on an Asus router.

One thing is not very clear to me and that is the pros and cons of vlan on switch for blue Iris or just use dual Nic. I used to be CCNA certified so would like to think half way competent on switch side.

Pro of a dual NIC:
Simple
Cheaper
Less error prone

Cons:
If PC or components go down entire system is offline

For a Vlan I would think it's more complicated to set up but if a PC component fails u can still access your devices.

What do folks go for with Blue Iris?

My use case is access at home via app on phone or seperately with laptop.

Access remotely via phone with VPN active
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
More about the flexibility provided by a virtual approach vs hard-wired. Two simple LAN segments are easy enough to do with either. But beyond that the VLAN can do a lot more and do it easier, faster, on the fly without physical network adds/changes, etc. Either works for basic purposes. Neither really are security solutions in and of themselves. VLANs can be hopped or otherwise compromised. Physical networks jumped where they aggregate. But unlikely on a home network and good enough for purposes of segregating cams. Usually little to no redundancy and lots of potential points of failure on a home network so don't know that I'd put a lot of weight on that aspect either way.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
I used a dual nic. It keeps the traffic and hardware completely separate. The Netflix video streaming, games and other home traffic do not impact the security cameras. I prefer keeping everything separate, it is much easy for me to debug. The primary disadvantage is more wire runs, other than cell phones and tablets everything is hardwired. I do not like wifi at all.
 

skjom

Young grasshopper
Joined
Jul 3, 2015
Messages
88
Reaction score
4
More about the flexibility provided by a virtual approach vs hard-wired. Two simple LAN segments are easy enough to do with either. But beyond that the VLAN can do a lot more and do it easier, faster, on the fly without physical network adds/changes, etc. Either works for basic purposes. Neither really are security solutions in and of themselves. VLANs can be hopped or otherwise compromised. Physical networks jumped where they aggregate. But unlikely on a home network and good enough for purposes of segregating cams. Usually little to no redundancy and lots of potential points of failure on a home network so don't know that I'd put a lot of weight on that aspect either way.
Thanks ,

The thing that slightly bothers me on dual Nic is the CAMs are so dependant on the PC itself. But same could be argued about the switch and other components as you rightly say and the blue Iris PC is doing recording so it should be set up with UPS and made reliable either way I guess.

I'm assuming with VLAN approach. I'd get a L2 managed switch and the Asus Router would control the routes between the two LAN segments. So it would allow my home devices get onto the blue Iris lan in controlled way when the Vlans do need to talk.Need to see how the Asus does that.

Do folks use L3 switches for their cameras and do routing off that?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Thanks ,

The thing that slightly bothers me on dual Nic is the CAMs are so dependant on the PC itself. But same could be argued about the switch and other components as you rightly say and the blue Iris PC is doing recording so it should be set up with UPS and made reliable either way I guess.

The way typically done with the BI server being everything in a single machine you're pretty much completely dependent on it anyway so...

I'm assuming with VLAN approach. I'd get a L2 managed switch and the Asus Router would control the routes between the two LAN segments. So it would allow my home devices get onto the blue Iris lan in controlled way when the Vlans do need to talk.Need to see how the Asus does that.

Do folks use L3 switches for their cameras and do routing off that?
Not sure what the Asus can do as far as VLANs with the OEM firmware. I've not played with that. Apparently it can do some things with Merlin. Yes, in my case I use a couple of L2/L3 managed switches and that's where I segment things, the router isn't involved other than just as the gateway in/out for the overall network.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
I am in the process of trying to set this up. I have a dual NIC BI machine I am going to try to setup and then later vlans using this setup that @catcamstar came up with to help me with my network to setup vlans:


I really hope to gain enough knowledge to do a step by step guide to setting this up. I have not seen one yet.

From what I was reading you cannot setup vlans with just asus router. You would need a l2/3 managed switch.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I am in the process of trying to set this up. I have a dual NIC BI machine I am going to try to setup and then later vlans using this setup that @catcamstar came up with to help me with my network to setup vlans:


I really hope to gain enough knowledge to do a step by step guide to setting this up. I have not seen one yet.

From what I was reading you cannot setup vlans with just asus router. You would need a l2/3 managed switch.
Affirmative, as many of the ASUS routers have multiple chipsets, so that not all wired ports are "daisy chained" to the wifi chipset, means that the implementation of vlans is not working (well). You càn configure them, but only limited ports, and excluding all wifi traffic. Plus all changes are "volatile", so you need to manipulate the back-end of this wonderful router...

That's why one would indeed some L2/L3 switching/routing being capable of (properly) handling vlans. I propose the ER-X as "main" router (which is for good reasoning) called Egderouter. It is able to define the vlans, and create (enough) uplinks towards managed switch(es), either in Physical port tagging or vlan trunking. You have couple of ethernet ports free to construct whatever setup you have in mind. In the drawing above, the ASUS is put in one separate vlan, so wifi devices can still work on your network. Within the ER-X, you define the "rules" of "who can talk to who", basically firewall rules to open up restrictions (eg can my cams contact the internet). Your downstream devices (especially the switch) need to be "managed" to be able to use more than one vlan in that switch. To rephrase: if you would "connect" 1 vlan in an unmanaged switch, all the (8/16/24) ports end in that vlan. It's an all-or-nothing case. With an ER-X, you could potentially put 2 unmanaged switches underneath 2 physical ports on the ER-X in 2 different vlans, but if you would have spare ports on any of these switches, you can never re-configure them to another vlan/network. And for the price of 2 unmanaged switches you can have a decent managed switch. Having real L2/L3 switch in your network can provide the same capabilities, but at a bit higher price range.

Hope this helps!
CC
 

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
939
Location
CT
I use Ubiquiti network gear and created VLANS for the cameras and BI. Works well. Dual-NIC versus VLAN comes down to personal preference, cost and complexity. Either would work well, go with what you are more comfortable supporting. If you start off with the Dual-NIC method, you can always change it later on down the road.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
I use Ubiquiti network gear and created VLANS for the cameras and BI. Works well. Dual-NIC versus VLAN comes down to personal preference, cost and complexity. Either would work well, go with what you are more comfortable supporting. If you start off with the Dual-NIC method, you can always change it later on down the road.
dual nic is what I am doing now and then down road the er-x/managed setup with vlans. It seems more secure. Do you have a step by step how you setup your dual-nic. I have this so far:
How to Enable DHCP in Windows 10
 

skjom

Young grasshopper
Joined
Jul 3, 2015
Messages
88
Reaction score
4
@TL1096r you seem to be at similar position to me , @catcamstar advice on Asus has prob saved me time messing around trying to get it set up with VLANs.
Very helpful
 

skjom

Young grasshopper
Joined
Jul 3, 2015
Messages
88
Reaction score
4
I use Ubiquiti network gear and created VLANS for the cameras and BI. Works well. Dual-NIC versus VLAN comes down to personal preference, cost and complexity. Either would work well, go with what you are more comfortable supporting. If you start off with the Dual-NIC method, you can always change it later on down the road.
Do you have a ubiquiti router and have the cams, BI Pc in one VLAN with the other home devices in another VLAN or how do you have your set up?
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Do you have a ubiquiti router and have the cams, BI Pc in one VLAN with the other home devices in another VLAN or how do you have your set up?
@TL1096r you seem to be at similar position to me , @catcamstar advice on Asus has prob saved me time messing around trying to get it set up with VLANs.
Very helpful
yes many people want to add a bit more security but very new. I have been speaking with catcamstar for weeks and he has giving me a lot of advice. I am trying to compress it into a small DIY for others. I get stuck on small things myself.
Here are some steps I found and some info catcam has giving me.

- NIC1: connect to your ISP network, put in DHCP - and get an 192.168.x.x address
- NIC2: connect to your POE CAM network, put in static ip: 10.0.0.1 for example
- configure your cams on fixed IPs (from the BI pc) to 10.0.0.100, 10.0.0.101, 10.0.0.102 and so on.

How to Enable DHCP in Windows 10

----

Go into Control Panel and edit the properties of the 2nd NIC to assign it an IP address and subnet mask. For example, you could make it 192.168.80.10 with a subnet mask of 255.255.255.0. All of your cameras will need to be on the same network as the PC, so they could use 192.168.80.20, 192.168.80.21, etc. with the same subnet mask. You can leave the gateway and DNS entries blank. I'm assuming the 2nd NIC is solely for connecting to an isolated network containing your cameras which do not need Internet access.

My goal is to make sure cams never speak to internet so a bit less worries and then setup vlans in future with more er-x/managed switch.
 

IAmATeaf

Known around here
Joined
Jan 13, 2019
Messages
3,287
Reaction score
3,252
Location
United Kingdom
I’ve gone for dual LANs on my BI PC and have the cam network wired separately to the rest of my home network. I also have a fully managed switch so can also create VLANs if needed.

In terms of reliability if the BI PC develops a fault, dependant upon the fault it could take out your cams or access to your cams in either config, don’t understand why in a VLAN config the BI system would still work?
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
I’ve gone for dual LANs on my BI PC and have the cam network wired separately to the rest of my home network. I also have a fully managed switch so can also create VLANs if needed.

In terms of reliability if the BI PC develops a fault, dependant upon the fault it could take out your cams or access to your cams in either config, don’t understand why in a VLAN config the BI system would still work?
In what way? Failure of hardware or someone hacking into BI machine? I have backup to my BI server computer so can easily fix if someone dies. But hacking not sure.. just using windows firewall. Connecting through stunnel right now but will setup vpn with asus in future.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
Neither really are security solutions in and of themselves
I disagree here, I am 100% certain my cameras which are on a physically separate network and ONLY connected to the Blue Iris machine using a dedicated NIC, cannot "phone home" or become stepping off points for hacker attacks. They cannot physically talk to anywhere in the world except that one lone Blue Iris machine, and no one in the world but the Blue Iris machine can talk to them. The OP mentions "what if the PC goes down" which I would argue is your primary security recorder, so unless you are recording to the SD cards as backup, you would be out of luck anyhow, and if you are recording to local SD card, then you would have the recordings for that period anyhow. I guess he means he could access the camera streams from a mobile device even if his Blue Iris PC gets hacked, but I don't think that is the primary security risk so much as the cameras firmware.

The simplicity of that dual-nic configuration is a 8th grader could set it up and not give the cameras access to their masters in China/wherever. It takes an extra switch (instead of a Managed POE switch a dumb POE switch for just the cameras) and it requires an extra $20 NIC. Basically compared to the proposed configuration, its like $20 more.

For anyone that wants to Keep It Simple: ISP ----- ASUS Router ----- PRIMARY SWITCH ------ BI PC ------- POE SWITCH ------ CAMS
 

Serodgers

Getting the hang of it
Joined
Dec 17, 2018
Messages
74
Reaction score
51
Location
PC FL
I use Ubiquiti network gear and created VLANS for the cameras and BI. Works well. Dual-NIC versus VLAN comes down to personal preference, cost and complexity. Either would work well, go with what you are more comfortable supporting. If you start off with the Dual-NIC method, you can always change it later on down the road.
Same here. Ubiquity ER-POE router and a ES‑24‑250W poe switch. VLAN setup for 8 of the available 24 ports just for BI IPCams. I have other VLANs to keep things organized and more secure.


Sent from my iPad using Tapatalk
 

skjom

Young grasshopper
Joined
Jul 3, 2015
Messages
88
Reaction score
4
I disagree here, I am 100% certain my cameras which are on a physically separate network and ONLY connected to the Blue Iris machine using a dedicated NIC, cannot "phone home" or become stepping off points for hacker attacks. They cannot physically talk to anywhere in the world except that one lone Blue Iris machine, and no one in the world but the Blue Iris machine can talk to them. The OP mentions "what if the PC goes down" which I would argue is your primary security recorder, so unless you are recording to the SD cards as backup, you would be out of luck anyhow, and if you are recording to local SD card, then you would have the recordings for that period anyhow. I guess he means he could access the camera streams from a mobile device even if his Blue Iris PC gets hacked, but I don't think that is the primary security risk so much as the cameras firmware.

The simplicity of that dual-nic configuration is a 8th grader could set it up and not give the cameras access to their masters in China/wherever. It takes an extra switch (instead of a Managed POE switch a dumb POE switch for just the cameras) and it requires an extra $20 NIC. Basically compared to the proposed configuration, its like $20 more.

For anyone that wants to Keep It Simple: ISP ----- ASUS Router ----- PRIMARY SWITCH ------ BI PC ------- POE SWITCH ------ CAMS
What's the purpose of the primary switch here - is it just for expansion or other household devices?

The Asus router I would imagine have 4 ports on board , so the BI PC could connect directly to that ?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I disagree here, I am 100% certain my cameras which are on a physically separate network and ONLY connected to the Blue Iris machine using a dedicated NIC, cannot "phone home" or become stepping off points for hacker attacks. They cannot physically talk to anywhere in the world except that one lone Blue Iris machine, and no one in the world but the Blue Iris machine can talk to them. The OP mentions "what if the PC goes down" which I would argue is your primary security recorder, so unless you are recording to the SD cards as backup, you would be out of luck anyhow, and if you are recording to local SD card, then you would have the recordings for that period anyhow. I guess he means he could access the camera streams from a mobile device even if his Blue Iris PC gets hacked, but I don't think that is the primary security risk so much as the cameras firmware.

The simplicity of that dual-nic configuration is a 8th grader could set it up and not give the cameras access to their masters in China/wherever. It takes an extra switch (instead of a Managed POE switch a dumb POE switch for just the cameras) and it requires an extra $20 NIC. Basically compared to the proposed configuration, its like $20 more.

For anyone that wants to Keep It Simple: ISP ----- ASUS Router ----- PRIMARY SWITCH ------ BI PC ------- POE SWITCH ------ CAMS
Your IPC's are indeed "safe", however if you would like to configure a cam (eg through smartpss), you are "forced" to install that on the BI pc, or you would have to install OpenVPN on your BI pc to that you can "remotely" connect to your BI pc to extend your network into that "POE Switch" network. You could potentially "open up" ports on your BI pc to reach that IPC, however you are undermining your "safe network setup". I already had to use dahua tool couple of times to fetch/recover a crashed cam, that is only doable on your BI pc. Hence the implementation of vlans is maybe more difficult, it provides the same level of "security" but with much more flexibility (eg you can define which device talks with which other). But more complex and bit more expensive too.

Hope this helps!
CC
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
The Asus router I would imagine have 4 ports on board , so the BI PC could connect directly to that ?
Just consider that “rest of your home network”, I just didn’t know anyone that only had 3 other network devices (after all the BI PC would connect to one port of four available).

But more complex and bit more expensive too.
I know, I have been exploring VLANs as well because I need a way to separate traffic coming into my new Ubiquity AP to keep IoT and guest devices separate from AV devices and somehow make sure our mobile phones can still reach multiple types of devices on the network (like Chromecasts are hard to setup unless they are on the same LAN so are EasyESP IoT devices which auto lock any device not from the same LAN).

I am using RADIUS server to auto-login IoT devices and also put each device on the correct VLAN, but still working through the complexity it brings. I also know from some research that the OP will face challenges using that ASUS router to implement his VLAN solution, so that will make his whole configuration more expensive (MANAGED switch vs UNMANAGED, MANAGED POE vs dumb POE, as well as replacing the ASUS router with a VLAN aware router which supports VPN) these are all going to cost OP more $.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Just consider that “rest of your home network”, I just didn’t know anyone that only had 3 other network devices (after all the BI PC would connect to one port of four available).
Some people start small :) My first setup was plain simple too: ISP - ASUS - port1: NAS, port2: NVR, port3: alarm, port4: domotica. All other devices (mediaplayer, printer, iOT stuff, it went all on (guest)WiFi. I have to admit, my NVR is one with 16POE port, which does, indeed, reflect on a dual-NIC BI pc (but with integrated POE switch). But like I wrote in the other thread: ASUS (and especially my AC87U) was able to do some vlan stuff, but very unreliable and hyper complex (some ports did, some not, and firewalling was .. a mess). That's why I decided to go for "full" vlan capability, simply put: an ER-X in the place of the ASUS, but ASUS still provides the Wifi access all around, but one additional managed switch provides now physical port vlan access and port trunking for more creative access solutions. Intervlan routing is performed on the ER-X.

I am using RADIUS server to auto-login IoT devices and also put each device on the correct VLAN, but still working through the complexity it brings. I also know from some research that the OP will face challenges using that ASUS router to implement his VLAN solution, so that will make his whole configuration more expensive (MANAGED switch vs UNMANAGED, MANAGED POE vs dumb POE, as well as replacing the ASUS router with a VLAN aware router which supports VPN) these are all going to cost OP more $.
Indeed, and that would also be my advice: write down WHAT you want to achieve, HOW you want to achieve it, take into account the dollars, and at least (try to) make a network diagram. If you are not able to simply draw a physical AND a logical network topology, then you know this job may a bit too high for you, and you ask for help. Setting a static IP on a pc is the least that should be accomplished. Especially on building firewall rules: if you do not know what you are doing, you can simply lock yourself out of your own network. Setting up OpenVPN is a mandatory task for an IPCam addict, also here you should know networking basics.
Networks evolve, just like mine did, but in the end, an ER-X ($50) was not a sunk cost, the managed switch I could buy for a bargain at an auction, but adding these two devices to the network opened a lot of flexibility (but increased complexity).
Hope this helps everyone out!
CC
 
Top