Who knows networking? How can I keep my new NVR separate from personal network?

Discussion in 'NVR's, DVR's & Computers' started by supremekizzle, Jul 23, 2016.


  1. supremekizzle

    supremekizzle n3wb

    Joined:
    Jul 20, 2016
    Messages:
    26
    Likes Received:
    2
    I'd like to keep my new NVR and camera separate from my personal network. It's not a concern for speed, it's just to keep my personal network safe from malware or other attacks. How is this accomplished? Are there ways to partition off my router? Thanks
     
  2. tomw

    tomw Getting the hang of it

    Joined:
    Nov 30, 2015
    Messages:
    104
    Likes Received:
    21
    Yes. This is easily doable...but, you'll need a router/firewall (and switch if you use vlans) that is capable of it.

    I ran something like this on a DD-WRT wrt54G where I physically segregated the ports (with some command line magic) then went to a pfsense implementation where I segregate using vlans (much easier).

    What router and switch do you have? Do they both support vlans?
     
    supremekizzle likes this.
  3. supremekizzle

    supremekizzle n3wb

    Joined:
    Jul 20, 2016
    Messages:
    26
    Likes Received:
    2
    I have an Asus ac68u. I don't have a switch. What switch do you mean?
     
  4. supremekizzle

    supremekizzle n3wb

    Joined:
    Jul 20, 2016
    Messages:
    26
    Likes Received:
    2
    I did a little more reading. My router is running merlin custom firmware. Turns out that I'll need to flash tomato to get vlan functionality. I can then dedicate one LAN port as a vlan (I think) this will be the one I use to connect my NVR. I saw smart switch mentioned, is this the switch you're referencing? I don't think I need one, but I don't fully comprehend most of the projects I undertake. Lol. Please correct me where needed. :)
     
  5. Akoya

    Akoya n3wb

    Joined:
    Jul 9, 2016
    Messages:
    3
    Likes Received:
    1
    Agree this can be done with vlans on routers, I personally run pfsense, but I think ddwrt is capable too. I have heard great things about the new Ubiquiti router though which I think for the money, is the single best solution for network isolation in a home setting, and there is room for another vlan for internet of things devices. I have not purchased this and have no first hand experience, I am very close to buying it though. :)

    Ubiquiti EdgeRouter X Advanced Gigabit Ethernet Routers ER-X 256MB Storage 5 Gigabit RJ45 ports

    https://www.amazon.com/Ubiquiti-Edg...F8&qid=1469406532&sr=8-1&keywords=edge+router
     
    supremekizzle likes this.
  6. supremekizzle

    supremekizzle n3wb

    Joined:
    Jul 20, 2016
    Messages:
    26
    Likes Received:
    2
    That is pretty nice. Affordable too. If I had a more robust network I think I'd grab something like that, but my 4 channel NVR with 1 cam will do fine on a vlan on my existing router, I think. I'll look into that other firmware you mentioned too. I've always heard of ddwrt so I could look into how that compares to tomato. Thanks for all the help :)
     
  7. Akoya

    Akoya n3wb

    Joined:
    Jul 9, 2016
    Messages:
    3
    Likes Received:
    1
    On second thought, just adding any old router to your current setup would allow you the isolation you are after. Any additional router within your network could be assigned its own subnet, and I don't think you need gigabit for cameras just yet...
     
  8. jdougal

    jdougal n3wb

    Joined:
    Jul 24, 2016
    Messages:
    25
    Likes Received:
    0
    What are the best common practices as far as setting up your IP network? I would like to keep it secure, however I would also like the convenience of using apps like TinyCam when away.

    I currently have a wired network with 3 of 4 ports filled on my router (Asus RT-ac56u). My basement is also wired into a 8 port switch, which is then fed into one of the ports in the router. Is it even possible to secure my NVR and have it connected to the router for internet feeds?
     
  9. supremekizzle

    supremekizzle n3wb

    Joined:
    Jul 20, 2016
    Messages:
    26
    Likes Received:
    2
    I'm pretty sure you can set up a vlan and then create a VPN that is accessible from outside the network with ip cam apps. I have a very rudimentary understanding of all of this and am learning as I go, so don't take my word for it.
     
  10. tomw

    tomw Getting the hang of it

    Joined:
    Nov 30, 2015
    Messages:
    104
    Likes Received:
    21
    What I would do (and have done) is:
    1: Run separate vlans for Cam lan and home lan (though home lan does not need to be a vlan)
    2: Set firewall rule(s) that blocks Cam vlan from accessing the home lan and only allows it to connect to the internet
    3: Set firewall rule that allows homeLan to access Cam lan (and internet), which allows people on the home lan to access the cams.
    4: Setup a VPN that enables you to connect into your home lan from the internet so you can access the cams as if you were at home.

    Profit.

    Others will have other solutions.
     
  11. supremekizzle

    supremekizzle n3wb

    Joined:
    Jul 20, 2016
    Messages:
    26
    Likes Received:
    2
    Thanks x1000000. No one has laid it out this thoroughly yet this simple to understand. I have even asked on networking forums. Most people assume that other people already know networking, which I don't. Thank you!
     
  12. Jagradang

    Jagradang n3wb

    Joined:
    Aug 10, 2017
    Messages:
    15
    Likes Received:
    2
    This is exactly what I was thinking of doing in my setup. Thanks for laying it out so nicely. Now just need to figure out if my Asus ac68u can do this!

    Did anyone ever figure out if this works on the Asus router?

    Sent from my SM-G935F using Tapatalk
     
  13. DavidDavid

    DavidDavid Pulling my weight

    Joined:
    Jan 29, 2017
    Messages:
    492
    Likes Received:
    193
    Location:
    Ohio
    I would actually block the cams from accessing the internet as well. No need for it if you have VPN and more secure.
     
  14. Jagradang

    Jagradang n3wb

    Joined:
    Aug 10, 2017
    Messages:
    15
    Likes Received:
    2
    My nvr would be on the same cam LAN so I would still want to open one port forward so I can use the mobile app without having to setup vpn on mobile but yeah disable all cams from accessing Internet

    Sent from my SM-G935F using Tapatalk
     
  15. DavidDavid

    DavidDavid Pulling my weight

    Joined:
    Jan 29, 2017
    Messages:
    492
    Likes Received:
    193
    Location:
    Ohio
    I would also block the NVR from the internet and use a VPN to securely connect and view cams from phone.

    It's really not that hard....
    VPN Primer for Noobs
     
  16. Jagradang

    Jagradang n3wb

    Joined:
    Aug 10, 2017
    Messages:
    15
    Likes Received:
    2
    Well it depends on your internet speeds and router power. Last time I tried openvpn it was so dog slow I couldn't even stream a low bit rate Mp3 so I doubt video would ever have worked. Not tried it on my new router but worth a shot.

    Sent from my SM-G935F using Tapatalk
     
  17. DavidDavid

    DavidDavid Pulling my weight

    Joined:
    Jan 29, 2017
    Messages:
    492
    Likes Received:
    193
    Location:
    Ohio
    Not sure how much the router plays into it, but I would think any router in the past 5 years or so would work fine.
    I think upload internet speed is the biggest consideration. I've got 1Mbps upload and it's slow. But definitely not unusable. I stream music from my NAS all the time. And have no issues with the camera feeds.
     
  18. hostileharry

    hostileharry n3wb

    Joined:
    Feb 27, 2017
    Messages:
    11
    Likes Received:
    1
    I just got my pfSense box setup and plan on doing something similar... now to just figure out how the hell to do all this. I was thinking about just putting the Cam + Blue Iris PC on its own interface and subnet, but this should be easier.

    Did you use pfSense to complete this? If so, do you have a recommended step by step?
     
  19. moelassus

    moelassus n3wb

    Joined:
    Sep 14, 2017
    Messages:
    3
    Likes Received:
    2
    Location:
    Missouri
    I use pfSense in the same fashion. I have a dedicated VLAN for my NVR and cameras. In pfSense I've labeled that interface as CCTV (VLAN 100). In the firewall rules I allow communication from the secure network to the CCTV network on TCP port 443 and 8000 only, which allows me to communicate with my NVR. I disallow communication from the CCTV network to the LAN. I also block access to the router interface on the CCTV network for security reasons. For mobile access I've configured pfSense as an OpenVPN Server (just run the OpenVPN Server Wizard). I can then VPN into my network and run the mobile app to view my cameras (be sure to default to a low res sub stream or you'll melt your phone).

    For a great series of tutorials on configuring pfSense, check out Mark Furneaux's excellent series.

    VLANs offer a lot of flexibility but they can be very confusing to a non-technical person. You can avoid the complexity of VLANs by getting a four port pfSense box. I personally use Protectli appliances. They are fanless and work great. I have multiple 8MP cameras and I can use Live View at full resolution from my desktop and the pfSense box doesn't break a sweat.

    Moe
     
    hostileharry and DavidDavid like this.
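
The rule layout from tomw's steps and moelassus's pfSense post, modelled as an added example (not part of any post in this thread) so the rule order can be checked before it is entered into a firewall. The subnets, host addresses and probe flows are constructed assumptions; only VLAN "CCTV" and TCP ports 443 and 8000 come from the thread.

```python
import ipaddress as ip

# Assumed addressing (constructed; the thread only gives the CCTV VLAN and ports 443/8000).
LAN, CCTV = ip.ip_network("192.168.0.0/24"), ip.ip_network("192.168.1.0/24")
ROUTER_ON_CCTV = ip.ip_network("192.168.1.1/32")
ANY = ip.ip_network("0.0.0.0/0")

def build_rules(cams_reach_internet=False):
    """Rules as (ingress interface, action, proto, src, dst, dst ports or None=any)."""
    rules = [
        ("LAN", "pass", "tcp", LAN, CCTV, {443, 8000}),        # ports named in the post
        ("LAN", "block", "any", LAN, CCTV, None),              # nothing else into the CCTV net
        ("LAN", "pass", "any", LAN, ANY, None),                # normal home internet access
        ("CCTV", "block", "any", CCTV, ROUTER_ON_CCTV, None),  # router admin interface
        ("CCTV", "block", "any", CCTV, LAN, None),             # cams never open connections to LAN
    ]
    if cams_reach_internet:  # must stay after the two block rules: first match wins
        rules.append(("CCTV", "pass", "any", CCTV, ANY, None))
    return rules

def decide(rules, iface, proto, src, dst, dport):
    """First matching rule on the ingress interface wins; no match means block.
    Models new connections only: replies ride on firewall state, not on rules."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for r_if, action, r_proto, r_src, r_dst, ports in rules:
        if (r_if == iface and r_proto in ("any", proto) and src in r_src
                and dst in r_dst and (ports is None or dport in ports)):
            return action
    return "block"

# Constructed probe flows: (iface, proto, src, dst, dport, expected decision)
PROBES = [
    ("LAN", "tcp", "192.168.0.10", "192.168.1.20", 443, "pass"),
    ("LAN", "tcp", "192.168.0.10", "192.168.1.20", 8000, "pass"),
    ("LAN", "tcp", "192.168.0.10", "192.168.1.20", 23, "block"),
    ("CCTV", "tcp", "192.168.1.20", "192.168.0.10", 445, "block"),
    ("CCTV", "tcp", "192.168.1.20", "192.168.1.1", 443, "block"),
]

def audit(rules):
    """Return the probes whose decision differs from the expected one."""
    return [p for p in PROBES if decide(rules, *p[:5]) != p[5]]

if __name__ == "__main__":
    for internet in (False, True):
        print("cams_reach_internet =", internet, "violations:", audit(build_rules(internet)))
```

Moving the CCTV-to-any pass rule above the two CCTV block rules makes `audit` report both CCTV probes as violations, which is the ordering mistake this layout is most prone to.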
  20. Jagradang

    Jagradang n3wb

    Joined:
    Aug 10, 2017
    Messages:
    15
    Likes Received:
    2
    Does the phone get very hot when using vpn and streaming cameras? That'll be quite a big trade off if you have to use low res settings?

    Sent from my SM-G935F using Tapatalk
     
  21. moelassus

    moelassus n3wb

    Joined:
    Sep 14, 2017
    Messages:
    3
    Likes Received:
    2
    Location:
    Missouri
    My iPhone 6s gets warm but more importantly, viewing at high res decimates battery life. If I'm live viewing the high res stream or doing high res Playback, I can almost watch my battery count down. It's pretty awful. It doesn't have anything to do with VPN. The same problem occurs when I'm on the local LAN.

    Other phones might handle it better/differently but this is my experience. The Hik mobile apps are pretty awful and I prefer to use my laptop for remote viewing.
     
  22. ztm

    ztm n3wb

    Joined:
    Jun 23, 2017
    Messages:
    5
    Likes Received:
    1
    If your NVR has built-in PoE ports then it's done. Use them. It's the simplest solution.
    If not put another router (and switch if needed) after your recent one. But this solution was mentioned by Akoya as well. Let's say your LAN is now 192.168.0.xxx. The new router and NVR and IP cams will be in 192.168.1.xxx. Plug your NVR and cams onto this network. And all your CCTV traffic is separated from your current network. Of course some port forwarding must be done to get it working.
     
  23. DavidDavid

    DavidDavid Pulling my weight

    Joined:
    Jan 29, 2017
    Messages:
    492
    Likes Received:
    193
    Location:
    Ohio
    Interesting about the phones heating up. I've got a Moto Z Play (android on Verizon) and I've watched the full resolution video for more than I'd say 5-10 minutes on a few occasions and my phone does not heat up any more than any other program that has the screen on constantly.

    Oh and I use Tasker to switch TinyCam between full resolution and low bandwidth mode depending on if I'm at home or not. If I didn't have shitty internet speeds at home (1mb/s upload) I'd have it full resolution all the time.