Using dedicated Network Card / Adapter to isolate cameras from Internet?

oceanslider
Posts: 21
Joined: Mon Dec 23, 2019 12:05 am

Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by oceanslider »

I would like to learn about using a dedicated Network Card / Adapter to isolate my IP Cameras from talking directly to the internet.

Is anyone here doing this, willing to explain how they set it up?
Dedicated Blue Iris 5 PC : HP ProDesk i5-8500, 8gb RAM, 256gb M.2 SSD(for BI and Windows 10), 8tb drive shucked from WD EasyStore.
Two cameras so far: one IPC-HDW5231R-ZE and one IPC-T5442TM-AS, eventually looking to have about 6 or 7 cameras.
HeneryH
Posts: 721
Joined: Thu Jul 18, 2019 2:50 pm

Re: Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by HeneryH »

I think folks now use virtual networks using modern routers to isolate subnets but I am not 100% sure. Maybe research virtual nets.
oceanslider
Posts: 21
Joined: Mon Dec 23, 2019 12:05 am

Re: Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by oceanslider »

But then I would need to buy another router. I have an ASUS RT-AC68U flashed with Merlin, but there is no way to create a VLAN with this router. It is a good router and I have OpenVPN set up on it for remote viewing.

There should be a way to set up a dedicated Network Adapter for just my IP Cams. But I'm not super network savvy. I could do it if I had instructions or a video tutorial.
ctfjr
Posts: 40
Joined: Mon Oct 14, 2019 5:43 pm

Re: Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by ctfjr »

This may not help if you are set on a 2nd network card but it lets you know what other options there are.

I'm using a Ubiquiti system here and it's very easy to deny internet access to any individual client or group of clients by creating a 'rule'.
HeneryH
Posts: 721
Joined: Thu Jul 18, 2019 2:50 pm

Re: Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by HeneryH »

If you want a separate physical network, you'd need a separate router to do the routing on that second network, wouldn't you? Really not sure, just asking.
SolarEclipse
Posts: 15
Joined: Fri Jun 28, 2019 2:31 pm

Re: Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by SolarEclipse »

I used to use Network Services Filter on my old ASUS (non-Merlin) to block internet access from my cameras.
I don't know if Merlin supports the same or not.
MikeBwca
Posts: 1115
Joined: Thu Jun 20, 2019 5:39 am

Re: Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by MikeBwca »

HeneryH wrote: Sun Jan 19, 2020 11:50 pm If you want a separate physical network, you'd need a separate router to do the routing on that second network, wouldn't you? Really not sure, just asking.
That's what I did because I have 1 wireless camera, as well as several wired cameras. I have the router use DHCP on the 2nd nic for that subnet. Worked well. It isolated my 'camera network' from the internet, and, from my normal use network.

BI could see cameras on both networks.
thatsunpossible
Posts: 1
Joined: Fri Jan 24, 2020 10:07 am

Re: Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by thatsunpossible »

oceanslider wrote: Sat Jan 18, 2020 10:02 pm I would like to learn about using a dedicated Network Card / Adapter to isolate my IP Cameras from talking directly to the internet.

Is anyone here doing this, willing to explain how they set it up?
Create a rule in your router's firewall to deny access to the internet for each camera. Setup is different for every router, but if your router allows you to create firewall rules, this is by far the simplest way to do what you want to do.
TimG
Posts: 2391
Joined: Tue Jun 18, 2019 10:45 am
Location: Nottinghamshire, UK.

Re: Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by TimG »

But then I would need to buy another router. I have an ASUS RT-AC68U flashed with Merlin, but there is no way to create a VLAN with this router. It is a good router and I have OpenVPN set up on it for remote viewing.

There should be a way to set up a dedicated Network Adapter for just my IP Cams. But I'm not super network savvy. I could do it if I had instructions or a video tutorial.
I know it's an old thread, and you have probably sorted this by now, but:

1. I have an Asus RT-AC86U router running Merlin firmware.
2. I have a second NIC on the BI5 pc just for my cams.
3. I have a PoE ethernet switch plugged into the second NIC, and the IP cams are plugged in to that.
4. I do NOT have a second router connected between the cams and the second NIC.
5. The NIC and the cams all have static IPs.
6. I have OpenVPN running on the RT-AC86U for remote server access and BI viewing.

Simples :lol:
Forum Moderator.
Problem ? Ask and we will try to assist, but please check the Help file.
Matts1984
Posts: 496
Joined: Fri Apr 10, 2020 1:12 pm
Location: Maryland, USA

Re: Using dedicated Network Card / Adapter to isolate cameras from Internet?

Post by Matts1984 »

Yes so this definitely all comes down to design choice, budget (though trust me, I don't like spending a dime!), and what functionality you'd like.

You can certainly add a second NIC to your BI server. Give that interface a static IP address (different subnet than your "regular" network) and make sure NOT to give it a default gateway. That interface should then go to either your one camera directly or to a network switch that isn't connected to your regular network**. You can configure your BI system to do DHCP or some other complicated setup but as TimG noted, it's easiest (and in my opinion preferred) to just also give your camera(s) static IPs, again no default gateway - because there isn't one! At that point, your secondary BI NIC and the cameras are all on the same subnet, can talk directly with absolute minimal latency (no layer 3 hops), and no default gateway to be able to talk to another network - including the Internet. The catch is that you won't be able to directly access the cameras from a system other than your BI server. This may be fine but a consideration if you need to do firmware updates, etc. Also, IF your cameras need to use NTP (network time protocol) to ensure current overlay timestamps, that wouldn't work.

If you have a router/firewall that can do any sort of rules, you should be able to keep a single flat network and just block outbound traffic from the cameras. Again consider if you want to block ALL outbound traffic or still allow NTP (udp/53) for time (you likely also need to permit DNS (udp/53) so that it can resolve the name of an NTP server). From a paranoid security perspective, this does technically still leave you vulnerable to lateral movement though, which is why having an isolated, completely cut off VLAN for just cameras is most ideal. I have done packet captures on my cameras and can say you absolutely do not want them to have wide open outbound access!! In fact, for my cameras I configure my firewall to be the DNS server of the cameras and then while I cannot force the cameras to use my NTP server, I translate their traffic to redirect to my firewall for NTP - the result being they never do go to the Internet.

Sorry for what could be overload. Happy to break that down more if anyone cares or followed what I said :D . I lay in bed awake at night thinking about changes I can make to my environment!

**Technically it could be a switch on multiple networks and it SHOULD isolate subnets ok but you could be setting yourself up for some headaches plus if you're isolating anyway, why not actually isolate.
Blue Iris 5.9.4.x | Server 2022 VM | Xeon E5-2660 v3 @ 2.60GHz - 16 Cores | 24GB RAM | 8TB RAID | Sophos UTM WAF | Mostly various SV3C Cameras
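
Added example (not part of any post in this thread): the second-NIC setup described by TimG and Matts1984, applied on the Windows PC running Blue Iris and then checked. The adapter alias `Cameras` and the 192.168.50.0/24 addressing are assumptions chosen for illustration; run it from an elevated PowerShell prompt.

```powershell
# Assumed values, not taken from the thread: adjust to your own adapter and subnet.
$Alias  = 'Cameras'        # hypothetical name of the second NIC (see Get-NetAdapter)
$NicIp  = '192.168.50.1'   # constructed static address for the BI PC on the camera subnet
$Prefix = 24               # 255.255.255.0

# Static addressing only: turn DHCP off on this adapter.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled

# Remove any default route left over from an earlier configuration.
Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# Assign the static address. -DefaultGateway is deliberately omitted, so the
# adapter has no route to anything outside the camera subnet.
if (-not (Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $NicIp -ErrorAction SilentlyContinue)) {
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $NicIp -PrefixLength $Prefix | Out-Null
}

# No DNS servers on the camera adapter; name resolution stays on the LAN adapter.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses

# Keep Windows from forwarding packets between the camera NIC and the LAN NIC.
Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Forwarding Disabled

# --- Checks ---
# 1. The camera adapter must have no default route.
$gw = Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($gw) { Write-Warning "Default route still present on '$Alias'" }
else     { Write-Output  "OK: no default gateway on '$Alias'" }

# 2. No IPv4 interface on this PC should have forwarding enabled.
$fwd = Get-NetIPInterface -AddressFamily IPv4 | Where-Object Forwarding -eq 'Enabled'
if ($fwd) { Write-Warning ("Forwarding enabled on: " + ($fwd.InterfaceAlias -join ', ')) }
else      { Write-Output  'OK: IP forwarding is disabled on all IPv4 interfaces' }

# 3. Show the resulting routes for the camera adapter (expect only on-link entries).
Get-NetRoute -InterfaceAlias $Alias -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric
```

Each camera is then given its own static address in the same subnet through its web interface, with the gateway field left empty, matching the posts above.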