Network security: VLAN or Firewall

General discussion about Blue Iris
reaver
Posts: 2
Joined: Thu Apr 09, 2020 8:02 am

Network security: VLAN or Firewall

Post by reaver »

I have decided to use BI on a PC to manage my IP cameras but I am undecided as to how I want to isolate my IP Cameras from connecting out to the internet. I'm trying to decide between 2 approaches and would appreciate any feedback especially if there is any impact to BI.

One approach is to set up a dedicated VLAN for the IP Cams and set up firewall rules. I think this is pretty common and I've read articles and watched videos about this.

The other approach is to skip the VLAN and just set up firewall rules on the router to block internet access by using the camera's MAC or IP address.

At this stage I'm leaning towards the second approach (block camera's MAC or IP address) because it is straightforward and easy to set up. Would there be any adverse impact to BI with this approach?
TimG
Posts: 2152
Joined: Tue Jun 18, 2019 10:45 am
Location: Nottinghamshire, UK.

Re: Network security: VLAN or Firewall

Post by TimG »

I'm afraid you will have to try these methods to see what works for you.

I'm an old-fashioned guy, so I went for a second NIC in the BI5 PC, and isolated the cameras that way. It also keeps camera network traffic off of my main LAN. I then use OpenVPN for remote access.
Forum Moderator.
Problem ? Ask and we will try to assist, but please check the Help file.
Matts1984
Posts: 496
Joined: Fri Apr 10, 2020 1:12 pm
Location: Maryland, USA

Re: Network security: VLAN or Firewall

Post by Matts1984 »

Some of it is up to preference and what you see your cameras doing. I personally first vlan'd my cameras to completely isolate them and have a firewall in front. Out of curiosity I monitored to see what my cameras were trying to do and wow, I did not want them to have access to the internet... while they work well and have good images, they try to talk outbound a lot to IPs (countries) and on services I'd rather them not try. I just today actually added a second NIC to my BI server so that it sat on the same vlan to connect to cameras but its front end was on my normal network; this was to optimize the path of BI traffic.

Ultimately, at least in my situation, the cameras require ZERO outbound access, I mean none. BI connects to the cameras so having them completely isolated without even access to my internal network was preferred. I eventually did permit them DNS and NTP solely to my firewall so that they can use their own OSD to show timestamps rather than BI showing it - and thus saved a ton of BI CPU cycles. Everything is running great, and I'm very content with the cameras being totally locked down and only doing what I bought them to do.
Blue Iris 5.8.9.x | Server 2022 VM | Xeon E5-2660 v3 @ 2.60GHz - 16 Cores | 24GB RAM | 8TB RAID | Sophos UTM WAF | Mostly various SV3C Cameras
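An added example, not part of the original post: a small audit that checks camera-initiated flows against the policy Matts1984 describes (no outbound access, except DNS and NTP to the firewall itself). The subnet, firewall address, log format and sample lines are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
# Assumed addressing (not from the thread): camera VLAN and the firewall's address on it.
CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")
FIREWALL = ipaddress.ip_address("192.168.50.1")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_TO_FIREWALL = {("udp", 53), ("tcp", 53), ("udp", 123)}  # DNS and NTP only, per the post

# Constructed sample log, one flow per line: initiator, responder, protocol, destination port.
SAMPLE_LOG = """\
192.168.50.21 192.168.50.1 udp 123
192.168.50.21 192.168.50.1 udp 53
192.168.50.21 203.0.113.77 tcp 8883
192.168.50.22 198.51.100.9 udp 32100
192.168.50.22 192.0.2.53 udp 53
192.168.50.22 192.168.1.40 tcp 445
192.168.50.21 192.168.50.1 tcp 443
192.168.1.40 192.0.2.80 tcp 443
"""

def classify(src, dst, proto, dport):
    """Return None when a flow fits the policy, otherwise a short reason string."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in CAMERA_NET or src == FIREWALL:
        return None  # not initiated by a camera, out of scope here
    if dst == FIREWALL:
        return None if (proto, dport) in ALLOWED_TO_FIREWALL else "unexpected service on firewall"
    if (proto, dport) in ALLOWED_TO_FIREWALL:
        return "DNS/NTP bypassing firewall"
    if any(dst in net for net in RFC1918):
        return "internal network"
    return "internet"

def audit(log_text):
    """Group policy violations by camera address; malformed lines are skipped."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        try:
            src, dst, proto, dport = line.split()
            reason = classify(src, dst, proto.lower(), int(dport))
        except ValueError:
            continue
        if reason:
            findings[src].append((dst, proto.lower(), int(dport), reason))
    return dict(findings)

if __name__ == "__main__":
    for cam, hits in sorted(audit(SAMPLE_LOG).items()):
        print(cam, hits)
```

A camera that uses a hard-coded public resolver or time server shows up under "DNS/NTP bypassing firewall", which is the case the DNS and NTP exception would otherwise hide.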
reaver
Posts: 2
Joined: Thu Apr 09, 2020 8:02 am

Re: Network security: VLAN or Firewall

Post by reaver »

I think I'll go with the dual NIC approach. Aside from isolating the cameras, keeping the camera streams off the local network is a bonus.
hotbrass
Posts: 35
Joined: Sat Jan 11, 2020 8:40 pm

Re: Network security: VLAN or Firewall

Post by hotbrass »

Matts1984, what firewall are you using?
HeneryH
Posts: 690
Joined: Thu Jul 18, 2019 2:50 pm

Re: Network security: VLAN or Firewall

Post by HeneryH »

reaver wrote: Sat Apr 11, 2020 1:27 am I think I'll go with the dual NIC approach. Aside from isolating the cameras, keeping the camera streams off the local network is a bonus
Do you just use static IP addresses on everything to avoid needing any smarts in the network?
TimG
Posts: 2152
Joined: Tue Jun 18, 2019 10:45 am
Location: Nottinghamshire, UK.

Re: Network security: VLAN or Firewall

Post by TimG »

In my case, I have equipment such as my old Amiga A1200 that can't even spell DHCP. Getting a computer like that online originally began with having to learn about Hayes modem initialisation strings at a time when they would be set up automatically for PC users. Nowadays it quite happily sits on my IPv4 LAN with a static IP. A 1992 50MHz (accelerated from 14MHz) computer on the internet :shock:

Even now, I find Emby, Homeseer and Blue Iris much easier to control with a static IP.

I do set up a DHCP window for devices that don't need a static IP, but everything else is nailed down on the device itself (including the IP cams). When I swapped my router last year, all I had to do to get full LAN functionality back, was to set the IPv4 address and the DHCP window (and set up wifi SSIDs).

I believe that a few of the issues we see here with networking are that people set up quasi-static IP addresses from the router rather than directly on each device. When that combines with port forwarding from external WAN to internal LAN addresses, I think it begins to unravel; possibly due to timing issues. I can't prove that, but I do ask the question each time to see how people have set up their static IPs. Just my enquiring mind trying to make sense out of chaos :lol:
Matts1984
Posts: 496
Joined: Fri Apr 10, 2020 1:12 pm
Location: Maryland, USA

Re: Network security: VLAN or Firewall

Post by Matts1984 »

hotbrass wrote: Sun Apr 12, 2020 1:58 pm Matts1984, what firewall are you using?
I'm running a Sophos UTM (not the XG firewall) with their completely free Home use license. All it requires is a Pentium-based system with 2 or more NICs. In my situation (and based on profession) I'm a bit overkill but I've been using it for easily 7+ years and it's still being actively updated by Sophos. In short, I love it. The home license gives essentially full capabilities of the product (won't do sandboxing or allow for customization of block pages) but you get firewalling, advanced networking (link aggregation, QoS, etc.), IPS, URL Filtering, a Web App Firewall - which I use specifically for BlueIris, VPN, the list goes on. The ONLY caveat the license has is a maximum of 50 active IPs which I'm pushing, but I remember the days when the cap used to be 10 IPs :D . Too many smart devices, tablets, cell phones, etc. now.

Anyway, if you can't tell, I'm pretty passionate about firewalls and I love this one. I've tried all/most of the OpenSource ones and still come back to the Sophos UTM (formerly Astaro). I've tried some SOHO version enterprise firewalls too but you're paying licensing with those. Happy to provide more on this... possibly needs a different thread though!
MikeBwca
Posts: 1076
Joined: Thu Jun 20, 2019 5:39 am

Re: Network security: VLAN or Firewall

Post by MikeBwca »

TimG wrote: Mon Apr 13, 2020 8:36 am ... such as my old Amiga A1200 ...
Dang! Someone else with the Amiga blues.
I have an Amiga 3000 complete with monitor, floppy, and a tape backup system. Haven't used it in years. Been meaning to power it up and mess around with it. Used to run an Amiga emulator in Windows. Keep meaning to install that also...
TimG
Posts: 2152
Joined: Tue Jun 18, 2019 10:45 am
Location: Nottinghamshire, UK.

Re: Network security: VLAN or Firewall

Post by TimG »

MikeBwca - I hope you've already removed the barrel batteries :shock: