Network Segmentation

[drinkingbird]

I know the best thing for me to do here is to try to move the NVR PC over to area 1.
I just don't want to spend money at this time buying the equipment I need to achieve what I want.

Let's say I do that and move the NVR to area 1 and I am able to achieve what I need... one questions that's been lingering...
the Blue Iris NVR has an app which I use to view all cameras.. does this mean that the NVR web server will be on 192.168.2.x network and will I also need to have my smartphone connected to the same network in order to view the cameras?.. or is there a way for me to view them while connected to the main network 192.168.1.x?

Moving the NVR doesn't help unless you can also move router 2 to that area and have the wireless cameras connect to that, sounds like there may not be enough signal strength though?

Your issue is you need both networks in both locations right now. So unless you can get it all in once place, you will need VLANs for segmentation.

If you don't want to buy switches, then you can use one of the other options involving Fresh Tomato.
Spare router with FT running as pseudo smart switch + 68U R2 running FT acting as both a router and a smart switch
Two spare routers acting as pseudo smart switches keeping the 68U with Merlin firmware

You can't mix and match here. You can either have segmentation or not have it.

No segmentation means your phone and anything else can see the cameras (and vice-versa). Segmentation means you'll need to do a few extra steps to enable that connectivity, but it is possible.

With the "pseudo segmentation" of using one physical network but two different subnets means your phone won't be able to see the cameras unless you give it a static IP in the 192.168.2.x subnet. Honestly I don't really see that as a valid option, it is not really buying you much security or segmentation. Better than nothing, but you have much better options available.

 

[macster2075]

Moving the NVR doesn't help unless you can also move router 2 to that area and have the wireless cameras connect to that, sounds like there may not be enough signal strength though?

I believe wireless signal will be good enough there for all wireless cameras.
If I am able to do this and move everything to area 1 where the main router is... what then?

What connects to what? - I need to be able to visualize and make sure I can do this before I commit to this endeavor!

 

[ATLga]

This is going in circles...

 

[macster2075]

This is going in circles...

I know.. anyone reading this post will either be extremely frustrated or die laughing.

 

[ATLga]

Seems like the Blue Iris is the cause of all of these various tries at different workarounds and if you just toss them, get rid of the switches and extra router, you'll be all set. Problem solved hahaha. Have you thought about a different camera system that will work without all the hoo ha.

 

[macster2075]

Actually the Blue Iris NVR is awesome. You can mix and match different camera brands as long as they support RTSP. Lots of features and much better than other NVRs where you can only use certain cameras.
My cameras are different.. Amcrest and Wyze for the wireless... and you can have them in different networks at the same time.. its web server will broadcast over the LAN to a browser as well...so you can see all cameras on a browser or the app.

You can have cameras on different subnets and they all come together within the NVR.. so yeah, Blue Iris is not the issue here.. The biggest issue here is ME.
I lack the knowledge to make the right connections..

Somtimes the price you pay to gain a little tiny knowledge is getting ridiculed for not knowing enough.. but hey.. I'm willing to pay that price.

 

[ATLga]

Wasn't ridicule. If you're willing to put in the effort then go for it. You've been given some good advice here along with several options. Pick one of them, stick to it, don't change mid stream, and implement. Seriously, good luck. I would have given up and said h3ll with it.

 

[macster2075]

Wasn't ridicule.

Oh I didn't mean you specifically or anyone in particular.. just trying to make a point that I don't know much but willing to learn.

 

[drinkingbird]

I believe wireless signal will be good enough there for all wireless cameras.
If I am able to do this and move everything to area 1 where the main router is... what then?

What connects to what? - I need to be able to visualize and make sure I can do this before I commit to this endeavor!

Do you have a specific reason not to trust these cameras? I mean personally, I don't trust any IOT device but I'm a bit over paranoid. If you're comfortable with them, just have one big network with everything on it and no segmentation and be done with it, everything in 192.168.1.x. R2 can just run in AP mode (or set up AIMESH, basically the same thing but lets you extend a guest wifi throughout the house). No need to move anything around, stuff can be in both places. Or if you don't need the extra wifi coverage, you don't need it at all. Or keep R2 and get rid of the netgear, etc.

If not trusted and you want segmentation, and you can get everything in one spot (except that netgear switch and the trusted stuff that connects to it), then you proceed as planned prior to when you said you had wired cameras in area 1.

R1, R2, and NVR all in area 1 (along with poe switch)
Netgear switch in Area 2

R1 LAN to R2 WAN
Netgear switch to R1 LAN (using your 1 cable between the areas) - only trusted devices connect to that switch
Trusted Area 2 wired devices to netgear switch as mentioned above
POE switch to R2 LAN
Wireless cameras to R2 WIFI SSID 2
Trusted wireless devices to R1 WIFI SSID 1 (different SSID and password)
NVR to both R1 and R2 LANs, or to the POE switch since that is just an extension of R2 LAN at this point
Trusted area 1 wired devices to R1 LAN

R1 LAN 192.168.1.1 with DHCP pool 192.168.1.x-x (default is probably fine). Do not specify any DNS under DHCP.

R2 WAN set to DHCP (you can add a DHCP reservation in R1 so it always gets 192.168.1.2)
R2 LAN set to 192.168.2.1 with DHCP pool 192.168.2.x-x, default is probably fine. Do not specify any DNS under DHCP

Firewall rules I previously gave you to block TCP, UDP, and optonally ping added to R2.

I'd leave IPV6 disabled in both routers just to keep that off the table and not have to worry about additional firewall rules or potential "leaks" etc. You don't need it.

All your devices including cameras can be set to DHCP, no static IPs. If you want them to have a persistent IP give them DHCP reservations in their respective R1 or R2. They will get the correct IP based on what they're connected to.

In this setup your phone needs to be on SSID2 to see the cameras but phase 2 can be setting up port forwarding and firewall rules on R2 to make it be able to see them from R1/trusted if needed. Same for the NVR, potentially reduce to 1 port and set up firewall/port forwarding, but if it has 2 NICs and you sure it won't route traffic between the two networks, not really critical.

 

[macster2075]

I, like you are also paranoid haha. I do not trust my Wyze cameras one bit. They have been known to communicate with servers in China. They now say they don't do that anymore, but I just don't trust them.

This is great and confirms what I had in mind, but needed confirmation. I was able to do this, it doesn't look pretty, but I just wanted to try this out to make sure it was going to work before I make it look better since I'm moving everything to Area 1.

So far everything works as expected and the only thing missing is configuring the firewall to allow only my iphone to be able to communicate with iot devices.
If would prefer that than having to be connected to R2 network as that defeats the purpose of what I am trying to do.

 

[macster2075]

I've been looking around and found these scripts to allow only the iphone to connect to both networks. My iphone's ip is 192.168.1.189

Router 1
iptables -I FORWARD -s 192.168.1.189 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP

Router 2
iptables -I FORWARD -s 192.168.1.189 -j ACCEPT
iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP

would this work?

 

[drinkingbird]

I, like you are also paranoid haha. I do not trust my Wyze cameras one bit. They have been known to communicate with servers in China. They now say they don't do that anymore, but I just don't trust them.

This is great and confirms what I had in mind, but needed confirmation. I was able to do this, it doesn't look pretty, but I just wanted to try this out to make sure it was going to work before I make it look better since I'm moving everything to Area 1.

So far everything works as expected and the only thing missing is configuring the firewall to allow only my iphone to be able to communicate with iot devices.
If would prefer that than having to be connected to R2 network as that defeats the purpose of what I am trying to do.

As of right now your cameras can still talk to China. As part of setting up your phone that can be blocked so they can't talk to the internet at all.

First thing you need to figure out, does your phone camera app allow you to specify a port (TCP or UDP) for each camera or only an IP address? If only an IP, then you'll need to do some more stuff on R2 to disable NAT and do some routing configs.

I thought Wyze cameras connected to the cloud then your phone also connected to the cloud, are you sure your phone needs to access them directly? You may need to give them some internet access for them to work, not positive though.

 

[drinkingbird]

I've been looking around and found these scripts to allow only the iphone to connect to both networks. My iphone's ip is 192.168.1.189

Router 1
iptables -I FORWARD -s 192.168.1.189 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j DROP

Router 2
iptables -I FORWARD -s 192.168.1.189 -j ACCEPT
iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -j DROP

would this work?

Wait now you're willing to get into scripting?

You'll be doing the above via the GUI's firewall rules, no script needed, but there is more to it than that, first you have to get through the NAT before you worry about firewall.

 

[macster2075]

does your phone camera app allow you to specify a port

You've lost me here. I don't need to do anything with my phone camera app.

oh wait.. you mean the Blue Iris NVR app.. ok.. if that's what you mean.. it's port 81.

 

[drinkingbird]

You've lost me here. I don't need to do anything with my phone camera app.

oh wait.. you mean the Blue Iris NVR app.. ok.. if that's what you mean.. it's port 81.

The app on your phone that you want to be able to talk to the cameras on router2, not the camera on your phone.