How to block my IP cameras from the internet and my local network?

I found an easy way to do it.

Go to Profiles, create a new group, type IPv4, enter the IP you want blocked, and hit save.

Then go to Firewall, create a new rule: type Internet Out, action Drop, source type Port/IP Group, IPv4 Address Group: select the one you just made in Profiles, then hit save.

Inspired by user Gargoile
 
I was more concerned about the cameras I have "phoning home". They were very inexpensive, but well manufactured with a lot of great features (human recognition). That's a pretty powerful processor, thus the reasons for my suspicions. (I later learned that these cameras do indeed attempt to contact an unknown IP address.)

I created a separate network and my BlueIris software runs on a computer with two NICs. All of the camera network has fixed IP addresses. I have a dedicated computer running BlueIris (~$250 refurbished on Amazon). I haven't taken the time to ensure that the network is secure, so I don't know if this works or not. I did run into a challenge. The cameras want to access an NTP server to get the time. I resolved this by building my own NTP server from an Arduino with an Ethernet interface and a GPS module. I found the NTP server software for the Arduino online. So for under $20 I have an NTP server.

All is good.

OSD
 
You can also load NetTime on the BI machine and use it as the NTP server. No Arduino needed that way.
 
Like this idea.

What are the steps to add the NTP server to each camera? Assuming that it will be necessary to log into each individual camera and change the Date & Time NTP server to other than "clock.ise.org". Would one use "0.nettime.pool.ntp.org" as the correct camera NTP server for each individual camera? i.e. reuse the same server?
 
Yes, each camera needs to be pointed to the NTP server. You'd use the IP of the BI server assuming that's where you installed it. The cams all use the same server IP.

Beyond installing NetTime on the BI Server, you may also need to allow traffic through the Windows firewall on the server over UDP port 123. And check that the native Windows time server hasn't already grabbed port 123. If so, you can disable it.
 
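A way to confirm from a machine on the camera network that the BI server really answers on UDP port 123, as described in the reply above. This is an added example, not code from any poster; the sample reply bytes are constructed, and the server IP you pass to `query()` is whatever address you gave the BI machine.

```python
import socket
import struct

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def build_request() -> bytes:
    """48-byte SNTP client request: LI=0, version=3, mode=3 (client)."""
    return bytes([0x1B]) + bytes(47)

def parse_response(data: bytes) -> dict:
    """Decode the header fields that show whether the server is usable."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    leap, mode, stratum = data[0] >> 6, data[0] & 0x07, data[1]
    tx_seconds = struct.unpack("!I", data[40:44])[0]  # transmit timestamp
    return {
        "mode": mode,
        "leap": leap,
        "stratum": stratum,
        "unix_time": tx_seconds - NTP_EPOCH_OFFSET,
        # mode 4 = server reply; leap 3 or stratum 0 = server not synchronized
        "usable": mode == 4 and leap != 3 and 1 <= stratum <= 15,
    }

def query(server_ip: str, timeout: float = 2.0) -> dict:
    """Send one request; a timeout means nothing answered on UDP 123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server_ip, NTP_PORT))
        data, _ = s.recvfrom(512)
    return parse_response(data)

# Constructed sample reply (LI=0, version 3, mode 4, stratum 2) for offline use.
SAMPLE_REPLY = (bytes([0x1C, 2]) + bytes(38)
                + struct.pack("!I", NTP_EPOCH_OFFSET + 1700000000) + bytes(4))

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
```

A timeout from `query()` points at the Windows firewall rule; a reply with `usable` false means something answered but is not synchronized.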
The two NIC cards will not work for me as everyone's situation is different.

I did try the VLAN and it worked as well, but I thought it was a lot more complicated, with so many rules to make. I didn't think my BI computer should be on the same VLAN as the cameras, as it would have no internet; then I read that it would be taxing on the router if you had all that data going over two VLANs.

Blocking by IP was the easy route lol
 
cameras are going to tax a 1Gb network. But in your case with a 10Gb network, it wouldn't be a burden anyways.

Two NICs on different IPs into the same network work well; however, they should be the same speed or else it would have to buffer to the lower speed, which can slow things down.
 
How many cameras are running that it would "tax" a gig network switch? I'm running 22, mix of 4MP, 2MP and one 8MP, and only see ~200Mb/PS of traffic on the private LAN. Even if you had 44 4MP cameras running I don't think you'd hit 600Mb/PS.
 
I was referring to the VLAN taxing the UDM, not the NIC cards.

From what I can find there is a huge performance drop with IP cams on VLANs using the UDM Pro.
 
Running my cameras on a VLAN using the UDM Pro. I have not noticed a problem with performance with 12 cameras; I think that was some older software on the USG/UDM Pro.
All cameras are on the same switch and all the ports they are plugged into are set to that VLAN only, not all traffic. Made a separate wireless network for that VLAN too. I have three Raspberry Pis running Camviewer software on them to display on TVs around the house. So everything security related is on one VLAN: BI computer, Dahua NVR, cameras, and Camviewers. Firewall rules are set so I can get to all of them from the main network but they cannot get out of that VLAN unless they are queried from the main.
The security VLAN is also set so it cannot get out of the house. If you plug a computer into that network it has no ability to get out to the world.

I would try a VLAN.
 
32 - 8mp @ UHD (3840x2160) 25 fps is about 880Mb/s with h.264 high quality compression.
Then when you have a lot of bandwidth getting used this way, will your recorder keep up?
32 - 8mp with the above settings would need an HDD sustained transfer rate of ~110 MB/s.
It is getting near the limits in SATA, especially when there is more than 1 remote session in live view and another one searching the recordings.
So eventually NVR makers will have to go either SAS (which is the full duplex SATA) with a dual armature HDD, or with lesser performance with NVMe storage.
 
Why run 25F/ps? 15F/ps is more than enough.
 
I'm curious where you get that figure from.
That's about 28Mbps per camera.
None of my Hikvision 8MP cameras allow a bitrate to be configured at over 16,384Kbps.
But they run a different compression standard: H.265 or h.264 with high compression.
You wouldn't get a low compression, high quality in a camera until you start looking into cameras that have an AMD cortex or better processor ($500+ cameras).
 
OK, so quite different from what you quoted to get that figure. Not h.264
It's not going to be exact, because it's a calculation.
There are several ways these cams can be set up. Some have certain limitations than others.
The bandwidth varies and there are a lot of combinations.
If you want to anticipate what bandwidth it's going to possibly consume, there are several online calculators and none of them are going to give you truly exact numbers, just an approximation.
 
If they are not wired away from your network, they will still share the bandwidth in the common wire.
But in your case, since it's a 10 Gb network, there shouldn't be bottleneck issues anyways.

If you static and remove the gateway entry, the cam cannot go onto the internet.
If you want to hide them from the rest of the network, since you have a 2nd network port, you can static them with a different IP like 10.110.110.X, both cameras and computer.

If you want to hide them from the internet, but be able to assign a computer to access them, then you would netmask the cameras away from the network (255.255.255.128) but the common computer has the whole netmask (255.255.255.0).
I realize this is an 'older' topic, but the comment about '...static and remove the gateway entry...' - what does this mean? If the gateway address in a camera is left blank the camera barks at this; it won't allow it.
 
Basically you want 2 network cards in your BI PC. Set up the cameras to have a gateway that connects to the BI PC on a network card that has an address that can't connect to your home network. BI can connect to the cameras and the cameras can connect to BI but not the wider network. The other network card in the BI machine can be set up to connect your BI machine to your home network. BI then acts as an intermediary (a bit like a firewall) between your cameras and your home network. The cameras can't contact the outside network because the card they connect to cannot resolve the outside network address, but you can contact and view the cameras through BI.
 
Thanks for this. I do understand the bridging you noted. My network is very different.

I changed the camera's mask from 255.255.255.0 to 255.255.255.128 as noted above. The camera 'dropped out of sight' as expected. Then I changed a different computer to this 'new mask' & it was able to find this camera. The computer was no longer able to reach the internet. Switching back to the 5G WiFi, the computer returned to normal.

The camera was visible on BI regardless of the mask, so apparently BI is only interested in IP, ONVIF & RTSP.
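The netmask suggestion earlier in the thread (cameras on 255.255.255.128, the viewing computer on 255.255.255.0) and the test reported in the last post can be worked through with a small model of each host's on-link decision. This is an added example, not from any poster; all addresses are constructed, and the model only asks whether a host has a usable next hop, not what the router does with the packet.

```python
from ipaddress import ip_address, ip_interface

ROUTER = "192.168.1.1"       # constructed: home router, in the lower half of the /24
INTERNET = "203.0.113.10"    # constructed: documentation-range "outside" address

# Constructed hosts: (address/mask, configured gateway)
CAMERA = ("192.168.1.200/255.255.255.128", ROUTER)   # upper half, narrow mask
BI_PC = ("192.168.1.150/255.255.255.0", ROUTER)      # upper half, full mask
LAPTOP = ("192.168.1.20/255.255.255.0", ROUTER)      # lower half, full mask
TEST_PC = ("192.168.1.151/255.255.255.128", ROUTER)  # the "new mask" test machine

def has_next_hop(host, dst):
    """A host sends directly to on-link destinations; anything else needs
    a gateway that is itself inside the host's own subnet."""
    iface, gateway = host
    net = ip_interface(iface).network
    return ip_address(dst) in net or ip_address(gateway) in net

def two_way(a, b):
    """Traffic only flows if each side can send toward the other."""
    a_ip = str(ip_interface(a[0]).ip)
    b_ip = str(ip_interface(b[0]).ip)
    return has_next_hop(a, b_ip) and has_next_hop(b, a_ip)

def report():
    return {
        "camera_to_internet": has_next_hop(CAMERA, INTERNET),
        "bi_pc_to_internet": has_next_hop(BI_PC, INTERNET),
        "bi_pc_and_camera": two_way(BI_PC, CAMERA),
        "laptop_and_camera": two_way(LAPTOP, CAMERA),
        "test_pc_and_camera": two_way(TEST_PC, CAMERA),
        "test_pc_to_internet": has_next_hop(TEST_PC, INTERNET),
    }

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name}: {'reachable' if ok else 'no route'}")
```

The mask is a setting on each host and nothing on the switch enforces it, so the firewall rule, VLAN or second NIC discussed in the thread is what actually blocks a camera that is reconfigured or misbehaves.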