First post: secure installation of outdoor IP cameras

Honestly, it really isn't a big deal to set up VLANs - especially with pfSense. You don't have to use a smart switch for VLAN creation either. Connect the cameras and DVR to a separate switch and link it to another NIC on the firewall (assuming you can add one). The firewall will then do all of the routing for you. With the DVR in the same subnet as the cameras, the only traffic that would need to pass through the router is your viewing/configuration client. Simply add a rule to allow any traffic that originates on the "secure" LAN to be routed to the "camera" LAN (which would be covered by the default any/any rule) - done! pfSense will maintain the state tables, so no return rule is required for the cameras/DVR to send data back. By default, all traffic that originates on the camera LAN is denied access anywhere.
 
Even if you need to use a smart switch, you won't run into any bandwidth issues as long as the switch's backplane can handle the data throughput. Further, you can utilize a single port on the smart switch for the camera LAN and uplink another switch from there to contain all the cameras/DVR - that will relieve the smart switch's backplane from having to move the data around.
 
A bit off the original post, and more about today's home network, managed switches and software firewalls.
 
Relating to firewalls in general, I got into tinkering with them many years ago, both at work and at home. Thinking back to the '80s/'90s, there were very simple boot-and-run firewall programs that booted off a floppy disk. Geez, around the same time I played with a basic Unix floppy-boot OS with multiple serial terminals and DOS, layering the network in tiny pieces and having machines talk to each other.
 
Two very nice and flexible software firewalls were mentioned in this thread: one called Vyatta and another called pfSense. There are also replacement OSes for SOHO firewalls like DD-WRT and OpenWRT.
 
I started out using a big-box software firewall (I built the big box) called Smoothwall, over 10 years ago. Today there is much more. Here are some more software firewalls:
 
    CheckPoint FireWall-1 5
    pfsense 5
    Firestarter 5
    Netfilter 4
    SmoothWall Express 3
    Guarddog 3
    ipchain 3
    Endian 2
    Susefirewall 1
    Cisco ASA/PIX 1
    ClearOS 1
    APF 1
    Firewall Builder 1
    Auto firewall in Puppy Linux 1
    Drawbridge 1
    Monowall 1
    Firehol 1
    SuSEfirewall2 1
    Plesk 1
 
 
I personally went from Smoothwall to pfSense and have enjoyed the ride. I originally did it with 4 Gb network cards in it. I updated the box's hardware base and today use 6 Gb network cards in it. (Geez, and I want to take it further by purchasing more NICs.)
 
At work I remember NAT (network address translation). It was not a soft button but rather "take this subnet" and "match the IPs to this subnet one by one" by hand. Everybody knew what it was, but no one wanted to go through a subnet of numbers matching them one by one. IPChains is another one of these endeavors. What a PITA it was back then; it was only bean counting, but a bit repetitious and time consuming.
 
The intelligent managed switch today is way more cost effective than just a few years ago. As a learning experience relating to using a managed switch at home, I went this direction to take advantage of what was out there at a reasonable cost that could do what the managed switches of yesteryear did.
 
Concurrently, the "old" residential home network of years ago was made up of maybe one device with a modem, then one or two devices with a network connection, and today even more wired and wireless network devices. Many of these devices today are constantly in communication with the internet, such that they are never off. Geez, I have two automation boxes which do communicate with other pieces of hardware in the home, but continuously, every second of every day, get some pieces of data from the internet.
 
So your OP, relating to just a learning experience, is valid, mostly because it really is best to learn by practicing with the stuff you actually use.
 
Many folks prefer not to know and, relating to automation, just want things to work so they can use them. Many automation folks do want to know every detail of every piece that is doing their automation or security today.
 
Here on Cocoontech there are resources on just about anything relating to automation and security.
 
Many folks are looking to introduce or use automation in a home not built yet or just purchased and ask what it is that they have to do or install or learn about automation / security in general just like you did in your original post.
 
Just to add to Pete's list, there is IPCop, currently version 2.1, based on Linux From Scratch.
This was my first; I'm currently also on pfSense.
 
As Work alluded to, network security is only half the battle.

Personally, from dealing with enterprise sites with <500 IP cams, usually it's easier to VLAN the camera/recording devices, then secure that. Pull DHCP off and run only the IPs you need. From that end, most cameras don't require the whole spectrum of ports to be open to the NVR or software; usually it's less than half a dozen to stream and allow web management. They generally don't need access to the outside world (and the majority of the systems wouldn't recommend exposing all the ports to the outside).
 
If you've got cheapie IP cameras, sure, somebody can pull them off and access the network, but the better units are far more difficult, and if you put the right security hardware on them, it's very difficult.
 
video321 said:
Honestly, it really isn't a big deal to set up VLANs - especially with pfSense. You don't have to use a smart switch for VLAN creation either. Connect the cameras and DVR to a separate switch and link it to another NIC on the firewall (assuming you can add one). The firewall will then do all of the routing for you. With the DVR in the same subnet as the cameras, the only traffic that would need to pass through the router is your viewing/configuration client. Simply add a rule to allow any traffic that originates on the "secure" LAN to be routed to the "camera" LAN (which would be covered by the default any/any rule) - done! pfSense will maintain the state tables, so no return rule is required for the cameras/DVR to send data back. By default, all traffic that originates on the camera LAN is denied access anywhere.
 
Even if you need to use a smart switch, you won't run into any bandwidth issues as long as the switch's backplane can handle the data throughput. Further, you can utilize a single port on the smart switch for the camera LAN and uplink another switch from there to contain all the cameras/DVR - that will relieve the smart switch's backplane from having to move the data around.
I don't want to come off as argumentative - but this is missing half the point (merely setting up another VLAN isn't that hard once you get away from consumer stock firewall/routers). I have never played much with these PC-based firewalls, but I can tell you that most routers are designed to process WAN-type traffic levels - in the 20-50 Mbps range. If you're using dumb or even managed Layer 2 switching and expecting your firewall to bridge the gap, then ALL of that traffic and all those packets have to be processed by your firewall. Depending on your use-case scenario, it could be just the occasional viewing traffic bridging the gap, but it could be much more if you have a lot of viewing clients or like to use full-quality viewing. You could potentially really hose your internet performance.
 
I think the link TurboSam posted in this comment covers it very well.
 
Work2Play said:
I don't want to come off as argumentative - but this is missing half the point (merely setting up another VLAN isn't that hard once you get away from consumer stock firewall/routers). I have never played much with these PC-based firewalls, but I can tell you that most routers are designed to process WAN-type traffic levels - in the 20-50 Mbps range. If you're using dumb or even managed Layer 2 switching and expecting your firewall to bridge the gap, then ALL of that traffic and all those packets have to be processed by your firewall. Depending on your use-case scenario, it could be just the occasional viewing traffic bridging the gap, but it could be much more if you have a lot of viewing clients or like to use full-quality viewing. You could potentially really hose your internet performance.
 
I think the link TurboSam posted in this comment covers it very well.
 
I'll give you some real-world numbers from my personal setup....
 
I have pfSense running in a virtualized environment with virtualized VLAN NICs that don't have any hardware offloading enabled, on a host machine with an Athlon II X2, but with only a single processor and 1 GB RAM allocated to pfSense. The WAN and "secure" LAN each use a separate NIC, with the rest of the VLANs running on another. I can consistently get 250-300 Mb/s throughput between the secure LAN and another VLAN, to machines each running Win7 in a VM. Processor usage on pfSense will hover around 50%. This was measured with iperf along with a simple Windows file transfer. That is a lot of overhead through MANY virtualized NICs, and I still get pretty impressive throughput. Yes, my throughput to the VLAN will take a hit if I'm maxing out my WAN link (120 Mb/s), but I'll still get 100-120 Mb/s, so it isn't an issue for me.
 
With that said...
I completely agree with you on throughput, but depending on the hardware, drivers, and tuning used the numbers will vary tremendously.
So you bringing that up is an extremely valid point to take into consideration before designing your network layout.
 
I have to ask a follow-up question - purely out of curiosity - have you ever plugged a kill-a-watt into that box?  I'm very power-conscious since my power cost is around the worst in the country - so I do try to run dedicated low-power appliances wherever possible - my power bill already hits close to $900 in the summer months - a computer that costs some $5/month to run costs $35/month here.  It definitely affects my design decisions at home.  I'm jealous of the guys with basements that stay cool and power that stays cheap who can run whatever they want!
 
It's been a while since I changed over to a software Linux-based firewall.
 
I am mostly looking at the OP and just the curiosity / familiarity with pfSense and integrating its use with residential IP cameras.
 
I have seen in recent years the implementation of DIY IP-based residential (and commercial) cameras, and mobile access to said cameras, with no security, mostly because of what is assumed about the magic of the internet everywhere.
 
The above said, it was only a few years ago that I looked and was amazed that ISPs had left their routers configured at defaults, based on the assumption that no one would ever look.
 
Me too, Work2Play... and I'm nowhere near the cost of electricity compared to you!
The truth... it's plugged into a kill-a-watt right now!!! I was playing with a few things the other day and wanted to see the impact on power before making a decision on which route to go.
 
The box I'm currently using was purchased as a 24/7 HTPC/server/VM-running box something like 7 yrs ago. I remember picking it out based on video performance and power consumption because I didn't want to run a dedicated video card to draw that extra 15+ watts just to watch movies. Anyway... with the main desktop and (3) VMs running it will idle at 60W when all of the drives except the system drive power down. When pfSense kicks into gear it will spike to around 75-80 then drop right back down. I've been wanting to upgrade to a box that will support passthrough for some time now, but haven't been pushed into doing so just yet. However, I'm sure I can get my idle consumption much lower once I do, but the cost recovery would take quite a while.
 
Just a thought if I may...
Running dedicated lower-power appliances is good, but the cost of acquisition plus operating costs (electricity) can add up quickly depending on how many you have vs. purchasing a single 24/7 box built for lower power consumption. With hardware these days you can get a powerful i3/i5 to idle around 30W.
 
Just checking in here! I am amazed at the amount of responses this thread has generated!
 
I love my pfSense box, and although I am still learning it, I have delved into a whole lot of the extra features it has. There are lots of options out there for running pfSense; depending on your overall needs, some of them use very little power. I built mine as a mini-ITX box with an efficient power supply and an Intel G620 processor, which is fairly efficient but gives a little more power for running some of the pfSense packages. I have not plugged it into a kill-a-watt, but I haven't noticed any impact on my utility bill either.
 
In relation to my original post and Pete-c's last post about security of web access to network cameras, one of my favorite features of pfSense is its strong OpenVPN support. I use this frequently to access the internet securely from public wifi, as well as for the convenience of accessing my home LAN securely anywhere I have an internet connection.
 
I will plan on having my cameras isolated from the WAN and if I need to view my feeds remotely from my laptop or phone then I can simply connect to my VPN and then do so as if I am on the local network.
 
Again thanks for all the thoughts here, this is a good discussion!
 
Thank you cheezit73 for starting this discussion.
 
Recently upgraded my pfSense box to a new mITX BCM motherboard. It's a bit more resilient than the older mITX board. The BCM board has a 12 VDC connection on it. Added a GPS with PPS to the box for NTP, and it's been working fine. I used a pico PSU on the older pfSense motherboard / box.
 
I was doing VPN before using pfSense, but it was sort of kludgy. (Most of my Smoothwall stuff was just added scripts / pieces here and there.)
 
I recently did test (while traveling) the VPN stuff on pfSense and was impressed at how easy it was to configure and use.
 
My DIY NVR is a ZoneMinder (http://zoneminder.com) box (it's been a variety of Linux flavors) for many years, such that I have always used only one IP to access my cameras (before, though, they were all analog).
 
It's a simple box which records streams 24/7, saving only configured events. I liked the BCM mITX motherboard so much that I built a ZM box using one of these same mITX boards.
 
I too am using OpenVPN and utilize it every single day of the week. When I get to my office the first thing I do is connect! I have it redirect all traffic with the exception of my office subnets - all web surfing goes through my personal Internet. The Android app works flawlessly for me and doesn't require root either. I only have (2) ports open to the outside, and they are both for OpenVPN (a preferred UDP port and a backup TCP port).
 
If anyone needs help creating a very secure SSL VPN (I wasn't affected by Heartbleed) just let me know and I can help you out with the scripts and cert creation.
 
Getting back to VLANs... my VoIP box requires a tunnel to my provider's servers, so I created another VLAN and isolated it. Now that just-in-case situation of their servers being hacked and someone being in my network is a non-issue. An absolute requirement - no. A feel-good extra security measure - you bet!
 
@video321,
 
So for your Ooma VoIP stuff you created one VLAN / subnet just for the device?
 
Here I'm mostly just goofing with the built-in DECT phone stuff and have been able to connect my Openpeak-manufactured DECT phones to it, but not really get too much functionality out of them.
 
I can't find any software anymore relating to sniffing the DECT wireless network.  There used to be a bunch out there.
 
Yeah... as of now it's all alone in what I labeled the 'IoT VLAN'. I'm sure it'll be joined by more devices soon enough ;)
With pfSense and a managed switch it's stupid easy! I can connect to it from the secure LAN or the VPN VLANs, but it can't get to me.
 
That's cool pete - I never did play with asterisk or any other soho pbx software before as I never really had a need to. Though, it's always been of interest.
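Pulling the thread's design together in one place: the camera LAN that can originate nothing, the secure LAN that reaches it with the state table carrying the replies back, the IoT VLAN that may tunnel out to its provider but never into the house, and a WAN that exposes only the two OpenVPN listeners. Below is that policy written out in pf syntax, the packet filter underneath pfSense. This is an added illustration, not a file anyone in the thread posted and not what pfSense itself generates (pfSense writes its own pf.conf from the GUI rules); the interface names, subnets, VPN port numbers and the ovpns1 tunnel name are assumptions. It uses the FreeBSD pf dialect pfSense is built on (`nat on ...`, not the newer OpenBSD `match ... nat-to` form).

```pf
# Added illustration in pf syntax; interface names, subnets, VPN ports and the
# ovpns1 tunnel name are assumptions, not values from the thread.
ext_if  = "em0"            # WAN
lan_if  = "em1"            # "secure" LAN: workstations and viewing clients
cam_if  = "em2"            # camera LAN: cameras + DVR/NVR on their own switch
iot_if  = "em3"            # "IoT VLAN": the VoIP adapter and whatever joins it
vpn_if  = "ovpns1"         # OpenVPN server tunnel (pfSense-style name)
lan_net = "192.168.10.0/24"
cam_net = "192.168.20.0/24"
iot_net = "192.168.30.0/24"
vpn_net = "10.8.0.0/24"
vpn_udp_port = "1194"      # preferred OpenVPN listener
vpn_tcp_port = "443"       # TCP fallback for networks that drop UDP

table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Outbound NAT only for networks that are allowed to reach the internet.
# cam_net is left out on purpose: the cameras get no path to the WAN.
nat on $ext_if inet from { $lan_net, $iot_net, $vpn_net } to any -> ($ext_if)

# Default deny inbound on every interface (logged). Outbound is open, so, as in
# pfSense, every decision is made on the interface a packet arrives on and the
# state entry carries the flow out the other interface and the replies back.
# The camera LAN has no pass rule below, so nothing originating there goes anywhere.
block in log all
pass out quick inet all keep state

# WAN: the only two things reachable from outside are the OpenVPN listeners.
pass in quick on $ext_if inet proto udp from any to ($ext_if) port $vpn_udp_port keep state
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $vpn_tcp_port flags S/SA keep state

# Secure LAN: the default any/any. The state created here is what lets the
# DVR's replies come back in on $cam_if without a return rule of their own.
pass in quick on $lan_if inet from $lan_net to any keep state

# VPN clients behave like the secure LAN: view cameras, manage the DVR, and
# (with redirect-gateway) surf through the home connection.
pass in quick on $vpn_if inet from $vpn_net to any keep state

# IoT VLAN: the VoIP adapter may tunnel out to its provider, but it can never
# start a connection toward any private network in the house.
pass in quick on $iot_if inet from $iot_net to ! <private> keep state

# Camera LAN: intentionally nothing. Cameras run static addresses (no DHCP to
# answer) and talk to the DVR across their own switch, so the firewall never
# even sees camera-to-DVR traffic.
```

On a plain FreeBSD or OpenBSD box, `pfctl -nf /etc/pf.conf` parses a file like this without loading it. On pfSense you never edit pf.conf; the equivalent is one rule per interface tab as above, with the camera interface's tab left empty so its traffic falls through to the built-in default deny. If you want to follow Work2Play's point about cameras needing only a handful of ports, tighten the secure-LAN rule from `to any` to `to $cam_net port { ... }` with the stream and web-management ports your units actually use.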
 
Thanks video321.
 
Currently testing separate firewalls with PFSense.  (Almond + and my little microuter thing). 
 
I have only played with the blue tooth and DECT stuff on the Ooma box.  It has worked well for me. 
 
I'll probably do what you did as it sits next to the PFSense box today.
 
I am very amazed at what can be done at home these days with reasonably priced managed switches and software firewalls like PFSense.
 