separating camera network from rest of home network

JimS

Senior Member
Wanting to keep the cameras from phoning home to China or other mischief.  Some will be in a detached garage on a wired POE switch and some in the house.  Can I keep the traffic separate with one cable between buildings, or do I need two?  I want to set up an NVR, probably Zoneminder, that I can access from the home network, but I would like to keep the cameras off it or limit their connection to only the NVR.  What's the best way to do this?  I set up my own network with static IPs for some devices but don't have a lot of network experience, so some detail would be helpful.  Router is running DD-WRT.
 
I have my pfsense router firewall rules set to specifically block the IP addresses for all of my devices that don't need outbound connections.  pfsense allows creating an alias, in which I've got each device's IP address.  This allows making a set of rules that'll cover anything in the alias.  

I have all my DNS set up internally to run through an instance of pi-hole.  This is a DNS server with spam blocking.  The nice part of it is the dashboard.  It allows me to see quite easily what devices have been making DNS requests.  It caught my Smart Things hub making an EXTREME amount of DNS lookups, due to a Hue integration bug.  Like 50k requests per hour.  
 
Your wiring generally won't matter (unless you create a totally separate LAN for the cameras and NVR and don't give it WAN access).  These type of restrictions usually occur at the router level.  The router controls how traffic is routed internally (LAN) and externally (WAN).  You just need to create some rules to prevent the cameras (by ip address or mac address) from communicating outside of your LAN.
 
I also run pfsense, but I found this DD-WRT guide that is hopefully still relevant.  https://www.reddit.com/r/DDWRT/comments/917ey2/block_a_group_of_ip_addresses_from_accessing/
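The kind of rules described above (cameras may talk to the NVR, but nothing from a camera leaves through the WAN port), written out as an added example for the OP's DD-WRT router; this is not code from anyone in this thread, and the camera addresses, NVR address and WAN interface name are made-up placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: emit iptables rules for a DD-WRT firewall script that let the
# cameras reach only the NVR and drop (and log) anything they send toward the WAN.
# The addresses below are constructed placeholders, not real devices.
CAMERAS="192.168.1.201 192.168.1.202 192.168.1.203"   # camera IPs (assumed)
NVR="192.168.1.50"                                    # NVR/Zoneminder IP (assumed)
# DD-WRT usually calls the WAN port vlan2; confirm on your router with: nvram get wan_ifname
WAN_IF="${WAN_IF:-vlan2}"

# Print the rules to stdout. A dedicated chain keeps the camera policy in one
# place and lets it be flushed and rebuilt without touching DD-WRT's own rules.
camera_rules() {
    echo "iptables -N CAM_EGRESS 2>/dev/null"   # create the chain (ignore if it exists)
    echo "iptables -F CAM_EGRESS"               # start from an empty chain
    for cam in $CAMERAS; do
        # camera -> NVR is fine: leave the chain and let the normal rules decide
        echo "iptables -A CAM_EGRESS -s $cam -d $NVR -j RETURN"
        # camera -> anything out the WAN port: log it (visible in the router syslog), then drop it
        echo "iptables -A CAM_EGRESS -s $cam -o $WAN_IF -j LOG --log-prefix 'CAM-EGRESS '"
        echo "iptables -A CAM_EGRESS -s $cam -o $WAN_IF -j DROP"
    done
    # hook the chain in at the top of FORWARD so it runs before DD-WRT's LAN->WAN accept
    echo "iptables -I FORWARD -j CAM_EGRESS"
}

# Default: just print the rules for review. Run with APPLY=1 on the router to execute them.
if [ "$APPLY" = "1" ]; then
    camera_rules | sh
else
    camera_rules
fi
```

The printed lines are what you would paste into the DD-WRT firewall script (Administration > Commands) so they survive a reboot. Keep in mind the router only sees traffic that crosses it: while the cameras sit on the same subnet as your PCs they can still reach those PCs directly through the switch, which is why the separate-network or VLAN suggestions in this thread are needed to truly limit them to the NVR.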
 
Utilize PFSense here and the PFBlocker add on.  Pi-Hole is a good add on but not necessary when using PFSense.
 
Here is a video comparing PFSense-PFBlocker and Pi-Hole.
 
http://youtu.be/6wToQrcvkF8
 
You can separate the CCTV network via VLANs (lots of folks do this) or autonomous networks and separate rules on your firewall.
 
Many CCTV DVRs today utilize PoE-enabled ethernet ports for an autonomous network plus a separate ethernet port for the DVR GUI.
 
Typically you cannot see the rules in play between the networks on these devices between ethernet interfaces (embedded Linux).
 
While pfsense does have a blocker, the dashboard in pi-hole is FAR superior.  That alone makes it worth the trivial effort to install it.  Tip, it'll run on anything that runs linux, not just a raspberry pi.  I have mine running in a Debian linux VM on my QNAP NAS.
 
Thanks.  That gives me a few things to check into.
 
Bill, sounds like you are running pfsense AND pihole?  Will take a look at how much overhead they take.  I've got a linux box running mythtv if the overhead isn't too high.  Need to check the loading too, but I think it is pretty high when dealing with multiple recordings.
 
I do not think you will have an issue running Pi-Hole on the MythTV box. 
 
Here running MythTV and Logitech Squeeze server on a Lenovo Tiny M93 computer (recently upgraded from an old Core Duo).  It wasn't working too hard on the Core Duo and even less now on the Lenovo Tiny.

I have the MythTV box talking to two HDHomerun boxes. Not really recording too much. Looking now to see about saving live streaming stuff on the Kodi boxes.
 
I am happy here running PFBlocker on PFSense.  On a new install had to register PFBlocker on the Maxmind site.
 
OP asked a question specifically about preventing cameras from phoning home; however, in addition to what has been suggested previously, in order to truly isolate and secure the cameras you will need to either have a completely separate physical network (already mentioned) or implement VLANs. "How to setup VLANs for CCTV" is an example article of how to set this up using layer 2 capable Netgear switches. I use a Ubiquiti Edgerouter and Edgeswitches for my home network.
 
The physical / VLAN network configuration isolates the cameras from the rest of your network attached devices. To mitigate security risks one of these approaches should also be taken with all IoT types of devices, not just IP based security cameras. With VLANs one can configure the router to "black hole" all internet bound traffic from the IP cameras and other IoT devices that do not utilize known/sanctioned cloud services thus preventing them from "phoning home."
 
-Ben
 