I’ve followed a number of different videos to segment my home network and have learned quite a lot from this channel/forum, but I’ve hit a snag when creating a Cam VLAN. I’ve created the VLAN, I can connect to it from various devices and it doesn’t have internet access (huzzah!), but I don’t seem to be able to actually access a camera after switching it over to the Cam VLAN, either from the Cam VLAN or the LAN. I can ping 10.10.30.1 from both, and if I connect both my PC and Android to the Cam VLAN I can ping each device. But I changed the port profile for one of my PoE cams to the Cam VLAN and am unable to ping it (or access the PoE cam’s GUI like I can for the other cams still on my LAN). Pinging the cam’s old LAN address (10.10.10.125) gives me a “Destination Host Unreachable” and pinging the new one (10.10.30.10) gives me a “Request Timed Out”. I’ve tried to paste screenshots of the relevant info, but please let me know if anything further would be helpful… (edit: the first set of firewall rules is for the LAN, sorry for cutting off the top)
P.S. And yes, I know the tutorial suggests putting the NVR/controller on the same subnet, but that would wreck a few backup scripts I currently run. I assume everyone would think this isn’t the most secure way to set this up, but I’d love to get over this hurdle and get everything with BlueIris back up and running before I start moving the BlueIris box behind the cam VLAN/subnet…
Regarding the security aspect of having the NVR on a different network from the cameras: This is actually an example of a more general problem. Unless you put extra measures in place like IP-MAC Binding and Port Security, a threat actor could theoretically spoof a camera’s IP address and gain access to parts of the overall network that they shouldn’t. But perhaps the more pressing concern is that all the traffic between the cameras and NVR is now forwarded through the router instead of being switched, which negatively impacts your router’s performance.
I think this is a good suggestion and something I will try anyway, but in the UniFi Controller software it states that the IP is the one I assigned in the DHCP server for the new VLAN.
So you’d recommend, for example, just the last “* to *” rule as a beginning test?
Yikes! I don’t want to negatively impact anything! So it sounds like it would be best to put the BlueIris PC behind the Cam VLAN (eventually) and then give the BlueIris PC access to the WAN?
Well, I disabled all the rules except the bottom “* to *” rule and thankfully I was able to access the cam residing on the Cam VLAN (as well as various other Cam VLAN clients). One by one, I re-enabled the rules top to bottom, and each time everything still worked as expected… all the way to the last rule! Nothing worked, then I simply disabled all the rules, then re-enabled them, and everything worked. I guess I’ll take it, but I hate when a problem gets solved with the ole “have you tried turning it off and on?”
There is one issue though: I am able to ping around 10.10.30.x and I’m blocked from other networks and the internet, but I’m unable to ping my Blue Iris PC when connected to the Cam VLAN. Is there a conflict in the rules passing traffic from Cam Net to 10.10.10.7 and the following one blocking Cam Net to LAN Net (10.10.10.x)?
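The rule-ordering question above (an allow for Cam Net to 10.10.10.7 sitting directly above a block for Cam Net to the whole LAN) comes down to how a top-to-bottom, first-match firewall chain evaluates a packet. The script below is an added illustration written for this thread, not code from UniFi or from anyone in the discussion. It models a first-match chain with the addresses used in the thread (Cam VLAN 10.10.30.0/24, LAN 10.10.10.0/24, Blue Iris PC at 10.10.10.7) and then flags any rule that is "shadowed", i.e. can never match because an earlier, broader rule already covers everything it would match. The rule names and the default-accept fallthrough are assumptions for the example; a host firewall on the PC itself, which can also drop ping from a non-local subnet, is outside what this models.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed names and addresses, taken from the thread, for illustration only.
CAM_NET = "10.10.30.0/24"
LAN_NET = "10.10.10.0/24"
BLUEIRIS = "10.10.10.7/32"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def rule(name: str, action: str, src: str, dst: str) -> Rule:
    """Build a rule from CIDR strings (strict=False tolerates host bits)."""
    return Rule(name, action,
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             default: str = "accept") -> Tuple[str, str]:
    """First matching rule wins, as in a top-to-bottom LAN IN chain.

    Returns (action, rule name); 'default' applies when nothing matches.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action, r.name
    return default, "default"


def find_shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule's
    source and destination ranges fully contain theirs."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                shadowed.append(later.name)
                break
    return shadowed


# Order as described in the thread: the specific allow sits above the block.
RULES_AS_POSTED = [
    rule("Allow Cam Net to Blue Iris", "accept", CAM_NET, BLUEIRIS),
    rule("Block Cam Net to LAN Net", "drop", CAM_NET, LAN_NET),
]

# Same two rules with the order swapped: the block now hides the allow.
RULES_SWAPPED = list(reversed(RULES_AS_POSTED))


if __name__ == "__main__":
    for label, chain in (("as posted", RULES_AS_POSTED),
                         ("swapped", RULES_SWAPPED)):
        print(f"--- rules {label} ---")
        for dst in ("10.10.10.7", "10.10.10.125"):
            action, name = evaluate(chain, "10.10.30.10", dst)
            print(f"10.10.30.10 -> {dst}: {action} ({name})")
        print("shadowed:", find_shadowed(chain) or "none")
```

With the rules in the order the post describes, a packet from a Cam VLAN client to 10.10.10.7 hits the allow before the block ever sees it, while the rest of the LAN stays blocked, so that pair is not in conflict on its own. Swap them and the allow is reported as shadowed, which is the first thing to check when a more specific exception appears to have no effect.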
Hey, sorry to bump, and apologies for my previous delayed response. Anybody have any ideas for troubleshooting the (in)ability to access the Blue Iris box (which resides on the LAN network) from the Cam VLAN network?