Giving access to CCTV cameras

Hi,

Pre-requisites
-Main building - 32 cameras / Hikvision / running on separate CCTV POE switch /
-Sub Unit - 8 cameras / Dahua / POE cameras / Has their own internet

We have a site which is a serviced office building. It has pfSense running all the CCTV equipment running on an isolated VLAN 10.101.0.0/24.

The sub unit wants access to some of the Hikvision cameras running on the 10.101.0.0/24.
Most NVRs have 2 subnet networks; I understand this and how to add the camera etc.

I am not sure how best to set this up on the network side. If I set up the sub unit with the same subnet as 10.101.0.0/24, I will be able to add the cameras by linking the 2 networks, but this would cause a DHCP conflict and a security concern. I only want the sub unit to access the camera IPs I decide.

Does anyone know how to best handle this?

Thank you

Hi eblaster101

I think the best approach is to keep your cameras on separate subnets, and then use a firewall rule to allow the traffic from one subnet to the other.

I think I’ve understood your setup correctly, sorry if I haven’t.

I also presume your pfSense router has access to both camera networks, and is also the default gateway for both of those networks?

If that is true then you can easily do this with a firewall rule on the subnet interface that wants to access the other camera network.
My advice would be to create yourself a firewall alias from the firewall menu.
You want an IP alias.
Call it something like SubSiteCameras
Make sure to select Host(s) as the type
Put the IPs of the sub-site cameras you want to access into that list and hit save.

Then create yourself a firewall rule to allow access to those cameras by selecting the firewall menu and rules. Then click on the interface that services your main building cameras.
Click add and enter the following items:
Action: Pass
Protocol: TCP/UDP
Source: the IP of your main building NVR
Destination: Single Host or Alias
Destination Address: the name of the alias you created earlier (SubSiteCameras)
Destination Port Range: unless you know the exact port(s), I would just choose Any

Hopefully that helps you out or points you in the right direction.
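
Added example, not part of either post: a small Python model of how a host alias plus a single pass rule behaves under pfSense's first-match, default-deny evaluation on an interface, and how an allow-any rule placed above it removes the restriction. The NVR address, the two camera addresses, the alias name `SharedCameras` and the three rule sets are constructed for illustration; only 10.101.0.0/24 comes from the thread.

```python
from ipaddress import ip_address, ip_network

CCTV_NET = ip_network("10.101.0.0/24")   # isolated camera VLAN from the thread
# Constructed sample values, not from the thread:
NVR = ip_address("10.102.0.10")          # the NVR that needs the feeds
ALIASES = {"SharedCameras": {ip_address("10.101.0.21"), ip_address("10.101.0.22")}}
ANY = None

def rule(action, proto, src, dst):
    return {"action": action, "proto": proto, "src": src, "dst": dst}

# Only the pass rule; everything else falls through to the default deny.
STRICT = [rule("pass", {"tcp", "udp"}, NVR, "SharedCameras")]
# Interface that also carries an allow-any rule (internet access): the pass
# for the alias must be followed by a block for the rest of the camera VLAN.
WITH_INTERNET = STRICT + [rule("block", ANY, ANY, CCTV_NET),
                          rule("pass", ANY, ANY, ANY)]
# Misordered: the allow-any rule matches first, so the alias restricts nothing.
MISORDERED = [rule("pass", ANY, ANY, ANY)] + STRICT

def _matches(field, addr):
    """field is ANY, an alias name, a network, or a single host address."""
    if field is ANY:
        return True
    if isinstance(field, str):
        return addr in ALIASES[field]
    if hasattr(field, "hosts"):          # ip_network
        return addr in field
    return addr == field

def evaluate(rules, proto, src, dst):
    """First matching rule decides; no match means block (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    for r in rules:
        if ((r["proto"] is ANY or proto in r["proto"])
                and _matches(r["src"], src) and _matches(r["dst"], dst)):
            return r["action"]
    return "block"

def exposed(rules, src, proto="tcp"):
    """Camera-VLAN addresses that src can open a connection to."""
    return [str(h) for h in CCTV_NET.hosts()
            if evaluate(rules, proto, src, h) == "pass"]

if __name__ == "__main__":
    for name, rs in [("strict", STRICT), ("with internet", WITH_INTERNET),
                     ("misordered", MISORDERED)]:
        print(f"{name}: {len(exposed(rs, NVR))} camera-VLAN hosts reachable from NVR")
```

Running the same comparison against the real rule list on the interface shows whether the alias actually limits access to the chosen cameras or whether a broader rule above it matches first.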