Isolate IP cameras

ragnaroknroll

I recently posted a related thread on SuperUser, but thought I'd post a modified version here to get advice specific to Asuswrt-Merlin.

I'm planning to install a home surveillance system consisting of 7 PoE cameras recording 24/7 to my HTPC. I figured since my HTPC stays on 24/7, there's no real need to get a separate NVR. Considering my complete lack of trust in these cameras, I will be blocking internet access to them using the Parental Controls feature from the Asuswrt-Merlin GUI. Additionally, I would like the cameras to be able to communicate only with the HTPC, while keeping the rest of the devices connected to my home network safely isolated from them. The HTPC, on the other hand, should be able to communicate freely with the rest of my home network devices.

My planned home network configuration is as follows. I already have an Asus RT-AC86U router running Asuswrt-Merlin, that is connected to the internet. A PoE switch I am yet to purchase will be connected to the router, and the cameras and HTPC will be connected to this PoE switch. All other network devices in my home will be connected directly to the router. My questions are as follows:

1. Can my isolation requirements be met just by purchasing a cheap unmanaged PoE switch and configuring the router? On first thought, it feels like the Guest Network feature with the Access Intranet setting disabled might be able to help me out. Firstly though, I don't know how to connect wired devices to a guest network. Even if I manage to do this and put all the cameras on a guest network, I don't know how I can permit them to communicate with the HTPC, which cannot be on the guest network, since it needs to be able to communicate with the rest of my home network devices. Alternatively, could I achieve what I want to using the command line?

2. If this cannot be achieved by just configuring the router, what type of switch will I need and how should I go about configuring it? From reading up a bit online, it appears I need a switch that supports VLAN configuration. I've noticed that some L2 managed switches offer VLAN configuration capabilities, while being much cheaper than L3 managed switches. Specifically, some TP-Link L2 managed switches (like the TL-SG1210MPE) support an MTU VLAN mode, which I think would satisfy my requirements if I set the HTPC port as the uplink port. Unless I've misunderstood how this mode works, this would permit the cameras to communicate only with the HTPC, and the HTPC with the router, which gives the HTPC access to the rest of my home network devices and the internet. If this cannot be achieved using an L2 managed switch either, can it be achieved using a more expensive L3 managed switch?

Any help or advice would be much appreciated. Thanks!
 
If your HTPC has a second NIC, or one can be easily added, that may be the cheapest and easiest way to isolate the camera traffic, although VLAN would be the typical approach as it gives more flexibility, but at a cost.
 
@dosborne - Thanks a lot for the suggestion! This is something that did not occur to me before. Unfortunately my HTPC has just one NIC at the moment, but I will definitely put acquiring a second NIC on the list of options to consider. I was hoping this could be achieved by just configuring my existing router, which would by far be the cheapest solution, since I can then just get a simple unmanaged switch :) Nevertheless, I wouldn't mind paying a bit more for a quality L2/L3 managed switch either, which might have other benefits down the line. I would just like to be sure that I can achieve what I'd like to using either an L2 or L3 switch before taking the plunge.
 
The dual NIC approach is very common, see here:
 
The guys are right. A 2nd NIC in your HTPC connected to a dumb (or smart) PoE switch where all the cameras home is the simplest solution.
Things to consider:
* Static IPs for the cameras or DHCP? If DHCP, then the HTPC or a smart switch would have to act as the DHCP server.
* Use a different IP subnet for this isolated network so the HTPC does not get confused about routing between the 2 NICs. The closer the 2 subnets are, the more likely we the human will fat finger something.
example:
home lan - 192.168.50.x/24
poe lan - 172.16.100.x/28
* With the cameras completely isolated you will also want your HTPC to act as NTP source for the cameras. This is useful for accurate time if you use timestamp overlay from the cameras.
* If the cameras offer options between h264 & h265, it's probably best to use the more standardized h264. The newer CPUs support h265 acceleration but the support is broader for h264. Might have to trial this out. The idea is to maintain a relatively acceptable CPU load on the HTPC CPU.
* Another thing to watch for is HDD activity (try to use a surveillance-specific HDD such as the Seagate Skyhawk or WD Purple). Constant writing to a drive should be done on a dedicated drive designed for video storage.

I'm sure there are other things that I am just forgetting about, but that should be a good start.
 
There really needs to be an NVR or dedicated PC to handle the cameras. Trying to serve media on the network while recording HD streams to disk in one machine is not going to do either task well. A PC with Blue Iris (Windows) or Agent DVR (Linux or Windows) handling the cameras, placed on a dedicated switch for cams and the PC and linked to the main network, will keep the video traffic off your main network unless you're viewing the feeds from another device. Set the firewall to drop the traffic from your cameras on WAN out. While an NVR is easy to set up, you're trusting the camera company if you want to view cams away from home. A PC with a dedicated program can provide camera feeds to your phone while away via ngrok without opening ports in the firewall or trusting a camera maker's cloud infrastructure. As to specs for the donor PC, I have six 2k cameras running into an I-3 processor with 6 gigs of RAM, though it rarely ever gets to 2 gigs utilized (usually around 600mb RAM and 20% CPU just recording); that's running Agent DVR on Ubuntu 20.04.
 
@jsbeddow - Thanks a lot for sharing this link. It contained a lot of very useful information indeed.
 
@slidermike - Thank you so much for sharing these pointers. Am fully convinced now that the dual NIC approach is the one to use. Will likely keep things simple and use static IPs for the cameras. I'll unfortunately have to record into my HTPC's 8TB Seagate Barracuda drive for now, but will definitely consider a Seagate Skyhawk as its replacement once it dies. Cheers!
 
@Techwrench - Thanks for sharing your thoughts and usage data. Just a quick followup question. My HTPC runs Linux Mint 20.3 and the camera management app I will be using on it is Shinobi. Its hardware specs are Intel Core i5-12600 processor with 16GB RAM. It'll likely be recording video from seven 4MP cameras. Given your usage data, I feel the HTPC should not struggle too much to serve media in conjunction with recording video. Could you please clarify why you think it may not do either task well? And thanks for the suggestion to use ngrok. Had not heard of it before, but I've just looked it up and it appears to be just the thing I'd need.
 
Ah! With Linux on your HTPC you can assign a second IP address to the existing NIC in a different range from the LAN addresses. Then assign the cams a static IP address in the same range.
For example: If the HTPC has an IP address of 192.168.1.100 assign a second IP address of 192.168.10.100 with a subnet mask of 255.255.255.0 but no gateway address. Then assign the cams a static IP address of 192.168.10.101, .102, and so on. Just omit a gateway or router address. The cams can be in the same physical Ethernet or WIFI as the rest of the LAN clients and will not have access to the internet. To manage the cams you will have to set a desktop client with an IP address in the same range as the cams. I have several Zoneminder servers running on Ubuntu set up this way on small business networks. I use Webmin to manage the servers which makes it easy to add a second IP address. Works really well!
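
Added example, not part of any post in this thread: a dry-run script for the recording PC that enforces the camera-subnet isolation discussed above (the dual-NIC and the second-IP setups alike) with nftables. The use of nftables, the table name `camguard` and the `CAM_APPLY` switch are assumptions; `172.16.100.0/28` is the example "poe lan" range from the thread.

```shell
#!/bin/sh
# Added example: host firewall for the recording PC, keyed on the camera subnet.
# Assumptions (not from the thread): nftables is installed; table name "camguard".
CAM_NET="${CAM_NET:-172.16.100.0/28}"   # example "poe lan" range from the thread

# Accept only digits-and-dots CIDR text so nothing else can end up in the ruleset.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print an nftables ruleset for the given camera subnet.
render_cam_ruleset() {
    valid_cidr "$1" || { echo "invalid CIDR: $1" >&2; return 1; }
    cat <<EOF
table inet camguard {
  chain input {
    type filter hook input priority 0; policy accept;
    # Replies to connections the PC opened itself (stream pulls from the cameras).
    ip saddr $1 ct state established,related accept
    # Cameras may use the PC as their NTP source.
    ip saddr $1 udp dport 123 accept
    # Nothing else initiated by a camera reaches services on the PC.
    ip saddr $1 drop
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    # The PC never routes between the camera range and the home LAN or WAN.
    ip saddr $1 drop
    ip daddr $1 drop
  }
}
EOF
}

# True when the kernel would route between subnets (path overridable for testing).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Dry run by default: print the ruleset. With CAM_APPLY=1 (as root) it is loaded.
if [ "${CAM_APPLY:-0}" = "1" ]; then
    render_cam_ruleset "$CAM_NET" | nft -f -
else
    render_cam_ruleset "$CAM_NET"
fi
```

Because the rules match on source subnet rather than interface, they apply to either setup; with a single NIC the cameras still share a switch with the other LAN devices, so this protects only the recording PC.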
 
The RAM and CPU utilization when recording your camera streams direct to disk as raw data with no encoding is very minimal and likely could run at the same time as serving media, provided there are dedicated hard drives for each purpose within your HTPC. Where the real resource use comes into play is viewing your camera streams, either on the HTPC or another device. The live views must be decoded for display. For example, on my system, with the cameras set at 10fps from within each camera's on-device settings, and configuring the two video streams from each camera at full resolution for the direct-to-disk stream and 720p for the live view stream that is decoded for display when viewed live on the server itself or another device, the resource use goes from 600mb RAM and 20% CPU to around 1.2-1.5g RAM and 40-60% CPU. If I set the cameras to stream full resolution (2k) on the decode-for-live-viewing stream, then CPU goes to 70-80%; again, this is at 10 fps. If you want to live view your cams at their full resolution, times seven cameras, it is going to take a big bite out of the CPU resources. Also, the resource use specs I mentioned are with hardware decoding enabled; otherwise the use would be 10-15% higher. The chipset must support Quick Sync to utilize hardware decoding, which it looks like yours is new enough to do. I have personally found that I like to keep a screen up to view my cameras all the time, so I can glance at it regularly, so I always have the additional resource use of decoding the live streams.
 
My mind is blown! I had no idea you could assign multiple IP addresses to a single network card in Linux.

@bbunge - You are awesome! Thank you so much for sharing this. This is probably the most elegant solution to my problem.
 
@Techwrench - Thanks for clarifying. I was initially considering only writing the video streams directly to disk without encoding, but I can see the value of having the streams displayed on a monitor realtime. I guess I'll play the hardware requirements by ear though, and fiddle around with the stream resolutions and fps based on the CPU utilisation. I might even consider getting a GPU to do the stream decoding for the monitor down the line once the prices have settled down. But I do like the idea of getting a dedicated hard drive for camera recording. I could even make sure to get a Seagate Skyhawk drive as recommended by @slidermike above. Cheers!
 
If you are comfortable with installing programs on Linux give Zoneminder a try. There are install scripts on the ZM wiki for Ubuntu that make it easy.
 
Thanks for the tip. I've just been reading up about Linux-based camera management programme options online for no more than a few weeks now. It appeared to me that the general consensus was that Shinobi is an improvement over Zoneminder, which is why I chose it. Would be keen to hear your thoughts if you think it might actually be preferable to use Zoneminder instead. I even installed Shinobi on my computer and gave it a spin last week. It seems pretty slick.
 
Never heard of Shinobi. Not too sure of it as it is written in JS. I have been involved in Zoneminder for over 10 years. I have written several of the install procedures on the wiki for Debian and Ubuntu. Recent releases have reduced the server load, but some still try to save HD movies; 720P is more than plenty for a security cam system. For years I caught perps at 640x480 5 fps.
 
Thanks. Noted your point about camera stream resolution and fps. Will also definitely give Zoneminder a spin. And kudos for investing all this time in supporting an open-source project that we all benefit from. Cheers!
 
