Seeking network design to add IP Cameras alongside home network

[el_pedr0]

How should I configure my existing hardware/software to achieve good (or at least, not terrible) security when I add some IP cameras.

Current set up:
* Asus RT-AC68U router running merlin: Providing the gateway to WAN and IP assignment. Only one LAN port is used, and that's connected to the GS748T. WiFi radio is turned off.
* Netgear GS748T 48-port switch: All wired devices (desktops, TVs, Access Points, Proxmox server and containers) are connected to this switch
* Three TP Link EAP 225 access points: providing WiFi in the house.

I wish to add 8 wired IP cameras. They are HiWatch (Hikvision's cheap end range) IPC-T140.
I have a Netgear GS724TPv2 24-port POE switch which I can dedicate to the IP Cameras.

My server has two NICs. I am currently only using one, which is connected to the GS748T 48-port switch.

All the camera ethernet cables terminate right next to the server and I can locate the 24-port switch there too.

This is a home environment and I completely trust the people who live in the house and use the network.


Objectives:
* Limit the potential for someone external to gain access to my home network through vulnerabilities in the cameras.
* Limit the potential for someone external to gain access to my home network by physically gaining access to an ethernet cable from one of my exterior IP cameras.
* Limit the potential for someone external to view the streams of my cameras.
* Control the cameras with zoneminder and host zoneminder on a container in Proxmox
* Access zoneminder from computers on the home network
* Access zoneminder from outside the network using zmNinja app, for example.

In my simplistic view - I see a 'home network' with all my computers and devices and the 48-port switch as the hub, and a 'camera network' with the 24-port switch as its hub. I'm wondering if the physical layout of my hardware and cables could keep things simple allow because I'd only have a single 'meeting' point of the networks - i.e. the server, where one NIC is connected to the switch with the home network and the other connected to the switch with the IP cameras.

Would welcome thoughts as to whether I'm on the right lines here.

 

[follower]

Impossible.

 

[bbunge]

Have done what you are seeking. I am a long time Zoneminder user and have develoed several of the WIKI install instructions.

The solution is to assign static IP addresses to the cameras that are not in the same range as the LAN. For example, if the LAN is 192.168.1.0/24 the router will be address 192.168.1.1 and the client range is 192.168.1.2 to 254. Assign the cams to addresses in the 192.168.10.0/24 range, subnet 255.255.255.0 and give them a gateway and DNS of 192.168.10.1. Connect the cams to the main Ethernet the same as other devices
Next your Zoneminder server will have an IP address in the 192.168.1.0/24 range. Assign the NIC a second IP address inthe 192.168.10.0/24 range with a subnet of 255.255.255.0 and the cams will talk to the Zoneminder server and nothing else.
One issue is that your cams will not get a time sync because they can't talk to the internet and you will have to manually set an IP address on any PC used to configure the cams.

Edit: I should add that it is easy to add a second IP address to a Linux server with Webmin. I also recommend Ubuntu 20.04 or Debian 11 for a server with Mariadb as a database server.

ZoneMinder Wiki - Wiki - Ubuntu Server or Desktop Zoneminder 1.36.x

wiki.zoneminder.com

ZoneMinder Wiki - Wiki - Debian 11 Bullseye with Zoneminder 1.36.x

wiki.zoneminder.com

 

[el_pedr0]

Thank you @bbunge. Welcome news indeed - and even easier to set up than anticipated. It's a minor hassle to manually switch the IP address on a PC whenever I want to configure the cameras, but I suspect that'll be once in a blue moon once I've got everything set up.

A few follow up questions:
1) Can I set up some sort of timeserver to give the cams a time, or would I just have to check on them once in a while to see they haven't drifted?

2) Zoneminder will be in a container, which currently bridges to one NIC. The physical machine has two NICs, so I suspect it will be feasible to give the container access to both NICs. You write:

Assign the NIC a second IP address inthe 192.168.10.0/24 range with a subnet of 255.255.255.0

So, does that mean that I leave the container with access to just one NIC, but assign that NIC two IP addresses by appropriately configuring the OS within the container?

3) Any reason why not Ubuntu 22.04?

Edit - I spun up ZM on a container last night following those instructions. Very easy - thank you.

 

[bbunge]

Thank you @bbunge. Welcome news indeed - and even easier to set up than anticipated. It's a minor hassle to manually switch the IP address on a PC whenever I want to configure the cameras, but I suspect that'll be once in a blue moon once I've got everything set up.

A few follow up questions:
1) Can I set up some sort of timeserver to give the cams a time, or would I just have to check on them once in a while to see they haven't drifted?

2) Zoneminder will be in a container, which currently bridges to one NIC. The physical machine has two NICs, so I suspect it will be feasible to give the container access to both NICs. You write:

So, does that mean that I leave the container with access to just one NIC, but assign that NIC two IP addresses by appropriately configuring the OS within the container?

3) Any reason why not Ubuntu 22.04?

Edit - I spun up ZM on a container last night following those instructions. Very easy - thank you.

1. should be able to set some kind of time server on Linux
2. I do not use or recommend using a container for Zoneminder. An old PC works best. I have my Zoneminder on an Optiplex 9020 i3 with a 500 GB SSD
3. 20.04 performs better with fewer issues. Also uses an older PHP. 22.04 with Mariadb and the load is almost double from 20.04. With 20.04 I use the HWE kernal.