How to separate IP camera system from the network

boomhower

I need some help as I am not up to speed on networking. I'm ordering an IP surveillance system. When I set this up I want to keep the camera network traffic separate from the rest of the network. I don't have paid TV service so everything we do is streaming, whether from the net or NAS. It's a four person house so it gets used a lot. I currently have a newer Asus AC router running DD-WRT and an unmanaged gigabyte switch. What do I need to do to install this so it doesn't eat up my networking bandwidth? Do I need any more equipment or can it be done in router settings? The system itself will have all cameras going to a DVR and it connecting to the network. It will need internet access for remote viewing so it can't be completely isolated. Thanks for the help.
 

Red Squirrel

I would get a used managed gigabit switch and set up the cameras on a separate vlan. Though you'll also need a router that can do vlans if you want to route traffic through using firewall rules. You'll probably want some kind of VPN as well to access the cameras remotely. You don't want to actually expose them directly to the internet, there's a lot of security issues with that.

Having them on a separate vlan will also ensure that if by chance your vpn was hacked they'll only have access to that vlan and not your main network, provided you set up rules properly. Typically I like to block all traffic between vlans by default then add exceptions. Personally I use pfsense but that may be overkill for some people especially if you don't have a spare system to run it on.
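
The "block all traffic between vlans by default then add exceptions" policy from the post above, sketched as iptables rules for a Linux-based router such as DD-WRT. This is an added example, not part of the original post; the interface names (br0, br1, tun1), the NVR address and the port are assumed values, and the script only prints the rules unless it is run with IPT=iptables.

```shell
#!/bin/sh
# Added example: default-deny between a camera VLAN and the main LAN,
# with explicit exceptions. Interface names, NVR address and port are
# assumptions; substitute the values from your own router.

# Dry run by default: prints the rules. Run with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

camera_vlan_rules() {
    lan_if="$1"; cam_if="$2"; vpn_if="$3"; nvr_ip="$4"; nvr_port="$5"

    # Own chain so the rule order is fixed regardless of what the
    # firmware already placed in FORWARD.
    $IPT -N CAMSEG

    # Replies to connections that an exception below already allowed.
    $IPT -A CAMSEG -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Exception 1: main LAN may open the NVR's viewing port.
    $IPT -A CAMSEG -i "$lan_if" -o "$cam_if" -d "$nvr_ip" -p tcp --dport "$nvr_port" -j ACCEPT

    # Exception 2: VPN clients may reach the same NVR port.
    $IPT -A CAMSEG -i "$vpn_if" -o "$cam_if" -d "$nvr_ip" -p tcp --dport "$nvr_port" -j ACCEPT

    # Default deny in both directions between the two VLANs.
    $IPT -A CAMSEG -i "$cam_if" -o "$lan_if" -j DROP
    $IPT -A CAMSEG -i "$lan_if" -o "$cam_if" -j DROP

    # Anything else arriving from the VPN is dropped, so a compromised
    # VPN account gets the NVR port and nothing on the main LAN.
    $IPT -A CAMSEG -i "$vpn_if" -j DROP

    # Everything else (LAN to internet, etc.) falls through unchanged.
    $IPT -A CAMSEG -j RETURN

    # Evaluate this chain before any existing FORWARD rule.
    $IPT -I FORWARD 1 -j CAMSEG
}

# Constructed sample values: br0 = main LAN, br1 = camera VLAN,
# tun1 = VPN server interface, NVR at 192.168.20.10 serving HTTPS.
camera_vlan_rules br0 br1 tun1 192.168.20.10 443
```

The ACCEPT exceptions have to sit above the DROP rules in the chain, because iptables stops at the first matching rule.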
 

boomhower

Red Squirrel said:
> I would get a used managed gigabit switch and set up the cameras on a separate vlan. Though you'll also need a router that can do vlans if you want to route traffic through using firewall rules. You'll probably want some kind of VPN as well to access the cameras remotely. You don't want to actually expose them directly to the internet, there's a lot of security issues with that.
>
> Having them on a separate vlan will also ensure that if by chance your vpn was hacked they'll only have access to that vlan and not your main network, provided you set up rules properly. Typically I like to block all traffic between vlans by default then add exceptions. Personally I use pfsense but that may be overkill for some people especially if you don't have a spare system to run it on.

What should I be looking at? I see anywhere from $35 to the moon in price for managed switches. What's the simplest to program considering I have no clue how to handle it and will have to learn? Is VPN managed by the switch as well? As I mentioned my router is on DD-WRT and am not sure if it will do VLAN or not, I'm not home at the moment.
 

Red Squirrel

Just ensure that all ports are gigabit and that it's actually managed. A lot of switches are described as being gigabit but it's because they have 2 gigabit uplink ports and the rest are 10/100. You're probably looking at $100-200 for a managed gigabit. The Dells seem to go fairly cheap on eBay. Before you buy, look up the model number just to ensure it really is managed and full gigabit. You'll pay more for premium names like Cisco but you don't need to go with that, Dell, HP is ok. Netgear I tend to stay away from, but maybe they're better now.

Most switches are command line though, you need to connect a serial connection and terminal in to program it. You can find decent tutorials online for the commands and stuff.

Failing that, another option would be to go the custom router route (pfsense, etc) and have 3 nics so one wan and two lans. You plug two separate unmanaged switches into the two lan ports and you can essentially do the same thing you would with 2 vlans. Maybe your router actually supports this, not sure. Have not used a home grade router in a while so not sure what kind of features they have these days.
 

nsafreak

I agree with what Red Squirrel said, you'll need a managed gigabit switch along with a router that is VLAN aware. Last I looked DD-WRT can do VLANs so you should be ok there. I have a Dell PowerConnect 5324 myself and it is a fully managed gigabit switch with management at layer 2. You can get one on eBay for all of $50 here. By default it's configured to be managed via serial with a command line interface but you can enable a web based GUI.
 

boomhower

OK, this looks like it's going to be a lot more difficult than I anticipated. It took me the better part of a day just to get a DD-WRT bridge and my old school surveillance system operating correctly. Let's look at it from another angle, is it really needed? From the calculators I've used it looks like it will take ~50Mbps on the high end for five 2MP cameras using H.264 compression. Given an Asus AC66U router how big of an impact are we talking? The rest of the usage is normal Netflix/Hulu stuff along with FPS gaming.
 

nsafreak

That depends on where the bandwidth is being used. If you're doing a lot of streaming to a network location outside of your local network then it may have an impact on your streaming since I'm guessing like most other folks you have less upstream bandwidth than you do downstream. If however you're just viewing the DVRed cameras on occasion then it shouldn't have an impact on your local network since that should be a small amount of network utilization.
 

boomhower

nsafreak said:
> That depends on where the bandwidth is being used. If you're doing a lot of streaming to a network location outside of your local network then it may have an impact on your streaming since I'm guessing like most other folks you have less upstream bandwidth than you do downstream. If however you're just viewing the DVRed cameras on occasion then it shouldn't have an impact on your local network since that should be a small amount of network utilization.

Remote viewing is minimal. I'll check it a couple times a day just for the simple fact that I can. Not much to see other than occasionally the dogs playing outside.
 

alkemyst

Red Squirrel said:
> I would get a used managed gigabit switch and set up the cameras on a separate vlan. Though you'll also need a router that can do vlans if you want to route traffic through using firewall rules. You'll probably want some kind of VPN as well to access the cameras remotely. You don't want to actually expose them directly to the internet, there's a lot of security issues with that.
>
> Having them on a separate vlan will also ensure that if by chance your vpn was hacked they'll only have access to that vlan and not your main network, provided you set up rules properly. Typically I like to block all traffic between vlans by default then add exceptions. Personally I use pfsense but that may be overkill for some people especially if you don't have a spare system to run it on.

This will do nothing to preserve his bandwidth though.

Video traffic should really be on its own network/devices. Some things can be done like limit it to capturing frames only every 5 seconds and only go full-video based on motion in the area/at certain time intervals.

What needs to be known though is total bandwidth and how much the cameras are using.

I have 3 wireless cameras on a 50Mbps connection...I don't really notice any kind of network degrading. Of course I am running a Cisco C819 ISR router which has a decent CPU to process traffic.

If bandwidth is fine, some QoS to give less priority to the video camera traffic could work if you are experiencing some choppiness in your streaming.

QoS is not a solution for lack of bandwidth however.
 

boomhower

alkemyst said:
> This will do nothing to preserve his bandwidth though.
>
> Video traffic should really be on its own network/devices. Some things can be done like limit it to capturing frames only every 5 seconds and only go full-video based on motion in the area/at certain time intervals.
>
> What needs to be known though is total bandwidth and how much the cameras are using.
>
> I have 3 wireless cameras on a 50Mbps connection...I don't really notice any kind of network degrading. Of course I am running a Cisco C819 ISR router which has a decent CPU to process traffic.
>
> If bandwidth is fine, some QoS to give less priority to the video camera traffic could work if you are experiencing some choppiness in your streaming.
>
> QoS is not a solution for lack of bandwidth however.

It's a gigabit network so bandwidth shouldn't be an issue. Outgoing is by far going to be limited by my cable pipe. At this point it seems the biggest concern is the router being able to keep up. I would hazard a guess it should be able to. If not I can certainly upgrade to a better non-wireless router and turn mine into an access point. Thoughts here?
 

JoeMcJoe

Have passwords on all the cameras and the NVR, then it can be on the same network as everything else.

Your life will be easier.
 

alkemyst

boomhower said:
> It's a gigabit network so bandwidth shouldn't be an issue. Outgoing is by far going to be limited by my cable pipe. At this point it seems the biggest concern is the router being able to keep up. I would hazard a guess it should be able to. If not I can certainly upgrade to a better non-wireless router and turn mine into an access point. Thoughts here?

Keep in mind gigabit or not, doesn't mean you will ever see full gigabit on every switchport.

All devices should have a maximum throughput listed.

I have seen 8 port switches totally overloaded.
 

boomhower

alkemyst said:
> Keep in mind gigabit or not, doesn't mean you will ever see full gigabit on every switchport.
>
> All devices should have a maximum throughput listed.
>
> I have seen 8 port switches totally overloaded.

I can plug the NVR straight to the router to keep my cheapo switch out of the equation. Right now just the switch is plugged in the router and everything is off of it or wireless. I can plug the camera straight to the router and only it will need to keep up with the traffic. Question is can it?

One test I found:

WAN - LAN 836 Mbps
LAN - WAN 839 Mbps
Total Simultaneous 819 Mbps
Maximum Simultaneous Connections 30,069
Firmware Version 3.0.0.4.164
 

Red Squirrel

I would not even worry about local bandwidth usage, just make sure all your stuff is gigabit and local (no cloud based camera stuff, have your own dvr). Heck 10g is an option if you really get at that point but I doubt it. You could put your cameras on a separate switch if you are concerned about the switch's cpu usage and don't want that to add latency to your main network, but not sure if you'd really notice anything either way. The idea of the vlans is to separate the networks and not for bandwidth. Though I suppose it will help break up broadcast traffic, but that's not really an issue on a gigabit network. At least not in a home environment. In a business type environment it could maybe be an issue at some point.

For internet, anything you do on your network won't do much if the streaming uses more bandwidth than you have. But that's only an issue if you are streaming to somewhere on the internet like an external server. I would keep everything local, just make sure the DVR is in a secured location that will take long to get to if someone breaks in. By that time the cops will have arrived. I suppose you could have a setup that sends still snapshots to an internet server only when there's activity.
 

riahc3

I thought I should put an IP camera surveillance system on a separate subnet (or VLAN) to also not overload my bandwidth. At the end of the day, was told not to do it.
 

alkemyst

riahc3 said:
> I thought I should put an IP camera surveillance system on a separate subnet (or VLAN) to also not overload my bandwidth. At the end of the day, was told not to do it.

A VLAN is not going to preserve bandwidth.

A separate device will only preserve non-routed/LAN traffic on that switch.
 

boomhower

Thanks for the suggestions guys. Ordered the cameras today and will hopefully get them up in the next week or so. For the time being I'm just going to plug the NVR in my router and see how it does. If there are performance issues I'll look into a managed switch and VLANs, I'm really hoping it doesn't come to that.
 

alkemyst

Cisco Catalyst 2960 are kinda dirt cheap at the moment.

Keep in mind that the 2960's (and some 3xxx series) that are dirt cheap now are not gigabit except on the 2 uplink ports.


100Mbps is plenty for most needs though.