Looking for recommendations for a network switch with POE that's able to isolate a camera connected to it from the internet

I want to get a PoE camera or two. They will be connected via cable to the router / switch (hence needing PoE); the cameras I'm looking at are 2.5K resolution.

As I've run out of ports on the BT Infinity router I'll need to buy a network switch; I guess a gigabit switch with 8 ports will be about right for me (10 ports in total over the Infinity Smart Hub 2 and the new switch).
I only really want to view the cameras from within the house (they are to allow me to watch my 3D printers for things like filament tangles, failing prints etc. when I am in another room).
A review of some cameras mentions they keep trying to 'phone home' and the need to filter them at the firewall due to that.

This is where things go over my head and I'm not sure how to do things like that, but I could look it up and follow instructions etc. But I'm thinking, would it be easier if I could restrict the cameras' ability to see / access the internet? And if I could do that then I'd also like to do the same for the 3D printers' network connections; there's no need for them to be accessible / visible on the internet.

When looking at PoE switches I noticed there are 'easy smart' / managed versions of some of them. Would one of these switches be what I'd want to get to be able to set things up so that the cameras and printers can only be seen on the home network and not the internet?

Budget isn't much, £50 to £75
 
Are you planning to be able to view the camera feeds only on devices directly connected to the switch (i.e. not via a port on the BT router or over WiFi)?
 
There is no need to worry about your cameras being visible outside your network if you don’t forward ports on your router and turn off any cloud functionality they may have.
 
Are you planning to be able to view the camera feeds only on devices directly connected to the switch (i.e. not via a port on the BT router or over WiFi)?
This is pertinent, as is the question “can the device you want to view the cameras on be connected to two networks at once?”

If the answer to the above is yes and yes then any managed switch that supports VLANs will be enough. The cameras (and additional port you would connect the viewing PC to) would be on a VLAN that has no way back to your router and as such isolated. You would need to statically set IPs on this subnet unless the switch happens to have a DHCP server.

Plenty of cheap PoE gigabit switches will do that for cheap :)
 
There is no need to worry about your cameras being visible outside your network if you don’t forward ports on your router and turn off any cloud functionality they may have.

The issue isn’t one of reaching the cameras from the outside with port translation, it’s that cheaper cameras potentially “call home” to China, feeding information and imagery to them.
 
The issue isn’t one of reaching the cameras from the outside with port translation, it’s that cheaper cameras potentially “call home” to China, feeding information and imagery to them.
Can you flash alternative firmware on them? I paid around £75 for some robust Amcrests that are Dahua rebrands.
 
Can you flash alternative firmware on them? I paid around £75 for some robust Amcrests that are Dahua rebrands.
You usually can, however the question then becomes how do you trust the new firmware? I'd start with looking for someone who has developed an alternative and is open source with the contents.

Alternatively there's always PiHole (though the OP being on a BT router makes that more fun if you do want a high availability setup).
 
I supply and fit Dahua, Hikvision, Hanwha (Korean), Bosch (Taiwanese) and Axis (Vietnam) camera systems and they all ping out. All of them. If you turn off “detect automatic updates” none of them ping out, even the Chinese ones.

The simple fact is that all connected devices ping home to look for software updates.

The wider issue is do any of these devices have inbuilt vulnerabilities that could be exploited by bad actors? Probably. And don’t be fooled by “western democracies” - it was the UK and US that came up with many of the exploits made public by Edward Snowden/WikiLeaks and they were mainly for spying on their own nationals. And if you think about it, to exploit those vulnerabilities the malicious attacker would need to penetrate your firewall anyway. Obviously, if you enable P2P (which is how 99.9% of cameras and doorbells are accessed remotely) then you’re routing your video stream through a remote server anyway. Which makes any other protection method invalid and pointless.

So if you’re in any way smart, lock down all the ports on your firewall, disable software updates and view your camera feeds over your own VPN.

In the situation you are in, I would buy a cheap NVR which will power your cameras and put them on a different subnet to the one the recorder is accessed via the main network. It will also record if you fit a hard drive. You should be able to pick up a diskless unit for about £50. Then you only have one device to protect from being accessed and if you wanted, you don’t even have to hook the NVR up to your own internal network, or the internet. You can’t get much more secure than that.
 
Are you planning to be able to view the camera feeds only on devices directly connected to the switch (i.e. not via a port on the BT router or over WiFi)?
The way I have things now:
The BT Smart Hub 2 (I think it is) is in the room where the phone line comes in, which is also where the 3D printers live, and where the camera(s) I want to get will live.
The wifi from the BT hub is used by my dad's phone and Kindle, then ethernet cables go to dad's desktop PC, the inkjet printer and the smart TV in the living room.

Then the last ethernet port on the smart hub has a 25 meter long Cat6 cable that goes to the other side of the house... where I spend most of my time.
That cable is plugged into a Honor Router 3's WAN port.

The wifi for that router is a separate one to the BT one, and to that I connect my laptop, phone, Android tablets etc. via wifi (and a TV, PlayStation and desktop PC to the remaining LAN ports).

I'd need to view the cameras over the Honor router's wifi network, not over the BT hub's wifi network.

As others have mentioned, I am likely overthinking this, just worrying about someone gaining access to the cameras, seeing they are looking at 3D printers and hacking into the 3D printers to do something like set the hotend to 300 degrees C and drive it into the plastic of the half-finished print to try and start a fire.

I know the solution to that is to not connect the network to the printers and transfer G-code files via a USB stick, but the idea of the cameras is so I can check on the print progress every now and then whilst I'm doing other things, and if I see something going wrong I can pause the print and walk to the other end of the house and check it out in person.

Perhaps the solution is to just use a basic non-managed network switch with PoE ports, and set up the firewall properly on the BT Home Hub router?
 
Is there any chance to run a second 25m run to where your PC is? If so then the VLAN suggested by Paradigm is the simplest option without messing with the router (not necessarily the easiest technically). Otherwise you are going to have to sort the firewall out and knock the update setting out.

Not aware of being able to do trunking for a VLAN over that type of configuration with common or garden BT type routers but maybe someone like @paradigm can weigh in.


Regarding the PiHole I mentioned before: I am currently working out how to deploy PiHole on a BT Smart Hub 2 in a high availability layout to avoid the ire of the other half, and it looks like that will need at least 3 Raspberry Pis, maybe 4, to get failover working for both DHCP and DNS, which I don't think is going to go down well :cry:

Edit: part complete message originally posted somehow
 
A few thoughts here:

Make sure that you don't have devices in the DMZ on your firewall/router and don't have random inbound ports open to internal devices. You could consider disabling UPnP too, but that may cause other issues for devices on your network that are expecting to be able to dynamically open ports to themselves. It never hurts to cast your eye over these things whether you have a network camera or not, as it'll help secure all your existing devices, including your 3D printer, which sounds like it's networked :)

Buy a reputable camera to reduce some risk of it "calling home" to random Chinese servers. Secondly, set a static IP on the device but leave the gateway blank. This will make it harder for it to get access to anything beyond your network (e.g. the internet). Thirdly, for a belt and braces approach, if your firewall/router allows it, configure a policy to block outbound internet access for the camera's static IP address. As others have mentioned you could also look at PiHole/AdGuard and use that to block all requests from the camera out to external domain names... you could also just not give it any DNS/nameserver information when setting a static IP address, if it allows you to leave it blank.

Another consideration here is to buy a USB camera and connect it to a Raspberry Pi that's housed in the same location as the printer. The pi can be configured to broadcast the video stream on an internal URL. You can then connect to the Pi to view the camera, though it's less convenient and arguably you're just moving the risk from one device to another, but at least this way you have more control over what access is allowed in to the OS on the Raspberry Pi. There's always something like OctoPrint to handle a chunk of this for you, plus the possibility to give additional control and access to your 3D printer on the local network.
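An added example of mine, not code from any poster in the thread, modelling two pieces of the advice above: with the gateway left blank a camera only has a route to its own subnet, and a resolver such as Pi-hole logs every name the camera asks for, which gives you the hostnames to block. The subnet 192.168.1.0/24, camera address 192.168.1.50, vendor hostnames and the dnsmasq-style log lines are all assumed or constructed for the example.

```python
# Added example (not from the thread). Models "static IP, no gateway" routing
# and pulls a block candidate list out of constructed Pi-hole/dnsmasq query logs.
# Subnet, camera IP, hostnames and log lines are constructed, not real devices.
import ipaddress
import re

def reachable(host_ip, prefix_len, gateway, dst):
    """Can a host with this static config deliver a packet to dst?
    With no default gateway only on-link (same subnet) destinations have a route."""
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    d = ipaddress.ip_address(dst)
    if d in net:
        return True             # on-link: ARP and deliver directly
    return gateway is not None  # off-link: needs a default route to exist

# Constructed dnsmasq/Pi-hole style query lines: "query[A] <name> from <client>"
SAMPLE_DNS_LOG = """\
Jun  1 09:00:01 dnsmasq[612]: query[A] nvr.lan from 192.168.1.50
Jun  1 09:00:07 dnsmasq[612]: query[A] update.cam-vendor.invalid from 192.168.1.50
Jun  1 09:00:09 dnsmasq[612]: query[A] p2p.cam-vendor.invalid from 192.168.1.50
Jun  1 09:00:12 dnsmasq[612]: query[A] www.example.com from 192.168.1.30
Jun  1 09:01:07 dnsmasq[612]: query[A] update.cam-vendor.invalid from 192.168.1.50
"""
QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<src>\S+)")

def external_lookups(log_text, device_ip, local_suffix=".lan"):
    """Names the device resolved that are not local, with query counts.
    These are the candidates for a per-client Pi-hole/AdGuard blocklist."""
    counts = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["src"] != device_ip:
            continue                      # not this device's lookup
        if m["name"].endswith(local_suffix):
            continue                      # local name, e.g. the NVR
        counts[m["name"]] = counts.get(m["name"], 0) + 1
    return counts

if __name__ == "__main__":
    cam = ("192.168.1.50", 24)                          # assumed camera config
    print(reachable(*cam, None, "192.168.1.20"))        # laptop/NVR on the LAN
    print(reachable(*cam, None, "203.0.113.7"))         # internet host, no route
    print(reachable(*cam, "192.168.1.1", "203.0.113.7"))  # reachable once a gateway is set
    print(external_lookups(SAMPLE_DNS_LOG, "192.168.1.50"))
```

The blank-gateway trick is only a speed bump: a camera that ships with a hard-coded gateway guess or a P2P service will still try, so the firewall rule and the resolver log are what actually show and stop it.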
 
Dang, I'm sure I'd sent a reply a month ago, sorry for going silent.

I've still got nowhere with a camera / NVR setup, mostly because I've been busy working on the new room that is housing the 3D printer(s).
Now that I've done an upgrade on my Prusa MK3 to make it a MK3.5, I know a little more about what I need with a camera setup (still waiting on delivery of the other printer (Prusa XL)).

The software used to send the G-code files to the printers and control them is 'Prusa Connect' and it includes a basic camera viewer in it.
This viewer uses RTSP, and grabs a still shot from a linked camera every 10 seconds to show on the Prusa Connect screen, which is accessed via a 'secure' webpage... there is a thing called Prusa Link which runs locally on the home network, but it's very basic compared to Connect, and I suspect it grabs the camera image(s) via the internet anyway.

All I know is that RTSP means Real Time Streaming Protocol, and it's something to do with sending video images over the internet, so I am unsure if this is going to be insecure to do.

What I am thinking I want to do:

I'd have at least 2 small fixed cameras that will be mounted, one on each of the printers, looking directly at the nozzle.
Then either a few more fixed cameras looking at the filament spools, or a PTZ camera mounted on the ceiling overlooking everything. I prefer the PTZ idea as then I can move that camera to overlook both printers, and zoom in to look closer at any potential issues (filament tangles, running low on filament etc.).

These cameras I'd connect to an NVR as @WJA96 recommended; that'd sort out powering them too, I believe.
I've no need for recording the images atm... but I could see me perhaps adding more cameras at a later date to maybe look in the bird nesting boxes in the garden, and maybe watch over the home workshop etc.

The NVR should allow me to view the live stream of the cameras on a web page on my laptop, connecting to an IP address that is on my home network only.

Then I'd need to do this RTSP thing and get a snapshot from each camera sent to either Prusa Link or Prusa Connect.

Most of the time I'd have the Prusa Connect / Link page showing on a tab in Chrome, or on an Android tablet that I have mounted next to my laptop's screen.
This will allow me to keep an overview of the print status and data like temperatures etc., and I could also see the 10 second camera snapshots to spot something going wrong (you can add multiple camera RTSP 'streams' to the Prusa Connect page, I believe).

So if I see something not right on the snapshot images, I can then switch to the camera livestream tab and view the cameras in real time, move the PTZ one etc., then pause the print via Prusa Connect / Link and make my way to the other end of the house to investigate in person.

I believe that this RTSP thing throws a spanner in the works of keeping the camera streams local?

And it may not be as simple as starting off with buying a cheap NVR and adding things to it as needed?
 
The NVR is a completely separate network, usually in the 10.x.x.x subnet, and your only connection is to the web interface on the NVR. And the NVR can be accessed remotely from its own app (certainly Dahua, Hikvision, Reolink etc.) and that connection can be over WireGuard etc.

On Dahua you can send snapshots on a time interval but if it’s on the local network you may as well just send the live stream.
 
RTSP is a camera protocol. You would only use it to see the cameras directly without the NVR. It’s not impossible to see the cameras on a different subnet but you would be making life hard for yourself.

There is no point buying any fancy NVR because you really just want a PoE switch with a secondary router on a separate subnet and they all do that. You just need one with a decent web interface and app so the cheapest Hikvision or Dahua one you can find basically.
 

WJ, good advice.... So my question then.. I run 8 cameras, combos of 1080p Hikvisions and 4K Annke; they all hook into a PoE switch and the NVR is a Synology or QNAP NAS. What would you recommend as a standalone 4K-capable NVR with 8 port PoE? Looked at Amazon but not sure what's good or bad... Or what has what features vs what's not good. Basic stuff I use is line detection, event detection, masking, but would love subject detection, but I hazard a guess that's camera specific over the NVR software.

Thanks
 

How much do you want to spend?

Something like a Dahua NVR5216-16P-I has pretty much every AI feature you can think of built-in to the NVR on 16 PoE channels but it’s £635+VAT plus hard drives. Dahua NVR5208-8P-EI has 4 AI channels on the NVR but a much reduced feature set it can find and search on. But it’s £265+VAT plus hard drives. Dropping down the scale to something like the NVR4108HS-8P-EI has 2 channels of AI search and identify and that’s £150-ish plus VAT plus hard drives. If you’re OK to use the camera for your AI then NVR4108-8P-4K/2SL is £100-ish plus VAT plus hard drives.
 