Looking for recommendations for a network switch with PoE that's able to isolate a camera connected to it from the internet

Associate (joined 14 Mar 2023, 2 posts, location: scabbyborough)
I want to get a PoE camera or two. They will be connected via cable to the router/switch (hence needing PoE). The cameras I'm looking at are 2.5K resolution.

As I've run out of ports on the BT Infinity router, I'll need to buy a network switch. I guess a gigabit switch with 8 ports will be about right for me (10 ports in total over the Infinity Smart Hub 2 and the new switch).
I only really want to view the cameras from within the house (they are to allow me to watch my 3D printers for things like filament tangles, failing prints etc. when I am in another room).
A review of some cameras mentions that they keep trying to 'phone home' and that they need to be filtered at the firewall because of that.

This is where things go over my head and I'm not sure how to do things like that, but I could look it up and follow instructions etc. But I'm thinking: would it be easier if I could restrict the cameras' ability to see/access the internet? And if I could do that, then I'd also like to do the same for the 3D printers' network connections; there's no need for them to be accessible/visible on the internet.

When looking at PoE switches I noticed there are 'easy smart'/managed versions of some of them. Would one of these switches be what I'd want to get to set things up so that the cameras and printers can only be seen on the home network and not from the internet?

Budget isn't much: £50 to £75.
 
Associate (joined 12 Mar 2009, 578 posts)
Are you planning to be able to view the camera feeds only on devices directly connected to the switch (i.e. not via a port on the BT router or over WiFi)?
 
Associate (joined 7 Jul 2023, 101 posts, location: Worcestershire)
There is no need to worry about your cameras being visible outside your network if you don’t forward ports on your router and turn off any cloud functionality they may have.
 
Caporegime (joined 26 Aug 2003, 37,409 posts, location: Cheshire)
Are you planning to be able to view the camera feeds only on devices directly connected to the switch (i.e. not via a port on the BT router or over WiFi)?
This is pertinent, as is the question "can the device you want to view the cameras on be connected to two networks at once?"

If the answer to the above is yes and yes, then any managed switch that supports VLANs will be enough. The cameras (and the additional port you would connect the viewing PC to) would be on a VLAN that has no way back to your router and is as such isolated. You would need to statically set IPs on this subnet unless the switch happens to have a DHCP server.

Plenty of PoE gigabit switches will do that for cheap :)
 
Caporegime (joined 26 Aug 2003, 37,409 posts, location: Cheshire)
There is no need to worry about your cameras being visible outside your network if you don’t forward ports on your router and turn off any cloud functionality they may have.

The issue isn’t one of reaching the cameras from the outside with port translation, it’s that cheaper cameras potentially “call home” to China, feeding information and imagery to them.
 
Associate (joined 7 Jul 2023, 101 posts, location: Worcestershire)
The issue isn’t one of reaching the cameras from the outside with port translation, it’s that cheaper cameras potentially “call home” to China, feeding information and imagery to them.
Can you flash alternative firmware on them? I paid around £75 for some robust Amcrests that are Dahua rebrands.
 
Associate (joined 12 Mar 2009, 578 posts)
Can you flash alternative firmware on them? I paid around £75 for some robust Amcrests that are Dahua rebrands.
You usually can; however, the question then becomes how you trust the new firmware. I'd start by looking for someone who has developed an alternative and has open-sourced the contents.

Alternatively there's always PiHole (though the OP being on a BT router makes that more fun if you do want a high-availability setup).
 
Soldato (joined 13 Jul 2005, 19,160 posts, location: Norfolk, South Scotland)
I supply and fit Dahua, Hikvision, Hanwha (Korean), Bosch (Taiwanese) and Axis (Vietnam) camera systems, and they all ping out. All of them. If you turn off "detect automatic updates", none of them ping out, even the Chinese ones.

The simple fact is that all connected devices ping home to look for software updates.

The wider issue is: do any of these devices have inbuilt vulnerabilities that could be exploited by bad actors? Probably. And don't be fooled by "western democracies" - it was the UK and US that came up with many of the exploits made public by Edward Snowden/WikiLeaks, and they were mainly for spying on their own nationals. And if you think about it, to exploit those vulnerabilities the malicious attacker would need to penetrate your firewall anyway. Obviously, if you enable P2P (which is how 99.9% of cameras and doorbells are accessed remotely) then you're routing your video stream through a remote server anyway, which makes any other protection method invalid and pointless.

So if you're in any way smart, lock down all the ports on your firewall, disable software updates and view your camera feeds over your own VPN.

In the situation you are in, I would buy a cheap NVR which will power your cameras and put them on a different subnet from the one the recorder is accessed on via the main network. It will also record if you fit a hard drive. You should be able to pick up a diskless unit for about £50. Then you only have one device to protect from being accessed and, if you wanted, you don't even have to hook the NVR up to your own internal network, or the internet. You can't get much more secure than that.
 
Associate, OP (joined 14 Mar 2023, 2 posts, location: scabbyborough)
Are you planning to be able to view the camera feeds only on devices directly connected to the switch (i.e. not via a port on the BT router or over WiFi)?
The way I have things now:
The BT Smart Hub 2 (I think it is) is in the room where the phone line comes in, which is also where the 3D printers live, and where the camera(s) I want to get will live.
The wifi from the BT hub is used by my dad's phone and Kindle, then ethernet cables go to dad's desktop PC, the inkjet printer and the smart TV in the living room.

Then the last ethernet port on the Smart Hub has a 25 metre long Cat6 cable that goes to the other side of the house, where I spend most of my time.
That cable is plugged into a Honor Router 3's WAN port.

The wifi for that router is a separate one from the BT one, and to that I connect my laptop, phone, Android tablets etc. via wifi (and a TV, PlayStation and desktop PC to the remaining LAN ports).

I'd need to view the cameras over the Honor router's wifi network, not over the BT hub's wifi network.

As others have mentioned, I am likely overthinking this, just worrying about someone gaining access to the cameras, seeing they are looking at 3D printers and hacking into the 3D printers to do something like set the hotend to 300 degrees C and drive it into the plastic of the half-finished print to try and start a fire.

I know the solution to that is to not connect the printers to the network and transfer G-code files via a USB stick, but the idea of the cameras is so I can check on the print progress every now and then whilst I'm doing other things, and if I see something going wrong I can pause the print and walk to the other end of the house and check it out in person.

Perhaps the solution is to just use a basic unmanaged network switch with PoE ports, and set up the firewall properly on the BT Home Hub router?
 
Associate (joined 12 Mar 2009, 578 posts)
The way I have things now:
I'd need to view the cameras over the Honor router's wifi network, not over the BT hub's wifi network.
Perhaps the solution is to just use a basic unmanaged network switch with PoE ports, and set up the firewall properly on the BT Home Hub router?
Is there any chance of running a second 25m cable to where your PC is? If so, the VLAN suggested by Paradigm is the simplest option without messing with the router (not necessarily the easiest technically). Otherwise you are going to have to sort the firewall out and knock the update setting out.

I'm not aware of being able to trunk a VLAN over that type of configuration with common-or-garden BT-type routers, but maybe someone like @paradigm can weigh in.


Regarding the PiHole I mentioned before: I am currently working out how to deploy PiHole on a BT Smart Hub 2 in a high-availability layout to avoid the ire of the other half, and it looks like that will need at least 3 Raspberry Pis, maybe 4, to get failover working for both DHCP and DNS, which I don't think is going to go down well :cry:

Edit: part complete message originally posted somehow
 
Soldato (joined 4 Jan 2004, 7,692 posts, location: Nottingham)
A few thoughts here:

Make sure that you don't have devices in the DMZ on your firewall/router and don't have random inbound ports open to internal devices. You could consider disabling UPnP too, but that may cause other issues for devices on your network that are expecting to be able to dynamically open ports to themselves. It never hurts to cast your eye over these things whether you have a network camera or not, as it'll help secure all your existing devices, including your 3D printer, which sounds like it's networked :)

Buy a reputable camera to reduce some risk of it "calling home" to random Chinese servers. Secondly, set a static IP on the device but leave the gateway blank. This will make it harder for it to get access to anything beyond your network (e.g. the internet). Thirdly, for a belt-and-braces approach, if your firewall/router allows it, configure a policy to block outbound internet access for the camera's static IP address. As others have mentioned you could also look at PiHole/AdGuard and use that to block all requests from the camera out to external domain names. You could also just not give it any DNS/nameserver information when setting a static IP address, if it allows you to leave that blank.

Another consideration here is to buy a USB camera and connect it to a Raspberry Pi that's housed in the same location as the printer. The Pi can be configured to broadcast the video stream on an internal URL. You can then connect to the Pi to view the camera, though it's less convenient and arguably you're just moving the risk from one device to another, but at least this way you have more control over what access is allowed in to the OS on the Raspberry Pi. There's always something like OctoPrint to handle a chunk of this for you, plus the possibility to give additional control and access to your 3D printer on the local network.
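The post above recommends a static IP with no gateway, an outbound block on the router for the camera's address, and watching for "call home" attempts. The script below, added here as an example and not code from the thread or from any camera or router vendor, shows the two halves of that a practitioner would actually want: a check that reads firewall log lines and flags any flow from an isolated device (camera or printer) to a non-RFC 1918 destination, and the nftables ruleset that logs and drops such flows on a Linux router (OpenWrt, a Pi or similar; the BT Smart Hub 2 cannot run nft, so that part assumes you have such a box in the path). The device names, addresses and log lines are constructed for illustration; the log format is the SRC=/DST=/PROTO=/DPT= layout the Linux kernel writes for netfilter LOG and nft `log` rules.

```python
"""Verify that isolated LAN devices (PoE cameras, 3D printers) are not reaching
the internet, and emit the nftables rule that blocks and logs it if they try.

Added example for this thread; not code from the forum or any vendor.
Device IPs, names and log lines are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical static addresses handed to the isolated devices (gateway left blank on them).
ISOLATED_DEVICES = {
    "192.168.1.50": "poe-camera-1",
    "192.168.1.51": "poe-camera-2",
    "192.168.1.60": "3d-printer",
}

# RFC 1918 ranges: anything staying inside these is LAN traffic and is expected.
LAN_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
_LAN_NETS = [ipaddress.ip_network(n) for n in LAN_RANGES]

# Field layout of Linux netfilter LOG / nft 'log' output (DPT= is absent for ICMP).
_FIELDS = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dpt>\d+))?"
)


def is_lan_or_local(addr: str) -> bool:
    """True for RFC 1918, loopback, link-local and multicast (mDNS, SSDP) destinations."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return True
    return any(ip in net for net in _LAN_NETS)


def parse_line(line: str):
    """Pull src, dst, proto and destination port out of one log line; None if it is not a flow log."""
    m = _FIELDS.search(line)
    if not m:
        return None
    dpt = m.group("dpt")
    return {"src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dport": int(dpt) if dpt else None}


def find_phone_home(lines, devices=ISOLATED_DEVICES):
    """Outbound flows from isolated devices to non-LAN destinations, as (name, dst, proto, dport)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] not in devices:
            continue  # not a flow line, or not one of the devices we care about
        if is_lan_or_local(rec["dst"]):
            continue  # talking to the viewing PC, the router or mDNS is expected
        hits.append((devices[rec["src"]], rec["dst"], rec["proto"], rec["dport"]))
    return hits


def summarise(hits):
    """Count attempts per (device, destination, port) so a repeated call-home target stands out."""
    return Counter((name, dst, dport) for name, dst, _proto, dport in hits)


def nft_block_rules(devices=ISOLATED_DEVICES, log_prefix="IOT-OUT "):
    """nftables ruleset for a Linux router: log, then drop, anything the isolated devices
    send to a non-RFC 1918 destination. The kernel log lines this produces carry the
    SRC=/DST=/PROTO=/DPT= fields that parse_line() reads, so the two halves fit together."""
    elems = ", ".join(sorted(devices))
    lan = ", ".join(LAN_RANGES)
    return f"""table inet iot_isolation {{
  set isolated {{ type ipv4_addr; elements = {{ {elems} }} }}
  chain forward {{
    type filter hook forward priority 0; policy accept;
    ip saddr @isolated ip daddr != {{ {lan} }} log prefix "{log_prefix}" drop
  }}
}}"""


# Constructed sample: two cameras, one printer, dad's PC (192.168.1.20) and a non-flow line.
SAMPLE_LOG = [
    "Mar 14 21:02:11 router kernel: IOT-OUT IN=br-lan OUT=pppoe-wan SRC=192.168.1.50 DST=8.8.8.8 LEN=60 TTL=63 PROTO=UDP SPT=40211 DPT=53 LEN=40",
    "Mar 14 21:02:12 router kernel: IOT-OUT IN=br-lan OUT=pppoe-wan SRC=192.168.1.50 DST=93.184.216.34 LEN=60 TTL=63 PROTO=TCP SPT=51000 DPT=443 SYN",
    "Mar 14 21:02:15 router kernel: IN=br-lan OUT= SRC=192.168.1.51 DST=224.0.0.251 LEN=100 TTL=255 PROTO=UDP SPT=5353 DPT=5353 LEN=80",
    "Mar 14 21:02:20 router kernel: IN=br-lan OUT= SRC=192.168.1.20 DST=192.168.1.50 LEN=60 TTL=64 PROTO=TCP SPT=49152 DPT=554 SYN",
    "Mar 14 21:03:01 router kernel: IOT-OUT IN=br-lan OUT=pppoe-wan SRC=192.168.1.60 DST=93.184.216.34 LEN=60 TTL=63 PROTO=TCP SPT=60001 DPT=443 SYN",
    "Mar 14 21:08:01 router kernel: IOT-OUT IN=br-lan OUT=pppoe-wan SRC=192.168.1.60 DST=93.184.216.34 LEN=60 TTL=63 PROTO=TCP SPT=60002 DPT=443 SYN",
    "Mar 14 21:09:40 router kernel: IN=br-lan OUT=pppoe-wan SRC=192.168.1.20 DST=8.8.8.8 LEN=60 TTL=63 PROTO=UDP SPT=41000 DPT=53 LEN=40",
    "Mar 14 21:10:00 router kernel: br-lan: port 3(lan3) entered forwarding state",
]

if __name__ == "__main__":
    for name, dst, proto, dport in find_phone_home(SAMPLE_LOG):
        print(f"{name} tried {proto} to {dst}:{dport}")
    for key, n in summarise(find_phone_home(SAMPLE_LOG)).most_common():
        print(f"{n}x {key}")
    print(nft_block_rules())
```

On the sample, the second camera only talks mDNS and dad's PC is not an isolated device, so neither is reported; the first camera's DNS and HTTPS attempts and the printer's repeated HTTPS attempts are. Feed it real lines with something like `journalctl -k | python3 check.py` once the `log prefix` rule is in place, and an empty result over a few days is the evidence that the "no gateway" trick and the block are actually holding.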
 