Securing Surveillance Camera Networks

Basic Setup and Configuring pfsense Firewall Rules For Home

Synology Surveillance Station With Amcrest AI Advanced Detection

Synology DVA1622 Review:Face Detection, Licences Plates, People Counting and More!

Synology How to set up AI-powered analytics on DVA Series

Amcrest Night Color AI IP5M-T1273EW-AI

Amcrest 4K POE Camera AI Human/Vehicle Detection IP8M-T2669EW-AI

Synology NVR Selector

⏱ Timestamps ⏱
00:00 ▶ Securing Camera Networks
01:26 ▶ Network Layout
02:58 ▶ The Firewall Rules
05:17 ▶ Synology Settings
06:06 ▶ Understanding the risks

LAWRENCESYSTEMS

I have been watching your videos for a while now. I have been wanting to separate an NVR with cameras to a separate network. I'm no network guru and only know enough to get me in trouble lol. After figuring out how to config an older cisco switch with vlans and trunking which really was not that hard and once I configured the vlans on pfsense I was stuck on the rules. I applied the same rules you showed and works like a charm! Thank you for the videos!!!

ClassicCarOverhaul

I have all my cameras on their own network. I use a second nic on my NVR server for all the cams and they run with no DHCP. When I add a new cam I plug them temporarily into my main network and assign it a manual IP. Then I move it over to the POE switch and add it to my server. Makes them inaccessible from anywhere....

soniclab-cnc

I'm glad that putting the cameras and the NVR on the same subnet in this video. Was wondering if that was "good practice" or not as I've been doing that same thing with my IT job too 👍

Deraco

What you also need to watch out for is attackers getting access to network cables on outdoor devices. So it’s good to not allow them traffic to internal networks. That should include NAS read access.

berndeckenfels

Will you please do a step-by-step video going through the process Setting up camera network for people learning how to use PF sense

doug

Is it possible then to access my NVR from external network using these firewall rules? I want to block internal access like this video but also be able to access the NVR from external network.

xgdy

We have 3 separate industrial buildings we rent out to 3 separate renters. Is it possible to have the recordings for all 3 properties in one central place, But also allow our renters access to the cameras for their buildings? Or would it be better just to set up 3 independent systems? In case It's confusing I'll give an example. Something like your local Walmart having access to their cameras, But yet corporate can still see everything all the time.

Delphinus-Keya

Thanks Tom . I don't see the rule where you allow your trusted network access to the camera/synology network/vlan.

tokoiaoben

Freaking BRILLIANT! Thanks Tom, not that i use Pfsense, BUT this applies to OPNSense too !!

JasonsLabVideos

I even enable AP isolation (for the cameras that are on wifi) and port isolation on the switch. I don't want the cameras to be able to talk to each other. Might look like cameras but most of those are full capable linux boxes running on the lan. They can do everything.

MarkRiker

I have a cheap TP-link tapo camera at home. For only £20 it’s really good for the price… initial setup needs internet access as far as i’m aware, but after I add it into my home automation system, RTSP streaming is setup and I can block internet access.

peterwroot

Very important information. Thank you

BindasBadshah

Definitely gotta get motivated to redo all my device networking and throw my risky IOT plugs/cameras/switches in a firewalled VLAN. Not looking forward to redoing all of it and trying to figure out what the heck I missed in the migration, lol.

ShaneL

I have my cameras on their own VLAN. Instead of Synology, my NVR is a Blue Iris PC that doubles as a Plex server (so it needs to access the internet for metadata). I currently configure the PC on the main/trusted network. Is it better to put the PC on the camera VLAN like Tin shows his Synology NVR?

cal

How many NICS are you using on Synology? Normally for IP video systems, we use dual NICs on the servers. One for cameras and the other for the corp network. The camera network is isolated from everything else.

michaelmiller

Forgive me if I'm misunderstanding something here, but the allow inverted RFC1918 rule DOES NOT block the connections to IPs in that alias (local IPs), that would be the default deny rule that handles that AFTER the allow rule. So putting that in isn't a rule that is explicitly blocking access to those IPs and IMO it shouldn't be said as such.

EthanWord

Synology support suggests to set up a reverse proxy to avoid port forwarding. What do you say about it?

riccardoventurelli

If I have lan with only the cameras and the PC to watch the video on, can I do a simplified version of this in the Windows Firewall? I am thinking, all I want is the PC to be able to initiate the communication to the cameras, but deny the cameras to initiate- like you apparently do with pfSense. I already have a POE managed switch, there I can put the cameras on their own vlan which I would prefer. So that cams are on Vlan X and the PC is on Vlan Y. I need a simple rule, that just says: PC (with Blue Iris) can access cameras, but the cameras (or whatever is connected to that port) cannot access the PC. And from other comments here I assume, if I want more different Vlans for camera and PC I need to also define a gateway?

maxmeier

Hi Tom if you exposed the ports to the camera over the internet could the footage be viewable or is it encrypted?

Thanks

aaron