Hi,
I've set up a new dedicated server (an old Dell R310) using Debian 10 and I've configured the two NICS with each its own static IP.
ENO1 is in my server VLAN for accessing the ZM webinterface, SSH, etc...
ENO2 is in my camera VLAN for directly accessing the IP cams
How can I make sure that:
1. ENO1 is solely used for the management part
2. ENO2 is solely used for accessing the cams
When I do a netstat, I see that the cams are indeed going over ENO2, unfortunately my management is also going over ENO2 instead of ENO1.
Other option is using bond the two nics and forgetting about splitting the traffic.
[solved] ZM server with two IP addresses?
-
- Posts: 19
- Joined: Wed Jun 24, 2020 8:21 am
[solved] ZM server with two IP addresses?
Last edited by DonZalmrol on Sun Nov 22, 2020 9:27 am, edited 1 time in total.
Re: ZM server with two IP addresses?
To segregate the traffic and ensure you are using the NICs as intended you must use different subnets.
On an managed switch create VLANs and use different subnets. On an unmanaged switch simply use different subnets. The result is effectively the same but there are differences.
For example:
ENO1 - IP:10.1.1.10 GW 10.1.1.1 Mask 255.255.255.0 -- This is the same subnet as your management and other systems are on.
EN02 - IP:192.168.1.10 GW (blank) Mask 255.255.255.0 -- This is the same subnet as your cameras.
Assuming no router to connect the 2 subnets only systems on the 192 subnet can talk to the cameras.
A side effect of not allowing the cameras a route to the internet is they are frequently targets for hackers. This will provide protection.
Out of curiosity, why did you choose to segregate the cameras?
On an managed switch create VLANs and use different subnets. On an unmanaged switch simply use different subnets. The result is effectively the same but there are differences.
For example:
ENO1 - IP:10.1.1.10 GW 10.1.1.1 Mask 255.255.255.0 -- This is the same subnet as your management and other systems are on.
EN02 - IP:192.168.1.10 GW (blank) Mask 255.255.255.0 -- This is the same subnet as your cameras.
Assuming no router to connect the 2 subnets only systems on the 192 subnet can talk to the cameras.
A side effect of not allowing the cameras a route to the internet is they are frequently targets for hackers. This will provide protection.
Out of curiosity, why did you choose to segregate the cameras?
Andy
o||||o
Ubuntu 22.04
ZM 1.36.33
E5-1650-v4 Xeon
16 GB RAM
6 cameras -> 54 FPS modect
o||||o
Ubuntu 22.04
ZM 1.36.33
E5-1650-v4 Xeon
16 GB RAM
6 cameras -> 54 FPS modect
-
- Posts: 19
- Joined: Wed Jun 24, 2020 8:21 am
Re: ZM server with two IP addresses?
Seems I've made a stupid mistake.
When I created a DNS address in my domain, I've pointed it to my ENO2 static IP that is used for the CAM VLAN, instead of pointing it to the static IP of ENO1 on my MAN VLAN...
The main reason was for additional security as I tend to tighten up the FW rules for my CAM VLAN.
When I created a DNS address in my domain, I've pointed it to my ENO2 static IP that is used for the CAM VLAN, instead of pointing it to the static IP of ENO1 on my MAN VLAN...
The main reason was for additional security as I tend to tighten up the FW rules for my CAM VLAN.
Re: [solved] ZM server with two IP addresses?
It's very easy to have two ip addresses, if you physically separate the networks.
firewall 1 (cameras only, no internet)
firewall 2 (internet, no cameras)
And two ethernet ports (add a network card if needed) on the ZM server for each separately wired network.
VLANs with one firewall are another option, but require more configuration. Follow the keep it simple philosophy, and stick with two physical networks. One has internet access, the other does not. The one without WAN access will only do DHCP. Done.
firewall 1 (cameras only, no internet)
firewall 2 (internet, no cameras)
And two ethernet ports (add a network card if needed) on the ZM server for each separately wired network.
VLANs with one firewall are another option, but require more configuration. Follow the keep it simple philosophy, and stick with two physical networks. One has internet access, the other does not. The one without WAN access will only do DHCP. Done.
fastest way to test streams:
ffmpeg -i rtsp://<user>:<pass>@<ipaddress>:554/path ./output.mp4 (if terminal only)
ffplay rtsp://<user>:<pass>@<ipaddress>:554/path (gui)
find paths on ispydb or in zm hcl
If you are new to security software, read:
https://wiki.zoneminder.com/Dummies_Guide
ffmpeg -i rtsp://<user>:<pass>@<ipaddress>:554/path ./output.mp4 (if terminal only)
ffplay rtsp://<user>:<pass>@<ipaddress>:554/path (gui)
find paths on ispydb or in zm hcl
If you are new to security software, read:
https://wiki.zoneminder.com/Dummies_Guide
Re: [solved] ZM server with two IP addresses?
Not sure if I understand just what you want to do with the different LAN cards. We do have a couple of setups that use two subnets on a common un-managed LAN.
We actually use one LAN card with a static IP address and a virtual IP address. To give an example: the ZM server has an IP address of 192.168.1.100 with a subnet 255.255.255.0 and gateway 192.168.1.1. The assigned virtual IP address is 192.168.100.100 with a subnet of 255.255.255.0. All the cameras have static IP addresses assigned in the 192.168.100.0/24 range. Traffic travels over the same LAN wiring/WIFI but the cameras are not visible from other devices on the 192.168.1.0/24 subnet except the ZM server. Therefore the ZM server is accessed to view monitors/manage from the 192.168.1.0/24 subnet.
We actually use one LAN card with a static IP address and a virtual IP address. To give an example: the ZM server has an IP address of 192.168.1.100 with a subnet 255.255.255.0 and gateway 192.168.1.1. The assigned virtual IP address is 192.168.100.100 with a subnet of 255.255.255.0. All the cameras have static IP addresses assigned in the 192.168.100.0/24 range. Traffic travels over the same LAN wiring/WIFI but the cameras are not visible from other devices on the 192.168.1.0/24 subnet except the ZM server. Therefore the ZM server is accessed to view monitors/manage from the 192.168.1.0/24 subnet.
Re: [solved] ZM server with two IP addresses?
bbunge what you are describing is an inexpensive way to keep the cameras off the internet assuming you do not assign a default GW to anything with an 192.168.100.0/24 address and there is not router for 192.168.100.0/24 and also hiding them from normal viewing.
However you are not preventing anything on your LAN from talking to the cameras, you are only hiding them. If your intention is to hide the cameras and keep them on the LAN I think you have achieved that goal. If you want to really isolate them, that requires either a 2nd unmanaged switch or a managed switch with VLANs.
However you are not preventing anything on your LAN from talking to the cameras, you are only hiding them. If your intention is to hide the cameras and keep them on the LAN I think you have achieved that goal. If you want to really isolate them, that requires either a 2nd unmanaged switch or a managed switch with VLANs.
Andy
o||||o
Ubuntu 22.04
ZM 1.36.33
E5-1650-v4 Xeon
16 GB RAM
6 cameras -> 54 FPS modect
o||||o
Ubuntu 22.04
ZM 1.36.33
E5-1650-v4 Xeon
16 GB RAM
6 cameras -> 54 FPS modect
Re: [solved] ZM server with two IP addresses?
It's great to see that you're setting up a new dedicated server with two NICs and separate static IPs for management and camera VLANs. It sounds like you're on the right track and taking some good steps to ensure that your network is set up properly.
- yadirasmanns
- Posts: 1
- Joined: Sat Mar 18, 2023 10:12 am
- Location: Kansas City
Re: [solved] ZM server with two IP addresses?
To ensure that ENO1 is solely used for management and ENO2 is solely used for accessing the cameras, you can use some basic networking tools to set up routing rules. For example, you can use the 'route' command to add specific routes for each NIC. This way, traffic intended for management will be sent through ENO1, and traffic intended for camera access will be sent through ENO2. If you need more information on router IP addresses, I'd recommend checking out routeripnet.com for some helpful resources. Alternatively, you could consider using bonding to combine the two NICs into a single logical interface.