ZoneMinder Forums

Posted: **Wed Jan 30, 2019 3:23 am**

I am trying to find the best solution to my problem without reinventing the wheel. My situation is pretty simple. I have a bunch of cheap PTZ IP cameras I got during flash sales from Amazon. These cameras work very well, but I do not trust them at all to be exposed to my LAN and the Internet. I want to connect them all to a single router, block all external access from that router, and just use a single trusted server to talk to those cameras. This server would then be the only thing that is allowed to talk to the outside world.

Is ZoneMinder the right thing for this? On my Android phone, I currently use IP Cam Viewer, which has ZoneMinder as an available device type to connect to. My idea is below. Am I in the right place, or is there a better solution for me since I'm not concerned with recording anything, but just want to have a secure gateway?

Code: Select all

Current Setup:
Home LAN --------> Router 1 (Main Router)------->Internet

Proposed Setup:
Evil IP Cam 1 ----------------------|
Evil IP Cam 2 ----------------------|
Evil IP Cam 3 ----------------------|
Evil IP Cam 4 ----------------------|
Trusted Server ---------------------|
                                    |----Router 2------> Home LAN --------> Router 1 (Main Router)------->Internet

Evil IP Cams 1-4 will be contained inside Router 2 with no access to anything outside that router.
Trusted Server will be the DMZ host inside Router 2, meaning it will have all packets sent to Router 2 forwarded to it.

Whenever I want to view any of my IP cameras or control their PTZ functions inside my Home LAN environment, I will point my devices at Router 2 to talk to the Trusted Server.
Whenever I am away from home, I will point to my DDNS, and my Router 1 will forward the appropriate ports to Router 2 to talk to the Trusted Server.

I don't want the Evil untrusted IP Cams to be able to communicate with anything but my Trusted Server, which I plan to have equipped with enough armor and weaponry to keep them in check.

Am I doing this right?

Posted: **Wed Jan 30, 2019 3:41 pm**

but I do not trust them at all to be exposed to my LAN and the Internet. I want to connect them all to a single router, block all external access from that router, and just use a single trusted server to talk to those cameras. This server would then be the only thing that is allowed to talk to the outside world.

Is ZoneMinder the right thing for this?

yes it is. Zoneminder can be set up in this way.

For your Android / Apple phone to use ZoneMinder there is an excellent app called zmNinja that is specifically designed to work as an interface to zoneminder. I will highly recommend zmNinja and it comes also in a desktop version here
More info for zmNinja :
viewtopic.php?t=23645
https://github.com/pliablepixels/zmNinja

another app that is available ZmView

Posted: **Wed Jan 30, 2019 3:50 pm**

zm is perfect for the "trusted server"
but imho you don't need the router#2, you can definitely block all traffic to/from the cams on router#1 as well, leaving one single forward open to the zm server. if you do want to isolate the cams from your own home lan as well, you can do that on router#1 too.

Posted: **Wed Jan 30, 2019 6:31 pm**

alarmix wrote: ↑Wed Jan 30, 2019 3:50 pm zm is perfect for the "trusted server"
but imho you don't need the router#2, you can definitely block all traffic to/from the cams on router#1 as well, leaving one single forward open to the zm server. if you do want to isolate the cams from your own home lan as well, you can do that on router#1 too.

The reason for router#2 is the location of the cameras and the fact that they are all wifi. Router#2 is really just the access point for them. I do have a managed switch on my LAN that I'm thinking about using to make a VLAN to segregate them. I don't trust anything that is based on MAC addresses because any sufficiently evil device can spoof the MAC address of a trusted device. If I'm going to go to the trouble to secure things, I'm not going to leave anything to chance if possible.

Posted: **Wed Jan 30, 2019 6:55 pm**

We have a system set up that uses a LAN network of 192.168.1.0/24 and the Zoneminder server has a static IP on this network. All the cameras, on the same physical ethernet, are assigned IP's in the 192.168.10.0/24 subnet. The single NIC on the Zoneminder server has a second IP address in the 192.168.10.0/24 range and communicates with the cameras on this IP. The cameras can't talk to the internet as there is no gateway in the 192.168.10.0 subnet. Only downside is the cameras can't set their clocks which is not a problem for us. Does not need any additional hardware or VLAN programming. Just a need to know how to assign a 2nd IP to a NIC. And you can do this with one WIFI router.

Posted: **Wed Jan 30, 2019 9:26 pm**

I'm running two networks, one for only cams and that connects up to my wired ethernet port using a local IP network (gigabit hub), and a wireless interface which connects up to my router's DMZ (different building) which gives me WAN access to the cameras (web or ZMninja). I have nothing else on the server, so security concerns are low: my home LAN is isolated.

Other than needing to revert back to 1.30.4 due to instability issues on Debian, it works/worked really well.

Posted: **Fri Feb 01, 2019 12:05 pm**

bbunge wrote: ↑Wed Jan 30, 2019 6:55 pm Only downside is the cameras can't set their clocks

Can you set up an NTP service on the ZM machine and have the cameras get their time from that?

ZoneMinder Forums

Is ZoneMinder good for securing/rebroadcasting RTSP streams?

Is ZoneMinder good for securing/rebroadcasting RTSP streams?

Re: Is ZoneMinder good for securing/rebroadcasting RTSP streams?

Re: Is ZoneMinder good for securing/rebroadcasting RTSP streams?

Re: Is ZoneMinder good for securing/rebroadcasting RTSP streams?

Re: Is ZoneMinder good for securing/rebroadcasting RTSP streams?

Re: Is ZoneMinder good for securing/rebroadcasting RTSP streams?

Re: Is ZoneMinder good for securing/rebroadcasting RTSP streams?