Am I overthinking this?

Started with wanting to build a NAS and now I’m into homelab territory lol. I need some guidance on whether I am overthinking things or if I am on the right path.

I have finally set up a pfSense box and got my main network set up how I like it. I am now trying to get a network set up for my Blue Iris build and I’m wondering if I am doing this correctly or if there may be a better way.

I have the cameras running through OPT1 on pfSense, on a different IP range. I have an HP E2620-24 PoE (J9624A) switch that I got for cheap off eBay. I would like to run the cameras off that and limit their connectivity to the local network only, so the BI box can see them but they cannot get online. I then only want to let the BI box out to the internet to send me alerts/let me view the cameras on the go. I would also like to view the cameras and get alerts at home as well.

What is the best way to achieve each of those?

For the cameras, is it better to use the VLAN features in the PoE switch and block internet access there, or would it be better to block their IP addresses at the pfSense level?

For BI reaching the internet, can I get granular control to only let that program poke through? I don’t plan on running anything else off it besides a clean Windows install.

This last part may be more appropriate for a different category, so please let me know if I should ask somewhere else. Is it smart to poke holes through the interfaces to let the LAN talk to the Blue Iris PC? Or would it be better to have them essentially go out to the internet and do a U-turn back down the other interface?

Also, does anyone have a good recommendation for a guide to these Aruba/HP enterprise switches? This is the first time I have used one. I know it’s powerful, but I’m a bit lost going through the web GUI. I could use a good read/YouTube video on it. I am a pharmacist by trade, so all this is just hobby tinkering for me.

Thanks for any advice to help my paranoid self.

1 Like

That’s a lot of questions in one post; let’s see if I can help you by explaining my solution to a similar problem.

What I suggest you do is start using VLANs and leverage the pfSense firewall capabilities.

In my network I made a VLAN for cameras and IoT devices that:

  • ALLOWS all local connections across all VLANs, in my case (if you are not familiar with CIDR notation, take a look online; /16 in this case means from to
  • BLOCKS everything else

Here’s a screenshot from my pfSense box:

This means that the cameras can’t auto-update or reach any cloud services, which is my goal, but make sure you understand this.

I’m not familiar with BI, but my guess is that you want it to be able to reach the internet for updates? In that case, you can easily add another rule to pfSense to ALLOW a particular set of IPs (you can also use domain aliases in this case), so that the box will not be able to connect to anything EXCEPT those particular IPs.

You can set up an alias under Firewall → Aliases like the following:

Here I added for simplicity, but you can add as many hostnames, IPs, or ranges as you wish to be allowed.

Once you have done this, in the firewall rules you can use this alias in the destination box:

Adding the rule will give you something like:

Personally I keep everything isolated from the internet and only allow internet connections when running (manual) updates. IMHO you should be in full control at least of the devices that shouldn’t have broad internet access, and to be fair: cameras, “smart” IoT devices, etc. do not “need” to be connected 24/7.

I hope this helps you; I’m sure I forgot some of the questions, or maybe I added even more confusion.
Have fun with your homelab!

1 Like
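The reply above describes two rule sets (a camera VLAN that may only talk locally, and a BI host that may additionally reach one alias of allowed destinations) and relies on pfSense evaluating rules top-down, first match wins. The following is an added example, not code from the thread or from pfSense: a small first-match evaluator that models those rules so you can check what a given source/destination pair would get before you click Apply. All addresses, alias names, and interface labels are constructed; the `RFC1918` alias stands in for the local /16 in the reply but covers all three private ranges.

```python
"""
Added example (not from the thread, not pfSense code): models first-match
evaluation of the camera-VLAN and BI-host rule sets the reply describes.
Every address and alias below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed aliases, standing in for entries under Firewall -> Aliases.
# pfSense resolves hostname aliases to IPs for you; here we use IPs directly.
ALIASES = {
    "BI_ALLOWED": ["203.0.113.10/32", "198.51.100.0/24"],  # constructed (TEST-NET)
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}


@dataclass
class Rule:
    action: str        # "pass" or "block"
    src: str           # alias name, CIDR, or "any"
    dst: str           # alias name, CIDR, or "any"
    comment: str = ""


def _expand(spec):
    """Turn an alias name, CIDR string, or 'any' into a list of networks."""
    if spec == "any":
        return [ip_network("0.0.0.0/0")]
    return [ip_network(n) for n in ALIASES.get(spec, [spec])]


def _matches(spec, addr):
    return any(ip_address(addr) in net for net in _expand(spec))


def evaluate(rules, src, dst):
    """First matching rule decides; pfSense applies an implicit deny if none match."""
    for r in rules:
        if _matches(r.src, src) and _matches(r.dst, dst):
            return r.action, r.comment
    return "block", "implicit default deny"


def _covers(outer_spec, inner_spec):
    """True if every network of inner_spec lies inside some network of outer_spec."""
    outer = _expand(outer_spec)
    return all(any(n.subnet_of(o) for o in outer) for n in _expand(inner_spec))


def shadowed(rules):
    """Indexes of rules that an earlier rule fully covers, so they can never match."""
    out = []
    for i, later in enumerate(rules):
        if any(_covers(e.src, later.src) and _covers(e.dst, later.dst) for e in rules[:i]):
            out.append(i)
    return out


# Camera VLAN (OPT1) rules in the order the reply recommends.
CAMERA_VLAN_RULES = [
    Rule("pass", "RFC1918", "RFC1918", "allow local traffic across VLANs"),
    Rule("block", "any", "any", "block everything else"),
]

# BI host rules: the alias rule must sit above the catch-all block.
BI_HOST = "192.168.20.5/32"  # constructed address for the Blue Iris box
BI_RULES = [
    Rule("pass", BI_HOST, "RFC1918", "allow BI to reach cameras and LAN"),
    Rule("pass", BI_HOST, "BI_ALLOWED", "allow BI to the alias only"),
    Rule("block", "any", "any", "block everything else"),
]

# Misordered variant: the catch-all block shadows the alias rule below it.
BI_RULES_WRONG_ORDER = [
    Rule("pass", BI_HOST, "RFC1918", "allow BI to reach cameras and LAN"),
    Rule("block", "any", "any", "block everything else"),
    Rule("pass", BI_HOST, "BI_ALLOWED", "never reached"),
]


if __name__ == "__main__":
    cam, internet, allowed = "192.168.30.10", "203.0.113.50", "203.0.113.10"
    print("camera -> BI box:", evaluate(CAMERA_VLAN_RULES, cam, "192.168.20.5"))
    print("camera -> internet:", evaluate(CAMERA_VLAN_RULES, cam, internet))
    print("BI -> allowed:", evaluate(BI_RULES, "192.168.20.5", allowed))
    print("BI -> other internet:", evaluate(BI_RULES, "192.168.20.5", internet))
    print("shadowed in wrong order:", shadowed(BI_RULES_WRONG_ORDER))
```

The `shadowed()` check is the part worth keeping around: a pass rule placed under a broader block is silently dead in pfSense's top-down evaluation, which is exactly the mistake that makes "BI can't reach its update server" hard to diagnose. One caveat when you use hostnames in the destination alias: pfSense resolves them on a timer, so a service that rotates through many CDN addresses may not be fully covered by the alias at any given moment.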

Thank you, it’s definitely pointing me in the right direction. And I agree with the cameras not needing internet access 24/7. All I plan on allowing is for them to talk to the NVR box, and then that box sends me updates/live video/etc.

I really appreciate the in depth answer!

1 Like