How can I keep my security camera setup off line and still acces it locally

[TrafficChaos]

Hi everyone.
I am putting together an ip camera system that connects to an NVR.
I want to put the NVR in a safe place and access it over my network.

My router runs OPNsense, it has four ports, it is in default configuration
with nothing set up yet, igc1 is the Wan port and igc0 is the lan port.

That leaves two more ports on the router, igc3 and igc4.
Is there a way I can set one of these ports / igc3 for example, so that I can connect my NVR
to it and access it over the lan / igc1 port, but make sure the NVR connected
to igc3 in this example can not access the WAN / internet.

I am completely new to OPNsense, networking and ip cameras, so a simple
solution is what am after.

Thanks to all.

[Seattle2k]

If you want to prevent the NVR from reaching the internet, create a block rule...

[dseven]

You could assign igc3 as another interface, and give it its own subnet (not overlapping with your existing LAN), and create firewall rules to explicitly allow whatever communication you deem appropriate...

... or you could put the NVR on your LAN and block it from accessing the internet... but it would still be able to talk to other hosts on your LAN without going through the firewall - that may or may not be a concern, depending on how much you distrust the NVR...

[TrafficChaos]

You could assign igc3 as another interface, and give it its own subnet (not overlapping with your existing LAN), and create firewall rules to explicitly allow whatever communication you deem appropriate...

... or you could put the NVR on your LAN and block it from accessing the internet... but it would still be able to talk to other hosts on your LAN without going through the firewall - that may or may not be a concern, depending on how much you distrust the NVR...

Thank you for commenting.
How can I block an IP / my NVR's IP if it turns out to be dynamic, I am awaiting the
NVR in the mail, and can not find any information regarding whether it has a fixed IP
or a dynamic one.

[TrafficChaos]

You could assign igc3 as another interface, and give it its own subnet (not overlapping with your existing LAN), and create firewall rules to explicitly allow whatever communication you deem appropriate...

... or you could put the NVR on your LAN and block it from accessing the internet... but it would still be able to talk to other hosts on your LAN without going through the firewall - that may or may not be a concern, depending on how much you distrust the NVR...

Thank you for commenting.
How can I block an IP / my NVR's IP if it turns out to be dynamic, I am awaiting the
NVR in the mail, and can not find any information regarding whether it has a fixed IP
or a dynamic one.

Thank you for posting.
You bring up some good points, regarding trusting I am unsure but in general I do
not trust anything and thus my blocking idea.
I am awaiting the NVR in the post, and as of yet do not know whether it has a static
or dynamic IP, I am only assuming a static IP could be blocked easier than a dynamic one.

I have what I think is an odd setup, I only have mobile internet access.
I set up OPNsense and use a portable router connected by cable to the OPNsense WAN port and
set to bridge mode.
This portable router bridges to my phone to provide my entire wired network with internet access.
This also means I can leave my phone in the same room as the routers and connect via Ethernet
to my network in another part of the house and use apps on my laptop rather than the apps on the
phone, open source apps that is, I have zero trust in my phone not to be listening in and sending big
brother info from any app I would use on that device, so I use computers instead to communicate.

Now, I have decided to add some IP cameras, and am quite lost, I went the NVR route as in
testing it would take a very fast computer to record my 8mp cameras and display them, I tried
with zoneminder, memory was ate up until the system frooze every time a camera was triggered
it would record so much then freeze the computer, so I will now use an NVR which must use
a GPU to do its work, the chips inside these things are rarely marked so its a guessing game.

[dseven]

How can I block an IP / my NVR's IP if it turns out to be dynamic, I am awaiting the
NVR in the mail, and can not find any information regarding whether it has a fixed IP
or a dynamic one.

I would expect it will allow you to either configure a fixed IP address or use DHCP. If you choose DHCP (or if there's no option), you could create a reservation in OPNsense's DHCP server to assign it a specific IP address of your choosing (which should be outside the pool for dynamic addresses).

[TrafficChaos]

How can I block an IP / my NVR's IP if it turns out to be dynamic, I am awaiting the
NVR in the mail, and can not find any information regarding whether it has a fixed IP
or a dynamic one.

I would expect it will allow you to either configure a fixed IP address or use DHCP. If you choose DHCP (or if there's no option), you could create a reservation in OPNsense's DHCP server to assign it a specific IP address of your choosing (which should be outside the pool for dynamic addresses).

Looking online I  see these NVR's have two IP settings, one for the Switch that provides POE connectivity and one for the internal NIC that connects to your network.
The IP for the switch can be changed, but I read it is better to allow the NVR to assign one via its own DHCP and then to remove the tick and this will make it static.
Saying this, this is not the IP required to access the NVR, it has to be left alone as it is a static IP that the NVR uses to talk to the switch, and changing it am told results in the connected cameras being unable to communicate with the switch in the NVR.

I will see how it goes, and ask again when I get stuck.

One thing though, how does one create a reservation in OPNsense's DHCP server.
Am beyond new to all this network stuff, I hear of subnets and this is even more cconfusing,
as is different ip ranges, all greek to me.

[dseven]

I would suggest not interfering with the internal network provided by the NVR (for communication with the cameras). It's the connection to your LAN that you're concerned about.

DHCP reservation setup is covered at https://docs.opnsense.org/manual/dhcp.html

You won't be able to actually do it until you have the NVR, as you'll needs its MAC address (basically a hardware identifier for its network interface).

[cookiemonster]

As others say, separate network on its own port, or on the same one as the rest but managed with rules.
You will have more than one option but practicalities will also play a part in the decision I imagine. Like if the cameras are wireless or will be wired in the setup, and if there's a want to connect to them from the outside i.e. when you're out and about.
From the firewall point of view, the simplest setup is separate port, separate network.