New here, need advice..

Discussions related to the 1.36.x series of ZoneMinder
Post Reply
Kb00
Posts: 2
Joined: Mon Oct 25, 2021 5:46 am

New here, need advice..

Post by Kb00 »

I've been searching around for software that might fulfill a specific need. I don't know if ZoneMinder hits the target or not so I've come to ask..

A few neighbors here and myself thought of getting some cameras setup on our properties. The idea has been tossed around about having some cameras each of us host that are accessible to one another - networking our cameras together for viewing at one time.
I'm doing my best to avoid nest/ring crap as a privacy advocate and trying to keep it out of "the cloud" and foss if possible.

When landing on BlueIris, it appeared the only thing I could do is have each neighbor host a vpn and we'd have to switch vpn connections to which set of cameras we wish to access, and then log into the camera system - unable to view all at once.
It would appear there's a software limitation that doesn't necessarily have to exist for aggregating multiple vpn connections for a centralized perspective; seeing all cameras that we're allowing each other access to at one time.

Can ZoneMinder pull this off? Does anyone else here have a similar use-case?
tortho
Posts: 11
Joined: Tue May 25, 2021 8:56 pm
Location: Sandefjord, Norway

Re: New here, need advice..

Post by tortho »

@Kb00 Im a newbie myself but I suspect that Zoneminders multiple server install might work for that task.
While awaiting some more advanced user you might have a look at this one: https://zoneminder.readthedocs.io/en/st ... erver.html
User avatar
Andyrh
Posts: 243
Joined: Sat Oct 28, 2017 3:55 am

Re: New here, need advice..

Post by Andyrh »

An option would be to allow the camera to be stream over the internet. This has risks as cameras tend to not be secure. While the connection may not be 100%, I suspect it will work. You would need to do the math on the bandwidth needed, ZM will show the bandwidth it is using for each stream.
A VPN would be best for security, but will require at least one of the group to be capable of maintaining the VPNs and routes and everyone has to be on a different subnet. A bunch of 192.168.1.x networks will not work.

If you are symmetrical 1Gb bandwidth will not be an issue.

ZM is easy to install with the "easy way" script and can be tested on most any PC.

I have thought about the same thing, but none of my neighbors are technically inclined.

Depending on distances, WiFi bridges? Sort of a crazy idea...
Andy
o||||o

Ubuntu 22.04
ZM 1.36.33
E5-1650-v4 Xeon
16 GB RAM
6 cameras -> 54 FPS modect
bbunge
Posts: 2930
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: New here, need advice..

Post by bbunge »

To add a bit to the prior post..
Each neighbor will need a router that does DDNS and port forwarding. The cams do not need to be the same but I would keep the frame rate to 5 FPS and a low resolution to minimize bandwidth use. The cams to be port forwarded through the router firewall.
The NVR, Zoneminder would work, will be hosted on one home network and port forwarded on a secure socket so all the neighbors can access it. User ID and passwords are a must. The cams will be accessed by the NVR via the home owners router URL. Note that the use of a VPN client on the router could mess things up.
Zoneminder can be installed on an old PC. Ubuntu is a good choice for beginners. With the recent Zoneminder builds that use video pass through the load has been reduced greatly. Cams exposed to the internet pose a security risk so should have good password security enabled.
alabamatoy
Posts: 349
Joined: Sun Jun 05, 2016 2:53 pm

Re: New here, need advice..

Post by alabamatoy »

bbunge wrote: Mon Oct 25, 2021 1:04 pm Cams exposed to the internet pose a security risk so should have good password security enabled.
Or use a FW/router that can limit access to only the ZM server IP. That's certainly not bulletproof, but it would dramatically reduce the risk posed by allowing Internet access to the cams.
Kb00
Posts: 2
Joined: Mon Oct 25, 2021 5:46 am

Re: New here, need advice..

Post by Kb00 »

@Andyrh
Yeah i was leaning towards the vpn route of things due to the security over opening ports..
The wifi bridge idea definitely came to mind - i think ideally, the cameras would exist on a network unto themselves where each of us access them with our own levels of access based on login credentials. We're just too far apart in the middle if nowhere with no way to power them at the points they'd need to be in to link us. It's a great idea but unfortunately not feasible.

@bbunge
Correct me if I'm wrong
This does sound like exactly what would do the trick, but sounds like it's taking the most liberties with security. Cameras pointing directly out through opened fw ports?
Even ZM port forwarded is a risk of the same nature, because in both cases, you're opening a port. Regardless of user credentials, it's your network that opens itself to vulnerabilities with open ports.

@alabamatoy
Agreed. A static route/nat could lessen that impact.
User avatar
Andyrh
Posts: 243
Joined: Sat Oct 28, 2017 3:55 am

Re: New here, need advice..

Post by Andyrh »

Not trying to spend your money, but there are POE port extenders for Ethernet that push POE and 100Mb over RG6 to around 800'.
I have done minor research for adding cameras to the RC field I fly at and some of the runs would be in the 600' range.

For WiFi, you could look at directional antennas to cover the distance.

If you build this I would be interested in your solution.
Andy
o||||o

Ubuntu 22.04
ZM 1.36.33
E5-1650-v4 Xeon
16 GB RAM
6 cameras -> 54 FPS modect
User avatar
kitkat
Posts: 193
Joined: Sun Jan 27, 2019 5:17 pm

Re: New here, need advice..

Post by kitkat »

Rather than one (or each) of the participants running ZM and a VPN, could you get a cheap VPS somewhere and run it on that?

It was the first thing that came to mind and I haven't really thought it through but it should be possible to do something that way.

You'd still have to use a VPN to avoid opening any local ports (unless you can do something funky with inward connections from the cameras to the ZM server somehow - Now that'd be a seriously useful feature, a ZM source type of 'Incoming' or 'Listen' or similar), but port opening might not be quite so worrisome if it's from a known host with a fixed address (and maybe some sort of SSL/SSH cert?).


e2a: The more I think about this, the more I think it's worth exploring.

You'd need a single ZM server/VPS somewhere, and each participant would have to punch one single-port, single-source-address hole through their firewall/router for each of their cameras (drop all packets that don't come from the ZM server address at the gateway/router so there's no access to potentially-vulnerable camera software from elsewhere).

No VPN required, and everyone can access the ZM interface directly on the server either by hostname (f you have one) or IP address without having to do anything special, and you can assign rights and privileges as required there. Maybe protect the web front end with HTTP Authorisation before the ZM login for an extra layer of security if you're that way inclined (I am).

Whatever you do, local upstream/outgoing bandwidth for the cameras may be an issue, and if you use a VPN you'll make the throughput worse to the tune of 5% to 10% for the encryption overhead.

If you do try this then I'd be interested to see how it works out :)



(Hmm... One problem might be that each participant would need s static IP address or the ZM server wouldn't be able to find them... Maybe a free DynamicDNS service would fix that... or perhaps back to the VPN idea...)
bbunge
Posts: 2930
Joined: Mon Mar 26, 2012 11:40 am
Location: Pennsylvania

Re: New here, need advice..

Post by bbunge »

Kb00 wrote: Mon Oct 25, 2021 4:02 pm @bbunge
Correct me if I'm wrong
This does sound like exactly what would do the trick, but sounds like it's taking the most liberties with security. Cameras pointing directly out through opened fw ports?
Even ZM port forwarded is a risk of the same nature, because in both cases, you're opening a port. Regardless of user credentials, it's your network that opens itself to vulnerabilities with open ports.
Ah, I was being rushed by the family to do something and I forgot to finish my thought.

Port Forward, yes. But use a router that can restrict the forward to a specific upstream address. My Asus router port forward calls this a source IP. Although I've never tried it a URL should work as well. My Amcrest cams also have an IP Filter that can use IP address or MAC address. So, there are ways to secure port forwards...
Post Reply