Physical Security Network Setup — VLANs, PoE, and Firewall Rules
Proper network segmentation is a non-negotiable requirement for every JP Technical physical security deployment. This article documents the standard network architecture for camera and access control systems.
Why Segmentation Matters
Physical security devices — cameras and door controllers — must be isolated from the rest of your business network for two reasons:
Security: Many cameras and IoT devices have poor security track records. Placing them on your main business network creates a pivot point — a compromised camera could become a path to patient records or financial data.
HIPAA: If your cameras are on the same network as systems storing ePHI, a breach of those cameras potentially constitutes a HIPAA breach. Network isolation limits the blast radius and is considered a reasonable safeguard under HIPAA’s Technical Safeguards (§ 164.312).
Standard Network Architecture
JP Technical provisions the following VLAN structure for physical security:
| VLAN | Purpose | Devices |
|---|---|---|
| VLAN 10 (or existing business LAN) | Business network | Workstations, servers, printers |
| VLAN 20 | Camera network (isolated) | IP cameras, Frigate NVR server |
| VLAN 30 | Access control network (isolated) | BioStar 2 server, CoreStation door controllers |
| VLAN 1 (management) | Network equipment management | Switches, APs — admin access only |
Traffic Flow Rules
Camera VLAN (20):
✅ Cameras → Frigate NVR server (RTSP streams)
✅ Frigate → Business LAN (web UI access, HA integration)
❌ Cameras → Internet (blocked — no cloud uploads)
❌ Cameras → Business LAN (blocked — no direct camera access from workstations)
Access Control VLAN (30):
✅ Door controllers → BioStar 2 server (TCP/IP)
✅ BioStar 2 → Business LAN (admin UI, HA API)
❌ Door controllers → Internet (blocked)
❌ Door controllers → Camera VLAN (isolated from each other)
Business LAN (10):
✅ Admin workstations → Frigate web UI (port 8971)
✅ Admin workstations → BioStar 2 web UI (port 443)
✅ Home Assistant → BioStar 2 REST API (port 443)
✅ Home Assistant → Frigate API (port 8971)
Firewall Rules (Ubiquiti UniFi)
JP Technical deploys on UniFi networking in most client environments. The following firewall rules are applied:
Camera VLAN (20) Rules
# Block camera VLAN from reaching business LAN
Rule: VLAN20 → LAN REJECT (except Frigate server IP)
# Block cameras from reaching internet
Rule: VLAN20 → WAN REJECT (except NTP: UDP 123)
# Allow Frigate server to reach HA (on LAN)
Rule: Frigate-IP → HA-IP ALLOW (TCP 8123)
Access Control VLAN (30) Rules
# Block door controllers from reaching internet
Rule: VLAN30 → WAN REJECT
# Allow door controllers to reach BioStar 2 only
Rule: VLAN30 → LAN REJECT (except BioStar2-IP, TCP 1433/443/9000)
# Allow BioStar 2 to reach HA for API integration
Rule: BioStar2-IP → HA-IP ALLOW (TCP 8123)
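The rule list above is easy to get wrong in the ordering, so here is an added example (not JP Technical's code or anything from UniFi) that encodes the page's rules as a top-down first-match list and checks them against the intended traffic matrix from the Traffic Flow Rules section. The client subnet (x = 1), the VLAN 10/30 subnets and the BioStar 2 and Home Assistant host addresses are constructed for the example; only the 10.x.20.0/24 camera range and the .200 Frigate address follow the page.

```python
import ipaddress as ipa

# Constructed addressing for one hypothetical client (x = 1): the page gives
# 10.x.20.0/24 for cameras and .200 for Frigate; the other addresses are assumed.
NETS = {"LAN": ipa.ip_network("10.1.10.0/24"),
        "VLAN20": ipa.ip_network("10.1.20.0/24"),
        "VLAN30": ipa.ip_network("10.1.30.0/24")}
FRIGATE, BIOSTAR, HA = map(ipa.ip_address, ("10.1.20.200", "10.1.30.10", "10.1.10.50"))

def zone(ip):
    return next((z for z, n in NETS.items() if ip in n), "WAN")

def _match(pattern, ip):  # pattern is "*", a host address, or a zone name
    return pattern == "*" or pattern == ip or pattern == zone(ip)

# (src, dst, proto, ports, action), top-down, first match wins. Each "except"
# clause is an ALLOW above the REJECT it carves out of; the HA ALLOWs are moved
# above their REJECTs likewise. Unmatched flows are allowed (reject-list posture).
RULES = [
    (FRIGATE, HA, "tcp", {8123}, "ALLOW"),
    (FRIGATE, "LAN", "*", None, "ALLOW"),
    ("VLAN20", "LAN", "*", None, "REJECT"),
    ("VLAN20", "WAN", "udp", {123}, "ALLOW"),
    ("VLAN20", "WAN", "*", None, "REJECT"),
    ("VLAN30", "WAN", "*", None, "REJECT"),
    (BIOSTAR, HA, "tcp", {8123}, "ALLOW"),
    (BIOSTAR, "LAN", "tcp", {1433, 443, 9000}, "ALLOW"),
    ("VLAN30", "LAN", "*", None, "REJECT"),
]

def verdict(src, dst, proto, port):
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    for s, d, p, ports, action in RULES:
        if (_match(s, src) and _match(d, dst) and p in ("*", proto)
                and (ports is None or port in ports)):
            return action
    return "ALLOW"

# What the Traffic Flow Rules section says should happen (sample hosts constructed).
INTENDED = [
    (("10.1.20.101", "10.1.10.20", "tcp", 80), "REJECT"),   # camera -> workstation
    (("10.1.20.101", "203.0.113.5", "udp", 123), "ALLOW"),  # camera -> NTP exception
    (("10.1.10.20", "10.1.20.200", "tcp", 8971), "ALLOW"),  # admin -> Frigate web UI
    (("10.1.30.20", "203.0.113.5", "tcp", 443), "REJECT"),  # controller -> internet
    (("10.1.30.10", "10.1.10.50", "tcp", 8123), "ALLOW"),   # BioStar 2 -> HA API
    (("10.1.30.20", "10.1.20.101", "tcp", 554), "REJECT"),  # controller -> camera VLAN
]

def audit():  # intended flows whose verdict disagrees, as (flow, wanted, got)
    return [(f, want, verdict(*f)) for f, want in INTENDED if verdict(*f) != want]
```

Run as written, audit() flags one flow: the Traffic Flow Rules section marks door controllers → camera VLAN as blocked, but the rule list on this page has no VLAN30 → VLAN20 rule, so that flow falls through to the default.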
PoE Switch Placement
The camera VLAN and the access control VLAN each get their own dedicated PoE switch, hung off the core switch/router:
[Core Switch / Router] ──── [Camera PoE Switch] ──── [IP Cameras]
          │
          └──── [Access Control Switch] ──┬── [Door Controllers]
                                          └── [BioStar 2 Server]
Important: Do not mix cameras and door controllers on the same PoE switch. Keep them physically and logically separate.
PoE Budget Planning
| Camera Model | PoE Draw |
|---|---|
| Typical 1080p indoor | 5–8W |
| Typical 4K outdoor with IR | 10–15W |
| Suprema BioEntry W2 reader | ~3W |
| Suprema FaceStation F2 | ~10W |
Always account for 20–30% PoE headroom above calculated draw. A switch running near its PoE budget limit will throttle or drop devices during cold boots.
UPS Backup Requirements
UPS backup is mandatory for all physical security components. A power failure that unlocks all doors is a security incident. A power failure that stops recording during an event is an audit gap.
Minimum UPS Coverage
| Component | Minimum Runtime |
|---|---|
| Door controllers + power supplies | 4 hours (fail-secure behavior on power loss) |
| Camera PoE switch + Frigate server | 2 hours |
| BioStar 2 server | 2 hours |
JP Technical installs APC or CyberPower UPS units sized for the specific load. All UPS units are connected to the RMM for remote battery health monitoring.
Remote Management Access
JP Technical manages physical security systems remotely via Cloudflare Tunnel (no open inbound firewall ports required):
[JP Technical Admin] → Cloudflare Tunnel → [cloudflared on business LAN]
                                                      │
                                                      ├→ Frigate Web UI (port 8971)
                                                      ├→ BioStar 2 Web UI (port 443)
                                                      └→ Home Assistant (port 8123)
No physical security management UI is exposed to the open internet. All connections are authenticated via Cloudflare Access with JP Technical staff credentials.
Clients cannot access physical security management UIs through this tunnel — only JP Technical staff. Client-facing access (viewing camera feeds, unlocking a door remotely) is via a separate authenticated app or Home Assistant dashboard provisioned per client.
Camera Static IP Assignment
All cameras are assigned fixed IP addresses (via DHCP reservation on the camera VLAN) using the following addressing convention:
10.x.20.101 – Camera 1 (Front Entrance, Exterior)
10.x.20.102 – Camera 2 (Lobby, Interior)
10.x.20.103 – Camera 3 (Server Room, Interior)
...
10.x.20.200 – Frigate NVR Server
Where x is the client’s assigned subnet. This keeps the Frigate config readable and simplifies troubleshooting.