Help with isolating camera and IoT networks


jhv

New Around Here
Hi, I need some help with understanding how to create isolated networks at home to separate cameras and IoT devices from the main network. I currently have an ASUS RT-AX82U as the main router connecting to my ISP and an ASUS DSL-AC68U connected to the main router as a mesh node to improve wifi coverage in an area that previously had reduced signal strength. The AC68U used to be the main router until our ISP upgraded the connection from FTTN to FTTP. The network as it is now works great with almost no trouble at all, however I just purchased a few IP cameras to monitor the house when we go away and lots of googling later I find myself confused and also concerned the current setup is not secure enough.

From my research it seems that the cameras should be isolated from the main network and this also led to learning that IoT devices should also be isolated. My router doesn’t support VLANs except for the guest networks which are not ideal. For now I have temporarily connected the cameras to the guest network so they are operational for our upcoming trip. I don’t yet have an NVR set up; the cameras each record locally onto a micro SD card and I am able to access them from their phone app both from my main home network and also when away from home. They are TP-Link Tapo cameras and the associated phone app. As a test I set up ZoneMinder on a spare Linux laptop and connected it to one of the cameras. ZoneMinder could access the feed if the camera was connected to the main network, but with the laptop and the camera both on the guest network ZoneMinder could not access the feed, which I expected since the guest network doesn’t allow devices to talk to each other.

I could use some help, perhaps with a simple diagram, to visualise how the network should look for it to work. Attached is a very simple drawing of how I think it should look but I don’t know if I’m on the right track.
Network.png


The Camera and IoT networks would somehow be isolated from the main router but those devices would still need access to the internet and I would need to access the camera feeds. The items in pink currently don’t exist in my home network and the cameras are temporarily connected to the guest wifi network of the main router. The plan is to disable the camera wifi and connect them through PoE to the NVR through a PoE switch if the NVR doesn’t have PoE ports or is a software NVR running on a laptop.

Sorry if I am unclear; after several long days of searching the internet trying to increase my network knowledge my brain is kind of scrambled. Any help would be greatly appreciated.
 
If you still have the AC68U, install FT (FreshTomato) firmware and daisy-chain that router to the primary router to support your IoT/Camera networks. This effectively gives you VLAN support since you get the default VLAN (vlan1) of the secondary router, plus any additional VLANs you choose to define on that same router (vlan2 is used by the WAN, so vlan3, vlan4, etc.). You can also create additional VAPs (virtual APs) and bridges (the default is br0, containing vlan1 and the eth1 (2.4GHz) and eth2 (5GHz) APs, so br1, br2, etc.) and freely associate the VLANs and APs/VAPs as you see fit amongst those bridges. Finally, install firewall rules on the AC68U to deny access to the private, upstream IP network of the main network, while still allowing access to its WAN for internet access.
 
The items in pink currently don’t exist in my home network

Check the NVR specs. Most have Camera Network already isolated from Control Network, the port you connect to your router. For IoT use Guest Network, good enough. Drawback - you have to control your IoT devices over Internet (WAN) because you’ll lose local access to them (LAN). The security precautions will impact your own user experience.
 
If you still have the AC68U, install FT (FreshTomato) firmware and daisy-chain that router to the primary router to support your IoT/Camera networks. This effectively gives you VLAN support since you get the default VLAN (vlan1) of the secondary router, plus any additional VLANs you choose to define on that same router (vlan2 is used by the WAN, so vlan3, vlan4, etc.). You can also create additional VAPs (virtual APs) and bridges (the default is br0, containing vlan1 and the eth1 (2.4GHz) and eth2 (5GHz) APs, so br1, br2, etc.) and freely associate the VLANs and APs/VAPs as you see fit amongst those bridges. Finally, install firewall rules on the AC68U to deny access to the private, upstream IP network of the main network, while still allowing access to its WAN for internet access.
That sounds promising. Just to be sure I understand you, after I flash Fresh Tomato to the AC68U, I set up the various VLANs for the IoT and camera networks in this router, like this?
Network 2.png


Will I still be able to also use the 68U to extend the primary wifi network from the AX82U to fill the gap in wifi reception for the main network as well as manage the vlan networks?

Is it worth swapping the AC68U and AX82U so the 68U becomes the primary router connected to the WAN and the 82U acts as the wifi extender?

I also found this fork of the Merlin firmware that lists the RT-AX82U and DSL-AC68U as supported routers and it also says it’s an official Merlin fork supported by ASUS and Merlin.

https://github.com/gnuton/asuswrt-merlin.ng

I’ve read Merlin also supports VLANs but it needs to be done with scripting, which I’m not yet sure how to do but am willing to do some research and educate myself if Merlin is a good alternative to FT firmware.

Which of the two routers is better as the main router connected to the WAN with regards to its hardware specs/features, eg firewall, overall security of the network exposed to the internet?

Thank you for your help getting me onto a path using my existing hardware, I already feel like I am getting closer to solution.
 
Check the NVR specs. Most have Camera Network already isolated from Control Network, the port you connect to your router. For IoT use Guest Network, good enough. Drawback - you have to control your IoT devices over Internet (WAN) because you’ll lose local access to them (LAN). The security precautions will impact your own user experience.
Haven’t gone very far down the NVR rabbit hole yet. Not yet sure whether to use a separate standalone NVR box or set up my spare laptop as the NVR running something like ZoneMinder. I did some quick searches on the TP-Link VIGI NVR, which is compatible with my existing cameras, which are also TP-Link from the Tapo range. The cameras I have are all ONVIF/RTSP capable and I think the VIGI NVR can control pan/tilt on the cameras with that functionality, but I’m not 100% sure. I found some info online to enable pan/tilt control from ZoneMinder for the Tapo cameras but have not been able to get that to work yet in the short time I’ve experimented with ZoneMinder.

I prefer not to have to pay any subscription fees for NVR software, which is how I originally found ZoneMinder. I don’t yet know if the VIGI NVR has a GUI I can access through a browser or if I have to use their Windows software, which is a subscription product. Any recommendations for either a software-based or standalone NVR box that is not subscription based? In the case of software, I would be happy with a one-time purchase but don’t want ongoing subscription costs. Also, I know I would need a PoE-capable switch to connect the cameras to if I go with a software NVR or the standalone box doesn’t have multiple ports, which I am OK with.

Thank you for your help.
 
That sounds promising. Just to be sure I understand you, after I flash Fresh Tomato to the AC68U, I set up the various VLANs for the IoT and camera networks in this router, like this?

Will I still be able to also use the 68U to extend the primary wifi network from the AX82U to fill the gap in wifi reception for the main network as well as manage the vlan networks?

As I initially described it, the AC68U has its WAN facing the private IP network of the AX82U (i.e., WAN to LAN, respectively), so NO, in that configuration, you would NOT be able to extend the wifi of the AX82U's IP network. But what you could do instead is configure the AC68U in AP mode (i.e., disable its WAN and assign that port to the LAN). Now use one of the LAN ports as an uplink to the AX82U. And now you have the physical APs of the AC68U on the AX82U IP network since it's a LAN to LAN connection. You can then add additional VLANs/VAPs/bridges for the IoT/Camera IP networks on the AC68U and route them over that uplink. As before, you need firewall rules to prevent the IoT/Camera IP networks from accessing resources on the private IP network.

Is it worth swapping the AC68U and AX82U so the 68U becomes the primary router connected to the WAN and the 82U acts as the wifi extender?

The issue here is that in terms of performance, the AX82U is presumably better than the AC68U. And it doesn't solve the problem of VLANs unless you either install FT (or DD-WRT, it would work as well, but I prefer FT), OR, as you alluded to, do some scripting to enable VLANs w/ the AC68U. As it happens, I did this very thing quite some time ago.


But that assumes you insist on sticking w/ Merlin. It's far easier and more reliable to use FT (or even DD-WRT) since these firmwares support VLANs natively, so NO HACKING required. Also, the AC68U is EOL, so there will be no further support come the first of next year. So it seems pointless to continue pursuing a solution based on the AC68U as your primary router, esp. w/ Merlin. IMO, it makes more sense to use the AC68U as a *supplementary* device using firmwares that will continue to support it indefinitely.

BTW, we've been supporting these types of configurations on the FreshTomato forum for years. Nothing new here. It's just that Merlin has been such a favorite for users for so long, they've usually insisted on a Merlin solution, even if it requires hacking/scripting. But as I said, that's all changed now since support is ending very soon. So FT and DD-WRT are now your better options.
 
P.S. Just to give you an idea of how long this AP mode solution has been around the FT forum, I wrote the following firewall script in support of it in 2015! And it has 3800+ downloads.


 
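To make the firewall part of the two replies above concrete (the daisy-chained FT router, and the AP-mode variant with extra bridges routed over the uplink), here is an added example of the kind of rules meant; it is not the script from the FreshTomato forum nor anything the poster published. It assumes br0 is the bridge holding the uplink to the AX82U on 192.168.1.0/24, br1 and br2 are the IoT and camera bridges on the AC68U with their own subnets, and that it would be pasted into FreshTomato's Firewall script box; every interface name and subnet is an assumption to adjust.

```shell
#!/bin/sh
# Assumed layout (not from the thread): br0 = uplink to the AX82U main LAN,
# br1 = IoT bridge, br2 = camera bridge, each with its own subnet on the AC68U.
UPLINK_IF="br0"
MAIN_LAN="192.168.1.0/24"                  # private upstream network (assumed)
ISO_IFS="br1 br2"                          # isolated bridges (assumed)
ISO_NETS="192.168.2.0/24 192.168.3.0/24"   # their subnets (assumed)

# run: execute an iptables command, or only print it when DRY_RUN is set
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

apply_isolation() {
  # -I puts each rule at the top, so the rule that must be checked first is inserted last.
  for ifc in $ISO_IFS; do
    # 1. the isolated VLAN may not reach the AC68U itself, except for DHCP and DNS
    run iptables -I INPUT -i "$ifc" -j DROP
    run iptables -I INPUT -i "$ifc" -p udp --dport 53 -j ACCEPT
    run iptables -I INPUT -i "$ifc" -p udp --dport 67 -j ACCEPT
    # 2. isolated VLANs may not talk to each other (cameras vs. IoT)
    for other in $ISO_IFS; do
      if [ "$ifc" != "$other" ]; then
        run iptables -I FORWARD -i "$ifc" -o "$other" -j DROP
      fi
    done
    # 3. no connections initiated toward the main LAN; internet via the uplink is unaffected
    run iptables -I FORWARD -i "$ifc" -o "$UPLINK_IF" -d "$MAIN_LAN" -j DROP
    # 4. replies to sessions the main LAN opened (e.g. an NVR pulling an RTSP feed) do return
    run iptables -I FORWARD -i "$ifc" -o "$UPLINK_IF" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  done
  # the AX82U knows nothing about these subnets, so hide them behind the uplink address
  for net in $ISO_NETS; do
    run iptables -t nat -I POSTROUTING -o "$UPLINK_IF" -s "$net" -j MASQUERADE
  done
}

# On the router: `sh firewall.sh apply`; preview without changing anything:
# `DRY_RUN=1 sh firewall.sh apply`
if [ "${1:-}" = "apply" ]; then apply_isolation; fi
```

Because the isolated subnets are masqueraded, a host on the main LAN can only open a connection to a camera if the AX82U has a static route for that subnet pointing at the AC68U's br0 address; once it does, rule 4 lets the camera's replies through.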
Sorry, I misunderstood your initial reply connecting the AC68U to the AX82U. I assumed it was a LAN-LAN connection between the routers, not LAN-WAN where the WAN port of the 68 is connected to a LAN port of the 82, but it's good to know it will still work connected LAN-LAN and use the 68U as an AP to extend the main wifi.

The reason I was asking about setting up the VLANs on the main router is because the location of the main router is in a central cabinet (a sort of home-made rack) where there is enough room to locate any switches needed for the VLANs, an NVR, and it is also convenient to run Cat5e cables to the cameras. The 68U is sitting in a corner of the lounge room where we previously had poor wifi signal. It's a pity there is no FT firmware for the 82U.

Thank you for the links. A lot of good information there; I will need to take some time to properly read and digest it all and then start setting up the network. I will likely flash FT to the 68U and set up a VLAN on it as a first attempt for testing and to make sure I know what I am doing before doing anything to the main router so I don't accidentally break our internet. Worst case, if the 68U is up and running after the changes and then I end up breaking the 82U, the 68U can always act as a backup to get our internet operational again until I fix any mistakes I might have made.
 