Help with isolating camera and IoT networks

[jhv]

Hi, I need some help with understanding how to create isolated networks at home to seperate cameras and IoT devices from the main network. I currently have an ASUS RT-AX82U as the main router connecting to my isp and an ASUS DSL-AC68U connected to the main router as a mesh node to give improve wifi coverage in an area that previously had reduced signal strength. The AC68U used to be the main router until our isp upgraded the connection from FTTN to FTTP. The network as it is now works great with almost no trouble at all, however I just purchased a few ip cameras to monitor the house when we go away and lots of googling later I find myself confused and also concerned the current setup is not secure enough.

From my research it seems that the cameras should be isolated from the main network and this also led to learning that IoT devices should also be isolated. My router doesn’t support vlans except for the guest networks which are not ideal. For now I have temporarily connected the cameras to the guest network so they are operational for our upcoming trip. I don’t yet have an NVR setup, the cameras each record locally onto a micro sd card and I am able to access them from their phone app both from my main home network and also when away from home. They are tp-link Tapo cameras and the associated phone app. As a test I setup zoneminder on a spare Linux laptop and connected it to one of the cameras. Zoneminder could access the feed if the camera was connected to the main network but with the laptop and the camera both on the guest network zoneminder could not access the feed, which I expected since the guest network doesn’t allow devices to talk to each other.

I could use some help, perhaps with a simple diagram, to visualise how the network should look for it to work. Attached is a very simple drawing of how I think it should look but I don’t know if I’m on the right track.

The Camera and IoT networks would somehow be isolated from the main router but those devices would still need access to the internet and I would need to access the camera feeds. The items in pink currently don’t exist in my home network and the cameras are temporarily connected to the guest wifi network of the main router. The plan is to disable the camera wifi and connect them through PoE to the NVR through a PoE switch if the NVR doesn’t have PoE ports or is a software NVR running on a laptop.

Sorry if I am unclear, after several long days of searching the internet trying to crease my network knowledge my brain is kind of scrambled. Any help would be greatly appreciated.

 

[eibgrad]

If you still have the AC68U, install FT (FreshTomato) firmware and daisy-chain that router to the primary router to support your IOT/Camera networks. This effectively gives you VLAN support since you get the default VLAN (vlan1) of the secondary router, plus any additional VLANs you chose to define on that same router (vlan2 is used by the WAN, so vlan3, vlan4, etc.). You can also create additional VAPs (virtual APs) and bridges (the default is br0, containing vlan1 and the eth1 (2.4GHz) and eth2 (5GHz) APs, so br1, br2, etc.) and freely associate the VLANs and APs/VAPs as you see fit amongst those bridges. Finally, install firewall rules on the AC68U to deny access to the private, upstream IP network of the main network, while still allowing access to its WAN for internet access.

 

[Tech9]

The items in pink currently don’t exist in my home network

Check the NVR specs. Most have Camera Network already isolated from Control Network, the port you connect to your router. For IoT use Guest Network, good enough. Drawback - you have to control your IoT devices over Internet (WAN) because you’ll lose local access to them (LAN). The security precautions will impact your own user experience.

 

[jhv]

If you still have the AC68U, install FT (FreshTomato) firmware and daisy-chain that router to the primary router to support your IOT/Camera networks. This effectively gives you VLAN support since you get the default VLAN (vlan1) of the secondary router, plus any additional VLANs you chose to define on that same router (vlan2 is used by the WAN, so vlan3, vlan4, etc.). You can also create additional VAPs (virtual APs) and bridges (the default is br0, containing vlan1 and the eth1 (2.4GHz) and eth2 (5GHz) APs, so br1, br2, etc.) and freely associate the VLANs and APs/VAPs as you see fit amongst those bridges. Finally, install firewall rules on the AC68U to deny access to the private, upstream IP network of the main network, while still allowing access to its WAN for internet access.

That sounds promising. Just to be sure I understand you, after I flash Fresh Tomato to the AC68U, I set up the various VLANs for the IoT and camera networks in this router, like this?

Will I still be able to also use the 68U to extend the primary wifi network from the AX82U to fill the gap in wifi reception for the main network as well as manage the vlan networks?

Is it worth swapping the AC68U and AX82U so the 68U becomes the primary router connected to the WAN and the 82U acts as the wifi extender?

I also found this fork of the Merlin firmware that lists the RT-AX82U and DSL-AC68U as supported routers and it also says it’s an official Merlin fork supported by ASUS and Merlin.

https://github.com/gnuton/asuswrt-merlin.ng

I’ve read Merlin also supports vlans but needs to be done with scripting which I’m not yet sure how to do but am willing to do some research and educate myself if Merlin is a good alternative to FT firmware.

Which of the two routers is better as the main router connected to the WAN with regards to its hardware specs/features, eg firewall, overall security of the network exposed to the internet?

Thank you for your help getting me onto a path using my existing hardware, I already feel like I am getting closer to solution.

 

[jhv]

Check the NVR specs. Most have Camera Network already isolated from Control Network, the port you connect to your router. For IoT use Guest Network, good enough. Drawback - you have to control your IoT devices over Internet (WAN) because you’ll lose local access to them (LAN). The security precautions will impact your own user experience.

Haven’t gone very far down the NVR rabbit hole yet. Not yet sure whether to use a seperate NVR standalone box or setup my spare laptop as the NVR running something like zoneminder. I did some quick searches on the tplink VIGI NVR which is compatible with my existing cameras which are also tplink from the TAPO range. The cameras I have are all ONVIF/RTSP capable and I think the VIGI NVR can control pan/tilt on the cameras with that functionality, but not 100% sure. I found some info online to enable Pan/tilt control from zoneminder for the Tapo cameras but have not been able to get that to work yet in the short time I’ve experimented with zoneminder.

I prefer not to have to pay any subscription fees for NVR software which is how I originally found zoneminder. I don’t yet know if the VIGI NVR has a gui interface I can access through a browser or if I have to use their windows software which is a subscription product. Any recommendations for either a software based or standalone NVR box that is not subscription based or something in the case of software, would am happy with a one time purchase but don’t want ongoing subscription costs. Also, I know I would need a PoE capable switch to connect the cameras to if I go with a software NVR or the standalone box doesn’t have multiple ports, which I am ok with.

Thank you for your help.

 

[eibgrad]

That sounds promising. Just to be sure I understand you, after I flash Fresh Tomato to the AC68U, I set up the various VLANs for the IoT and camera networks in this router, like this?
View attachment 61614

Will I still be able to also use the 68U to extend the primary wifi network from the AX82U to fill the gap in wifi reception for the main network as well as manage the vlan networks?

As I initially described it, the AC68U has its WAN facing the private IP network of the AX82U (i.e., WAN to LAN, respectively), so NO, in that configuration, you would NOT be able to extended the wifi of the AX82U's IP network. But what you could do instead is configure the AC68U in AP mode (disable its WAN and assign that port to the LAN, disable its DHCP server, etc.). Now use one of the LAN ports as an uplink to the AX82U. And now you have the physical APs of the AC68U on the AX82U IP network since it's a LAN to LAN connection. You can then add additional VLANs/VAPs/bridges for the IOT/Camera IP networks on the AC68U and route then over that uplink. As before, you need firewall rules to prevent the IOT/Camera IP networks from accessing resources on the private IP network.

Is it worth swapping the AC68U and AX82U so the 68U becomes the primary router connected to the WAN and the 82U acts as the wifi extender?

The issue here is that in terms of performance, the AX82U is presumably better than the AC68U. And it doesn't solve the problem of VLANs unless you either install FT (or DD-WRT, it would work as well, but I prefer FT), OR, as you alluded to, do some scripting to enable VLANs w/ the AC68U. As it happens, I did this very thing quite some time ago.

Tutorial - Adding IP Networks to the ASUS RT-AC68U (et al.)

Overview The following script adds support for the creation of additional IP networks for the ASUS RT-AC68U running Asuswrt-Merlin firmware. https://pastebin.com/hvHHic1V The impetus for the script came from another forum member. The original intent was to simply add a single VLAN to the...

www.snbforums.com

But that assumes you insist on sticking w/ Merlin. It's far easier and more reliable to use FT (or even DD-WRT) since these firmwares support VLANs natively, so NO HACKING required. Also, the AC68U is EOL, so there will be no further support come the first of next year. So it seems pointless to continue pursuing a solution based on the AC68U as your primary router, esp. w/ Merlin. IMO, it makes more sense to use the AC68U as a *supplimentary* device using firmwares that will continue to support it indefinitely.

BTW, we've been supporting these types of configurations on the FreshTomato forum for years. Nothing new here. It's just that Merlin has been such a favorite for users for so long, they've usually insisted on a Merlin solution, even if it requires hacking/scripting. But as I said, that's all changed now since support is ending very soon. So FT and DD-WRT are now your better options.

 

[eibgrad]

P.S. Just to give you an idea of how long this AP mode solution has been around the FT forum, I wrote the following firewall script in support of it in 2015! And it has 3800+ downloads.

tomato-ap-firewall.sh - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

pastebin.com

Virtual WLAN with Adblock

Hello, I have a Netgear 6400v1 running freshtomato 2024.3 configured in AP mode behind my ISP router. I would like to create a virtual WLAN with adblock feature and access to internet (like a guest network isolated from br0 or not). ISP router : 192.168.1.5 Netgear router : 192.168.1.1...

www.linksysinfo.org

 

[jhv]

Sorry, I misunderstood you initial reply connecting the AC68U to the AX82U. I assumed it was a LAN-LAN connection between the routers, not LAN-WAN where the WAN port of the 68 is connected to a LAN port of the 82, but its good to know it will still work connected LAN-LAN and use the 68U as an AP to extend the main wifi.

The reason I was asking about setting up the vlans on the main router is because the location of the main router is in a central cabinet ( a sort of home made rack) where there is enough room to locate any switches needed for the vlans, an nvr and also convenient to run cat5e cables to the cameras. The 68U is sitting in a corner of the lounge room where we previously had poor wifi signal. It's a pity there is no FT firmware for the 82U.

Thank you for the links. Alot of good information there, I will need to take some time to properly read and digest it all and then start setting up the network. I will likely flash FT to the 68U and set up a vlan on it as a first attempt for testing and to make sure I know what I am doing before doing anything to the main router so I dont accidently break our internet. Worst case, if the 68U is up and running after the changes and then I end up breaking the 82U, the 68U can always act as a backup to get our internet operational again until I fix any mistakes I might have made.

 

[tiddlywink]

..

 

[jhv]

Do not buy an NVR with PoE built in. Buy a separate *fanless* managed PoE switch. You will thank me later.

You are going down the vlan rabbit hole including intervlan routing. The AX82U needs to be replaced. My vote is 2x TUF-AX4200 flashed to openwrt; one as a gateway and one as a dumb AP. Vlans fully work.

Using DSA to create vlans on openwrt:

What is the reason you recommend to not use an NVR with PoE built in?

Currently I am leaning towards using a managed switch and Zoneminder on my spare testing laptop. This laptop is dual boot Linux Mint and Windows 10 Pro which I use to experiment with and not worry about losing important data on my other laptop. I also downloaded the demo version of Blue Iris to try out, but I haven’t ruled out a standalone NVR box which is why I asked about your comment using an NVR with built in PoE.

I don’t really want to spend any money buying more routers if the ones I have will do the job. The AX82U is happily running with no issues whatsoever, so I will keep using it unless there is a good reason to get rid of it? The AC68U, which was previously acting as a mesh node now has Fresh Tomato firmware installed on it. It’s not yet part of the main network as I only installed the FT firmware earlier today before going to work. Currently reading through the FT documentation to gain a better understanding of the various settings.

One thing I did notice right away was that I could not access the router by connecting the laptop to one of the LAN ports on the router, however the router wifi networks (both 2.4G and 5G) were available so I accessed the FT gui using wifi. In the little time I had to play before leaving for work, I couldn’t find any obvious setting that may have disabled the LAN ports on the router. I think the ports are enabled because the blue light on the front of the router for the port the laptop was plugged into was on and in network settings on the laptop (Windows 10), it had a message under the ethernet connection that said unknown network, or something similar (I’m not near the laptop now and can’t remember the exact wording). I will do some more research and study the documentation, and hopefully in the next day or two I will have some time to play with the router to figure out what is happening. I’m sure it’s just a noob mistake that I missed while in a hurry. Aside from the LAN connection issue, the firmware looks like it will let me set up the network the way I would like it using my existing hardware. Too bad there isn’t a version of FT for the AX82U.

 

[degrub]

That message means that the laptop did not join the network automatically. You just tell windows if it is a public or private network and it should join if it can. The fact that you could join immediately by wifi, just means that you already had before.

 

[degrub]

What is the reason you recommend to not use an NVR with PoE built in?

Currently I am leaning towards using a managed switch and Zoneminder on my spare testing laptop. This laptop is dual boot Linux Mint and Windows 10 Pro which I use to experiment with and not worry about losing important data on my other laptop. I also downloaded the demo version of Blue Iris to try out, but I haven’t ruled out a standalone NVR box which is why I asked about your comment using an NVR with built in PoE.

I don’t really want to spend any money buying more routers if the ones I have will do the job. The AX82U is happily running with no issues whatsoever, so I will keep using it unless there is a good reason to get rid of it? The AC68U, which was previously acting as a mesh node now has Fresh Tomato firmware installed on it. It’s not yet part of the main network as I only installed the FT firmware earlier today before going to work. Currently reading through the FT documentation to gain a better understanding of the various settings.

One thing I did notice right away was that I could not access the router by connecting the laptop to one of the LAN ports on the router, however the router wifi networks (both 2.4G and 5G) were available so I accessed the FT gui using wifi. In the little time I had to play before leaving for work, I couldn’t find any obvious setting that may have disabled the LAN ports on the router. I think the ports are enabled because the blue light on the front of the router for the port the laptop was plugged into was on and in network settings on the laptop (Windows 10), it had a message under the ethernet connection that said unknown network, or something similar (I’m not near the laptop now and can’t remember the exact wording). I will do some more research and study the documentation, and hopefully in the next day or two I will have some time to play with the router to figure out what is happening. I’m sure it’s just a noob mistake that I missed while in a hurry. Aside from the LAN connection issue, the firmware looks like it will let me set up the network the way I would like it using my existing hardware. Too bad there isn’t a version of FT for the AX82U.

Noise from the built in cooling fan is one reason to not use an NVR with POE . Heat may also shorten the life of the recording media as well.

 

[jhv]

That message means that the laptop did not join the network automatically. You just tell windows if it is a public or private network and it should join if it can. The fact that you could join immediately by wifi, just means that you already had before.

Ahhh, ok. I will check again. I don’t recall seeing anywhere to tell windows if it is a public or private network, but I was rushing when I was doing all this. The wifi didn’t connect immediately because it was a new network that it had not joined before, but the two wifi networks did show up in the list of available networks. However, soon as I clicked on the connect button it connected right away, as expected.

 

[tiddlywink]

..

 

[jhv]

I’ve had some issues with Fresh Tomato on the DSL-AC68U. For some reason I am unable to access the router GUI with an ethernet cable connected directly between a laptop and the router. The laptop is dual boot with Windows 10 Pro on one drive and Linux Mint Cinnamon on the other drive. The ethernet connection to the router didn’t work with either windows or Linux which makes me think there is a setting in FT that wasn’t set right. The ethernet port on the laptop does connect to the network if I plug it in to the main router so I know the laptop does work.

I then installed Merlin firmware to the router to see if that would suit my needs. Couldn’t get the main router to add the AC68U as a mesh node so in order to get our home network up and running again before going away for a few weeks, I put the stock firmware back on the router and sent it up once again as an AIMesh node. I noticed the stock firmware is 388 and the gnuton version of Merlin for this router is 386, maybe that had something to do with AIMesh not working? Reflashing the stock F/W and getting the AIMesh back up and running at least fixed the wifi connectivity in the parts of the house that had poor signal strength. The IP cams will stay on the guest network for now so I have a reasonably stable setup while I’m away. I thought of another alternative that may achieve what I want, see next post.

 

[jhv]

I have a couple spare RPi 4B boards lying around. Can I connect one of the pi’s to the main router, say with the wifi interface (or a USB ethernet adapter if that is better) and then connect the built in ethernet port from the pi to a managed switch to create the various VLAN’s for the camera network, iot, etc? Would this give me isolated networks that can access the Internet, and the devices within each network can talk to each other but remain isolated from the main network? I imagine the pi would need some kind of router software, or perhaps an OS designed to turn the pi into a router? If this option would work, then I could the two ASUS routers remain as they are operating as an AIMesh, which I know already works well, and then any additional networks can hang off the main router behind the RPi, NUC, spare laptop, etc (open to suggestions here). My thoughts are the Pi (or more suitable device?) will create and manage the VLAN’s and provide the firewall to isolate access to the main network and also allow access from the main network to the VLANs via the pi to be able to configure/manage the cameras/iot devices. I think I would also need to create firewall rules in the main router to block access from the isolated networks (or maybe only the RPi?) back to the main network but still allow internet access and access to the isolated networks for admin purposes.

If this arrangement works, then presumably the Pi can be accessed from the main network because it is a part of that network using its wifi interface and then once connected to the pi, the isolated networks can be accessed using its ethernet interface. And because the pi creates and manages the VLAN’s, those networks will be visible and accessibly to the pi? Am I understanding all this correctly? Also, would this actually isolate the networks as I hope it would or is it introducing more problems?

Sorry for the noob type questions, still trying to understand how everything will tie in together. I’m sure I have over complicated things. I learn things visually, so if someone could make a simple sketch or make some notes on my attached sketch below it would be very helpful.

 

[tiddlywink]

..