
Isolating IP cams and NVR from the rest of the network with VLAN


dissonance79

Occasional Visitor
I am a total VLAN noob trying to work my way through this. I'm trying to isolate my IP cams from my home network due to security risks I've heard regarding IP cams. My Asus RT-AX88U Pro router is located centrally on the second floor of my house in sort of a hallway loft that is open to the downstairs (there is only a handrail separating them). So it's sort of an ideal place for the wifi from my Asus router. My network box is in the garage which isn't real convenient for me to put my Asus router there as it's on one end of the house and there is a lot of HVAC ducting blocking wifi signal.

That said, I believe my Asus router supports VLANs but given that the NVR is attached to the router in my loft, and the IP cams are all attached to a POE switch in my garage, can I make it so that just the IP cams and NVR are isolated on their own network? I tried sketching an example below:

network01.jpg


I haven't bought a managed switch yet since I'm not sure if this will work.
 
Seems to me it would be a lot simpler and cost effective to place the NVR in the garage along w/ the IP cameras. Then you could grab an old router and place it between the private and IP Camera+NVR networks. After all, by definition, a router creates a new VLAN/LAN behind its WAN.

The only issue at that point is whether the IP Camera+NVR network should be facing the LAN or WAN of that router.

If it's WAN facing, then the IP camera/NVR network has NO access to the private network or the internet. It lives in total isolation, where only the private network can visit. But there's no DHCP server on the WAN side, so you'd have to statically configure those devices for IP. And I don't know if your IP Camera+NVR network is internet-dependent.

OTOH, if it's LAN facing, the IP camera+NVR network would have access to the internet, but you'd need to configure the firewall to prevent upstream access to the private network. And you could enable remote access over its WAN for administrative purposes from the private network.

IOW, if you have a suitable additional router available, support for at least one additional VLAN (perhaps more) is already available. It's just being aware of it and how to orient the hardware and configure the firmware appropriately for the given situation.

All that said, the devil is always in the details, and you might very well require something more akin to a managed switch, VLANs on the ASUS, etc. But I just think too many ppl don't consider what's probably already available, esp. if it's simpler and more cost effective.
 
I could put the NVR in the garage but it's hooked up to a monitor and mouse on a desk in the loft for real time monitoring and for reviewing video. I don't think I could have the same setup in the loft otherwise. I don't really like the IP cam traffic going through my home ethernet as it takes bandwidth and it would be better plugged directly into the NVR, but I think I would lose the real time monitoring and reviewing video in the house. Dialing into the NVR's IP address gives a very limited UI.
 
This NVR perhaps already has separate camera and control networks. You don’t need to route camera traffic through your LAN. Cameras connected to the NVR and remote monitoring on LAN is the most common setup. Doable even with cheaper NVR models.
 
All my cams are connected to a managed PoE switch as well as the cam server. The cams all have static IP addresses as well as the cam server (a Debian Linux server with Zoneminder). All of those are on a UPS so they stay running if the power fails. The PoE managed switch is connected to my router. So, all the cam traffic is contained within the PoE switch. To monitor my cams I simply fire up a web browser on any device, phone, tablet, PC, Mac or Linux desktop any place else on the LAN on the internet. I don't worry about the cams being a security risk as I buy from a trusted source and keep the firmware updated. Merlin, Diversion and Skynet take care of the rest.
 
Unmanaged PoE switch - may not pass VLAN traffic. I would suggest replacing with a managed PoE switch. Untagged 300 with tagged trunk.

I am likely wrong but wouldn't you connect the unmanaged PoE switch that the IP cams are hooked to, to a port on the managed switch, and then set that one port on the managed switch to tag everything as 300?
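
The "untagged 300 with tagged trunk" layout discussed above, modelled as an added example that is not part of any post in this thread. It assumes a managed switch in the garage and VLAN-aware ports at the loft end; the port names, the home VLAN ID of 1 and the topology are constructed for illustration.

```python
# Added illustration: minimal 802.1Q port model. Port names and topology are constructed.
from dataclasses import dataclass
from typing import Optional

CAM_VLAN = 300    # VLAN ID mentioned in the thread
HOME_VLAN = 1     # assumed default VLAN for the home LAN

@dataclass
class Port:
    name: str
    pvid: Optional[int] = None        # VLAN given to untagged ingress frames
    tagged: frozenset = frozenset()   # VLANs carried with an 802.1Q tag

    def ingress(self, tag):
        """VLAN the frame is classified into, or None if it is dropped."""
        if tag is None:
            return self.pvid
        return tag if tag in self.tagged else None

    def egress(self, vlan):
        """'untagged', 'tagged', or None when the port is not a member."""
        if vlan == self.pvid:
            return "untagged"
        return "tagged" if vlan in self.tagged else None

def flood(ports, in_port, tag=None):
    """Map of port name -> tag mode for a broadcast entering in_port."""
    vlan = ports[in_port].ingress(tag)
    if vlan is None:
        return {}
    out = {n: p.egress(vlan) for n, p in ports.items() if n != in_port}
    return {n: mode for n, mode in out.items() if mode}

def switch(*ports):
    return {p.name: p for p in ports}

TRUNK = dict(pvid=HOME_VLAN, tagged=frozenset({CAM_VLAN}))
GARAGE = switch(Port("poe_uplink", pvid=CAM_VLAN),   # unmanaged PoE switch + cams
                Port("garage_pc", pvid=HOME_VLAN), Port("trunk", **TRUNK))
LOFT = switch(Port("nvr", pvid=CAM_VLAN),
              Port("laptop", pvid=HOME_VLAN), Port("trunk", **TRUNK))

def across(first, in_port, second):
    """Devices a broadcast from in_port reaches on both switches via the trunk."""
    vlan = first[in_port].ingress(None)
    local = flood(first, in_port)
    mode = local.pop("trunk", None)
    remote = flood(second, "trunk", vlan if mode == "tagged" else None) if mode else {}
    return sorted(list(local) + list(remote))
```

This covers layer 2 only: whether the router forwards between VLAN 300 and the home LAN is a separate routing and firewall decision.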
 
given that the NVR is attached to the router in my loft, and the IP cams are all attached to a POE switch in my garage, can I make it so that just the IP cams and NVR are isolated on their own network?

A question that most forget to ask is whether your NVR has addressable ethernet ports. Cheap NVRs don't. The good ones do. Does yours?

NVR with Addressable Ethernet

Based on the search results, here are key findings:
  • Some NVRs have dual Ethernet ports, which offer benefits such as:
    • Multi-Addressing: Allows for separate networks for cameras and the NVR, improving network redundancy and reliability.
    • Fault Tolerance: Enables the NVR to continue functioning even if one Ethernet port fails.
  • Addressable Ethernet ports enable the assignment of specific IP addresses to each port, allowing for:
    • Segmentation of networks: Different subnets for cameras and the NVR.
    • Isolation of devices: Each port can be configured independently, reducing the risk of conflicts.
  • When configuring an NVR with addressable Ethernet ports, it’s essential to:
    • Set the default route or main NIC to the Ethernet port connected to the internet.
    • Configure IP addresses and gateways for each port.
    • Ensure that the gateway of the LAN port not connected to the internet matches the subnet of the IP address assigned to that port.
Examples of NVRs with Addressable Ethernet Ports
  • Hikvision NVRs with dual LAN ports: Allow for separate networks for cameras and the NVR, and enable fault tolerance.
  • Reolink 8-channel NVR: Has a 10/100 Ethernet port, which can be configured for separate networks or fault tolerance.
  • Other NVR manufacturers may also offer addressable Ethernet ports, depending on their specific models and configurations.
Key Considerations
  • When selecting an NVR with addressable Ethernet ports, ensure that the device meets your specific network requirements and configuration needs.
  • Carefully plan and configure the NVR’s Ethernet ports to achieve the desired level of network segmentation, redundancy, and reliability.
  • Consult the manufacturer’s documentation and guidelines for specific configuration instructions and best practices.
AI-generated answer. :)
 
Yeah, well, unless they implemented two Ethernet controllers their fault tolerance is weak. I guess you expect that with AI nonsense.
 
