Multiple VLANs for security cameras, media devices etc

Jack Yaz

Hi there,

I've seen some discussion in other threads as to how to configure VLANs on Merlin f/w. What I was curious about is, if I had managed switches with VLAN tagging, would there need to be any configuration on the Asus router? e.g. (ignore VLAN numbers, they're just examples!)

VLAN1: Normal clients such as PCs, access to VLANs 2-3 + WAN
VLAN2: Guest clients, access to WAN only
VLAN2: File server
VLAN3: IP Camera monitoring software running on a server (small Debian box)
VLAN4: IP cameras (to save to VLAN2 over FTP (or equivalent), and VLAN3, no WAN)
VLAN5: Wireless printer (to be accessible by VLAN1 and 2)


Or am I missing the point of VLANs and going overboard?
 
Having read a bit more, I understand that VLAN tagging is only required when spanning multiple switches (including router). So, an example:

Code:
IP Camera 1 <------> Switch 1 <---------> ASUS <--------> Switch 2 <------> Windows 10 PC
                                                              ^----->IP Camera 2


Switch 1 would PVID camera 1's port as VLAN 4.
Switch 2 would PVID camera 2 as VLAN 4.
Switch 2 would PVID the Windows PC as VLAN 1.

Outbound from each switch would tag packets according to their PVID VLAN? The Asus would then be configured to be aware of VLANs 1 and 4, and it can detect them on any port as long as they're tagged? And then create iptables (or ebtables?) rules to specify any crossover between VLANs?

Is this right so far?
 

You will still need to tag the port(s) on the router to allow the downstream VLANs to access the Internet.

e.g. All VLANs, such as my VLAN30 (IoT), are connected via a switch attached to Port 4, which is now tagged.

Code:
 ./VLANSwitch.sh 30 status verbose

 vlan30 Robocfg Status
 =====================
   1: vlan1: 1 2 3 4t 5t
  30: vlan30: 4t 5t

Code:
 vlan30 Bridge Status
 ====================

 vlan30 Status
 =============
vlan30    Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
          inet addr:10.88.30.1  Bcast:10.88.30.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:81142 errors:0 dropped:0 overruns:0 frame:0
          TX packets:81076 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:64588311 (61.5 MiB)  TX bytes:5803000 (5.5 MiB)

         18: vlan30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode
alias IoT


 vlan30 Statistics
 =================
vlan30  VID: 30  REORDER_HDR: 1  dev->priv_flags: 1
         total frames received        81142
          total bytes received     64588311
      Broadcast/Multicast Rcvd            0
      total frames transmitted        81076
       total bytes transmitted      5803000
            total headroom inc            1
           total encap on xmit        81076
Device: eth0
INGRESS priority mappings: 0:0  1:0  2:0  3:0  4:0  5:0  6:0 7:0
 EGRESS priority mappings:
  Firewall rules
  ==============
  DNS VPN rules
  =============
Chain DNSVPN1 (2 references)

 vlan30 ACTIVE devices (ARP only accurate within 60secs?)
 ========================================================
10.88.30.14 xx:xx:xx:xx:xx:xx  Hive-Hub (myHivehub.Martineau.lan)

NOTE: Number your VLANs as two or three digits, and ensure they are not already 'allocated' by the firmware, i.e. weirdly my RT-AC68U shows VLANs 56-62, but I have only defined/configured 20, 30, 40, 50 and 200, skipping 60.

Code:
robocfg show

Switch: enabled

<snip>
   1: vlan1: 1 2 3 4t 5t
   2: vlan2: 0 5
  20: vlan20: 4t 5t
  30: vlan30: 4t 5t
  40: vlan40: 4t 5t
  50: vlan50: 4t 5t
  56: vlan56: 0 3 7t 8t
  57: vlan57: 0t 1 2t 4t 5t 8u
  58: vlan58: 1t 3t 5 7
  59: vlan59: 0 3t 5 8u
  60: vlan60: 0t 2 7t
  61: vlan61: 0 1t 2 5t 7
  62: vlan62: 0 2t
 200: vlan200: 4t 5t

Minimal Firewall rules (INPUT) will be required for DHCP/DNS (DNSSEC?), and explicit FORWARD rules to protect your LAN, but add any Firewall pin-holes so that the VLAN can access nominated LAN printers etc.
 
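An added example, not from either poster and not part of Martineau's VLANSwitch.sh, that turns the two checks in the post above into code: it parses the `robocfg show` listing pasted there, reports whether a candidate VID collides with one the firmware already holds (56-62 in that output), and confirms that the uplink port and the CPU port are both tagged members of the VLAN. The CPU port number is assumed to be 5 (a parameter, since other models use a different port), and the sample text is the listing from the post.

```python
import re
from typing import Dict, Iterable, List, Optional

# `robocfg show` output as pasted earlier in this post (RT-AC68U). Ports 0-4
# are the physical switch ports; port 5 is assumed to be the CPU port on
# this model (the number differs on other models, so it is a parameter).
ROBOCFG_SAMPLE = """\
Switch: enabled
      1: vlan1: 1 2 3 4t 5t
      2: vlan2: 0 5
  20: vlan20: 4t 5t
  30: vlan30: 4t 5t
  40: vlan40: 4t 5t
  50: vlan50: 4t 5t
     56: vlan56: 0 3 7t 8t
     57: vlan57: 0t 1 2t 4t 5t 8u
     58: vlan58: 1t 3t 5 7
     59: vlan59: 0 3t 5 8u
     60: vlan60: 0t 2 7t
     61: vlan61: 0 1t 2 5t 7
     62: vlan62: 0 2t
 200: vlan200: 4t 5t
"""

VLAN_LINE = re.compile(r"^\s*(\d+):\s*vlan(\d+):\s*(.*)$")
PORT_TOKEN = re.compile(r"^(\d+)([tu]?)$")


def parse_robocfg(text: str) -> Dict[int, Dict[int, str]]:
    """Map VID -> {port: 'tagged' | 'untagged'} from `robocfg show` output.

    A port followed by 't' carries the VLAN with an 802.1Q tag; a bare
    number or a 'u' suffix means frames for that VLAN leave the port
    untagged (the port's PVID VLAN)."""
    table: Dict[int, Dict[int, str]] = {}
    for line in text.splitlines():
        m = VLAN_LINE.match(line)
        if not m:
            continue
        vid = int(m.group(2))
        ports: Dict[int, str] = {}
        for tok in m.group(3).split():
            pm = PORT_TOKEN.match(tok)
            if not pm:
                raise ValueError(f"unexpected port token {tok!r} in VLAN {vid}")
            ports[int(pm.group(1))] = "tagged" if pm.group(2) == "t" else "untagged"
        table[vid] = ports
    return table


def vid_is_free(table: Dict[int, Dict[int, str]], vid: int) -> bool:
    """True when the VID is not already in the switch table. The firmware
    may pre-allocate VIDs (56-62 in the sample) that you never configured."""
    return vid not in table


def first_free_vid(table: Dict[int, Dict[int, str]], candidates: Iterable[int]) -> Optional[int]:
    """First candidate VID that does not collide with an existing entry."""
    for vid in candidates:
        if vid_is_free(table, vid):
            return vid
    return None


def trunk_problems(table: Dict[int, Dict[int, str]], vid: int, trunk_port: int, cpu_port: int = 5) -> List[str]:
    """Problems (empty list = OK) with carrying `vid` tagged over `trunk_port`
    to a downstream switch while the router CPU also sees the VLAN."""
    problems: List[str] = []
    ports = table.get(vid)
    if ports is None:
        return [f"VLAN {vid} is not defined on the switch"]
    if ports.get(trunk_port) != "tagged":
        problems.append(f"port {trunk_port} is not a tagged member of VLAN {vid}")
    if ports.get(cpu_port) != "tagged":
        problems.append(f"CPU port {cpu_port} is not a tagged member of VLAN {vid}")
    # A port has exactly one PVID: two VLANs untagged on the same port means
    # the switch cannot tell their ingress frames apart.
    untagged_here = sorted(v for v, p in table.items() if p.get(trunk_port) == "untagged")
    if len(untagged_here) > 1:
        problems.append(f"port {trunk_port} is untagged in several VLANs: {untagged_here}")
    return problems


if __name__ == "__main__":
    table = parse_robocfg(ROBOCFG_SAMPLE)
    print("VIDs in use:", sorted(table))
    print("first free of 20,30,...,70:", first_free_vid(table, range(20, 80, 10)))
    for vid in (30, 2):
        print(f"VLAN {vid} over port 4:", trunk_problems(table, vid, 4) or "OK")
```

Run against the pasted listing it picks 70 as the next free "round" VID (60 is taken by the firmware) and passes VLAN 30 on port 4, while VLAN 2 fails both checks because port 4 is not a member and the CPU port is only an untagged member.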
I'm guessing port 5 in your situation is the CPU, whereas on the 87U it is port 8? I think!

I've since added another post with a little diagram and a crude explanation based on a bit of googling - how wrong am I? :(
 

That's pretty much standard, except in my situation I have an 8-port PoE switch in the loft which is connected to port 4 on the router; all the other VLAN-aware/capable switches then hang off the loft switch.

One other feature I have implemented is a Bridge for a combined VLAN/Guest Wifi which allows a device to be plugged into a port on the appropriate switch that is 'hard-wired' for VPN (USA) streaming.
 
So if I copied your setup, how would I allow VLAN1 to talk to VLAN3? i.e. the desktop PC can log into the camera monitoring software web UI? Is that configured at the switch level?

My current (read: flawed) understanding is that VLANs cannot talk to each other.
 

VLANs indeed by default should not be able to communicate, given discrete subnets are usually the norm.

So if you want VLAN-attached devices to see each other, then why bother with VLANs? Just attach the devices to the router (aka the same switch)! :p

But as always there are exceptions, so just add the appropriate firewall rules depending on your level of paranoia!

e.g. explicitly for each VLAN, or, to reduce the number of rules, by a VLAN 'group'
(NOTE: VLAN50 is the VPN USA streaming VLAN)
Code:
iptables --line -nvL FORWARD

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination        
1        0     0 ACCEPT     all  --  vlan+  *       0.0.0.0/0            10.88.8.131        
2        0     0 ACCEPT     all  --  vlan+  *       0.0.0.0/0            10.88.8.132        
3        0     0 DROP       all  --  br0    vlan+   0.0.0.0/0            0.0.0.0/0            state NEW
4       80 36800 DROP       all  --  vlan+  br0     0.0.0.0/0            0.0.0.0/0            state NEW
5      347 23231 ACCEPT     all  --  vlan+  *       0.0.0.0/0            0.0.0.0/0            state NEW
6        0     0 ACCEPT     all  --  vlan50 *       0.0.0.0/0            10.88.8.131        
7        0     0 ACCEPT     all  --  vlan50 *       0.0.0.0/0            10.88.8.132        
8        0     0 ACCEPT     all  --  tun11  vlan50  0.0.0.0/0            0.0.0.0/0            state NEW
9        0     0 ACCEPT     all  --  vlan50 tun11   0.0.0.0/0            0.0.0.0/0            state NEW
10       0     0 DROP       all  --  br0    vlan50  0.0.0.0/0            0.0.0.0/0            state NEW
11       0     0 DROP       all  --  vlan50 br0     0.0.0.0/0            0.0.0.0/0            state NEW
12       0     0 ACCEPT     all  --  vlan50 *       0.0.0.0/0            0.0.0.0/0            state NEW
13       0     0 DROP       all  --  br0    br2     0.0.0.0/0            0.0.0.0/0            state NEW
14       0     0 DROP       all  --  br2    br0     0.0.0.0/0            0.0.0.0/0            state NEW
15       3   243 ACCEPT     all  --  br2    eth0    0.0.0.0/0            0.0.0.0/0          
16       0     0 ACCEPT     all  --  br1    tun11   0.0.0.0/0            0.0.0.0/0          
17       0     0 ACCEPT     all  --  tun11  br1     0.0.0.0/0            0.0.0.0/0          
18       0     0 ACCEPT     all  --  br0    br1     10.88.8.131          10.88.101.0/24    
19       0     0 ACCEPT     all  --  br1    br0     10.88.101.0/24       10.88.8.131        
20       0     0 ACCEPT     tcp  --  br0    br1     10.88.8.111          10.88.101.0/24       tcp dpt:22
21       0     0 DROP       all  --  br1    *       0.0.0.0/0            10.88.8.0/24
<snip>
 
I admit it does sound like I'm being counterproductive, but I want to shield the cameras such that they can only talk to their server, and nothing else (not even WAN). But the Win10 clients would need access to the server, so I'm not really sure how to approach that, other than our discussion about VLANs and then adding rules to allow one VLAN to talk to a specific client on another VLAN?

I suppose the Win10 clients and servers could be in the same VLAN, and if I want to separate them for neatness into separate subnets I can just do that with DHCP?
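To make the "first match wins" behaviour of the FORWARD listing earlier in the thread concrete, and to sketch the camera policy asked for in the post above (cameras talk only to their server, PCs reach the server's web UI, cameras get no WAN), here is an added example in Python; it is not code from the thread or from Asuswrt-Merlin. The interface names br0/vlan3/vlan4/eth0, the server address 10.0.3.10 and the 10.0.x.0/24 and 192.168.1.0/24 addressing are assumptions for illustration. It builds an ordered rule list, renders each rule as the iptables command that would install it, and walks constructed flows through the chain the way netfilter would, including what happens when the blanket DROP rules are placed ahead of the pin-holes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

NEW = frozenset({"NEW"})
REPLIES = frozenset({"ESTABLISHED", "RELATED"})


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule. Interface patterns use the iptables '+' suffix
    wildcard ('vlan+' matches vlan3, vlan4, ...); '*' means any interface."""
    target: str                              # ACCEPT or DROP
    in_if: str = "*"
    out_if: str = "*"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    states: Optional[FrozenSet[str]] = None  # None = no "-m state" match


# Assumed topology for this example: br0 = main LAN 192.168.1.0/24 (PCs),
# vlan3 = 10.0.3.0/24 with the camera server at 10.0.3.10, vlan4 =
# 10.0.4.0/24 (cameras), eth0 = WAN. Order matters: pin-holes first,
# blanket drops next, general Internet access last, chain policy DROP.
NVR = "10.0.3.10/32"
RULES: List[Rule] = [
    Rule("ACCEPT", states=REPLIES),                                      # return traffic of allowed flows
    Rule("ACCEPT", in_if="vlan4", out_if="vlan3", dst=NVR, states=NEW),  # cameras -> server only
    Rule("ACCEPT", in_if="br0", out_if="vlan3", dst=NVR, states=NEW),    # PCs -> server web UI
    Rule("DROP", in_if="vlan4", states=NEW),                             # cameras: nothing else, WAN included
    Rule("DROP", in_if="vlan+", out_if="br0", states=NEW),               # no VLAN opens connections into the LAN
    Rule("DROP", in_if="br0", out_if="vlan+", states=NEW),               # LAN reaches VLANs only via pin-holes
    Rule("ACCEPT", in_if="vlan+", out_if="eth0", states=NEW),            # other VLANs (e.g. the server) get WAN
    Rule("ACCEPT", in_if="br0", out_if="eth0", states=NEW),              # LAN gets WAN
]
POLICY = "DROP"

# The same rules with the blanket drops moved ahead of the pin-holes.
MISORDERED: List[Rule] = [RULES[0], RULES[3], RULES[4], RULES[5], RULES[1], RULES[2], RULES[6], RULES[7]]


def iface_match(pattern: str, iface: str) -> bool:
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def forward_verdict(rules: List[Rule], policy: str, in_if: str, out_if: str,
                    src: str, dst: str, state: str = "NEW") -> str:
    """Walk the chain top to bottom; the first matching rule decides,
    otherwise the chain policy applies."""
    for r in rules:
        if not (iface_match(r.in_if, in_if) and iface_match(r.out_if, out_if)):
            continue
        if ip_address(src) not in ip_network(r.src) or ip_address(dst) not in ip_network(r.dst):
            continue
        if r.states is not None and state not in r.states:
            continue
        return r.target
    return policy


def to_iptables(rule: Rule, chain: str = "FORWARD") -> str:
    """Render one rule as the iptables command that appends it."""
    parts = ["iptables", "-A", chain]
    if rule.in_if != "*":
        parts += ["-i", rule.in_if]
    if rule.out_if != "*":
        parts += ["-o", rule.out_if]
    if rule.src != "0.0.0.0/0":
        parts += ["-s", rule.src]
    if rule.dst != "0.0.0.0/0":
        parts += ["-d", rule.dst]
    if rule.states:
        parts += ["-m", "state", "--state", ",".join(sorted(rule.states))]
    parts += ["-j", rule.target]
    return " ".join(parts)


if __name__ == "__main__":
    for r in RULES:
        print(to_iptables(r))
    flows = [  # constructed flows: (in, out, src, dst)
        ("vlan4", "vlan3", "10.0.4.20", "10.0.3.10"),   # camera -> server
        ("vlan4", "eth0", "10.0.4.20", "8.8.8.8"),      # camera -> Internet
        ("br0", "vlan3", "192.168.1.50", "10.0.3.10"),  # PC -> server web UI
        ("br0", "vlan4", "192.168.1.50", "10.0.4.20"),  # PC -> camera directly
    ]
    for f in flows:
        print(f, forward_verdict(RULES, POLICY, *f), "misordered:", forward_verdict(MISORDERED, POLICY, *f))
```

With the rules in the intended order, camera to server and PC to server are accepted and everything else from the cameras, WAN included, is dropped; with the blanket drops moved up, both pin-holes stop working because the drop matches first. On a live Merlin router the rendered commands would be placed in the firewall-start user script, and since the firmware's own FORWARD rules already exist there, you would insert them with -I at the positions you want rather than appending with -A, so the pin-holes and drops sit where they are evaluated before anything that would accept the traffic.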
 