Network Segmentation

You have to have a WAN interface defined in the Network settings.


Probably. Then you could use the Network Services Filter to restrict access to the upstream LAN.
This is what I see in Network...
[screenshot attachment: 1687741277609.png]
 
Thanks for your patience.. haha...

Main router is Asus RT-AC86U v386.11
router 2, Asus RT-AC68U Fresh Tomato

Router 1 - personal stuff - 192.168.1.x
Router 2 - IoTs and security cameras + NVR running on a Windows 11 PC - 192.168.2.x

OK, you're in good shape then. You have a few options.

To start, does FT (in AP mode like you are now) let you put the main and/or guest WiFi into a specific VLAN other than 1? It may be under the WiFi/guest config or under the VLAN config.
Does FT let you configure VLANs on the WAN port?

Based on that I can give you some options.
 
Thanks.. in order for me to answer your question, I need to know what FT stands for... Keep in mind, my knowledge is very limited, so I lack the required verbiage lol
 

FreshTomato
 
oh my!! wow.... yes, I created a VLAN in Tomato and made it 192.168.3.1.. now this is something I know how to do as I've done it many times and it always works.
But in this scenario, the VLAN would behave the same as the normal WiFi network... now, it does let me choose where I want the WAN or LAN.. it has many options, which is very helpful for someone that knows what they are doing (not me)... I installed FT on this router a while ago and just left it on it....

Is it better and easier for me to achieve what I need by simply installing Merlin back on it?
 
You have a couple of options (limited by the fact that you need wired devices on router 2 to be segmented):

Option 1: Keep FT in AP mode and use VLANs to segment. From what I can see, as long as you are using FT 2021.8 or newer you can assign the wireless into any VLAN, which will be necessary here. This will require you to learn about the VLAN and bridging functions a bit more and probably experiment some.

Option 2: Load Asus or Merlin 386 code onto router 2, run it in router mode, and use the Network Services Filter to block access to the main LAN.
Main advantage: this is probably the simplest one to set up.
Main disadvantages of this setup:
- Stuff on LAN 1 can't access stuff on LAN 2 without setting up some extra routes, port forwarding, and somewhat more complex firewall rules. On the flip side, it would let you have just 1 NIC in your NVR PC and configure rules and routing to let it access LAN2. Having your NVR connected to both is somewhat of a security issue, but in reality, in the home environment, probably not a big deal.
- Double NAT/routing. For the most part no impact, especially if there is no communication needed between the two isolated networks.
- Ping is still allowed from LAN2 to LAN1, but there is a simple workaround to block that if you want.
You could run FT in router mode too, but there is really no benefit (actually it's more complex) to doing that over just using Asus/Merlin in router mode.

Option 3 is to set the two into AIMESH and do a basic script (using Merlin) to re-map the physical ports of router 2 into the guest network. It isn't hard or complex, but if you're not familiar with Linux/scripting it may be a bit daunting. But I can tell you exactly what needs to be in the script. That may be the cleanest solution for you. You'd then be able to have the guest network span across both routers, fully isolated from the main network. Since you can run Merlin 386.11 on both routers, it should work well. Heck, in this option, if the only wired device that needs access to LAN2 is the NVR, you could even just use firewall rules (via a script) to give it access to both networks via a single NIC, even when running AIMESH.

Based on what you think you can handle, we can go through what needs to be done.

NOTE one potential catch with the VLANs options is the switch must be able to pass VLANs. Many modern "dumb" switches that support jumbo frames will, but it can be hit or miss. If it is a smart/managed switch, then it can be configured to pass them no problem.
 
I really appreciate the great help here!
First, a quick question regarding the Router mode option 2. If I go that route, does that mean I won't need to use the 2nd NIC?
I would like to also mention that the PC running the NVR also needs to be connected to the main network 192.168.1.x.. which is why I am using 2 NICs. NIC 2 is only for the NVR.

Having said that.. if you think option 2 would not work for what I need... then... let's try leaving FT in AP and give the VLANs option a try.. if that doesn't work, then prob option 3.
 
Actually, first an edit to my previous post: with the non-dual-router options you can actually eliminate the switch from the path between the two routers, so whether it supports VLANs or not is not a concern.

Yes, in dual router mode you can just have a single NIC with access to both networks. It requires some port forwarding, routing and firewall stuff, but all done via the GUI. The main catch is you'll need to determine what TCP/UDP ports are needed from the NVR to/from LAN2. Actually we could make this work in any of the options, but anything other than dual router mode will require scripting via SSH to make that work. The only other "catch" is that your throughput will be limited when using a single NIC in dual router mode, but it still should be up in the 500M+ range, which should be plenty.

If having the AIMESH isn't of benefit to you / a desirable feature, I guess the dual router option may be easiest, as everything can be done via the GUIs, as long as you can determine which ports need to be allowed. If you're ok with getting into scripting or learning more about FT's VLANs and bridging, that is technically a simpler design, but likely not a big deal/impact in your case.
 
I guess to simplify it down: if you are ok creating a script with instructions on what to do, the AIMESH setup would probably be cleanest and most flexible, plus it gives you more coverage for your IoT devices (both routers can handle them, but they would be totally isolated on both); that's the way to go.

If not, then the dual router setup, first using your dual NICs just to get it working, then toying with reducing to a single NIC, is the next best option.

In either case, I would start by getting the AC68U updated to Merlin 386.11 (use Merlin even if you don't need its features; he has made it more compatible with the limited NVRAM on the 68U). I believe you'll need to go into recovery mode on that router and use the Asus restore utility.
After successfully updating, first do a hard reset by holding the WPS button on the router while turning it on. Hold it till the power light starts flashing (15 seconds or so), then release it.
Configure just enough to get in (use dummy SSIDs etc. for now), go to admin/restore, check off "initialize settings" and do the factory reset there.
Probably not necessary, but a third step would be to go into admin, enable the "format jffs on next boot" option, apply, and reboot again using the reboot button in the GUI.
Just to make sure all remnants of FT are gone.

Next steps will depend on which option you want to go with. Honestly, I think trying to figure out VLANs in Fresh Tomato is going to be more difficult than a script even, so I'm just tabling that option.
 
I only get 50/10 from my ISP as of now.. later this year I might get a 500/500 upgrade as they are running fiber in my area.
Having only 50 Mbit down won't affect this?

Also, I thought having 2 NICs would simplify things in network segmentation.
I don't really need to increase coverage for my IoTs as they all get full bars right now where router 2 is located... So maybe the AiMesh option may not be what I need?

The port used for Blue Iris NVR is 81.
 
If the only reason you have two NICs on the NVR is to access its port 81 from the 192.168.1.x network all you'd need to do is create a port forwarding rule on the second router. You'd then access it by using the second router's "WAN" IP address.
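The dual-router option described a few posts up (NVR on one NIC, reachable from LAN1 through R2, with LAN2 otherwise filtered) and the port-forward suggestion just above, written as a script instead of GUI clicks. This is an added example, not something posted in this thread or shipped with any firmware. It assumes R2 runs Asuswrt-Merlin in router mode with its WAN port on R1's LAN, that the NVR has a fixed LAN2 address (192.168.2.10 is a placeholder), and that R2's WAN interface is eth0 (confirm with `nvram get wan0_ifname`). The GUI equivalents are WAN > Virtual Server/Port Forwarding and Firewall > Network Services Filter; the DROP rule here also covers ICMP, which is the ping that the filter still lets through.

```shell
#!/bin/sh
# Added example (not from the thread): rules for R2 (Asuswrt-Merlin, router mode,
# WAN port plugged into R1's LAN) implementing the "dual router" segmentation:
#  * LAN2 (cameras/IoT) may reach the internet but nothing on LAN1, ICMP included;
#  * LAN1 hosts may open only TCP/81 (Blue Iris) to the NVR, via R2's WAN address.
# The NVR address and WAN interface name below are assumptions, not thread values.

LAN1_NET="192.168.1.0/24"            # R1's personal network (from the thread)
LAN2_NET="192.168.2.0/24"            # R2's camera/IoT network (from the thread)
NVR_IP="192.168.2.10"                # assumed: reserve this lease for the NVR on LAN2
NVR_PORT="81"                        # Blue Iris web port (from the thread)
WAN_IF="${WAN_IF:-eth0}"             # assumed; confirm with: nvram get wan0_ifname
LAN_IF="${LAN_IF:-br0}"              # LAN bridge on Asus firmware
IPT="${IPT:-iptables}"               # IPT=echo prints the rules instead of applying them

apply_rules() {
    # Own chains keep re-runs idempotent: create (ignore "already exists"),
    # flush, then re-hook from the built-in chains at position 1.
    $IPT -N NVR_SEG 2>/dev/null
    $IPT -F NVR_SEG
    $IPT -D FORWARD -j NVR_SEG 2>/dev/null
    $IPT -I FORWARD 1 -j NVR_SEG

    $IPT -t nat -N NVR_DNAT 2>/dev/null
    $IPT -t nat -F NVR_DNAT
    $IPT -t nat -D PREROUTING -j NVR_DNAT 2>/dev/null
    $IPT -t nat -I PREROUTING 1 -j NVR_DNAT

    # Port forward: TCP/81 arriving on R2's WAN side from LAN1 is sent to the NVR.
    $IPT -t nat -A NVR_DNAT -i "$WAN_IF" -s "$LAN1_NET" -p tcp --dport "$NVR_PORT" \
        -j DNAT --to-destination "$NVR_IP:$NVR_PORT"

    # Replies to connections already permitted, in either direction.
    $IPT -A NVR_SEG -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The forwarded NVR port is the only new connection LAN1 may open into LAN2.
    $IPT -A NVR_SEG -i "$WAN_IF" -o "$LAN_IF" -s "$LAN1_NET" -d "$NVR_IP" \
        -p tcp --dport "$NVR_PORT" -j ACCEPT
    # Everything else from LAN2 towards LAN1 is dropped (TCP, UDP and ICMP alike);
    # LAN2 traffic bound for the internet does not match and falls through.
    $IPT -A NVR_SEG -i "$LAN_IF" -o "$WAN_IF" -s "$LAN2_NET" -d "$LAN1_NET" -j DROP
    # Anything not decided here continues into the firmware's own FORWARD rules.
    $IPT -A NVR_SEG -j RETURN
}

# Run with "apply" to install the rules; set IPT=echo to preview them first.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Preview with `IPT=echo sh nvr-seg.sh apply`, then, with JFFS custom scripts enabled, call it from /jffs/scripts/firewall-start (and the DNAT part from nat-start, so it survives a NAT rule reload). Rule order is the point: the chain sits at the top of FORWARD, the ESTABLISHED/RELATED line lets the NVR answer LAN1, and the DROP stops every camera from opening anything towards LAN1 while leaving their internet access alone.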
 
That's not really the reason. I was told by Blue Iris help in their forum to get a 2nd NIC in order to separate the cameras from the main network.
Also, I tried to forward port 81 on both routers using their respective IPs and it was still behaving the same way. Only LAN PoE cameras would show on the NVR when I connect the routers R1 LAN to R2 WAN.

I was told to use WAN if I want devices on R2 to have internet access and remain on a separate network.
 
It's hard to know what's going on as your current setup doesn't actually work. If you reconfigure R2 as a router the cameras will be on a separate network anyway, so it's only the NVR that needs accessibility from both networks. But if two NICs works for you then that's equally valid so stick with that.

Does Blue Iris act as a DHCP server for the camera's subnet? If so then that's where my confusion is coming from.
 
The Blue Iris NVR does not act as a DHCP server at all. I know it's difficult for me to explain what is happening here because I lack the knowledge to explain, which is very frustrating for me, nevertheless for you guys trying to help.

What is happening here is, since I have R1 and R2 connected LAN to WAN, only the wired cameras are visible on the NVR.. the wireless cameras that are connected to the WiFi signal from R2 do not show on the NVR at all.. as I said before, they ONLY show on the NVR when I connect both routers LAN to LAN... but, even though the wireless cameras show on the NVR and have internet access, they are getting an IP from R1, the 192.168.1.x network.. which is not what I want or need.

I understand that this is expected behavior when connecting both routers LAN to LAN.. but my confusion is, I can't understand why, when using LAN to WAN, the wireless devices cannot connect at all... when using WAN, isn't it supposed to give internet access to connected devices?

This is why I am so confused.
 
I think the problem at the moment is that you are trying to mix two different subnets on the same local network. This is not a valid network topology and will lead to the sort of problems that you're seeing. You need to go back to basics and set everything up as simply as possible. I suggest the first step is to reconfigure R2 as a router.
 
The main reason I am confused is because in the past, if I wanted to add another network to my existing one (on another part of the house), I would just get another router, change its IP to something different than the existing network.. plug an Ethernet cable into its WAN port.. enable DHCP and use it as another wireless router for LAN and wireless devices, and they would be on a separate network... with internet access... it worked every time.

How is this any different?
 
That's exactly what I'm suggesting. At the moment that's not what you've got because your RT-AC68U isn't configured as a router.
 
Before I install Merlin on this router, I want to try to make it work with Fresh Tomato by configuring it to work in Router Mode. I have looked at the instructions to do it and it seems to me it's already this way...

Access the Fresh Tomato web interface: Open a web browser on a device connected to the Fresh Tomato router's network and enter the router's IP address (e.g., 192.168.1.1) in the browser's address bar. Press Enter to access the Fresh Tomato web interface.

Disable Wireless Access Point (AP) mode: In the Fresh Tomato web interface, navigate to the "Basic" or "Wireless" section. Look for the wireless settings and find the option to disable or turn off the Wireless Access Point mode. This option might be labeled as "Enable Wireless," "Wireless Mode," or similar. Disable the wireless functionality to prevent the router from acting as an access point.

Configure WAN settings: In the Fresh Tomato web interface, navigate to the "Basic" or "Network" section. Locate the WAN settings or Internet connection type. Select the appropriate connection type for your setup (e.g., DHCP, PPPoE, Static IP) and enter the required information, such as username and password for PPPoE or IP address details for a static IP connection. Save the settings.

Configure LAN settings: In the Fresh Tomato web interface, navigate to the "Basic" or "Network" section. Look for the LAN settings and specify the desired IP address range and subnet mask for your local network. This will be the network that your devices connect to. Save the settings.

Enable DHCP: In the Fresh Tomato web interface, navigate to the "Basic" or "DHCP" section. Ensure that DHCP is enabled and set the range of IP addresses that will be assigned to devices on your local network. Save the settings.

----
This is basically the way it is right now, except I enabled Wireless. Also, this is what the VLAN config looks like.. not sure if this helps...

[screenshot attachment: 1687793462147.png]
 
