Network Segmentation

Before I install Merlin on this router, I want to try to make it work with Fresh Tomato by configuring it to work in Router Mode. I have looked at the instructions to do it and it seems to me it's already this way...

Access the Fresh Tomato web interface: Open a web browser on a device connected to the Fresh Tomato router's network and enter the router's IP address (e.g., 192.168.1.1) in the browser's address bar. Press Enter to access the Fresh Tomato web interface.

Disable Wireless Access Point (AP) mode: In the Fresh Tomato web interface, navigate to the "Basic" or "Wireless" section. Look for the wireless settings and find the option to disable or turn off the Wireless Access Point mode. This option might be labeled as "Enable Wireless," "Wireless Mode," or similar. Disable the wireless functionality to prevent the router from acting as an access point.

Configure WAN settings: In the Fresh Tomato web interface, navigate to the "Basic" or "Network" section. Locate the WAN settings or Internet connection type. Select the appropriate connection type for your setup (e.g., DHCP, PPPoE, Static IP) and enter the required information, such as username and password for PPPoE or IP address details for a static IP connection. Save the settings.

Configure LAN settings: In the Fresh Tomato web interface, navigate to the "Basic" or "Network" section. Look for the LAN settings and specify the desired IP address range and subnet mask for your local network. This will be the network that your devices connect to. Save the settings.

Enable DHCP: In the Fresh Tomato web interface, navigate to the "Basic" or "DHCP" section. Ensure that DHCP is enabled and set the range of IP addresses that will be assigned to devices on your local network. Save the settings.

----
This is basically the way it is right now, except I enabled Wireless. Also, this is what the VLAN page looks like... not sure if this helps...

Really the only reason to run FT would be to run it in AP mode with VLANs and have your main router act as the DHCP server, firewall, etc. It is definitely not running in router mode right now.

The only benefit I can think to running FT in router mode in your setup (in that case you would not need VLANs) is that its firewall rules may be more flexible than stock/merlin firmware so that may make it easier for you to configure the access you do/don't want between the networks. It would also let you eliminate your switch you have sitting there (assuming you don't need more than 5 physical ports at that location) as it lets you segment the physical ports also where stock/merlin does not without some simple scripting.

The disadvantage is that it is extremely complex and designed for power users who know a lot about networking. So it will be difficult for you to get set up, and there is a much higher chance you'll miss something and not end up with the segmentation you want. So if you want to keep FT (in router or AP mode) you'll need to do a bunch of testing when you're done to make sure all the access controls you want are actually working and stuff is segmented with only the traffic you want able to get between the networks. Technically it also isn't updated as much so may not be as secure as Asus or Merlin, but since it is not facing the internet that isn't as big of a concern.

In one of the screenshots you can see it says something like "set WAN vlan first" so you haven't finished configuring the initial setup yet even, probably why you aren't able to set it into router mode.

That's not really the reason. I was told by Blue Iris help in their forum to get a 2nd NIC in order to separate the cameras from the main network.
Also, I tried to forward port 81 on both routers using their respective IPs and it was still behaving the same way. Only LAN POE cameras would show on the NVR when I connect the routers R1 LAN to R2 WAN.

I was told to use WAN if I want devices on R2 to have internet access and remain on a separate network.

Yeah, they just assume that is the easier path than configuring port forwarding and firewall rules etc. And it may very well be, if you have the second NIC anyway and it is right there, technically you can just do that, as long as you're comfortable that the Blue Iris PC won't route traffic between the two networks (defeating the purpose). Having a single device connected to two different "security zones" is technically bad network design, but in the home environment it isn't as big of a concern, especially if it is behind a firewall (your main router).

I only get 50/10 from my ISP as of now.. later this year I might get 500/500 upgrade as they are running fiber in my area.
Having only 50 Mbits down won't affect this?

Also, I thought having 2 NICs would simplify things in network segmentation.
I don't really need to increase coverage for my IoTs as they all get full bars right now where router 2 is located... So maybe the IMESH option may not be what I need?

The port used for Blue Iris NVR is 81.

I was only referring to LAN performance, so the bandwidth between the NVR and the cameras. 500M should be more than enough I'm assuming. Having two NICs would give you the full gig as it isn't passing through a router, just a switch in that design.

If you have no need/desire for AIMESH then can take that off the table.

If you definitely want to run FT then first make sure you're running the latest (at least 2021.8 but hopefully there is a newer version than 2 years old). Then you need to decide if you want to run it as an AP with VLANs to extend your main router's segmented networks (will require dual NIC on the NVR or a script on the main asus to allow communication between the two) or as a second router (which could potentially eliminate the second NIC requirement).

One other benefit to FT is that you could eliminate the switch you have sitting there and just use the router ports sitting in different VLANs. This would work in either router or AP mode. This could also be done with some simple scripting on the Asus in AP or router mode too.

So I guess decide what combination is right for you and we'll go from there.

If you want least complex, totally done through the GUI, no scripting, and don't want AIMESH, then dual router with Merlin 386.11 on both is probably going to be the simplest.

If you want a bit more flexibility and some advanced features/power user stuff, potentially being able to remove that extra switch, etc, then FT on the second router (in either router or AP mode) is the way to go, but you'll need to spend more time learning FT and testing to make sure you got it right.
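A check to go with the "testing to make sure you got it right" advice above, added here as an example and not something posted in the thread: a small POSIX shell script to run from an untrusted device that is only on Router 2's network (not the dual-NIC NVR, which sits in both networks and so would prove nothing). It TCP-connects to a few trusted-side addresses and expects every one of them to be unreachable, then connects to a couple of internet addresses and expects those to work, so the cameras' path out is confirmed at the same time. The target lists are hypothetical placeholders to replace with your own addresses (Router 1, the main PCs, the NVR's port 81 on its trusted NIC); it assumes a netcat that supports `-z`, and it only tests TCP, so ping/ICMP and UDP need their own checks.

```shell
#!/bin/sh
# segcheck.sh - added example: verify LAN 2 -> LAN 1 isolation from an untrusted host.
# Run it from a device that is ONLY on Router 2's network (192.168.2.x).
# Target lists are hypothetical placeholders; adjust them to your own addresses.
TRUSTED_TARGETS="${TRUSTED_TARGETS:-192.168.1.1:80 192.168.1.2:80 192.168.1.50:81}"
INTERNET_TARGETS="${INTERNET_TARGETS:-1.1.1.1:443 9.9.9.9:443}"
TIMEOUT="${TIMEOUT:-2}"

# tcp_probe HOST PORT: exit 0 if a TCP connection succeeds, non-zero otherwise.
# Assumes a netcat that supports -z (zero-I/O scan mode) and -w (timeout).
tcp_probe() {
    nc -z -w "$TIMEOUT" "$1" "$2" >/dev/null 2>&1
}

# check_target HOST:PORT EXPECT: print one PASS/FAIL line; EXPECT is open|closed.
check_target() {
    hostport=$1
    expect=$2
    host=${hostport%:*}
    port=${hostport##*:}
    if tcp_probe "$host" "$port"; then got=open; else got=closed; fi
    if [ "$got" = "$expect" ]; then status=PASS; else status=FAIL; fi
    printf '%s %s expected=%s got=%s\n' "$status" "$hostport" "$expect" "$got"
}

# run_checks: trusted-side targets must be unreachable, internet targets reachable.
run_checks() {
    for t in $TRUSTED_TARGETS; do check_target "$t" closed; done
    for t in $INTERNET_TARGETS; do check_target "$t" open; done
}

# verify: print every result; return 0 only when no line FAILed.
verify() {
    results=$(run_checks)
    printf '%s\n' "$results"
    ! printf '%s\n' "$results" | grep -q '^FAIL'
}

# Only probe when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    verify
fi
```

Run it as `sh segcheck.sh --run` from a camera-side device and from a phone on Router 2's Wi-Fi; any FAIL line against a 192.168.1.x address means the two networks are still joined somewhere (a shared switch, a LAN-to-LAN cable, or a missing deny rule), and a FAIL against an internet address means the cameras would lose their path out too.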
 
I decided to just flash Merlin back.. So right now, I am on the latest version 386.11 on the RT-AC68P.
The initial setup is already done.

I would like to put that 2nd NIC to work, so I might as well use it.
What needs to be done next?
 
Just configure it as a normal router with the default settings. Change the LAN IP subnet to be 192.168.2.x. Then check that it's working as expected.
 
The reason I am using a switch is because my main PCs are in the same room as the Blue Iris PC and Router 2.
So, the Ethernet cable coming from R1 LAN is connected to the switch , then from there I hook up my PC that way I am connected to the main network.

Then from the switch, I run another Ethernet to R2.

So at this point, I can just connect an Ethernet cable in the WAN port of R2 and another Ethernet from the 2nd NIC of the Blue Iris PC to the LAN port?
I also notice that the wireless cameras are not connecting to the wireless signal from R2.. same ssid and password as before.

EDIT:
I also see that when I connect my iphone to R2 wifi, I still get the IP from 192.168.1.x network.
How do I need to configure this in Network Filter?

for the Source IP
192.168.1.0/24

Port Range
81

Destination IP
?

Port Range
81
 
> The reason I am using a switch is because my main PCs are in the same room as the Blue Iris PC and Router 2.
> So, the Ethernet cable coming from R1 LAN is connected to the switch, then from there I hook up my PC that way I am connected to the main network.
>
> Then from the switch, I run another Ethernet to R2.
>
> So at this point, I can just connect an Ethernet cable in the WAN port of R2 and another Ethernet from the 2nd NIC of the Blue Iris PC to the LAN port?
Correct. So your PC will have two IP addresses, one in 192.168.1.x and the other in 192.168.2.x.

> I also notice that the wireless cameras are not connecting to the wireless signal from R2.. same ssid and password as before.
You need to fix this problem before proceeding.
 
> Correct. So your PC will have two IP addresses, one in 192.168.1.x and the other in 192.168.2.x.
Just to make sure we are on the same page. When you say my PC, are you referring to the Blue iris PC?
I ask because in the room where the Blue Iris PC is, there is also the PC I use for everyday use and my wife's PC as well.

So, are you saying that all the PCs in this room will have 2 IP's.. 192.168.1.x and 192.168.2.x?

EDIT:
I notice if I connect an Ethernet cable from R2 LAN to the switch, then the wireless camera connects to Blue Iris NVR.
This is behaving exactly the same as Fresh Tomato.
 
> Just to make sure we are on the same page. When you say my PC, are you referring to the Blue iris PC?
> I ask because in the room where the Blue Iris PC is, there is also the PC I use for everyday use and my wife's PC as well.
Yes, sorry. I meant only the Blue Iris PC would have two IP addresses.

> EDIT:
> I notice if I connect an Ethernet cable from R2 LAN to the switch, then the wireless camera connects to Blue Iris NVR.
> This is behaving exactly the same as Fresh Tomato.
Don't do this, this is wrong. It suggests that your wireless cameras are still connected to R1's Wi-Fi. Make sure R2 has different SSID's and the cameras are only connecting to that.
 
> Yes, sorry. I meant only the Blue Iris PC would have two IP addresses.

> Don't do this, this is wrong. It suggests that your wireless cameras are still connected to R1's Wi-Fi. Make sure R2 has different SSID's and the cameras are only connecting to that.
R1 wifi is off.
 
Just trying to follow along, nothing to offer, but this really is confusing. Are you saying the switch has both routers connected to it?


"So, the Ethernet cable coming from R1 LAN is connected to the switch , then from there I hook up my PC that way I am connected to the main network.

Then from the switch, I run another Ethernet to R2.

So at this point, I can just connect an Ethernet cable in the WAN port of R2 and another Ethernet from the 2nd NIC of the Blue Iris PC to the LAN port?"
 
> Just to make sure we are on the same page. When you say my PC, are you referring to the Blue iris PC?
> I ask because in the room where the Blue Iris PC is, there is also the PC I use for everyday use and my wife's PC as well.
>
> So, are you saying that all the PCs in this room will have 2 IP's.. 192.168.1.x and 192.168.2.x?
>
> EDIT:
> I notice if I connect an Ethernet cable from R2 LAN to the switch, then the wireless camera connects to Blue Iris NVR.

No. Plug your normal trusted devices (plus the AC68 WAN port) into your switch and they will get 192.168.1.x. Plug untrusted devices into the AC68 LAN ports and they will get 192.168.2.x. So your NVR will be the only one with dual IPs.

For wifi you need to use a different SSID on the second router so that you can choose which router each device connects to. Make sure the second router is set to 192.168.2.1 for LAN and DHCP range is 192.168.2.x also.

Then if you are using the dual NIC setup the firewall rules are pretty easy. In Firewall -> Network services filter on the second router, set enable filter to "yes", set it to deny list (default) and add the following rules
Destination IP 192.168.1.0/24 protocol TCP hit add
Destination IP 192.168.1.0/24 protocol UDP hit add
Apply

Typically I'd leave the filtered ICMP part empty. Clients on LAN 2 can ping stuff on LAN 1 but not a big deal, they can't do anything else. You can block ICMP here (for example to block ping you'd just put an 8 in this field) if you want but note they won't be able to ping anything, even on the internet (I guess if they are just cameras that is fine). ICMP is required for certain stuff to work so I wouldn't block all of the types (you can block multiple by putting the type codes separated by spaces, but ping/echo request type 8 is probably the only one that really matters).

Under WAN DNS on Router 2, you have a couple options, let it just get router 1's IP via DHCP (easiest), or put whatever DNS servers your Router 1 gets from your ISP. Option 2 is a tad more secure and cleaner but really not a big difference either way. Under LAN DHCP on router 2 don't specify any DNS, clients will get Router 2's IP, that's what you want.

R1 wireless is disabled? So you have no trusted wireless devices at all? Trusted wireless should be connected to Router 1's main wireless, and untrusted wireless to Router 2's main wireless. No guest networks needed (unless you want additional untrusted networks for guests etc, that's a different discussion on how to best do that). The two wireless should have two different SSIDs and passwords.

To keep things easy, you can go on router 1 and create a DHCP reservation for Router2 as 192.168.1.2 so you always know what its IP is (and if you want to eliminate the second NIC or do port forwarding in the future it would be required anyway). Then unplug/replug the WAN on router 2 so it gets the new IP.

If you want to be able to manage router 2 from LAN 1 go on router 2's WAN page and enable WAN access. Since it isn't facing the internet this is fairly safe to do. You can then access it from LAN 1 by hitting 192.168.1.2.

If you want to eliminate that switch, there is a fairly simple script to change some of the ports on the AC68 into the untrusted LAN and have others in the trusted one. But that's not required, just a nice-to-have/cleanup thing if you wanted to do it.

Made a few edits above so make sure you're reading the latest version.
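The same deny list as a script, added here as an example and not code from the thread or from Asuswrt-Merlin itself: the GUI route above is the simpler one, but this is the equivalent in iptables terms, written as a `/jffs/scripts/firewall-start` user script for Router 2 (Merlin runs that script after every firewall restart and passes it the WAN interface name as the first argument; JFFS custom scripts must be enabled and the file made executable). The variable names, the `--show` option and the ping toggle are this example's own. Two points worth knowing either way: the rules only restrict traffic that LAN 2 initiates toward 192.168.1.0/24, which is all that is needed because Router 2 is NATing and nothing is forwarded inbound; and Router 2's own DNS queries to Router 1 are router-originated rather than forwarded, so they keep working even though every LAN 2 client is cut off from the trusted network.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start on Router 2 (Asuswrt-Merlin) - added example.
# Drops traffic from the untrusted LAN (br0) toward the trusted 192.168.1.0/24
# network, the same effect as the Network Services Filter deny list in the GUI.
TRUSTED_NET="${TRUSTED_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-br0}"
IPT="${IPT:-iptables}"
BLOCK_PING="${BLOCK_PING:-0}"   # 1 also drops echo-request (ICMP type 8), like the GUI's ICMP field

# Merlin passes the WAN interface name as $1 on a firewall restart; when run by
# hand (or off the router) fall back to nvram, then to eth0.
if [ -n "${1:-}" ] && [ "$1" != "--show" ]; then
    WAN_IF="$1"
else
    WAN_IF="${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null || echo eth0)}"
fi

# deny_rules: one iptables rule specification per line (chain first, no -I/-D).
deny_rules() {
    printf '%s\n' "FORWARD -i $LAN_IF -o $WAN_IF -d $TRUSTED_NET -p tcp -j DROP"
    printf '%s\n' "FORWARD -i $LAN_IF -o $WAN_IF -d $TRUSTED_NET -p udp -j DROP"
    if [ "$BLOCK_PING" = "1" ]; then
        printf '%s\n' "FORWARD -i $LAN_IF -o $WAN_IF -d $TRUSTED_NET -p icmp --icmp-type 8 -j DROP"
    fi
}

# apply_rules: insert each rule at the top of FORWARD, deleting any old copy
# first so the script stays idempotent across repeated firewall restarts.
apply_rules() {
    deny_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting of $rule is intended
        $IPT -D $rule 2>/dev/null || true
        $IPT -I $rule
    done
}

case "${1:-}" in
    --show) deny_rules ;;     # print the rules without touching iptables
    "")     ;;                # no interface given: sourced or run off-router, do nothing
    *)      apply_rules ;;    # normal firewall-start call: $1 is the WAN interface
esac
```

On the router, `sh /jffs/scripts/firewall-start --show` prints the rules without applying them, and `iptables -L FORWARD -v -n` after a firewall restart confirms they landed at the top of the chain. If a LAN 2 device ever does need one specific thing on LAN 1, add a narrower ACCEPT above these DROPs rather than loosening them.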
 
I don't use guest wifi, so it's off.

There's too many parallel discussions going on. I've given what info I can above, I'll leave it at that. If you have no trusted wifi devices, then R1 wifi can be off. If you have trusted ones, it needs to be on with a different SSID.
 
@drinkingbird Sorry about that. I was trying to answer questions. Let's continue if you don't mind.
At this point, I am still not getting the results I am looking for.

I should have mentioned this before and it may be relevant. My setup is not ideal, I know.. but please bear with me.

The outdoor POE cameras... they all come into the house on the side of the house where the main router is.
( I am aware the ideal thing would be for the POE switch to be where the Blue Iris NVR is).. yes, but unfortunately because of how this house was wired, this is what I am working with.

Next to Router 1, I have a 5 port POE switch.

The POE cameras are connected there, then from that POE switch, I connect a cable to the LAN port of Router 1.
Then, from R1 LAN, there's an Ethernet running to the other side where the Blue Iris PC is and that 2nd switch.. not POE.

Now, those POE cameras, they are on a static IP for the 192.168.2.x network.

So what is happening is..
On R2, I connected an Ethernet cable from its WAN port to that 2nd switch. There are no cameras showing on the Blue Iris NVR at this point.

If I connect a cable from the NVR NIC 2 to R2 LAN port, then I can see only the wireless cameras..but not the wired POE cameras.

If I connect a cable from the R2 LAN port to the switch (not the POE), then I can see the rest of the wired cameras... but i was told to not do this.

EDIT:
Is the issue here that the POE cameras are already on a different subnet and it's being transferred on the same cable as the 192.168.1.x network?
 

You need to understand that isolating means not connecting the two networks together in any way. You keep adding new surprises and issues.

I think you need to draw out exactly what you have, every connection and device. At the very least you need to disconnect the POE switch from router 1 and connect it to a LAN port of router 2 directly, not through any shared switches etc.

If that is not possible, you need to invest in smart switches with vlan support etc.

I think you are in way over your head honestly.

To be totally clear
Trusted devices (wired or wireless) connect to router 1 ONLY
Untrusted devices (wired or wireless) connect to router 2 ONLY.

Your POE switch is UNTRUSTED

No switch can connect to both routers unless it is a smart switch with VLAN support and you've configured two vlans and isolation properly.
 
I understand the frustration. I just have to work with what I have. Thanks for your help and patience.
 

Draw out all your physical devices and cabling; that's the only way anyone is going to be able to help.

For the devices you've mentioned so far, this is how they must be connected:

Router 1 WAN connects to internet
Router 1 LAN connects to remote non-POE switch and any trusted wired devices near router 1 (not POE switch, not cameras)
Remote non-POE switch connects to any trusted devices (including NVR port 1) near router 2, and Router 2 WAN
Cameras connect to POE switch
POE switch connects to Router 2 LAN
NVR port 2 and any other untrusted wired devices to Router 2 LAN

Trusted wireless devices to router 1 regular wifi SSID 1 (no guest network enabled)
Untrusted wireless devices to router 2 regular wifi SSID 2 (no guest network enabled)

No other connections/switches/etc can be there other than exactly what is above. If you do not have enough cabling between router 1 and router 2 to set up the above, then that is a totally different discussion to either get some smart switches (or maybe your switches already are smart ones?) or use MOCA or something to get more connections.
 
Can I just get an old router and turn it into a smart switch?

Smart switches are cheap, 5 port ones run $20 to $25. If you want to get into scripting, you can turn the Asus into a smart switch (the 68U is easy, the 86 is a lot harder). Or go back to Fresh Tomato on the 68U which supports VLANs (but it doesn't support the 86U so that's only half the battle).

Let's take 20 steps back here. What are you trying to accomplish?
Stop the cameras from accessing your trusted LAN in case they have malware?
Stop the cameras from accessing the internet so people can't spy on you?
Are there any other untrusted devices other than the cameras (and if so, do they need internet access)?

If the cameras don't need internet access at all (you can do firmware updates etc by uploading them from a PC) then just put the cameras and NVR port 2 on a totally isolated switch that connects to nothing else. That's going to be your safest and cleanest solution. Obviously your POE switch would be the choice for this since the cameras need POE.

That will require 2 cables between the two sides of the house (unless you can move the NVR to near where router/POE switch are located). If you can't do that, then a pair of cheap smart switches is the easiest solution to send two segmented VLANs over that same single cable.

What brand/model are the switches you have now (both POE and non-POE)?
 
