Should I segment out my security cameras & NVR?

politby

Occasional Visitor
I am installing four (4) security cameras and a network video recorder server in my house. I was wondering whether I should give them their own LAN segment in order to improve performance and/or security.

The cameras will all be connected to their own switch, a 3Com 4500 series located in the attic. This switch I believe is level 3 capable.

All my other equipment is located in the basement. I have a MikroTik RB2011 router which also is level 3 capable, it has my incoming internet connection and is connected to a Procurve 1800 switch which is level 2 but not 3 capable. Currently all other devices - PCs, access points, servers, IP phones, home automation, etc. - are plugged in to the ProCurve which is running in unconfigured mode.

The NVR software is running in a virtual machine on one of the servers currently connected to the ProCurve. This virtual machine has its own dedicated network card so I can connect it either to the router or the ProCurve Switch, but not to the switch that runs the cameras.

Do I have anything to gain from segmenting this network? If segmenting is a good idea how do you think I should do it?

I guess if I wanted proper subnets I would have to use the router because the ProCurve is only level 2. That would mean connecting both the NVR virtual machine and the attic switch to the router and figuring out how to set it up.

Or can I connect them to the ProCurve and use some sort of simpler VLAN configuration?

The cameras and the NVR need internet access, and I also need to connect to them from web browsers on a couple of PCs. The NVR server is a member of my Windows domain and stores its recordings on another Windows server so it cannot lose its connection to the domain. Can a Windows domain span VLANs and/or subnets?

Maybe I should put my IP telephony on its own segment as well while I'm at it?

Sent from my Nexus 4 using Tapatalk
 
Separating the IP cams, home automation and VoIP each into their own VLANs will help with security. Unless the devices are generating a LOT of traffic, you probably won't see any performance gain.

You can do this with simple layer 2 VLANs, no need to go to Layer 3.

Here are a few how-tos that may help
http://www.smallnetbuilder.com/lanw...how-to-segment-a-small-lan-using-tagged-vlans

http://www.smallnetbuilder.com/lanw...ow-to-use-a-layer-3-switch-in-a-small-network

http://www.smallnetbuilder.com/lanwan/lanwan-howto/30071-vlan-how-to-segmenting-a-small-lan
 
Agreed. Only time you might see a performance gain by segmenting on the same physical network is if devices are broadcasting instead of unicasting (and you aren't locking down unintended recipient ports with storm control on the switch) or they are for some reason sending out a significant amount of ICMP traffic, which would often mean a bugged device/virus or else you have a very, very large number of devices on your network (i.e. hundreds of devices will, in aggregate, send out a LOT of ICMP traffic on a LAN, so segmenting it out would boost performance by isolating the ICMP traffic into smaller clusters).
 
A little bit more information: Here's what it looks like now, and with the proposed members of the camera VLAN circled:

network.png


I have made some experiments. I first tried with just a subnet on the SFP port, using these instructions:

http://networkingforintegrators.com/2013/01/how-to-run-multiple-networks-from-a-mikrotik/

This almost worked. The 3Com switch picked up a DHCP address and so did the cameras connected to it. I could reach the router from both subnets and also log into the cameras' web interfaces. However the web interface of the 3Com switch was unreachable and the camera live video feeds were not displayed in the browser.

When I set up a VLAN according to these instructions:

http://networkingforintegrators.com/2012/12/mikrotik-basic-vlan-example/

The result was less encouraging. The 3Com switch and the cameras could never contact the DHCP server and they were unreachable from outside the VLAN. The router was still reachable though.

So I don't think I got this setup right. Further guidance would be much appreciated.




Sent from my Nexus 4 using Tapatalk
 
Just a suggestion, might work for you might not.
If you go to a network of 10.1.4.x for your inside Ethernet and DHCP server with a netmask of 255.255.255.0 for your PCs and such, you could assign the DC a static IP with a netmask of 255.255.252.0 and put the NVR on the 10.1.5.x network with 255.255.0.0 [static] as well as the cameras with static. Any machine on the 10.1.4.x network with the 255.255.252.0 netmask will be able to access the .5 net; those with 255.255.255.0 won't be able to see it.
Had to do that here to get the ASA to accept .5 traffic so I could add another 100+ workstations. That .252 netmask will not allow it to see .1, .2, .3 subnets, only .4, .5, .6 subnets. A normal class A subnet is 255.0.0.0 and it can see anything on 10.x.x.x. You can use the netmask to hide as well as expose subnets. Remember to put that same .252 netmask on the router's inside IP so the router can also see the .5 net. I'm assuming your DC is the DNS/DHCP server.
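The mixed-netmask scheme in the post above is easy to get wrong in your head, so here is an added worked example (editor's code, not from the thread) that computes, for a set of constructed hosts using the proposed masks, which address range each host considers on-link and whether each pair of hosts agrees about it. The host names and addresses (10.1.4.20 PC, 10.1.4.5 DC, 10.1.4.1 router, 10.1.5.10 NVR, 10.1.5.50 camera) are assumptions chosen to match the 10.1.4.x / 10.1.5.x scheme; the DC's /22 covers 10.1.4.0 through 10.1.7.255.

```python
import ipaddress
from itertools import permutations

# Constructed hosts mirroring the addressing proposed above; all IPs are assumptions.
HOSTS = {
    "pc":     ("10.1.4.20", "255.255.255.0"),
    "dc":     ("10.1.4.5",  "255.255.252.0"),
    "router": ("10.1.4.1",  "255.255.252.0"),
    "nvr":    ("10.1.5.10", "255.255.0.0"),
    "camera": ("10.1.5.50", "255.255.0.0"),
}


def covered_range(ip: str, netmask: str) -> tuple:
    """Network and broadcast address of the subnet a host's mask describes."""
    net = ipaddress.ip_interface(f"{ip}/{netmask}").network
    return str(net.network_address), str(net.broadcast_address)


def on_link(host_ip: str, netmask: str, target_ip: str) -> bool:
    """True if host_ip/netmask treats target_ip as directly reachable (it will
    ARP for it); False if it hands the packet to its default gateway instead."""
    net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    return ipaddress.ip_address(target_ip) in net


def path_kind(src: str, dst: str, hosts=HOSTS) -> str:
    """Classify src->dst: 'direct' when both sides see each other on-link,
    'routed' when neither does, 'asymmetric' when only one does. An asymmetric
    pair only works if the gateway forwards the other direction and both hosts
    still share one layer-2 segment; it is a fragile, hard-to-debug setup."""
    s_ip, s_mask = hosts[src]
    d_ip, d_mask = hosts[dst]
    fwd = on_link(s_ip, s_mask, d_ip)
    rev = on_link(d_ip, d_mask, s_ip)
    if fwd and rev:
        return "direct"
    if not fwd and not rev:
        return "routed"
    return "asymmetric"


def asymmetric_pairs(hosts=HOSTS) -> list:
    """All ordered host pairs whose masks disagree about being on-link."""
    return sorted(
        (a, b) for a, b in permutations(hosts, 2)
        if path_kind(a, b, hosts) == "asymmetric"
    )


if __name__ == "__main__":
    for name, (ip, mask) in HOSTS.items():
        print(f"{name:7s} {ip}/{mask} covers {covered_range(ip, mask)}")
    for a, b in permutations(HOSTS, 2):
        print(f"{a:7s} -> {b:7s}: {path_kind(a, b)}")
    print("asymmetric:", asymmetric_pairs())
```

Running it shows the DC and router (/22) reach the .5 hosts directly, the /24 PCs send .5 traffic to the gateway, while the /16 NVR and camera believe the PCs are on-link, so every PC-to-camera or PC-to-NVR pair is asymmetric. A mask mismatch like that is not a security boundary: anything on the shared switch can still set its own mask wide and talk to the "hidden" subnet; only a router with filter rules between two separate segments actually enforces separation.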
 
Phew. Might take me a while to parse that, lol.

The DC is the primary DNS server for all machines on the domain but it forwards requests to the router. It is not a DHCP server, that is handled by the router.

It's not a large network - no more than 50 IP addresses total. In terms of traffic, the worst case would probably be a couple of Netflix SuperHD streams from the internet while my media server is sending a Blu-ray rip to a client PC and one of the security cameras is recording to the server.
 
I don't think you'll have a problem then. My net is much smaller, round about a dozen IP addresses (maybe 14?). However, my traffic is similar or heavier. I keep the heaviest traffic through my core switch (16 port) with router and APs connected directly off the core (another 16 port handling some ancillary devices and LAN drops that are light on traffic, like my MoCA bridge to feed my DVR). I've got a 75/75 FIOS connection and I've got 2Gbps between server and desktop (SMB Multichannel, two gigabit NICs in each machine, Windows 8.1 on them). I have never noticed a hiccup. The heaviest use case I can possibly think of is when running a sync/backup between my desktop and server chugging along at 210+MB/sec, a couple of Netflix streams (to AppleTV and wife's iPad) AND pulling down a new Steam game on my laptop, chugging at a good 8+MB/sec there.

Nothing hiccuped, nothing seemed to slow down. I am sure I could generate some more artificial traffic to see if anything falls apart, but I'd have to start getting creative. Maybe sending some really big PDFs from my tablet to the printer. Oh, or maybe pushing up a bunch of files from my laptop to the server at the same time as my desktop is pulling new files from the server...though I'll likely just "break" my RAID array and not the network capacity.
 
My security camera server has two NICs: one, 10.1.x.x, on the internal corp net of which it is a member, and a second NIC, 192.168.x.x, which the 150+ cameras are on. The cameras are static IP. I just rt into the server for access to the cameras live and recorded, which allows me to view, playback or download and burn for any legal requirements.
 
camera traffic would be a small percentage of the LAN capacity.
No need for complexity of VLAN or 2nd subnet for capacity reasons.
I can't see a security issue.
 
You are probably right. Not a whole lot to gain and more complicated. But now that I have started tinkering with it I'd like to see if I can get it to work, if nothing else so for the learning experience.

So I set up the MikroTik router with 2 subnets, like this, each subnet with its own DHCP server and gateway IP:

network2.png


I left the NVR virtual machine out of it at this point, will get to that later.

The router automatically created a static route between the two subnets. This mostly worked with a few strange exceptions which I thought maybe you could comment on. The cameras and the 3Com switch picked up their IP addresses, and I did some testing from PCs connected to each individual subnet.

From machine B:

- full Internet access
- full access to cameras including video feed
- full access to 3Com web interface
- cameras and 3Com respond to pings

From machine A:

- full Internet access
- access to camera web interfaces but no video
- no access to 3Com web interface
- cameras but not 3Com respond to pings

From both A & B using external IP, i.e. going through router NAT and port forwarding:

- full access to cameras including video feed
- full access to 3Com web interface

I don't understand why I can connect to the cameras' web interfaces but not get the video stream (Hikvision browser plugin). And why do the cameras but not the switch respond to connections from the other subnet? I cannot find any setting in the switch that blocks connections from outside its own subnet.

There must be something I have overlooked when setting up the subnets. I realize the actual settings are going to be MikroTik-specific, but maybe you can see from my description above whether my thinking is correct?


Sent from my Nexus 4 using Tapatalk
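The symptom reported above (web UI reachable across subnets, video stream and switch management not) is the pattern you get when inter-subnet forwarding admits some ports but not others. Here is an added example, editor's code rather than anything from the thread, that models the router's forward chain as an ordered first-match rule list, renders each rule as a RouterOS filter line, and checks which flows a "web only" rule set versus a least-privilege camera policy let through. The prefixes (192.168.2.0/24 for the LAN, 192.168.10.0/24 for the cameras, 192.168.2.40 for the NVR VM) are assumptions, since the thread only mentions ".2" and ".10"; the camera ports are the usual Hikvision defaults (tcp/80 web, tcp/554 RTSP, tcp/8000 SDK/plugin) and should be checked against your own units. Only the first packet of each new flow is evaluated; a real forward chain also needs an established/related accept rule for the replies, which is not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed addressing for the two-subnet layout (assumptions, not from the thread).
LAN_NET = "192.168.2.0/24"     # PCs, servers, NVR VM
CAM_NET = "192.168.10.0/24"    # cameras and the attic switch
NVR_HOST = "192.168.2.40"      # NVR virtual machine (assumed address)
ANY = "0.0.0.0/0"

# Typical Hikvision defaults: web UI, RTSP, SDK/plugin control channel.
CAMERA_PORTS = frozenset({80, 554, 8000})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: Optional[str]               # None = any protocol
    dports: Optional[FrozenSet[int]]   # None = any destination port
    action: str                        # "accept" or "drop"
    comment: str


def matches(rule: Rule, flow: Flow) -> bool:
    """Does this forward-chain rule match the first packet of the flow?"""
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst_net):
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dports is not None and flow.dport not in rule.dports:
        return False
    return True


def evaluate(rules: List[Rule], flow: Flow, default: str = "drop") -> str:
    """First match wins, as in a firewall chain; default deny if nothing matches."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


def to_routeros(rule: Rule) -> str:
    """Render a rule as a RouterOS '/ip firewall filter' forward-chain line."""
    parts = ["/ip firewall filter add chain=forward", f"src-address={rule.src_net}"]
    if rule.dst_net != ANY:
        parts.append(f"dst-address={rule.dst_net}")
    if rule.proto:
        parts.append(f"protocol={rule.proto}")
    if rule.dports:
        parts.append("dst-port=" + ",".join(str(p) for p in sorted(rule.dports)))
    parts.append(f"action={rule.action}")
    parts.append(f'comment="{rule.comment}"')
    return " ".join(parts)


# A rule set that only lets the LAN reach the camera web UI: the page loads,
# the plugin's stream connection on 554/8000 is silently dropped.
WEB_ONLY = [
    Rule(LAN_NET, CAM_NET, "tcp", frozenset({80}), "accept", "LAN -> camera web UI"),
]

# Least-privilege policy: the LAN manages cameras and pulls video, cameras
# never initiate towards the LAN and may only reach NTP on the internet.
POLICY = [
    Rule(LAN_NET, CAM_NET, "tcp", CAMERA_PORTS, "accept", "LAN -> cameras: web, RTSP, SDK"),
    Rule(LAN_NET, CAM_NET, None, None, "drop", "LAN -> cameras: nothing else"),
    Rule(CAM_NET, LAN_NET, None, None, "drop", "cameras never initiate to LAN"),
    Rule(CAM_NET, ANY, "udp", frozenset({123}), "accept", "cameras -> NTP"),
    Rule(CAM_NET, ANY, None, None, "drop", "cameras -> internet otherwise blocked"),
    Rule(LAN_NET, ANY, None, None, "accept", "LAN -> anywhere else"),
]


def stream_works(rules: List[Rule], pc: str = "192.168.2.50", cam: str = "192.168.10.20") -> bool:
    """Can a LAN PC open the web UI *and* the stream/control ports on a camera?"""
    return all(evaluate(rules, Flow(pc, cam, "tcp", p)) == "accept" for p in CAMERA_PORTS)


if __name__ == "__main__":
    print("web-only rule set, stream works:", stream_works(WEB_ONLY))
    print("full policy, stream works:", stream_works(POLICY))
    for r in POLICY:
        print(to_routeros(r))
```

The point of the two rule sets is the check a practitioner wants here: when the web page loads but the video does not, compare the ports the plugin actually opens against the rules on the path, rather than looking for a setting on the camera or the switch. The same model shows why a default-deny toward the camera subnet is cheap to keep: cameras that cannot open connections into the LAN or out to the internet are much less useful as a pivot if one of them is compromised.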
 
Don't know enough about the R820 but I figure it has a firewall. Are the .2 and .10 on the router on different Ethernet ports? If so, could they be acting like a DMZ interface and Inside interface? Cisco uses security levels 0-100 where the DMZ is set at 50 and the inside is 100.
Not knowing what ports the video uses and whether those could be blocked by the firewall by default.
What netmask did you use?
 
R820?

The .2 and .10 are on different Ethernet ports, both using 255.255.255.0. Identically configured except for the .10 vs .2 of course.

Sent from my Nexus 4 using Tapatalk
 
I think even if you are routing between the two interfaces the netmask is blocking the .2 and .10 from seeing each other, try changing the netmasks to 255.255.0.0 and see what happens.
 

This should work. How are the ports and VLANs configured in your switches? All the ports should be access ports that are untagged.
 
I think even if you are routing between the two interfaces the netmask is blocking the .2 and .10 from seeing each other, try changing the netmasks to 255.255.0.0 and see what happens.

Will try that. But if the netmask was blocking, I should not even be able to ping the cameras from machine A, should I?

Sent from my Nexus 4 using Tapatalk
 
This should work. How are the ports and VLAN's configured in your switches? All the ports should be access ports that are untagged.

That's how it's set up. Both switches are in factory configuration and the router ports are too.

The RB2011 comes from the factory set up with the first gigabit port as WAN port. The remaining ports (4 gigabit, 5 10/100 plus 1 SFP port) are bridged as a switch, essentially making it work just like a consumer router.

This can all be customized to your heart's content, all ports can be set up individually just like on any level 3 router.

I just removed one port from the bridge, added a new network to it (the .10) and set up a DHCP server. The router automatically creates static routes when you do this. According to MikroTik's instructions this is all that's supposed to be needed.

The problem must have to do with the routing between the subnets, as everything worked fine when accessing the security cameras from the internet through NAT. I'm starting to think it must be something with the firewall in the router that causes this.

I forgot to include in the diagram that I have a Sophos UTM between the router and the Procurve switch. It has its firewall turned off and only does web filtering and threat management. But in any case it is configured to give machine A complete pass through so I doubt it has anything to do with this.

Sent from my Nexus 4 using Tapatalk
 