PunchCardBoss
Senior Member
YES, in general. Setting up a VLAN on your 86U-PRO lets you assign a LAN port (wired) to a specific subnet. You define (assign) the subnet number rather than the router. So if you want a subnet that is 192.168.3.1, or 192.168.99.1, you can do that.
So if I move my cameras and the raspberry pi with the CCTV onto the subnet, it is more secure.
In theory, you should be able to do the same thing with WiFi. Guest Network Pro allows you to choose the type of connection: wired or WiFi by radio frequency.
Now, there is one more step to the security issue: ISOLATION. Asus’ Guest Network Pro allows you to choose whether you want to allow “Access Intranet” (not internet). This switch permits or denies access of devices on a subnet to access devices on another subnet that is controlled by your router. If you want to keep all your devices on your subnet from communicating with any LAN device on another subnet, then leave this switch off. (Note, isolation also appears on the LAN>VLAN>Profile screen. It is called “Port Isolation”)
Special note. Right now, the Asus firmware for your router may not allow you to deny internet access for a specific device on your VLAN subnet. This appears to be a bug and current limitation.
There are 2 ways you can access a VLAN subnet from your primary subnet.
How do I then access these devices from my main PC, on the other subnet? Does that access method reintroduce the security risk?
The first and often easiest is to temporarily change the Guest Network Pro “Access Intranet” option to Allow. Then you can disallow after you're finished to re-establish your VLAN subnet isolation. Note that security (isolation) is temporarily suspended during this process.
The second way is to temporarily connect your PC to the VLAN subnet. I simply connect my PC to the switch that is connected to the VLAN port on my router and reboot my PC (assuming your PC NIC is set up with automatic DHCP). When I am finished doing what I need to do, I disconnect my ethernet cable and reconnect to my WiFi (after a reboot). Security of your PC is temporarily compromised when it is connected to the VLAN subnet.
The best scenario would be to have a separate PC on your VLAN subnet all the time. But that option is not practical for home systems.
ADDED...
Here is how I have my network wired (with VLAN IDs hidden). Note that I can either have my router control the VLAN for my cameras or connect the switch to a 2nd LAN port on my NAS/NRV which has a static VLAN IP. Everything works as it should.
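An added example, not part of the post above: a check to run from a PC on the primary subnet after switching "Access Intranet" back off, to confirm the camera VLAN is isolated again. The subnet is the 192.168.3.x example from the post; the device addresses and ports are constructed placeholders to replace with your own.

```python
import ipaddress
import socket

# Assumptions: the post's example subnet, plus constructed addresses for a
# camera (RTSP, 554) and the Raspberry Pi (SSH, 22). Replace with your own.
ISOLATED_NET = ipaddress.ip_network("192.168.3.0/24")
TARGETS = [("192.168.3.10", 554), ("192.168.3.20", 22)]


def probe(host, port, timeout=2.0):
    """Classify one TCP connection attempt made from the primary subnet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"       # full handshake: traffic crosses subnets
    except ConnectionRefusedError:
        # Something answered with a reset. Usually that is the device
        # itself (port closed but host reachable), so it is reported too.
        return "refused"
    except OSError:
        # Timeout, no route, host or network unreachable.
        return "blocked"


def leaks(targets, net=ISOLATED_NET, timeout=2.0):
    """Return (host, port, result) for every target that answered at all."""
    found = []
    for host, port in targets:
        if ipaddress.ip_address(host) not in net:
            raise ValueError(f"{host} is not inside {net}")
        result = probe(host, port, timeout)
        if result != "blocked":
            found.append((host, port, result))
    return found


if __name__ == "__main__":
    answered = leaks(TARGETS)
    for host, port, result in answered:
        print(f"NOT ISOLATED: {host}:{port} -> {result}")
    if not answered:
        print(f"No answers from {ISOLATED_NET}; isolation appears to be in effect")
```

Run it once with "Access Intranet" set to Allow to confirm the targets are really listening, so that a later "blocked" result reflects the isolation setting and not a wrong address.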