Wired IP camera/ NVR POE setup on a RT-AX86U Pro running 3.0.0.6.102_34313


cheaponos

Hi all,

First time poster here. I have searched through the forum but still unsure on whether what I'm trying to achieve can be done.

I have an RT-AX86U Pro running 3.0.0.6.102_34313 and I'm about to get wired IP cameras around the house that will connect directly to the NVR POE box.

Q1/ I'm wondering whether I can use the Guest Network Pro or VLAN function to create an isolated subnet / VLAN for the wired IP cameras so the NVR and cameras are separate from the other (internal) network?

Q2/ I would be okay to view the camera footage and manage the cameras directly on the NVR. I also need to (remotely) view camera footage via the smart phone app (which is a missus non-negotiable). Additionally, if there was a way to connect to the NVR via its web interface for camera viewing and camera management that'd be ideal, and if I could use a PC on the other internal network to access the NVR web interface, that would be good, so not to have to buy another PC, but I'm not sure if that's possible and also only allow one way traffic i.e. PC to NVR and not NVR to PC? Or do I buy another PC and connect that directly to the NVR LAN port?

Current network setup is very basic: NBN box, unmanaged switch, Asus router.

Apologies if this has been asked to death and I'm just not finding the answers.

TIA.
 
Q1/ I'm wondering whether I can use the Guest Network Pro or VLAN function to create an isolated subnet / VLAN for the wired IP cameras so the NVR and cameras are separate from the other (internal) network?

Most NVRs will do this by default - camera network will be isolated from your management/monitoring interface. Otherwise whoever connects to a camera wire will have straight access to your network. This potential security issue is covered already, check the NVR user manual.

Q2... I also need to (remotely) view camera footage via the smart phone app (which is a missus non-negotiable).

This is also an NVR function; some do it in better ways than others, most do it one way or another. In most cases you have nothing to configure on your router; you may have to install whatever software is required on your computers for local management and mobile devices for remote viewing.
 
Current network setup is very basic: NBN box, unmanaged switch, Asus router.

You can keep it simple as it is. Just connect the NVR to your router or switch. Follow the instructions how to do local management and camera monitoring, then the instructions how to view the cameras on remote devices. Good brand NVR will do this for you the easy way. New PC not needed unless you want to see the cameras 24/7 on separate dedicated monitor. Even this is doable on single dual monitor PC in case it runs 24/7.
 
…camera network will be isolated from your management/monitoring interface.
Thanks. So the cameras will be isolated as part of the NVR internally managing via its own DHCP, but what about the NVR itself? Ideally the NVR would sit on a separate subnet to my other devices. For instance, the main network is 192.168.100.1 and the NVR is different 192.168.101.1. Perhaps that’s what you’re saying is out of the box. I’ll check the NVR manual.
 
but what about the NVR itself?

The NVR's management interface will have a manually assigned or DHCP-assigned address. If you VLAN isolate it you'll also lose access to it and have to view and manage your cameras online only instead of locally. This won't be the ideal setup for you. If you don't trust this NVR right from the start, better get something from a well known and trusted brand. This applies to all your devices. Otherwise you may want to isolate them too.
 
If you VLAN isolate it you'll also lose access to it and have to view and manage your cameras online only instead of locally.
That’s where I was then thinking a need then for a separate pc, with the connection being nvr lan port to switch, separate pc connected to switch, switch connected to router.

I get your point about brand trust and then potentially needing to isolate all devices, but ultimately I am keen to know whether a specified lan port on the RT-AX86U Pro can be vlan’d/ isolated, and if so, how can this be configured?
 
@cheaponos

I am running 6 POE cameras connected to my syno NAS running Synology's Surveillance Station (a software NVR). And my NAS is connected to my AX88U-PRO running Asus stock FW. So my setup is similar to yours.

There are a number of ways you can set up your system, some of which are dependent on your NVR.

.....ADDED.....
Ideally, you would want all your surveillance equipment/devices to be completely isolated from the rest of your LAN --- AND without internet access so no devices can "call home" and load Firmware when they want.

AND, you would want your system to send you SMS messages, email or connect with a mobile app so when there is a detection, you will receive notification --- and all this easy to manage with the most secure network configuration.

Well, as in most network designs, there are always compromises. And most of those compromises have a lot to do with the features (or lack of features) on your NVR.
....END ADDED.....

....EDIT....
One of the BIG questions about your NVR is whether it is capable of configuring its ports with different subnets. If it can (the good commercial grade NVRs can), then you have more networking options.
....END EDIT....

Does your NVR have 1 or 2 (or more) addressable LAN ports? In other words, can you assign an IP, subnet mask, gateway and DNS for one port and a different IP on a different subnet, subnet mask, DNS and gateway on another LAN port?

My NAS has two addressable LAN ports so I use NAS LAN port #2 connected to a POE switch for all surveillance devices on a subnet (similar to a VLAN) without using my AX88U-PRO gateway. AND, NAS port #1 is connected to the AX88U-PRO for internet access and SMS push notifications to my remote mobile.

The big benefit is none of the video comms go through my router, which off-loads the router CPU and general congestion. And all surveillance devices are isolated from the rest of my LAN. And I can manage all devices through my primary subnet connection to my NAS.

I'm saying all this to say your setup options are very dependent on the features of your particular NVR. I suggest you dig into your NVR instruction manual to find out what port configuration options you have. Only then can you design the best system for your use-case.

If you can't assign more than one IP subnet to NVR ports, then you can use your PRO router VLAN setup to isolate your NVR and surveillance devices from the rest of your LAN. But the VLAN will need internet access for remote SMS push notifications.

...ADDED...
But in this case, all your surveillance devices, including your NVR can "call home", which is considered a security risk.
 
Hi @PunchCardBoss - thanks heaps for the detailed reply.

Does your NVR have 1 or 2 (or more) addressable LAN ports
My NVR has one LAN port and 8 POE ports. So I guess that option is out of the question.
My NAS has two addressable LAN ports so I use NAS LAN port #2 connected to a POE switch for all surveillance devices on a subnet (similar to a VLAN) without using my AX88U-PRO gateway. AND, NAS port #1 is connected to the AX88U-PRO for internet access and SMS push notifications to my remote mobile.

The big benefit is none of the video comms go through my router, which off-loads the router CPU and general congestion. And all surveillance devices are isolated from the rest of my LAN. And I can manage all devices through my primary subnet connection to my NAS.
That is a great setup.
If you can't assign more than one IP subnet to NVR ports, then you can use your PRO router VLAN setup to isolate your NVR and surveillance devices from the rest of your LAN. But the VLAN will need internet access for remote SMS push notifications.
That would leave me with this option, I assume. This link from Tech9 provides the guidance to configure VLAN on the AX86U-PRO router - [Wireless Router] What is VLAN and how to setup in ASUS Wireless Router? | Official Support | ASUS Canada

I am running 6 POE cameras connected to my syno NAS running Synology's Surveillance Station (a software NVR). And my NAS is connected to my AX88U-PRO running Asus stock FW.
Does using the Syno NAS Surveillance Station limit the features you can access on your POE cameras? I'm just interested if I were to move to this kind of setup later on.
 
Does using the Syno NAS Surveillance Station limit the features you can access on your POE cameras? I'm just interested if I were to move to this kind of setup later on.
The answer is no limitation if I use Synology brand cameras. On other brand cameras that are compatible with the Synology Surveillance Station, some features may be controlled by the Synology UI whereas other features require logging into the camera UI.
 
Thanks. So the cameras will be isolated as part of the NVR internally managing via its own DHCP, but what about the NVR itself? Ideally the NVR would sit on a separate subnet to my other devices. For instance, the main network is 192.168.100.1 and the NVR is different 192.168.101.1. Perhaps that’s what you’re saying is out of the box. I’ll check the NVR manual.
I've just got a new Asus AX 6000 router.
I need to replicate the existing camera IPs on the new router & examples of the existing IPs are below.
[Reason: Existing CCTV is MotionEyeOS, which is "abandonware" & not all the functionality works if I install a "new camera". So I need the same camera settings. Kicking the can down the road.]

What is the best way to do this ? Should I create a new separate subnet, assuming that's possible ?


192.168.3.33    Automatic IP
192.168.3.66    MAC-IP Binding
 
I've just got a new Asus AX 6000 router.

Congrats.

It is relatively simple to "manually assign IP around your DHCP List" so that your new router will assign your camera to a specific IP. You will need the MAC address of your camera.

If I am not mistaken, your AX 6000 has a default gateway address of 192.168.50.1. This means your subnet is 50. In your example above, you have a subnet of 3.

If your camera has an IP address that uses subnet 3 and can not be changed, you have 2 choices.
  1. You can set your entire router to a subnet of 3. Do this on the router's LAN - LAN IP page. Change the value of 192.168.50.1 to 192.168.3.1. This means all your LAN IPs will be on subnet 3. And your new router login will be 192.168.3.1.
  2. Or, you can use Merlin Firmware for your router. Merlin Firmware (according to others) offers VLAN capabilities. I don't use Merlin because I have an AX88U-PRO router, which has VLAN capabilities.
There is one other possibility. If your camera has an ethernet port, you could connect a PC/Mac directly to your camera. In some cases, you can use a mobile app.

For example's sake, let's assume your camera has an IP of 192.168.3.66. Most cameras can either be set as DHCP or with a static IP. In this example, let's assume it is static or fixed: 192.168.3.66. Now, to make a direct connection to your camera by ethernet, you must configure your PC/MAC network card (NIC) to be on the same subnet. In this case, you can configure your PC/MAC with a manual/fixed IP of 192.168.3.12 and a sub-mask of 255.255.255.0; DNS=192.168.3.1; Gateway: 192.168.3.1. Note that the DNS and Gateway IP addresses are not real. That does not matter. But you may need to fill in the blanks to set your PC/MAC with a manual/fixed IP.

NOW, your PC/Mac and Camera are on the same subnet. Note that you don't have a router in this simple LAN connection. Nonetheless, devices on the same subnet can communicate with one another without a router.

Launch a browser on your PC/MAC and type 192.168.3.66 in the address field. You will get a browser warning because the IP address does not have an SSL Cert, but it does not matter. Just proceed. You should see the camera Log-In screen and can now configure your camera.

Almost forgot. When you are done, return your PC/MAC NIC configuration back to the way it was so you can use it as you normally would.

I did this for every one of my cameras so I could configure each camera with a static/fixed IP address of my choosing. I made notes and labeled each camera so I know which static/fixed IP address I used for each camera. Only after I did this did I configure my router VLAN.

Hope this helps you understand some of your options.
 
You have 2 choices.
  1. You can set your entire router to a subnet of 3. Do this on the router's LAN - LAN IP page. Change the value of 192.168.50.1 to 192.168.3.1. This means all your LAN IPs will be on subnet 3. And your new router login will be 192.168.3.1.
  2. Or, you can use Merlin Firmware for your router. Merlin Firmware (according to others) offers VLAN capabilities. I don't use Merlin because I have an AX88U-PRO router, which has VLAN capabilities.
Thank you. I presume creating a VLAN somehow allows me to create a separate subnet. That's what I prefer, but I don't prefer it sufficiently to change the firmware.
So option #1 it is.

[The AX88U-Pro was my first choice, but in recent weeks that has been £50~70 more expensive. If the AX88U-pro price drops before I've had my new router for 30 days, I might just change to that]
 
I presume creating a VLAN somehow allows me to create a separate subnet. That's what I prefer, but I don't prefer it sufficiently to change the firmware.

Yep. A router without VLAN support (of any kind) means the router only has one subnet for both ethernet and WiFi. It is for this reason I purchased an Asus PRO router. PRO routers are VLAN capable for ethernet and/or WiFi with Asus native firmware.

HOWEVER, your new router does have GUEST networks. These are (poor man's) WiFi (only) VLANs. I say "poor man's" because you can't set the subnet value. Instead, the firmware does.

The good news about GUEST network(s) is that they (theoretically) can be isolated from the rest of your LAN. I say theoretically because Asus does some wonky things with their GUEST network(s). There are lots of discussions in this forum about GUEST Network anomalies.

So, if your camera could be set to an IP that is part of the GUEST WiFi network, it could work and still be isolated from the rest of your LAN on a different subnet.

Although this is theoretically possible, it is not the 'best practices' method. The 'best practices' method is to use a firmware that offers VLAN configurations like Asus PRO models or Merlin firmware on your current router.
 
I've just got a new Asus AX 6000 router.
I need to replicate the existing camera IPs on the new router & examples of the existing IPs are below.
[Reason: Existing CCTV is MotionEyeOS, which is "abandonware" & not all the functionality works if I install a "new camera". So I need the same camera settings. Kicking the can down the road.]

What is the best way to do this ? Should I create a new separate subnet, assuming that's possible ?


192.168.3.33    Automatic IP
192.168.3.66    MAC-IP Binding
Is that a TUF-AX6000 or a GT-AX6000? Big difference between the two.
 
Thank you all for the advice. I have an Asus GT-AX6000.

Perhaps I should not dismiss the firmware change. I did have a look at the Merlin site, but only saw a few screenshots. How different is the interface to Asus ? My previous router was an Asus & playing around with the new one, it's good to have a similar layout. Merlin might add features, but do they delete anything ? What is the effect on warranty ?

I'm not exceptionally bothered about security. Perhaps I ought to be, but if anyone hacks my security system, they have photos of the outside of the house. It's not like I have a camera in the bedroom. I don't have a NAS & if I did, for the foreseeable future, I would only store CCTV pictures on it.
 
Perhaps I should not dismiss the firmware change. I did have a look at the Merlin site, but only saw a few screenshots. How different is the interface to Asus ?
I have not used Merlin. So others would be able to answer with more detail.

My understanding is that Merlin's UI is very similar to Asus'. A few superfluous features are absent. Better features are included. Of note is Merlin's 3rd party script capabilities which extend its capabilities. And, Merlin firmware has a strong record of being more stable.

My reasons for staying with Asus firmware have everything to do with "maintenance continuity". I'm old and some day others in my family will need to carry on. And they are not techies.

So, unfortunately, I need to keep things simple so others can assume the role of router maintenance. Otherwise, I would be using Merlin.
 
Well, I switched all my IP cameras over onto the Asus GT-AX6000, all on the same re-numbered subnet as everything else. Very easy.

I gather this might not be the most secure way, but exactly what are the risks ? I don't have CCTV cameras in my bathroom & am therefore not too worried in the unlikely event someone gets a live feed of my outdoor cameras. I don't even have a NAS at present.
 
I gather this might not be the most secure way, but exactly what are the risks ?
Cameras, like other IoT devices, connect to the internet. Many receive time sync and firmware updates (some automatically).

If they have a security flaw, then they are subject to hacking. If they are hacked, and you have 'trusted devices' on the same subnet (without device isolation), these trusted devices are more at risk.

So you have to ask yourself, "how valuable is your trusted device data"? Think bank info or ransom-ware. And "how much effort would it take to recover"?
 
Cameras, like other IoT devices, connect to the internet. Many receive time sync and firmware updates (some automatically).

If they have a security flaw, then they are subject to hacking. If they are hacked, and you have 'trusted devices' on the same subnet (without device isolation), these trusted devices are more at risk.
Thank you.
So if I move my cameras and the raspberry pi with the CCTV onto the subnet, it is more secure.
How do I then access these devices from my main PC, on the other subnet ? Does that access method reintroduce the security risk ?
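
The one-way access asked about in this thread (PC may open connections to the NVR/cameras, camera-side devices may not open connections to the PC) is what a stateful firewall between the two subnets enforces. The following is an added example, not from any poster and not Asus or Merlin code: a small model of that policy using the 192.168.100.x / 192.168.101.x subnets mentioned earlier in the thread. The class, function names and host addresses are hypothetical.

```python
import ipaddress

# Constructed addressing, based on the subnets mentioned in the thread.
MAIN_LAN = ipaddress.ip_network("192.168.100.0/24")    # PCs, phones
CAMERA_LAN = ipaddress.ip_network("192.168.101.0/24")  # NVR and cameras


def zone(ip):
    """Map an address to the zone the router would see it in."""
    addr = ipaddress.ip_address(ip)
    if addr in MAIN_LAN:
        return "main"
    if addr in CAMERA_LAN:
        return "camera"
    return "internet"


class StatefulFirewall:
    """Hypothetical model of an inter-subnet policy, not a router API."""

    # Zone pairs allowed to OPEN a connection. ("camera", "main") is absent.
    # ("camera", "internet") is absent too, so nothing can "call home";
    # adding it is the compromise needed for push notifications.
    ALLOW_NEW = {("main", "camera"), ("main", "internet")}

    def __init__(self):
        self.established = set()  # tracked flows: (src, sport, dst, dport)

    def forward(self, src, sport, dst, dport):
        """Return True if the packet passes, False if it is dropped."""
        flow = (src, sport, dst, dport)
        reply_of = (dst, dport, src, sport)
        if flow in self.established or reply_of in self.established:
            return True   # belongs to a connection that was already allowed
        if zone(src) == zone(dst):
            return True   # same subnet: switched locally, router never filters it
        if (zone(src), zone(dst)) in self.ALLOW_NEW:
            self.established.add(flow)
            return True   # new connection from a zone allowed to initiate
        return False      # e.g. camera-initiated traffic toward the main LAN


if __name__ == "__main__":
    fw = StatefulFirewall()
    pc, nvr = "192.168.100.20", "192.168.101.10"  # constructed hosts
    print("NVR opens connection to PC:", fw.forward(nvr, 40000, pc, 445))
    print("PC opens NVR web UI:       ", fw.forward(pc, 50000, nvr, 443))
    print("NVR reply to that session: ", fw.forward(nvr, 443, pc, 50000))
```

The same-subnet branch is the situation described above for cameras sharing the main LAN: that traffic never crosses the router, so no rule can restrict it.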
 
