
XG - VLAN setup with security camera

I am going to be setting up some security cameras and would like to know the best way to make them secure on my network.

What I would like to do is have the cameras separate from the LAN network where all my devices are. The intent here is that if one of my outside cameras was unplugged and someone plugged in a laptop they would not have access to the LAN network. 
From what I gathered so far I would need to setup a VLAN on a separate port. I have 2 ports not being used right now.

(IP addresses below are just for reference)

The LAN IP is 192.168.10.XXX

This VLAN I would use something like 192.168.20.XXX as the IP.

I would create firewall rules to allow the traffic to flow from the VLAN to the LAN where the NVR is located to record.

Is this possible using just the XG and a normal switch?

How would I setup the camera? Does it get an IP on the VLAN and how do I point that to an IP on the LAN?

  • Hi,

    if you are planning on using a spare port on the XG then you will need another unmanaged switch to isolate the networks. If you plan to share the switch ports you will need a managed switch.

    If using the spare XG port you will not need a VLAN, just a DHCP server on the XG and some rules to allow traffic between LANs.

    Ian

  • Thanks for the response. Your answer will make it much simpler.

    I do have an unmanaged switch to isolate the network.

    How do I set up the rules for the traffic to flow?

    Right now I have my camera set up with a static IP of 192.168.20.15 on the new DHCP network 192.168.20.1.

    Do I need to forward the 192.168.20.15 IP to the other LAN with a similar IP 192.168.10.15?

    How will the NVR "see" the IP address on my isolated LAN?

    This type of network configuration is new to me. This is a learning process. I appreciate any suggestions or help.

  • Hi,

    the camera will send its output to the NVR. I assume it will only be one-way traffic, by that I mean always initiated by the camera.

    You will need a LAN to LAN rule from your camera to the NVR LAN. You can be very specific:

    source LAN -> Camera IP -> destination -> LAN -> NVR IP -> allow ANY (at this stage) -> log. (No MASQ required)

    When you have this working you can change the ports to be specific for the camera to send data to the NVR.

    Now if you require access to the camera directly you will need another firewall rule, the reverse of the one above, except instead of the NVR you could put your PCs IP address.

    Ian

  • After re-reading your messages I decided that you have a great point on the switch setup. I have a 48 port switch that has spare ports. 

    I have setup a VLAN with 8 ports for the security cameras and the rest of the ports on the existing network.

    While setting this up I noticed that the spare port I used for the cameras has internet access.

    I do not want it to have internet access. What is the best way to resolve this? Do I create a firewall rule above my general rule and do not allow HTTP & HTTPS? Can I select the whole port somehow?

  • Hi Jason,

    you create a firewall rule at the top with the IP address of the camera and select drop. Source LAN -> IP camera -> destination -> WAN -> any -> drop.

    Ian
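Added illustration, not part of the thread and not Sophos code: a small Python model of the rule order described in Ian's two replies above. It encodes the camera-to-NVR and NVR-to-camera LAN-to-LAN allow rules, the camera-to-WAN drop rule placed at the top, and, below those, the "general rule" Jason mentions. The addresses follow the thread (camera 192.168.20.15, NVR 192.168.10.100, main LAN 192.168.10.0/24, camera segment 192.168.20.0/24); that the general rule is "LAN -> WAN -> any -> allow" and that a rogue laptop on a camera port would get 192.168.20.50 are assumptions made for the example. Running it shows the check the original post asks for (a laptop plugged into a camera port cannot reach the 192.168.10.0/24 LAN) and a scoping detail worth noting: with the drop rule written for the camera IP only, a different device on that segment still reaches the internet through the general rule, while scoping the drop to the whole 192.168.20.0/24 closes that.

```python
"""Constructed first-match model of the XG rule set described in this thread.

Added example, not Sophos code and not the poster's configuration.
Addresses from the thread: camera 192.168.20.15, NVR 192.168.10.100,
main LAN 192.168.10.0/24 (Port 4), camera segment 192.168.20.0/24 (Port 1).
Assumptions for illustration only: the 'general' rule is LAN -> WAN allow,
and 192.168.20.50 is a rogue laptop plugged into a camera port.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Tuple

LAN_10 = ip_network("192.168.10.0/24")    # main LAN, XG Port 4
LAN_20 = ip_network("192.168.20.0/24")    # camera segment, XG Port 1
CAMERA = ip_network("192.168.20.15/32")
NVR = ip_network("192.168.10.100/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network       # source host or network
    dst: IPv4Network       # destination host or network (ignored when dst_wan)
    dst_wan: bool          # True: destination zone is WAN (anything non-local)
    action: str            # "allow" or "drop"


def is_wan(addr) -> bool:
    """Anything outside the two internal ranges is treated as WAN."""
    return not (addr in LAN_10 or addr in LAN_20)


def evaluate(rules, src: str, dst: str) -> Tuple[str, str]:
    """Top-to-bottom, first match wins; no match falls to the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s not in r.src:
            continue
        if r.dst_wan and not is_wan(d):
            continue
        if not r.dst_wan and (is_wan(d) or d not in r.dst):
            continue
        return r.action, r.name
    return "drop", "implicit-deny"


def thread_rules(drop_scope: IPv4Network):
    """Rule order from the thread: drop at the top, LAN-to-LAN allows, general rule last."""
    return [
        Rule("camera-no-internet", drop_scope, ANY, True, "drop"),
        Rule("camera-to-nvr", CAMERA, NVR, False, "allow"),
        Rule("nvr-to-camera", NVR, CAMERA, False, "allow"),
        Rule("general-lan-to-wan", ANY, ANY, True, "allow"),  # assumed general rule
    ]


def check(drop_scope: IPv4Network) -> dict:
    """Evaluate the flows the thread cares about plus a rogue device on a camera port."""
    rules = thread_rules(drop_scope)
    rogue = "192.168.20.50"   # assumed: laptop plugged in where a camera was
    return {
        "camera->nvr": evaluate(rules, "192.168.20.15", "192.168.10.100"),
        "nvr->camera": evaluate(rules, "192.168.10.100", "192.168.20.15"),
        "camera->internet": evaluate(rules, "192.168.20.15", "203.0.113.10"),
        "rogue->lan": evaluate(rules, rogue, "192.168.10.5"),
        "rogue->internet": evaluate(rules, rogue, "203.0.113.10"),
    }


if __name__ == "__main__":
    for scope in (CAMERA, LAN_20):
        print(f"drop rule scoped to {scope}:")
        for flow, (action, rule) in check(scope).items():
            print(f"  {flow:18} {action:5} ({rule})")
```

The model only captures rule ordering and address matching; the real XG evaluates by zone and interface as well, so treat it as a way to reason about which rule a flow lands on, not as a simulation of the product. The point it makes is that the drop rule blocks exactly the sources you list in it, so a rule written for the camera IP does not cover an unknown device on the same port.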

  • I have made some progress and now have run into an issue.

    Here is what I have done so far.


    Set up a spare port on the XG with DHCP 192.168.20.1.

    Used an existing 48 port managed switch to create a VLAN for ports on the 192.168.20.1 LAN.

    Set up a firewall rule for the 192.168.20.1 LAN so that it will drop all internet connections.

    I connected my laptop to the 192.168.20.1 LAN so I could configure the camera. I have it working and set it up with a static IP.

    The static IP is being used in 2 firewall rules. One rule for the forwarding and one for the reverse.

    Source LAN (.20.1) -> Camera IP -> destination -> LAN (.10.1) -> Forward to NVR on LAN

    Source LAN (.10.1) -> NVR -> destination -> LAN (.20.1) -> Forward to Camera IP on LAN

    My NVR does not see the camera IP.


    Does this appear to be setup correctly?

    What is the "No MASQ" required in a previous post?

  • Hi Jason,

    the NO MASQ is about you connecting to private addresses in the same internal network.

    The rules look okay, what ports did you allow in each rule?

    Have you checked the log viewer to see what packets are flowing during your connect attempts? Do you have any rules higher up the order that could affect the NVR? Try turning off your block rule and see what happens.

    Ian

  • Thanks for the response.

    I did not specify any ports.

    I turned off the block rule which did not help.

    I tried to use the NVR to find the camera on the .20 LAN by manually connecting and using the IP.

    The log viewer says that the firewall rule was allowed on rule #11 (that is one of the new ones I created).

    The In interface is Port 4, the Out interface is Port 1. I have the cameras setup on Port 1 and the original LAN on Port 4. This appears to be correct.

    The source IP is my NVR (192.168.10.100) and the Destination IP is the main LAN IP (192.168.10.1). I never see any traffic on the .20 LAN for a firewall log.

    I feel like the traffic is not making it to the .20 LAN.

  • Hi Jason,

    you do have the gateway set in the rule?

    Ian

  • Not sure which option you are referring to. The Destination/Host Network refers to the port # and gateway IP on both rules. (Port 4 -192.168.10.1 & Port 1 - 192.168.20.1)

  • Hi Jason,

    the rule looks a bit like this, source LAN -> NVR IP, destination LAN -> Camera IP -> any (service) -> log -> gateway IP of NVR network if you want the NVR to be the only device that talks to the camera.

    The alternate rule is source LAN -> Camera IP, destination LAN -> NVR IP -> any (service) -> log -> gateway IP of the Camera network.

    Ian