Who knows networking? How can I keep my new NVR septate from personal network?

Joined
Jul 20, 2016
Messages
26
Reaction score
2
I'd like to keep my new NVR and camera separate from my personal network. It's not a concern for speed, it's just to keep my personal network safe from malware or other attacks. How is this accomplished? Are there ways to partition off my router? Thanks
 

tomw

Getting the hang of it
Joined
Nov 30, 2015
Messages
114
Reaction score
22
Yes. This is easily doable...but, you'll need a router/firewall (and switch if you use vlans) that is capable of it.

I ran something like this on a DD-WRT wrt54G where I physically segregated the ports (with some command line magic) then went to a pfsense implementation where I segregate using vlans (much easier).

What router and switch do you have? Do they both support vlans?
 
Joined
Jul 20, 2016
Messages
26
Reaction score
2
Yes. This is easily doable...but, you'll need a router/firewall (and switch if you use vlans) that is capable of it.

I ran something like this on a DD-WRT wrt54G where I physically segregated the ports (with some command line magic) then went to a pfsense implementation where I segregate using vlans (much easier).

What router and switch do you have? Do they both support vlans?
I have an Asus ac68u. I don't have a switch. What switch do you mean?
 
Joined
Jul 20, 2016
Messages
26
Reaction score
2
Yes. This is easily doable...but, you'll need a router/firewall (and switch if you use vlans) that is capable of it.

I ran something like this on a DD-WRT wrt54G where I physically segregated the ports (with some command line magic) then went to a pfsense implementation where I segregate using vlans (much easier).

What router and switch do you have? Do they both support vlans?
I did a little more reading. My router is running merlin custom firmware. Turns out that I'll need to flash tomato to get vlan functionality. I can then dedicate one LAN port as a vlan (I think) this will be the one I use to connect my NVR. I saw smart switch mentioned, is this the switch you're referencing? I don't think I need one, but I don't fully comprehend most of the projects I undertake. Lol. Please correct me where needed. :)
 

Akoya

n3wb
Joined
Jul 9, 2016
Messages
5
Reaction score
1
Agree this can be done with vlans on routers, I personally run pfsense, but I think ddwrt is capable too. I have heard great things about the new Ubiquiti router though which I think for the money, is the single best solution for network isolation in a home setting, and there is room for another vlan for internet of things devices. I have not purchased this and have no first hand experience, I am very close to buying it though. :)

Ubiquiti EdgeRouter X Advanced Gigabit Ethernet Routers ER-X 256MB Storage 5 Gigabit RJ45 ports

[h=1]https://www.amazon.com/Ubiquiti-EdgeRouter-Advanced-Gigabit-Ethernet/dp/B00YFJT29C/ref=sr_1_1?ie=UTF8&qid=1469406532&sr=8-1&keywords=edge+router[/h]
 
As an Amazon Associate IPCamTalk earns from qualifying purchases.
Joined
Jul 20, 2016
Messages
26
Reaction score
2
Agree this can be done with vlans on routers, I personally run pfsense, but I think ddwrt is capable too. I have heard great things about the new Ubiquiti router though which I think for the money, is the single best solution for network isolation in a home setting, and there is room for another vlan for internet of things devices. I have not purchased this and have no first hand experience, I am very close to buying it though. :)

Ubiquiti EdgeRouter X Advanced Gigabit Ethernet Routers ER-X 256MB Storage 5 Gigabit RJ45 ports

[h=1]https://www.amazon.com/Ubiquiti-EdgeRouter-Advanced-Gigabit-Ethernet/dp/B00YFJT29C/ref=sr_1_1?ie=UTF8&qid=1469406532&sr=8-1&keywords=edge+router&tag=ipctk-20[/h]
That is pretty nice. Affordable too. If I had a more robust network I think I'd grab something like that, but my 4 channel NVR with 1 cam will do fine on a vlan on my existing router, I think. I'll look into that other firmware you mentioned too. I've always heard of ddwrt so I could look into how that compares to tomato. Thanks for all the help :)
 
As an Amazon Associate IPCamTalk earns from qualifying purchases.

Akoya

n3wb
Joined
Jul 9, 2016
Messages
5
Reaction score
1
On second thought, just adding any old router to your current setup would allow you the isolation you are after. Any additional router within your network could be asigned its own subnet, and I don't think you need gigabit for cameras just yet...
 

jdougal

n3wb
Joined
Jul 24, 2016
Messages
26
Reaction score
0
What are the best common practices as far as setting up your IP network? I would like to keep it secure, however I would also like the convenience of using apps like TinyCam when away.

I currently have a wired network with 3 of 4 ports filled on my router (Asus RT-ac56u). My basement is also wired into a 8 port switch, which is then fed into one of the ports in the router. Is it even possible to secure my NVR and have it connected to the router for internet feeds?
 
Joined
Jul 20, 2016
Messages
26
Reaction score
2
What are the best common practices as far as setting up your IP network? I would like to keep it secure, however I would also like the convenience of using apps like TinyCam when away.

I currently have a wired network with 3 of 4 ports filled on my router (Asus RT-ac56u). My basement is also wired into a 8 port switch, which is then fed into one of the ports in the router. Is it even possible to secure my NVR and have it connected to the router for internet feeds?
Im pretty sure you can set up a vlan and then create a VPN that is accessible from outside the network with ip cam apps. I have a very rudimentary understanding of all of this and am learning as I go, so don't take my word for it.
 

tomw

Getting the hang of it
Joined
Nov 30, 2015
Messages
114
Reaction score
22
What I would do (and have done) is:
1: Run separate vlans for Cam lan and home lan (though home lan does not need to be a vlan)
2: Set firewall rule(s) that blocks Cam vlan from accessing the home lan and only allows it to connect to the internet
3: Set firewall rule that allows homeLan to access Cam lan (and internet) allows people on the home lan to access the cams.
4: Setup a VPN that enables you to connect into your home lan from the internet so you can access the cams as if you were at home.

Profit.

Others will have other solutions.
 
Joined
Jul 20, 2016
Messages
26
Reaction score
2
What I would do (and have done) is:
1: Run separate vlans for Cam lan and home lan (though home lan does not need to be a vlan)
2: Set firewall rule(s) that blocks Cam vlan from accessing the home lan and only allows it to connect to the internet
3: Set firewall rule that allows homeLan to access Cam lan (and internet) allows people on the home lan to access the cams.
4: Setup a VPN that enables you to connect into your home lan from the internet so you can access the cams as if you were at home.

Profit.

Others will have other solutions.
Thanks x1000000. No one has laid it out this thoroughly yet this simply to understand. I have even asked on networking forums. Most people assume that other people already know networking, which I don't. Thank you!
 

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
172
Reaction score
36
What I would do (and have done) is:
1: Run separate vlans for Cam lan and home lan (though home lan does not need to be a vlan)
2: Set firewall rule(s) that blocks Cam vlan from accessing the home lan and only allows it to connect to the internet
3: Set firewall rule that allows homeLan to access Cam lan (and internet) allows people on the home lan to access the cams.
4: Setup a VPN that enables you to connect into your home lan from the internet so you can access the cams as if you were at home.

Profit.

Others will have other solutions.
This is exactly what I was thinking of doing in my setup. Thanks for laying it iut so nicely. Now just need to figure out if my Asus ac68u can do this!

Did anyone ever figure out if this works on the Asus router

Sent from my SM-G935F using Tapatalk
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
2: Set firewall rule(s) that blocks Cam vlan from accessing the home lan and only allows it to connect to the internet.
I would actually block the cams from accessing the internet as well. No need for it if you have VPN and more secure.
 

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
172
Reaction score
36
I would actually block the cams from accessing the internet as well. No need for it if you have VPN and more secure.
My nvr would be on the same cam LAN so I would still want to open one port forward so I can use the mobile app without having to setup vpn on mobile but yeah disable all cams from accessing Internet

Sent from my SM-G935F using Tapatalk
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
My nvr would be on the same cam LAN so I would still want to open one port forward so I can use the mobile app without having to setup vpn on mobile but yeah disable all cams from accessing Internet

Sent from my SM-G935F using Tapatalk
I would also block the NVR from the internet and use a VPN to securely connect and view cams from phone.

It's really not that hard....
VPN Primer for Noobs
 

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
172
Reaction score
36
I would also block the NVR from the internet and use a VPN to securely connect and view cams from phone.

It's really not that hard....
VPN Primer for Noobs
Well it depends on your interest speeds and router power. Last time I tried openvpn it was soo dog slow I couldn't even stream a low bit rate Mp3 so I doubt video would have ever had worked. Not tried it on my new router but worth a shot.

Sent from my SM-G935F using Tapatalk
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
Not sure how much the router plays into it, but I would think any router in the past 5 years or so would work fine.
I think upload internet speed is the biggest consideration. I've got 1Mbps upload and it's slow. But definitely not unusable. I stream music from my NAS all the time. And have no issues with the camera feeds.
 
Joined
Feb 27, 2017
Messages
16
Reaction score
2
What I would do (and have done) is:
1: Run separate vlans for Cam lan and home lan (though home lan does not need to be a vlan)
2: Set firewall rule(s) that blocks Cam vlan from accessing the home lan and only allows it to connect to the internet
3: Set firewall rule that allows homeLan to access Cam lan (and internet) allows people on the home lan to access the cams.
4: Setup a VPN that enables you to connect into your home lan from the internet so you can access the cams as if you were at home.

Profit.

Others will have other solutions.
I just got my pfSense box setup and plan on doing something similar... now to just figure out how the hell to do all this. I was thinking about just putting the Cam + Blue Irish PC on it's own interface and subnet, but this should be easier.

Did you use pfSense to complete this? If so, do you have a recommended step by step?
 

Jagradang

Getting the hang of it
Joined
Aug 10, 2017
Messages
172
Reaction score
36
Does the phone get very hot when using vpn and streaming cameras? That'll be Quite a big trade off if you have to use low res settings?

Sent from my SM-G935F using Tapatalk
 

ztm

n3wb
Joined
Jun 23, 2017
Messages
24
Reaction score
6
Location
Hungary
I'd like to keep my new NVR and camera separate from my personal network.
If your NVR has built-in PoE ports than it's done. Use them. It's the simplest solution.
If not put another router (and switch if needed) after your recent one. But this solution was mentioned by Akoya as well. Let say your LAN is now 192.168.0.xxx. The new router and NVR and IP cams will be in 192.168.1.xxx. Plug your NVR and cams onto this network. And all your CCTV traffic is separated from your current network. Of course some port forwarding must be done to get it working.
 
Top