Ubiquiti EdgeRouter X - Configuring to Isolate Surveillance Networks

windguy

@guykuo - How are things going at your medical facility?
Don't forget, you have to stay healthy so you can help me with my ER-X setup when I'm ready. Okay?
Your PPE creation was brilliant. Job well done. Hopefully someone is making use of that.
Be safe!

guykuo

People are nervous, but coping well. Use of protective gear is increasing, but limited availability means lower risk situations get lesser equipment. At least, the death rate seems to be slowing in WA as NY and NJ outstrip our case count. It's quite surreal at work. Basically treating every single patient as if they have COVID-19 because our procedures routinely generate dangerous aerosols. Have to evacuate the operating room before we do our thing.

Maybe you should go ahead before something happens to me. Most likely I'll live (for a while yet).

windguy

Thanks for the update. Hope you have enough supplies to properly do your work. It would be scary otherwise.
Hopefully your case load is greatly reduced with people in isolation.
Ha, if I ran out now and got an ER-X that would be bad karma for you. I'll wait. I've got a good feeling about your longevity. :thumb:

TheE

I read this thread again, and now have a couple more questions if you do not mind, @guykuo.

1. Will the pre-configured file and OpenVPN configurations you provided work on an EdgeRouter 4?

2. With the setup you provided, will I need to buy more Ubiquiti APs and another POE switch just for my wireless IoT? Or can I use my current APs for an IoT VLAN?

Thanks again in advance for your help!

guykuo

I do not know whether they would work with EdgeRouter 4.

No, you can use your existing APs. Does not have to be a Ubiquiti AP.

TheE

I do not know whether they would work with EdgeRouter 4.

No, you can use your existing APs. Does not have to be a Ubiquiti AP.

Thank you. And stay safe.

Fiddelm3742

I'm just getting started building my network and camera solution. I started out thinking that I could get something similarly set up with my current router equipment that I have. Not the case (I must have been thinking of an older router that I had w/ DD-WRT installed on it). Thankfully I saw this thread, read through it, and my mind was made up that I definitely needed to snag one of these highly functional little routers.
Absolutely excellent write-up @guykuo. This documentation as well as the explanations are absolutely fantastic!
Long story short, I picked one up and got everything rolling on it in under an hour. Then I thought, well, I should probably play around and tweak things to my liking. I was attempting to change the subnets from 192.168.91, .92, .93, etc. to the more common 192.168.1, .2, .3, .4, etc. That's when trouble hit.
First I just changed the subnets from the dashboard page for each interface (well, I started with just changing .91 to .1 first). I'm pretty sure I then locked myself out. So I reapplied the config and started fresh. This time I thought, OK, I'll do one of the other subnets so I can still access the router, and changed the subnet of eth4 to .94 and then disabled the .94 DHCP server and created a new one for 192.168.4. Again no dice. Once I rebooted and plugged into port 4 I could no longer access anything.
Guess I should just leave things alone ;) I was able to undo those changes and get back to a functional state. I guess I was hoping that when I made a simple change to the subnet that an interface used (eth1) that those changes would just trickle down to any other settings or rules that also used that interface/subnet. Guess not :)

guykuo

If you really must change the IP range for your main network, you must do so while connected to the main LAN (Eth1). The other sub LANs are not permitted to access the router configuration page. Remember, those are limited intentionally.

Change the IP range on the main router page. You will lose connection until you manually set your computer to an address in the new IP range.
DHCP won't work until you also change the DHCP server range in the services tab.

I think you will also do some work with the VPN address ranges, but I'd have to dig into my router to check.

Fiddelm3742

If you really must change the IP range for your main network, you must do so while connected to the main LAN (Eth1). The other sub LANs are not permitted to access the router configuration page. Remember, those are limited intentionally.

Change the IP range on the main router page. You will lose connection until you manually set your computer to an address in the new IP range.
DHCP won't work until you also change the DHCP server range in the services tab.

I think you will also do some work with the VPN address ranges, but I'd have to dig into my router to check.
That would explain why I couldn't start with the eth4 range and DHCP server and why I couldn't get back in after changing the eth1 range. (Didn't manually set my up.) I'll play around with it. And don't get me wrong, I don't have to change it, just figured why not give 'er a whirl and see if I can make it work/learn something.

abyq

If I want to use an NVR, the camera should be connected to the NVR LAN. Does it mean I should buy an NVR with a built-in switch? Why can't I plug it directly into the same switch together with the camera?

catcamstar

If I want to use an NVR, the camera should be connected to the NVR LAN. Does it mean I should buy an NVR with a built-in switch? Why can't I plug it directly into the same switch together with the camera?
If you buy an NVR with a "built-in switch", I assume you mean a POE model? Then your cameras are out-of-the-box "isolated" in their proper LAN (e.g. 10.x.x.x). However, the NVR does "magic" tricks so you can connect inbound to these cameras (temporary port forward to 10080 for Dahua, for example), so it's unsafe to assume all outbound traffic is blocked out-of-the-box. So putting the LAN port of the NVR in a VLAN is the most secure you can get. If you buy an NVR without POE ports, you indeed simply deploy your cameras in that "cam-vlan", all together with your NVR itself, and configure all those to work together (e.g. in 192.168.x.x).

Hope this helps!
CC

abyq

If you buy an NVR with a "built-in switch", I assume you mean a POE model? Then your cameras are out-of-the-box "isolated" in their proper LAN (e.g. 10.x.x.x). However, the NVR does "magic" tricks so you can connect inbound to these cameras (temporary port forward to 10080 for Dahua, for example), so it's unsafe to assume all outbound traffic is blocked out-of-the-box. So putting the LAN port of the NVR in a VLAN is the most secure you can get. If you buy an NVR without POE ports, you indeed simply deploy your cameras in that "cam-vlan", all together with your NVR itself, and configure all those to work together (e.g. in 192.168.x.x).

Hope this helps!
CC
Thanks for the explanation. I guess I will choose an NVR with a separate POE switch, since I already set up WireGuard in the router so I can easily access both the NVR and the camera.

Another question:

1. In the OP configuration, there is
  • Hairpin NAT >> eth1 and eth2: what is the explanation for only these two network interfaces having hairpin NAT?
  • mDNS >> eth1 and eth2: again, same as with hairpin NAT, why only two network interfaces?

guykuo

LANs 3 and 4 are limited networks and I typically don't let those devices do much beyond their local duties.

You could add more rules to give them additional functionality, but I didn't for simplicity's sake.

saltwater

Assuming the network setup is as per this tutorial, I understand the four LAN IP addresses are
Code:
192.168.91.*,
192.168.92.*
192.168.93.*
192.168.94.*
Ok, now for my silly question. If purchasing a new Dahua camera, the default Cam IP is 192.168.1.108 (from memory), can that still be accessed via the browser in order to change the IP?

guykuo

Simply connect your computer and the camera to your POE switch. Set your computer manually to an address in the 192.168.1.x range.
Point your browser at 192.168.1.108 and do your configuration work (which would include shifting its address to one in your camera IP range).

abyq

LANs 3 and 4 are limited networks and I typically don't let those devices do much beyond their local duties.

You could add more rules to give them additional functionality, but I didn't for simplicity's sake.
Is it fine if I uncheck the eth2 port from hairpin and mDNS?

guykuo

Is it fine if I uncheck the eth2 port from hairpin and mDNS?

You will lose the ability to use DynDNS names to reference devices in your LAN.
Yes, if you are OK with always using IP numbers from inside your LAN.

You will also lose DNS lookup for all devices on LAN2.

Just try it and see what breaks.

abyq

Is it fine if I uncheck the eth2 port from hairpin and mDNS?

You will lose the ability to use DynDNS names to reference devices in your LAN.
Yes, if you are OK with always using IP numbers from inside your LAN.

You will also lose DNS lookup for all devices on LAN2.

Just try it and see what breaks.
I'm trying to get push notifications (GDMSS Plus). I've created a ruleset in WAN_OUT with source camera_ip and destination port 2195, but it seems not to be working. Any idea where I should put the outbound rule for port 2195? Thank you.

catcamstar

I'm trying to get push notifications (GDMSS Plus). I've created a ruleset in WAN_OUT with source camera_ip and destination port 2195, but it seems not to be working. Any idea where I should put the outbound rule for port 2195? Thank you.
Interesting question, and why it doesn't work. There are a couple of "schools" on how to implement the firewall on an EdgeRouter: either you put it on WAN_OUT, or on the "local"_(vlan)_OUT. I opted for the latter:

Code:
        rule 40 {
            action accept
            description "Allow TCP/2195"
            destination {
                port 2195
            }
            log disable
            protocol tcp
            source {
                group {
                    network-group IPC_catcamstarvlan
                }
            }
        }
If you are unsure what is happening: enable "LOG DEFAULT" in the EdgeMAX web UI, then run "tail -f /var/log/messages", and you'll see which IP/port/destination gets "blocked".

Good luck!
CC
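An added diagnostic for the "tail -f /var/log/messages" step above (example code, not from this thread or from Ubiquiti): a small Python script that parses the [RULESET-rule-ACTION] prefix the EdgeRouter firewall logs when LOG DEFAULT is on and reports which ruleset dropped a camera's outbound TCP/2195 attempt. The log lines, addresses and the ruleset name LAN3_OUT are constructed, and the exact prefix format is an assumption about EdgeOS's iptables logging.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages with LOG DEFAULT on. The prefix shape
# "[RULESET-RULE-ACTION]" is assumed; addresses, ports and LAN3_OUT are made up.
SAMPLE_LOG = """\
Apr 26 10:01:02 ubnt kernel: [WAN_OUT-default-D]IN=eth3 OUT=eth0 SRC=192.168.93.10 DST=203.0.113.5 LEN=60 TTL=63 ID=4242 DF PROTO=TCP SPT=51000 DPT=2195 SYN URGP=0
Apr 26 10:01:03 ubnt kernel: [LAN3_OUT-40-A]IN=eth3 OUT=eth0 SRC=192.168.93.10 DST=203.0.113.5 LEN=60 TTL=63 ID=4243 DF PROTO=TCP SPT=51001 DPT=2195 SYN URGP=0
Apr 26 10:01:05 ubnt kernel: [LAN3_OUT-default-D]IN=eth3 OUT=eth0 SRC=192.168.93.10 DST=198.51.100.7 LEN=52 TTL=63 ID=4244 DF PROTO=TCP SPT=51002 DPT=443 SYN URGP=0
Apr 26 10:01:06 ubnt kernel: [LAN3_OUT-default-D]IN=eth3 OUT=eth0 SRC=192.168.93.11 DST=192.0.2.9 LEN=76 TTL=63 ID=4245 DF PROTO=UDP SPT=40000 DPT=123 LEN=56
Apr 26 10:02:00 ubnt sshd[123]: Accepted publickey for ubnt from 192.168.91.5
"""

PREFIX_RE = re.compile(r"\[(?P<ruleset>.+?)-(?P<rule>default|\d+)-(?P<action>[ADR])\]")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_line(line):
    """Return the firewall fields of one log line, or None for non-firewall lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    f = dict(FIELD_RE.findall(line))
    return {"ruleset": m["ruleset"], "rule": m["rule"], "action": m["action"],
            "in": f.get("IN"), "out": f.get("OUT"), "src": f.get("SRC"),
            "dst": f.get("DST"), "proto": f.get("PROTO"), "dport": f.get("DPT")}

def drops(log_text, src=None, dport=None):
    """Dropped flows, optionally narrowed to one camera IP and/or one destination port."""
    hits = []
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None or rec["action"] != "D":
            continue
        if (src is None or rec["src"] == src) and (dport is None or rec["dport"] == str(dport)):
            hits.append(rec)
    return hits

def by_ruleset(log_text):
    """Count (ruleset, rule, action) so you can see which ruleset is doing the blocking."""
    counts = Counter()
    for rec in map(parse_line, log_text.splitlines()):
        if rec is not None:
            counts[(rec["ruleset"], rec["rule"], rec["action"])] += 1
    return counts

if __name__ == "__main__":
    for r in drops(SAMPLE_LOG, src="192.168.93.10", dport=2195):
        print(f"{r['ruleset']} rule {r['rule']} dropped {r['proto']} {r['src']} -> {r['dst']}:{r['dport']} ({r['in']} -> {r['out']})")
    for key, n in sorted(by_ruleset(SAMPLE_LOG).items()):
        print(key, n)
```

If the drop shows up under WAN_OUT-default rather than the LAN-side ruleset, the accept rule has to live in WAN_OUT, which is exactly the difference between the two "schools" described above.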

abyq

Interesting question, and why it doesn't work. There are a couple of "schools" on how to implement the firewall on an EdgeRouter: either you put it on WAN_OUT, or on the "local"_(vlan)_OUT. I opted for the latter:

Code:
        rule 40 {
            action accept
            description "Allow TCP/2195"
            destination {
                port 2195
            }
            log disable
            protocol tcp
            source {
                group {
                    network-group IPC_catcamstarvlan
                }
            }
        }
If you are unsure what is happening: enable "LOG DEFAULT" in the EdgeMAX web UI, then run "tail -f /var/log/messages", and you'll see which IP/port/destination gets "blocked".

Good luck!
CC
I've tried this and it still seems not to be working. From the app's side, it's working if all the OP rulesets are disabled. I guess I should try again with a different ruleset.