NVR, PoE Switch and isolation

KingDamjan

n3wb
Joined
Mar 27, 2017
Messages
8
Reaction score
0
Hi all,

I was searching the forum but did not find an answer to my question; maybe I used the wrong search queries. Point me to the right topic, thanks.

My case: I am playing with a Dahua NVR2108HS-8P-S2 with a built-in PoE switch. It has a nice feature where the switch has its own LAN subnet for cameras and the NVR has an IP from my main LAN subnet, which is also connected to the internet. That way I can access the NVR, but the cameras are isolated.

My question: how do I achieve the same behavior with an NVR without a built-in switch, using a standalone PoE switch? Based on my research so far the answer is in managed switches, but I did not find an exact answer/sample.

Thank you for help/answers.

Regards,
Damjan
 

Fastb

Known around here
Joined
Feb 9, 2016
Messages
1,342
Reaction score
934
Location
Seattle, Wa
KingDamjan,

Welcome to the forum!

> Dahua NVR2108HS-8P-S2 with built-in PoE switch. It has nice feature, where switch has own LAN subnet for cameras and NVR has IP from my main LAN subnet which is also connected to internet. In such way i can access NVR, but cameras are isolated.
Some consider the "isolated cameras" a disadvantage. Why? Some cam features can't be configured through the NVR. Instead, you need to be connected to the camera. An NVR with internal POE isolates the cam - a headache when you need to reach the cam.

I'm not sure why isolated cams are preferred.
- so they're not exposed to the internet?
- so someone on your home lan can't reach them? (but they can reach the NVR?)

You can achieve "isolation" in other ways. If someone on your home lan wants to view video from a cam, they need the u/n and p/w.

> the answer is in managed switches
Managed switches provide more ability, but are trickier to set up than an unmanaged switch.

Here are some links on how switches are set up between NVR and cams.

Setting up HIKVISION NVR to IPCamera over LAN
Dahua NVR5216-4KS2 / NVR5216-16P-4KS2
 

spinrut

n3wb
Joined
Aug 13, 2015
Messages
15
Reaction score
2
What are you trying to accomplish with camera isolation?

You can block the cameras from the internet by blocking rules on your router/firewall while still allowing access to them internally.

For what you've described you would probably want to use VLANs. Does the NVR have multiple NICs or support VLAN? The NVR would need to sit on both isolated and non-isolated VLANs.
 

KingDamjan

@Fastb
Thank you for the greeting.
I see no problem reaching the cameras directly - I just connected a cable from an empty PoE port on the NVR to my laptop, set the laptop's NIC to a proper IP, and I can access every camera directly.
Why isolation? I like to keep stuff on my network separated, in the place where it belongs - if some device has no business with another, why allow (and expose) communication between them? I also do not like this: network cables hang around the building from the walls to the cameras; someone can exploit them and connect other devices to them.

@spinrut
I saw discussions about VLANs but no guide on how to do it - do you set them up on the switch, the router, ...? If you have a link to some article or guide I will be grateful.
Yes, the NVR in my case (NVR2108HS-8P-S2) has 8 PoE holes and one additional hole to connect it to another network device (switch, router). I cannot tell what is inside, but my guess is that on the hardware side there must be two NICs inside: one for working with the cameras on the switch, and the other for connecting to another network device (switch, router). And that is what I want to know: how to achieve the same thing with an NVR without a built-in switch and an external switch - having the cameras on that switch with their own subnet, and the NVR working with the cameras while being accessible from another network (subnet).
 

Fastb

KingDamjan,

I understand a little better now.

In my home system, I don't have an NVR with internal POE. NVR has one ethernet port.
NVR --> unmanaged POE switch (with cams connected) --> router (for my cam subnet) ---> my home switch --> cable modem (comcast internet).
The home switch is connected to both subnets. The two subnets can't talk to each other, based on the different ip address and ip addr masks of the two subnets.
People on my home lan or the internet can't reach the cams using ip protocol. (For other protocols, I believe I have all ports closed, e.g. telnet, UDP, etc.)

I'm not an IT guy, so my explanation is clumsy. My point is, it is very possible to isolate your cam subnet from main subnet. One reason I did it was to keep camera traffic off the home lan, and consuming bandwidth (degrading Netflix, for example)

Fastb
 

KingDamjan

@Fastb
But in your case you also cannot access the NVR from your home LAN or the internet (in my case I need this).
In my case of a built-in switch the beauty is that you can access the NVR from the home LAN (other LAN) and the internet, but not individual cameras directly. The NVR is like a bridge between subnets. I am trying to build the same design with an NVR without a built-in switch and a standalone switch.
I agree with you about bandwidth consumption; that is also one reason I want to keep the surveillance network separated.
 

Fastb

KingDamjan,
I can reach my NVR from the internet. I'm ashamed to say, but I use port forwarding. I intend to set up VPN, but I need to reflash my Netgear router to DD-WRT. And risk not getting the home network back up quickly if problems. So I procrastinate.

I can't reach the NVR or cameras from my home lan. You're correct.
One detail I omitted is that I have a WiFi access point on the cam subnet. I bought a WiFi cam for a hard-to-reach location. I've since switched to wired (WiFi sucks for security cams)

The switch on the cam subnet is accessible, if I want a wired connection to reach the NVR or cams. Or I use WiFi to the cam subnet.

Like I said, the only connection between the two subnets is at the main router that is connected to the cable modem.

Fastb
 

KingDamjan

@Fastb
OK, now I understand your network; yes, in such a case you can access the NVR from the internet.
It seems I will also explore the approach of one router + two switches.
 

beingaware

Pulling my weight
Joined
Mar 16, 2017
Messages
217
Reaction score
179
Location
Australia
Short answer? Layer 2/3 Managed switch.
Long answer, layer 2 managed switch with Router on a Stick Configuration or Layer 3 switches that can route between VLANS while providing basic Access Control.

Way I've been doing deployments is to use a Managed Layer 3 switch with POE.
The NVR and Cameras live on their own subnet/vlan.
This VLAN/Subnet can then only be accessed by the Management VLAN on the network, with ACLs in place to block all other traffic to/from the Camera VLAN.

Usually allowing for NTP to pass through to the Server VLAN and PPTP traffic to access the NVR.

That's on the corp scale.

At home or for someone with limited IT know how?

Set the physical ports that connect to the cameras and NVR to one VLAN, then the rest of your network to the other VLAN.
Any higher end SMB router will allow for VLAN assignment per port.
Run 2 network cables to the router, one to the main part of your network and another to the VLAN Port connected to the Camera Network.
Set firewall rules to block all traffic going to/from Camera VLAN to the Internet.
Allow access to the NVR via a VPN.
Allow access to the Cameras/NVR from your main network.
Then set static routes within your router between each VLAN subnet.

Hopefully that gives you a better idea of how to go about it.
 

KingDamjan

@beingaware
Thank you for your explanation.

I want to know more about static routes - if they enable communication between two VLANs/subnets, do they not kill the idea of having two subnets to prevent communication between devices? But it is true that I need to get from the main LAN to the surveillance LAN somehow to access the NVR.

My router is a MikroTik RB2011UiAS-2HnD; it has tons of options. I found VLAN and Routing (here I think the static routes need to be), but I am not sure yet if I can make a VPN.

UPDATE: I also found 'VPN' in my router; it is under the PPP section. There is no VPN label, so I found it after checking a tutorial on VPNs on MikroTik.
 

beingaware

Ahahaha the MikroTik's are amazing but overly complicated beasts.
:)

Let's say VLAN1 is assigned to Port 1 of your router and VLAN2 is assigned to port 2 of your router.
Let's assume the IP range for VLAN1 is 192.168.1.xxx with the router at 192.168.1.254
VLAN2 is 192.168.2.xxx with the router's IP set to 192.168.2.254

Now on your managed switch, you set all the IP camera ports, the NVR port and the cable running to port 2 on the router to VLAN2
Then everything else in the network goes to VLAN1.
Or if you have 2 unmanaged switches, connect all the camera gear and NVR to one switch and connect that to Port 2 of the router.

Tell the router VLAN1 is at Port1 and VLAN2 is at port2.

Now in the router you want to set a static route so it knows where to send the traffic to.
Some routers are smart enough to figure that out on their own but with some it may need a helping hand.

So the static route would be as follows:
192.168.1.0 255.255.255.0 192.168.2.254
192.168.2.0 255.255.255.0 192.168.1.254

Remember to set the firewall rules to allow traffic between the two VLANs at first, then you can dial in the security Policies.
 

KingDamjan

> Ahahaha the MikroTik's are amazing but overly complicated beasts.

Hahahaha, could not agree with you more; when I got this MikroTik, I did not sleep for three nights :D

Thank you for your explanations, I understand the VLAN idea now. Now I need to clear up these static routes. For firewall rules I think I will only allow access to the NVR from VLAN1 (main LAN) to VLAN2 (surveillance).
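
An added example (not code from the thread or from MikroTik) that models the policy discussed above: the routes give the two subnets a path to each other, and first-match firewall rules decide which new connections actually pass. The NVR address 192.168.2.10, the host addresses and the rule format are assumptions.

```python
import ipaddress as ip

# Constructed addressing that follows the thread's example subnets.
MAIN_LAN = ip.ip_network("192.168.1.0/24")   # VLAN1, main LAN
CAM_LAN = ip.ip_network("192.168.2.0/24")    # VLAN2, cameras + NVR
NVR = ip.ip_network("192.168.2.10/32")       # assumed NVR address
ANY = ip.ip_network("0.0.0.0/0")

# Forward rules for NEW connections, first match wins. Replies to accepted
# connections are assumed to pass via the router's connection tracking.
RULES = [
    (MAIN_LAN, NVR, "accept"),   # main LAN may reach the NVR only
    (ANY, CAM_LAN, "drop"),      # nothing else enters the camera VLAN
    (CAM_LAN, ANY, "drop"),      # camera VLAN starts nothing outbound
    (MAIN_LAN, ANY, "accept"),   # main LAN keeps its internet access
]

def decide(src, dst, rules=RULES):
    """Return 'accept', 'drop', or 'switched' for a new connection."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    # Same-subnet traffic is delivered by the switch and never reaches the
    # router, so no router rule can filter it.
    if any(s in net and d in net for net in (MAIN_LAN, CAM_LAN)):
        return "switched"
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return "drop"  # default deny

# Constructed flows: (description, source, destination).
FLOWS = [
    ("laptop -> NVR", "192.168.1.50", "192.168.2.10"),
    ("laptop -> camera", "192.168.1.50", "192.168.2.21"),
    ("camera -> internet", "192.168.2.21", "203.0.113.7"),
    ("internet -> NVR", "203.0.113.7", "192.168.2.10"),
    ("camera -> NVR", "192.168.2.21", "192.168.2.10"),
    ("laptop -> internet", "192.168.1.50", "203.0.113.7"),
]

def audit(rules=RULES):
    """Evaluate every constructed flow against the given rule list."""
    return {name: decide(src, dst, rules) for name, src, dst in FLOWS}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:20} {verdict}")
```

The `switched` verdict marks traffic the router never sees; restricting it needs controls on the switch itself.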
 

beingaware

Download Winbox, should help you a bit with configuration.

MikroTik
 

magonicola

n3wb
Joined
Jun 8, 2017
Messages
1
Reaction score
0
Hi all and thank you in advance for your help.
I have a DAHUA NVR 2108HS-8P-S2 with built-in POE switch, and 8 Foscam IPCAMERA Onvif FI9901EP.
Because it is not possible to have motion detection directly on the NVR, I want my IP cameras to go on the internet, so I want to remove the isolation of the built-in switch.
I attach 2 images that explain the situation.
Is it possible to add a route or a gateway that tells the switch-connected devices "if you want to go outside (another network), your gateway is the uplink port of the NVR", just like a normal router/access point with LAN ports and a WAN port?
Thank you so much.
- - - -
ORIGINAL SITUATION

- - -
WORKAROUND
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
> @Fastb
> Why isolation? I like to keep stuff on my network separated on place where they belong - if some device has no business with another, why allow (and expose) communication between them?
By this logic you should not have the NVR on your primary network either...you will need a vlan to isolate it.
 

carteriii

Pulling my weight
Joined
Jan 8, 2016
Messages
146
Reaction score
156
Location
USA
I realize this is an older thread but the topic/question is exactly what I want to know. Can the switch’s isolation be disabled or reconfigured such that all cameras can be accessed outside the NVR?

I’ve seen other threads in which people talk about running BlueIris and a Dahua NVR, but I’m struggling to see how that would work without changing the default switch configuration (or having BI operate strictly internal to the NVR’s vlan). Is it possible to ignore the uplink port and simply connect another switch to one of the camera ports of the NVR, treating it much like an unmanaged switch?
 
Joined
Mar 4, 2019
Messages
18
Reaction score
1
Location
New Zealand
Does anyone have an answer for this? Is there any way I can connect one of the PoE ports to the router and configure the cameras to route any internet traffic to this PoE port?
 