Question regarding setting up Vlan

Wael

Getting the hang of it
Joined
May 9, 2019
Messages
125
Reaction score
33
Location
California
Hello friends, OK, I'm going to be setting up an NVR. I will be using a Dahua NVR5216 (non-POE) and getting a managed POE switch. The switch I will be purchasing supports Vlan and is a 16-port switch with 8 of the ports being POE. My main concern is separating the IP cam traffic from my main network, for fear of the cam traffic slowing down my network. I've also heard a lot of suggestions about security concerns in this forum. OK, so here are my thoughts/plans:

1: Connect all my 8 cameras to ports 1-8 on the switch.
2: Connect my NVR to port 9 of the switch.
3: Connect my router to port 16 of the switch.
4: Set up the Vlan so that ports 1-9 can communicate with each other, however only port 9 will communicate with port 16 (which is my router/internet).

This way the cameras will not have direct internet/router access however the NVR will.

Is this the correct way to do it? Any suggestions or corrections are welcome. Thank you!!
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Hi @Wael, no, that's not how it works. If you want to connect port 9 to both vlan "CAMS" (in which ports 1-8 reside) and vlan "LAN" (on which port 16 resides), then you require the NVR network port to be able to understand vlan TAGGING. I assume this is not the case, so it will definitely not work.

The main question you'd ask yourself: is your managed POE switch able to do level 3 routing? If yes (and I suspect not), then you'll put port 9 in the same vlan as your port 16, but you institute routing and firewall rules so that only the IP from the NVR (being in vlan LAN) can access vlan CAMS. If the switch is not able to do so, I'd suggest you add a vlan-capable router (eg Ubiquiti ER-X ($50)) to do the intra-vlan routing.

If you need more info, I can explain my setup to you in more detail.

Hope this helps!
CC
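As an added illustration (not code from either poster), here is a small Python model of 802.1Q switch port behaviour applied to the 16-port plan from the first post: it shows why a port that must carry two vlans (port 9) delivers tagged frames, so the device on it has to understand tagging. The vlan ids 10 (CAMS) and 20 (LAN) and the per-port PVIDs are assumptions.

```python
# Added example: minimal model of 802.1Q port behaviour for the plan above.
# Assumed layout: CAMS = VLAN 10 on ports 1-8, LAN = VLAN 20 on port 16,
# NVR on port 9 as a member of both VLANs.
from dataclasses import dataclass, field

@dataclass
class Port:
    pvid: int                                   # VLAN assigned to untagged frames arriving here
    untagged: set = field(default_factory=set)  # VLANs this port sends out untagged
    tagged: set = field(default_factory=set)    # VLANs this port sends out with an 802.1Q tag

    def member_of(self, vid):
        return vid in self.untagged or vid in self.tagged

def classify_ingress(port, frame_vid=None):
    """VLAN a frame is assigned on arrival (None = dropped by ingress filtering)."""
    vid = port.pvid if frame_vid is None else frame_vid
    return vid if port.member_of(vid) else None

def egress(port, vid):
    """'untagged', 'tagged', or None if the port is not a member of vid."""
    if vid in port.tagged:
        return "tagged"
    if vid in port.untagged:
        return "untagged"
    return None

def reachable(switch, src, dst, frame_vid=None, dst_speaks_dot1q=False):
    """Can a frame sent into port src be received by the device on port dst?
    A device that does not understand 802.1Q discards tagged frames."""
    vid = classify_ingress(switch[src], frame_vid)
    if vid is None:
        return False
    how = egress(switch[dst], vid)
    if how is None:
        return False
    return how == "untagged" or dst_speaks_dot1q

CAMS, LAN = 10, 20   # assumed VLAN ids

def proposed_switch():
    """Port 9 in both VLANs; ports 1-8 CAMS only; port 16 LAN only."""
    sw = {p: Port(pvid=CAMS, untagged={CAMS}) for p in range(1, 9)}
    sw[9] = Port(pvid=LAN, tagged={CAMS, LAN})   # two VLANs on one port means tagging
    sw[16] = Port(pvid=LAN, untagged={LAN})
    return sw
```

With this layout a camera's frame reaches port 9 only if the NVR accepts tagged frames, while ports 1-8 can never reach port 16 because that port is not a member of the CAMS vlan.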
 

Wael

Hello catcamstar, thank you so much for your reply. I would love more detail. However, I think I should give you more information and some results of my experimentation. I have a TP-Link 8-port managed smart switch. I connected two cams to ports 1 and 2. Then I connected a laptop to port 7 and my LAN to port 8. I then set up the Q-vlan as follows: ports 1-8 were set to Vlan ID 1 (default) and ports 7 and 8 set to Vlan ID 2.

Setting it up this way, I was able to access the cameras from port 7 (laptop). I was also able to access the internet as well as my LAN from port 7. However, when I plugged my laptop into any of ports 1-6, I was not able to access my LAN nor the internet, which I believe is exactly what I want?

I left all ports untagged in this setup.
 

catcamstar

Hi @Wael - I understand the test you are performing, however if you are not tagging the ports, how are you then able to configure ports 1 to 8 in (default) vlan 1 and ports 7 & 8 in vlan 2 - which means that 7 and 8 carry two vlans? That's (to my humble understanding) vlan tagging. So if your PC "speaks" .Q tagging, then it's OK, but to my knowledge, an NVR will not be able to do so.

Doing the test on ports 1-6 will indeed render the internet access useless. But that's only part of the equation: you do want your NVR to "serve" vlan 1, but also access vlan 2. So if the NVR isn't able to do so, you need an "external" helper.

How did I solve it?

First off, I got an NVR with POE+, which already "creates" an IPC vlan (which can luckily be accessed through a virtual host on the NVR), but my NVR is isolated in its own vlan. Vlans are, like yours, created on a managed switch, with some ports being tagged, but most are untagged. However, all "vlan management" (eg firewall rules, routing etc) is done by an Edgerouter. If you want to have your switch do it, you should be looking at a layer 3 switch. But an ER-X is more of a switching router. Pricewise it's much cheaper to do it this way, because a layer 3 switch is much more expensive. An ER-X is $50, way cheaper than any managed switch.

Hope this helps!
CC
 

Wael

OK, that's a good point about the NVR not being able to do Q tagging. I can test that out. I'll report back shortly.
 

Wael

OK, I did the experiment, and the NVR, which is connected to port 7, was able to connect to the LAN on port 8 as well as the cameras (ports 1-6). Ports 1-6 were not able to connect to the LAN directly, as anticipated. Attached are a couple of screenshots of my config. Maybe this will help you determine why it's working and if it is sufficient.
[Attached screenshots: 2019-06-08 (1).png, 2019-06-08.png]
 

catcamstar

@Wael: yes, your screenshots indeed explain why it is working: you are indeed working in the .Q section, which does mean you ARE using port tagging. Your cams (ports 1 to 6) will never be able to see the internet (as there is no routing available). So if your PC does see the cams on port 7 and can work on the internet, it means that it knows how to work with the vlan tagging. What I was describing is 2 menus above: "port based vlan". There you force a particular port into ONE vlan. Especially handy when a device cannot talk multi-vlan (eg vlan tagging on one port).

So back to my initial question: can your NVR handle this multi-vlan tagging?

If it works: your setup is OK! If it doesn't work, you may have to add (at least 1) layer 3 component - which is not the end of the world.

PS. As a general best-practice advice: do not use vlan 1 except for "management" purposes: especially when working with multiple switches, vlan 1 is used to let these switches/routers talk to each other. Just like with IP addresses and gateways, there is some advice to keep .1 as gateway and 255 as broadcast; DHCP often distributes above .100, etc. Same for vlans: keep "1" as "management", start your numbering from 10, 100, 1000. They need to be unique at least.
 

Wael

Yes catcamstar my NVR apparently is able to understand the Qlan tagging. Under the above scenario, I was able to communicate to the NVR via other PCs in my network so I assume the NVR can communicate with the internet as well.
 

catcamstar

Yes catcamstar my NVR apparently is able to understand the Qlan tagging. Under the above scenario, I was able to communicate to the NVR via other PCs in my network so I assume the NVR can communicate with the internet as well.
Then you are good to go! :) Didn't know that a 5216 could do that!
 

Wael

Thank you so much for your help. You gave me some good ideas regarding the Ubiquiti router. It looks like it has a lot of possibilities for some really cool stuff that can be done with it. Possibly separate the NVR itself from the main WAN? To allow me to open ports on the second WAN without risk of hacking into my main network. Any thoughts on that?
 

catcamstar

@Wael: that is exactly what I've done in my setup: the NVR (and all other creepy spy stuff like IPC & intercom) are in vlan 200'ish, but all my other stuff (NAS, IoT, SmartTV, ...) is in "secured" zones. The Ubiquiti is the "brain" behind all the "who can talk to what" ruling. Even within a "simple" OpenVPN scenario, I can define which device is able to speak to my cams/intercom and which ain't.

So my advice to you: if you think you can "handle" it (you might have to do some Linux command hocus pocus), then you'd love the Ubiquiti stuff!

Good luck!
CC
 

Wael

Well it sounds like maybe if I get stuck I can bounce a few questions off of you?
 