2 separate networks with one internet connection

[S_K]

Hi,
I’ve recently installed a surveillance system in an office and it works at the moment as a separate private network that relies on an HP layer3 smart switch (lan1). In order to add remote viewing I need to connect the camera network to an existing small network (lan2) that already includes an internet connection. This is my first install and my networking knowledge is very basic. I know how I should configure it if it’s all on the same network, but I would like to keep the networks separated and independent and just allow internet access for NVR remote viewing via port forwarding (unfortunately VPN is not an option at the moment). What’s the best way to configure it and how?
Thanks

These are the 2 networks:
LAN1 (192.168.1.XX/24 all static): 16 x Hikvision cameras, Hikvision NVR 7632NI-I2, HP 1920 24-PoE L3 Switch (JG926A)
LAN2 (192.168.2.XX/24): 3 x PCs and printer, 8 port switch, VDSL2 modem/router TP Link TD-W9980 (for internet access)

 

[nayr]

You just need a router that can handle the 2 subnets.. either with separate network ports for each segment, or VLAN interfaces.

Each lan will have a gateway, say 192.168.1.254 and 192.168.2.254 that are 2 separate interfaces on the router.. all traffic not on the same subnet will hit the gateway/router and that will either route it to the other subnet, or the internet.

Most of the time networks are setup like this is so you can add firewall rules to further restrict access between the subnets.. ie, only allow certain devices to communicate across subnets or just allow specific ports.. basically isolate them by default and only allow the bare minimum traffic to transit the router.

 

[S_K]

Currently lan1 works independently with the HP switch that can function as a router. If I understand correctly, I can set the tp-link router to handle both of the subnets as you have suggested. But if I do this and the tp-link router is down, lan1 will be down too with nvr not receiving the camera streams? Or will it still remain working independently (not relying on the router)?

 

[nayr]

local traffic on the same subnet does not use the router, it just goes through the switch.. the router/gateway is only sent traffic that resides outside the local subnet.

so as long as the switch is up, anything on the same subnet can communicate directly with no additional network equipment.. of course DHCP will be down but anything with an existing or static network configuration wont notice the router is down until it tries to access something outside the subnet.

 

[S_K]

Thanks, I'll try it.

 

[S_K]

I've set up a VLAN interface for the cam network on the tp link router (Network>Interface Grouping settings). So now the office network is the default group connected to port1 of the router (gateway 192.168.1.1) , and the cam network is connected to port2 (gateway 192.168.2.1) via the hp switch. There was no way to assign a VLAN # (the only place where it's possible to assign a number is in the Network>WAN setting).

Here is a simulator of the router GUI:
http://www.tp-link.com/resources/simulator/TD-W9980(UN)/index.htm

On the switch I assigned all camera ports and NVR as VLAN 20 (PVID 20), access mode and untagged. The port that connects to the router I also assigned to VLAN 20, PVID 20 but in hybrid mode (wasn't sure if it should be access or trunk mode).

I've set up port forwarding on the router using the NVR IP and ports 8000 & 554 which I changed to other numbers between 1024-6500 (both on the NVR and port forwarding settings). For protocol I chose "All" (TCP+UDP).

Testing the remote viewing via iVMS 4200 was only partially successful. The iVMS connected successfully (received all NVR and camera info) but there was no video stream from the cameras. I tried changing the RTSP port back to the default 554 (both in NVR & port forwarding setting) but it didn't have any effect.

What could be the problem? Are the setting ok or there is a need for correction or improvement?

I still haven't enabled the router's firewall or set up any rules, as I don't have any previous experience with it. I understand that first I need to deny all traffic and then make an allow rule for outband traffic. What other rules should I create to increase security? There are 4 protocol options in the firewall rules setting: All, TCP, UDP, ICMP. Should it generally be TCP and UDP is just in case of media streaming? When does ICMP needs to be selected?

Thanks!

 

[nayr]

can you access them internally from one network to another?

 

[S_K]

I haven't tried that yet and not sure how to do it, but anyway I need to install the iVMS 4200 on one of the office computers for remote viewing. What should I configure in order to access the NVR on the cam network from a PC on the office network? (different subnet and VLAN interface)

 

[nayr]

if you have no firewalls up then there should be nothing to configure.. on the office vlan can you connect to the NVR's web UI? can you ping it? Need to make sure traffic is transiting one network to the other..

make sure your NVR has the gateway configured correctly.

 

[S_K]

I don't get ping response from the NVR. But shouldn't it be like that once these are 2 different subnets and VLANs? I can only get response from the router when I ping both of the subnet gateways.

Edit:
On the router:
The office interface address is 192.168.1.1
The cams interface is 192.168.2.1 - That's the gateway address I set on the NVR

 

[nayr]

with no firewall rules preventing pings, it should act as one big happy network right now.. what do you have under Static Routes? post a screenshot.

 

[S_K]

static route is empty and the firewall is in it's default factory configuration (not enabled)

 

[nayr]

try creating 2 static routes for:
192.168.1.0/255.255.255.0 GW:192.168.1.1
192.168.2.0/255.255.255.0 GW:192.168.2.1

 

[S_K]

I get this message:
Error code: 5108
"Gateway must be in the same subnet with interface IP address. Please input another one"

 

[nayr]

did you select the proper interface from the drop down? what interfaces do you have listed? this simulator is very limited

 

[copex]

This may help, Inter vlan routing

http://whp-hou4.cold.extweb.hp.com/pub/networking/software/ProCurve-SR-InterVLAN-Config-Guide.pdf
https://vmfocus.com/2012/09/26/how-to-configure-layer-3-static-routes-vlans-on-hp-v1910-24g/

 

[S_K]

the options for interface are:
pppoe_ptm_0_0_d
LAN

I tried LAN but then also the pppoe

 

[nayr]

I would expect you to have more than one lan device there, are you using more than 1 router or is your TP Link the gateway for both networks?

 

[S_K]

Yes, it's the gateway for both networks. But for the cam network only the NVR needs internet access (the gateway on NVR is set to 192.168.2.1)
The hp poe switch is layer3

 

[S_K]

Could it be the VLAN of the PoE switch that prevents communication b/w the subnets? Maybe I need to cancel the VLAN or set static route on the switch?