Building separate networks for home use

ibdone

n3wb
Joined
Mar 14, 2020
Messages
4
Reaction score
0
Location
Nebraska
Hi, I’ve done several IPCtalk searches, Google searches, YouTube searches and read the wiki on network setups with no direct answer for my particular basic-user level questions. (VLANs, Virtual Machines, Windows servers, and enterprise-level equipment aren't realistic for my home surveillance system.) I recently purchased a Dahua NVR with a couple starlight cams from Andy. Great guy to work with!

For protection, I am separating my main home network from my local home surveillance network using 2 different/separate wireless routers (programmed to different subnets) while using the same internet modem connection line out. My thought design is simple: plug the home network into port #1 of the internet modem and plug the cam net into port #2 on the same internet modem for future WAN connectivity. To locally view the cam network I simply connect to the corresponding wireless router (SSID: homeNet vs. SSID: camNet). Is this the best practice for keeping these networks isolated or am I missing something?

As for remote viewing I haven’t quite figured out what the best road to take is just yet. My ‘cam router’ does have VPN capabilities built-in but I’ll cross that bridge when I get the local separation/security part nailed down.

Any/all advice is greatly appreciated…
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Hello @ibdone! Welcome to IPCT!

You are asking the right questions! However, the answer depends a bit on how you actually connect "two" routers (with two different subnets) to one single ISP WAN_OUT. Can you please draw your schematics with associated subnets?

There are multiple options possible:
  • if your ISP allows multiple WAN IP addresses (like my ISP does): you simply put a single switch after the ISP UTP, and you hook your two (wifi) routers in parallel on that switch. Both receive a unique WAN IP and it is like you have two different households. VPN to the Cam Router is like being "abroad" but still in the house. This keeps your network crisp and clean, secured and isolated. This would be my simplest and cheapest solution.
  • if you only get 1 single WAN IP address, you have to start with one main (wifi) router. Independently of whether (or not) you work with a different subnet in the downwards chained router, there is always a "route" defined between the downstream subnet towards the upstream subnet. What does that mean (hence my question for the drawing): ISP - Subnet1 - Subnet2: Subnet 2 can reach Subnet 1 (like your pc can always join the internet services), yet subnet 1 can never reach subnet 2 (unless a VPN service is enabled). Which means one should put your cameras in the "less secure" zone (being subnet 1), hence these cams can never reach your NAS etc. Which means your pc/mobile (residing in subnet 2) can always reach the cams (in subnet 1), OR, when you are out of the house, through the VPN service running on router 1 (to reach subnet 1). The complex stuff you'll run into here is when you want to reach also towards your NAS (which resides in subnet 2); then you have to hocus pocus with additional firewall rules/routings. Because you are working with "home" routers, you are a bit limited in capabilities. Not my preferred nor advised way.
  • if you can "miss" 50$, I'd go for a (simple) Edgerouter X (there is a tutorial somewhere on this forum), where you terminate your ISP WAN port onto. Configuring vlans takes like 10 minutes (with the scripts in the tutorial), and you have much more flexibility in configuring access "FROM" and "TO" certain devices.
  • ...

Hope this helps a bit!
CC
 

ibdone

Wow, thank you much, catcamstar! This will help immensely. Will call my ISP tomorrow to ask if they allow multiple WAN IP addresses. That route seems to be the easiest but probably not that lucky (small town Nebraska, Centurylink DSL service). I created a cheap-o visual probably more for your entertainment than it'll provide help/insight. :) I am certainly willing to part with $50 - $150 extra just to make this right so option #3 is definitely in the cards. Hopefully you've answered my questions with one simple post - which is fantastic, thank you again! ibd
 


catcamstar

Hi @ibdone,

All depends on whether (or not) your ISP "modem" is configured as a "modem", "bridge" or "router". Typically, a "real" modem only has WAN IN and one LAN OUT, and "bridges" the WAN IP address to your "inside" network where a router takes over. If there is more than one LAN OUT, then you are probably facing a "router", which means that the modem not only connects to the WAN, but also NAT-translates that WAN IP into LAN IPs (eg 192.168.x.x). That was my fourth bullet in my list above: it does not really match the "two WAN IPs from the ISP", however you can then treat the two router IPs (eg 192.168.1.100 and 192.168.1.200) as "pseudo-WAN-IPs". What does that mean? Each router will (behind its own NAT) provide its own subnet (eg 192.168.111.x for the .100 router), however you will face an additional barrier (unlike in my first bullet) that when you want to connect from the real outside world, you might have to implement TWO OpenVPN services (one to connect through the ISP NAT towards the CamLAN-router, and one to connect through the ISP NAT towards the LanLAN-router).

A bit more "challenging", but not un-do-able.

But before opting for any diagram/solution, await your ISP's response, as we can write tons of tutorials and tips, but (as always): "it depends" ;-)

Stay safe!
CC
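The reachability rules described in the replies above (the chained "ISP - Subnet1 - Subnet2" layout and the two routers in parallel behind the ISP modem/router), as an added example that is not part of the original thread. It is a simplified model that assumes every router NATs outbound traffic and drops unsolicited inbound traffic, with no port forwards, static routes or VPN; the chained subnets and 192.168.222.0/24 are assumed values.

```python
import ipaddress

# Constructed topologies: LAN name -> (uplink LAN name or None, LAN subnet).
# CHAINED is "ISP - Subnet1 - Subnet2" from the second bullet (subnets assumed).
CHAINED = {
    "subnet1": (None, "192.168.1.0/24"),
    "subnet2": ("subnet1", "192.168.2.0/24"),
}
# PARALLEL is two routers behind the ISP modem/router. 192.168.111.0/24 is the
# thread's example; 192.168.222.0/24 is an assumed value for the second router.
PARALLEL = {
    "modem_lan": (None, "192.168.1.0/24"),
    "cam_lan": ("modem_lan", "192.168.111.0/24"),
    "home_lan": ("modem_lan", "192.168.222.0/24"),
}

def lan_of(topo, ip):
    """Return the name of the LAN containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for name, (_uplink, subnet) in topo.items():
        if addr in ipaddress.ip_network(subnet):
            return name
    return None

def can_initiate(topo, src_ip, dst_ip):
    """True if src can open a connection to dst under the NAT-only assumptions
    stated above (outbound NAT, unsolicited inbound dropped)."""
    src, dst = lan_of(topo, src_ip), lan_of(topo, dst_ip)
    if src is None:
        raise ValueError(f"{src_ip} is not on a modelled LAN")
    if dst is None:
        return True  # Internet destination: NATed out through each uplink
    node = src
    while node is not None:  # traffic only flows "up" the default route
        if node == dst:
            return True
        node = topo[node][0]
    return False

def reachable_lans(topo, src_ip):
    """LANs a host at src_ip can reach: its own LAN and everything upstream."""
    return sorted(name for name, (_uplink, net) in topo.items()
                  if can_initiate(topo, src_ip, str(ipaddress.ip_network(net)[1])))
```

In the parallel layout the two router LANs cannot reach each other, but both can reach anything plugged directly into the modem's own switch ports, so cameras and a NAS belong behind one of the routers rather than on the modem LAN.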
 

ibdone

Hello @catcamstar, as somewhat of a novice who has been out of the computer field for several years now, it's taken me a while to comprehend everything. I have not called my ISP yet; however, I have been poking around and came to the conclusion this probably won't be easy. For starters I believe you are absolutely correct in thinking my ISP modem is most likely a standard router w/ switch granting only the modem's internal local IP address. When looking at each of my wireless routers' WAN settings they both list 192.168.0.x as their 'external' WAN address. Have a peek at my latest cheap-o wiring diagram with included IP addressing. I also included a photo of my CenturyLink (Actiontec C1900A) DSL modem's back panel showing the wan-in and wan-out w/ a built in 4-port switch.

One possible good thing I noticed when fumbling around in my home wireless router's settings was a possible VLAN section? Perhaps I'm making this way too complicated and should focus on it instead of the splitting w/ separate routers? I included a screen cap of that particular section as well. Again, super appreciative of your help, sorry for the rookie questions. :)
Attachments: IMG_0073.jpeg, WAN Diagram Template - VP Online 2020-04-06 02-25-11.jpg, Screen Shot 2020-04-06 at 2.31.17 AM.png
 

catcamstar

Hello @ibdone! These pictures do help! Indeed, your ISP gear is a "simple" modem+router device which does NAT and "translates" the WAN IP to the 192.168.x.x range. However you wrote a 10.1.1.x address to your ASUS router?

The screenshots of your own router with the vlan indeed look promising! Even an EdgerouterX cannot manage vlans in the GUI ;-) That having been said: my advice would not be to combine your "dual router" strategy with vlans, however you might opt to work with 1 router and vlans. It also depends on what's behind the possibilities in the "advanced routering" tab.

It will basically come down to the "same" but with another learning curve. If you don't have managed switches downstream, you'll have to acquire them. Or you work with untagged switches, but then you'll need a physical switch for each vlan independently.

Good luck!
CC
 