Building separate networks for home use

ibdone

n3wb
Joined
Mar 14, 2020
Messages
4
Reaction score
2
Location
Nebraska
Hi, I’ve done several IPCtalk searches, Google searches, YouTube searches and read the wiki on network setups with no direct answer for my particular basic-user level questions. (VLANs, virtual machines, Windows servers, and enterprise-level equipment aren't realistic for my home surveillance system.) I recently purchased a Dahua NVR with a couple starlight cams from Andy. Great guy to work with!

For protection, I am separating my main home network from my local home surveillance network using 2 different/separate wireless routers (programmed to different subnets) while using the same internet modem connection line out. My thought design is simple: plug the home network into port #1 of the internet modem and plug the cam net into port #2 on the same internet modem for future WAN connectivity. To locally view the cam network I simply connect to the corresponding wireless router (SSID: homeNet vs. SSID: camNet). Is this the best practice for keeping these networks isolated or am I missing something?

As for remote viewing I haven’t quite figured out what the best road to take is just yet. My ‘cam router’ does have VPN capabilities built-in but I’ll cross that bridge when I get the local separation/security part nailed down.

Any/all advice is greatly appreciated…
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,656
Reaction score
1,196
Hello @ibdone! Welcome to IPCT!

You are asking the right questions! However, the answer depends a bit on how you actually connect "two" routers (with two different subnets) to one single ISP WAN_OUT. Can you please draw your schematics with associated subnets?

There are multiple options possible:
  • if your ISP allows multiple WAN IP addresses (like my ISP does): you simply put a single switch after the ISP UTP, and you hook your two (wifi) routers in parallel on that switch. Both receive a unique WAN IP and it is like you have two different households. VPN to the Cam Router is like being "abroad" but still in the house. This keeps your network crisp and clean, secured and isolated. This would be my simplest and cheapest solution.
  • if you only get 1 single WAN IP address, you have to start with one main (wifi)router. Independently of whether (or not) you work with a different subnet in the downwards chained router, there is always a "route" defined between the downstream subnet towards the upstream subnet. What does that mean (hence my question for the drawing): ISP - Subnet1 - Subnet2: Subnet 2 can reach Subnet 1 (like your pc can always join the internet services), yet subnet 1 can never reach subnet 2 (unless a VPN service is enabled). Which means one should put your cameras in the "less secure" zone (being subnet 1), hence these cams can never reach your NAS etc. Which means your pc/mobile (residing in subnet 2) can always reach the cams (in subnet 1), OR, when you are out of the house, through the VPN service running on router 1 (to reach subnet 1). The complex stuff you'll run into here is when you also want to reach towards your NAS (which resides in subnet 2); then you have to hocus pocus with additional firewall rules/routings. Because you are working with "home" routers, you are a bit limited in capabilities. Not my preferred nor advised way.
  • if you can "miss" 50$, I'd go for a (simple) Edgerouter X (there is a tutorial somewhere on this forum), where you terminate your ISP WAN port onto. Configuring vlans takes like 10 minutes (with the scripts in the tutorial), and you have much more flexibility in configuring access "FROM" and "TO" certain devices.
  • ...

Hope this helps a bit!
CC
 

ibdone

Wow, thank you much, catcamstar! This will help immensely. Will call my ISP tomorrow to ask if they allow multiple WAN IP addresses. That route seems to be the easiest but probably not that lucky (small town Nebraska, Centurylink DSL service). I created a cheap-o visual probably more for your entertainment than it'll provide help/insight. :) I am certainly willing to part with $50 - $150 extra just to make this right so option #3 is definitely in the cards. Hopefully you've answered my questions with one simple post - which is fantastic, thank you again! ibd
 


catcamstar

Hi @ibdone,

It all depends on whether (or not) your ISP "modem" is configured as a "modem", "bridge" or "router". Typically, a "real" modem only has WAN IN and one LAN OUT, and "bridges" the WAN IP address to your "inside" network where a router takes over. If there is more than one LAN OUT, then you are probably facing a "router", which means that the modem not only connects to the WAN, but also NAT-translates that WAN IP into LAN IPs (eg 192.168.x.x). That was my fourth bullet in my list above: it does not really match the "two WAN IPs from the ISP", however you can then treat the two router IPs (eg 192.168.1.100 and 192.168.1.200) as "pseudo-WAN-IPs". What does that mean? Each router will (behind its own NAT) provide its own subnet (eg 192.168.111.x for the .100 router), however you will face an additional barrier (unlike in my first bullet) that when you want to connect from the real outside world, you might have to implement TWO OpenVPN services (one to connect through the ISP NAT towards the CamLAN-router, and one to connect through the ISP NAT towards the LanLAN-router).

A bit more "challenging", but not un-do-able.

But before opting for any diagram/solution, await your ISP's response, as we can write tons of tutorials and tips, but (as always): "it depends" ;-)

Stay safe!
CC
 

ibdone

Hello @catcamstar, as somewhat of a novice who has been out of the computer field for several years now, it's taken me a while to comprehend everything. I have not called my ISP yet; however, I have been poking around and came to the conclusion this probably won't be easy. For starters I believe you are absolutely correct in thinking my ISP modem is most likely a standard router w/ switch granting only the modem's internal local IP address. When looking at each of my wireless routers' WAN settings they both list 192.168.0.x as their 'external' WAN address. Have a peek at my latest cheap-o wiring diagram with included IP addressing. I also included a photo of my CenturyLink (Actiontec C1900A) DSL modem's back panel showing the wan-in and wan-out w/ a built in 4-port switch.

One possible good thing I noticed when fumbling around in my home wireless router's settings was a possible VLAN section? Perhaps I'm making this way too complicated and should focus on it instead of the splitting w/ separate routers? I included a screen cap of that particular section as well. Again, super appreciative of your help, sorry for the rookie questions. :)
[Attachments: IMG_0073.jpeg; WAN Diagram Template - VP Online 2020-04-06 02-25-11.jpg; Screen Shot 2020-04-06 at 2.31.17 AM.png]
 

catcamstar

Hello @ibdone ! These pictures do help! Indeed, your ISP gear is a "simple" modem+router device which does NAT and "translate" WAN IP to 192.168.x.x range. However you wrote a 10.1.1.x address to your ASUS router?

The screenshots of your owned router with the VLAN indeed look promising! Even an EdgerouterX cannot manage VLANs in the GUI ;-) That having been said: my advice would not be to combine your "dual router" strategy with VLANs; however, you might opt to work with 1 router and VLANs. It also depends on what's behind the possibilities in the "advanced routing" tab.

It will basically come down to the "same" but with another learning curve. If you don't have managed switches downstream, you'll have to acquire them. Or you work with untagged switches, but then you'll need a physical switch for each VLAN independently.

Good luck!
CC
 

OhGeeNat

n3wb
Joined
Jul 2, 2024
Messages
2
Reaction score
0
Location
68057
Hey there, Fellow Woman of the Corn here.

I'm currently doing this same process, setting up a separate security network for my home and possibly a guest as well. I'm finding it to be harder than expected as I'm trying to integrate smart devices into a home with a resistant elder. Anyway. Thanks for this post. I will refer back for help and with questions along my journey.

V/R
OhGeeNat
 

tech_junkie

Getting comfortable
Joined
Sep 2, 2022
Messages
536
Reaction score
480
Location
South Dakota
Splitting WAN isn't a big deal as it's done often in certain business data solutions. The question you will have to ask the ISP is if you can run a DHCP IP with a purchased IP because some of those systems use separate DNS servers (common for PPPoE IP systems).
The signal path is simple. All you do is put an unmanaged switch between the modem and router and add routers and enter your static IP info into each router you added. Usually they lease the static IP addresses individually or in groups of four. Some ISPs might change your account type to a business account because they are not set up to bill a yearly leased IP address on a consumer account. These are the things I ran into on splitting WAN commercially on a residential connection.

The signal path is simple:
Cablemodem -> unmanaged switch -> WAN port on routers -> separate networks.
 
Joined
Mar 2, 2024
Messages
16
Reaction score
6
Location
CA
I suspect @tech_junkie was implying a setup that came to my mind first. With your image, I think the following will be easier to explain, though in reality just a re-phrasing of this

  • if you only get 1 single WAN IP address, you have to start with one main (wifi)router. Independently of whether (or not) you work with a different subnet in the downwards chained router, there is always a "route" defined between the downstream subnet towards the upstream subnet. What does that mean (hence my question for the drawing): ISP - Subnet1 - Subnet2: Subnet 2 can reach Subnet 1 (like your pc can always join the internet services), yet subnet 1 can never reach subnet 2 (unless a VPN service is enabled). Which means one should put your cameras in the "less secure" zone (being subnet 1), hence these cams can never reach your NAS etc. Which means your pc/mobile (residing in subnet 2) can always reach the cams (in subnet 1), OR, when you are out of the house, through the VPN service running on router 1 (to reach subnet 1). The complex stuff you'll run into here is when you also want to reach towards your NAS (which resides in subnet 2); then you have to hocus pocus with additional firewall rules/routings. Because you are working with "home" routers, you are a bit limited in capabilities. Not my preferred nor advised way
Which is a modified version of
1723071270333.png
In the above image, instead of the Linksys router connecting to modem, have it connect to a LAN port on the Asus router
  • this means anything on the Dahua camera network can't reach the home network (router/firewall in-between), with specific settings. BUT, the home network can reach the Dahua camera network easy-peasy (though different subnet/IP range, so certain broadcast based protocols/software dependent being on same network may not work (at least as easily... it depends).
  • The Home Network devices will have an extra hop to reach the internet, which shouldn't be an issue... but could be... I just re-did neighbors home network, and turns out a WiFi mesh network extra hop was cutting internet bandwidth in half.
  • the downside to this is multiple points of failure one has to check when troubleshooting on home LAN... not that big a deal, but something that could easily be forgotten/overlooked

Another possibility (which I'd prefer) would be a single router, if one of them has a port that is labelled or can be configured as Guest/DMZ (ie, separate network from LAN). Beware: some old Linksys claimed DMZ but didn't actually separate the networks... only stopped pings between IPs, not much else.
or even better would be the VLAN on single device, as mentioned earlier, depending on routing options

Personally, I prefer a small enterprise class switch with VLANs, and a SMB (or branch office) firewall for my home network... but that is geeking out.
And yes, I know how to get systems that don't like being on separate subnets to work together (Sonos, Roku, etc). Cameras to DVR being on same subnet makes sense... all else I'd want separate ... I'm running 7 VLANs at my house and that is before IP camera network

I have come across numerous consumer (home) routers that had a real DMZ (guest/untrusted network) capability [though I don't recall exactly which models; before my current setup I had a number of Netgear consumer routers]. Then you'd just add a cheap/simple ethernet switch for the camera network [unless cameras directly connected to NVR?]. Just food for thought. I'm all for keeping it simple, but secure (unless I'm playing and wanting to learn something new...)
and except for my front door of a 2story house that will be an absolute bear to get Ethernet to, I won't consider WiFi for any other cameras .... not secure, reliable, not worth the long-run hassle, etc. but I do realize I'm fortunate to be in a situation where running ethernet cable wherever I want is relatively easy
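
The two layouts discussed in this thread (both routers side by side on the ISP device's LAN ports, versus the home router chained behind the camera router), as an added example that is not part of any post: a small Python model of who can open a connection to whom. It assumes default consumer NAT behaviour (outbound allowed, unsolicited inbound dropped, no port forwards); all addresses and the names `Router`, `can_initiate` and `matrix` are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

class Router:
    """A consumer NAT router: one LAN subnet, a WAN address, an optional upstream router."""
    def __init__(self, name, lan, wan_ip=None, upstream=None):
        self.name, self.lan = name, ip_network(lan)
        self.wan_ip = ip_address(wan_ip) if wan_ip else None
        self.upstream = upstream  # None: the WAN side faces the internet

def can_initiate(src_router, dst_ip):
    """True if a host on src_router's LAN can open a connection to dst_ip.

    Assumption: outbound traffic is NATed and allowed, unsolicited inbound
    traffic is dropped, no port forwards or static routes exist.
    """
    dst = ip_address(dst_ip)
    hop = src_router
    while hop is not None:
        if dst in hop.lan:      # destination is on this LAN or an upstream LAN
            return True
        hop = hop.upstream
    return not dst.is_private   # past the last router only public addresses remain

def matrix(hosts):
    """hosts: {label: (router_whose_LAN_it_sits_on, ip)} -> {(src, dst): bool}."""
    return {(s, d): can_initiate(hosts[s][0], hosts[d][1])
            for s in hosts for d in hosts if s != d}

# Constructed addressing; the ISP modem+router hands out 192.168.0.x.
isp = Router("isp-modem-router", "192.168.0.0/24")

# Layout A: both routers plugged into LAN ports of the ISP device.
home_a = Router("homeNet", "10.1.1.0/24", "192.168.0.2", isp)
cam_a = Router("camNet", "192.168.50.0/24", "192.168.0.3", isp)
PARALLEL = {
    "pc": (home_a, "10.1.1.20"),
    "cam": (cam_a, "192.168.50.10"),
    "home_router_wan": (isp, home_a.wan_ip),  # sits on the shared ISP LAN
}

# Layout B: home router plugged into a LAN port of the camera router.
outer = Router("camNet", "192.168.50.0/24", "192.168.0.2", isp)
inner = Router("homeNet", "10.1.1.0/24", "192.168.50.2", outer)
CHAINED = {
    "pc": (inner, "10.1.1.20"),
    "cam": (outer, "192.168.50.10"),
}

if __name__ == "__main__":
    for name, hosts in (("parallel", PARALLEL), ("chained", CHAINED)):
        for (s, d), ok in matrix(hosts).items():
            print(f"{name:8} {s:>15} -> {d:<15} {'reachable' if ok else 'blocked'}")
```

In the side-by-side layout neither LAN can reach the other, but both can reach the shared 192.168.0.x segment, including the other router's WAN interface, so router administration should stay disabled on the WAN side.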
 

tech_junkie

What you have is similar but it operates differently.
What happens when you lease an IP or two (sometimes you even have to lease four IP addresses, depends on how the local ISP sells them) is that those IP addresses are assigned at your routers. And instead of sharing bandwidth, you are switching so you don't lose bandwidth between multiple IP addresses being serviced on one cable modem. The cable modem IP address is not an outside address anymore as now it is the first node with a node IP address from the local system. It's also considered bridged out so the local ISP may refer to this as being bridged out.

So it would look like this in splitting the WAN. Each router would be manually set on a different outside IP address that was leased. Some local ISPs will allow one of these routers to DHCP and grab a consumer outside address, while other local ISPs would want a leased IP address per outside router:
Split WAN BIdrawing.jpg
 
Joined
Mar 2, 2024
Messages
16
Reaction score
6
Location
CA
Some newer cable modems/WAN 'modems' have multiple ethernet ports
- for some that can be for multiple devices... for others, that 2nd port is for bonding multiple links for bandwidth aggregation (ie 2x1GbE)

I could see time/place to use multiple routers with separate WAN IPs at a single residence .... but those circumstances, in my opinion, would be pretty rare. And IP Cams would NOT be one of those scenarios where I'd do that typically, unless the cams and related gear are all managed by a 3rd party and one has budget and wants unmistakable complete separation (no chance of a self-inflicted 'oops')

There are lots of ways to have a single WAN IP, single router connected to WAN, and still isolated internal IP cam network (possibly with a 2nd downstream router). My general starting point for a residential design would be 1 WAN IP vs 2 WAN IPs... though, like most things IT, 'it depends'
 

tech_junkie

It's all in application. But I would assign a different outside IP for camera hosting instead of port forwarding on my home network. Not only do I remove potential hacking from having a different IP address, I wouldn't have the performance hit either.

In town I have only set up 3 businesses that needed multiple outside IP addresses. So it's not very common. Two use them as VPN plus web hosting and internet. One was a security/fire alarm monitoring which I was replacing 32 phone lines with 12 IP addresses across different alarm receiver servers, and redundant IP routes from different broadband internet service providers.
 