Connecting Dahua Surveillance System to VPN

[Arjun]

My network system contains the following,
FiOS Quantum Gateway Router (Modem)
Netgear Nighthawk R7000 (Wireless and Wired) with OpenVPN abilities
NVR (Dahua) -- with several cams

Four additions are on the way (which I need to narrow down to two),
I have two options for a PoE switch (Either a TP Link 8 Port PoE+ Unmanged) or Zyxel 8-Port PoE Managed (not PoE+)
and
Netgear PROSafe 8-Port Managed Wired Network Switch (to act as the new intermediate between the FiOS Router and the rest of the network). or 8-Port Unmanaged

Still debating as to if I want unmanaged vs managed

How exactly should the VPN be set-up in this matter? All within the Netgear wired switch?

 

[nayr]

VPN runs on the router and gives access to anything that the router can reach on the LAN side; managed/unmanaged wont do anything for VPN.. you can have 20 switches chained together and still reach devices on the last switch..

 

[Arjun]

Thanks, from a security standpoint, would I still be better off with unmanaged PoE switches and Unmanaged Wired Ethernet Switches. Wouldn't I be able to gain access to additional authentication protocols if I use managed switches across the entire network?

If I add the wired 8-Port Netgear switch as the main intermediate, and realize VPN capability is not built into it, would I need to retain the direct connection between the Dahua NVR, 8-Port PoE Switch, and Netgear (OpenVPN) router?

VPN runs on the router and gives access to anything that the router can reach on the LAN side; managed/unmanaged wont do anything for VPN.. you can have 20 switches chained together and still reach devices on the last switch..

 

[Arjun]

One the main reasons I'm trying to put a wired 8-Port Netgear Switch within my network is because it would have an additional hardware firewall (I'm sure modifying open ports would help here) built into it and also makes it easier to create and manage a central location for all my networking devices.

 

[nayr]

now your confusing even me.. draw a diagram

 

[Arjun]

As per your request Ryan, here is the diagram (solid lines represent current setup), dotted lines represent the proposal, thanks

now your confusing even me.. draw a diagram

 

[nayr]

iMHO should be:
FIOS -> Router/Firewall w/VPN -> 8p Switch -> PoE Switch -> NVR

 

[Arjun]

Thanks for the suggestion, once the 8p Switch, PoE Switch, and NVR are all connected to the R7000, will they all be automatically be connected to the VPN? What would I need to do for guest mode, reserve that function on the FiOS router? Thanks again

iMHO should be:
FIOS -> Router/Firewall w/VPN -> 8p Switch -> PoE Switch -> NVR

 

[Arjun]

Also, not to be off-topic here, but since I can't create a static IP with my ISP, how should I configure Dynamic DNS?

 

[nayr]

your router/firewall is not doing anything unless its sitting between the internet and your LAN, and everything on the LAN side will be reachable via VPN regardless how its wired.

whats guest mode? usually this is just a wifi network that dont allow any lan access, only internet.. tha'll be enforced by the wireless access point by dropping anything trying to access local devices.

 

[Arjun]

The guest mode is just to enable WiFi access for any guests, doesn't allow any LAN access as you said

your router/firewall is not doing anything unless its sitting between the internet and your LAN, and everything on the LAN side will be reachable via VPN regardless how its wired.

whats guest mode? usually this is just a wifi network that dont allow any lan access, only internet.. tha'll be enforced by the wireless access point

 

[Arjun]

Since its a Netgear router, I had to configure the Dynamic DNS with a service called No-IP, I'm actually wondering if this is safe protocol

 

[nayr]

setup DynamicDNS on your Router and it'll keep your hostname mapped with your IP automagically.. just use your DynDNS hostname in your VPN Client config for remote connections.

nothing unsafe about it, your IP address is public and every site you visit knows it..

 

[misterfredsr]

The netgrat router should have its own dns with netgear router. I have the same router and mine is XXXXX,mynetgear.com

 

[Arjun]

I'm having an issue where when I try to connect the following occurs towards the end of the log,
Tue Mar 14 20:07:38 2017 MANAGEMENT: >STATE:1489536458,WAIT,,,,,,

The connection is not establishing. Any idea what could be happening? This router has its own DHCP server apart from the Verizon Gateway router
The range is in 10.0.0.X, not 192.168.1.x

I have Dynamic DNS configured on the router, prior to enabling the VPN Service

The netgrat router should have its own dns with netgear router. I have the same router and mine is XXXXX,mynetgear.com

 

[misterfredsr]

I had to use TCP not UDP for mine to connect

 

[Arjun]

Looks like I'm stuck via TCP as well (Connecting Status)
"Tue Mar 14 20:18:50 2017 MANAGEMENT: >STATE:1489537130,TCP_CONNECT,,,,,,"

I had to use TCP not UDP for mine to connect

 

[misterfredsr]

Great, it took me a week to figure that out.

 

[Arjun]

I mean its not working
Its stuck at
Tue Mar 14 20:27:43 2017 MANAGEMENT: >STATE:1489537663,TCP_CONNECT,,,,,

Current State: Connecting

Great, it took me a week to figure that out.

 

[misterfredsr]

I had to set mine for home network only and I could not use the IPv6