Defined Subnet versus VLAN: Is there a difference in my example for Blue Iris?

I am struggling with the philosophy of VLANs. This example might help me understand some of the differences. YouTube examples show the subnet change, but L3 documentation describes it as additional packet info. Does the Blue Iris computer see both cameras? My limited experience shows the managed path (L3 processing) is more time-consuming but provides more flexibility. Thanks, rob
(attached diagram: ScreenHunter 320.jpg)
 
Rob - from what I see in your drawing, VLANs aside, the short answer is yes, the BI PC should be able to see cameras on both 192.168.0.X and 192.168.20.X. This is because the BI PC is on both networks via your dual NIC configuration. VLANs configured on managed switches (or a combo of both managed and unmanaged in some cases) would be a different design methodology; it all depends on what you are trying to do. Are you trying to prevent the cameras from accessing the Internet?
 
In the above example I personally don’t see the point of implementing VLANs as the traffic has been separated by the dual network cards?

If you were to go to the trouble of configuring that then yes BI would be able to see the cams on both subnets.
 
Based on that diagram, Blue Iris would see the two cameras but presumably not see the internet (if your router is not part of VLAN 20).

Using a different subnet mask is not necessary.

To really understand the purpose of the subnet mask, I think it helps to see things in raw binary form. Your computer has a network interface with the address 192.168.0.50. In raw binary, it looks like this:

Code:
11000000.10101000.00000000.00110010

So there you see your address is 32 "bits" long. I added a dot after every 8 bits for readability, so the dots appear in the same place as when you write out the address as 192.168.0.50.

Then comes the subnet mask. The subnet mask essentially tells the computer how big the network is.

255.255.255.0 is the most common subnet mask, which, converted to binary, is:

Code:
11111111.11111111.11111111.00000000

Note how each 8-bit section is all 1s or 0s. This is easy for us humans to intuitively understand and remember, which is why this is such a common subnet mask.

What this mask means is that the first 24 bits (3 full bytes) of the IP address define the network the machine is on, and the last 8 bits (1 full byte) is the machine's address on the network.

In other words, because of that subnet mask, we know that 192.168.0 defines the network, and 50 defines the machine's address on the network. The first and last addresses on the network (192.168.0.0 and 192.168.0.255) are always reserved for special purposes, which means all the addresses in between (192.168.0.1 to 192.168.0.254) are free to be assigned to devices.

When you use a second NIC and assign it the address 192.168.20.51 with subnet mask 255.255.255.0, that just means the network is 192.168.20 and the machine's address on that network is 51, and the usable addresses range from 192.168.20.1 to 192.168.20.254. This does not overlap with your first network, so you're all good.

If you wanted to make things painful, you could use a different subnet mask where the transition from 1s to 0s does not align with the byte boundaries such as 255.255.255.128, which in binary is:
Code:
11111111.11111111.11111111.10000000

If you used that subnet mask, then 192.168.0.50 would not be able to talk to 192.168.0.150 because those addresses would be on different networks. The boundary of the network does not align with a dot in the address. It is not nearly as intuitive to humans, which is why you don't ever see it being used.
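The mask arithmetic bp2008 walks through above (address AND mask gives the network, the inverted mask gives the broadcast, everything in between is usable), as an added example that is not part of the post. It uses only the Python standard library, renders addresses in the same dotted-binary form as the post, and checks the hand arithmetic against `ipaddress`. The 255.255.255.128 case shows why 192.168.0.50 and 192.168.0.150 land on different networks; it also rejects a mask whose 1s are not contiguous, which is a mistake the post does not cover but a practitioner will hit when typing masks by hand.

```python
import ipaddress

def to_binary(dotted: str) -> str:
    """Render a dotted-quad address or mask as 32 bits, with a dot every 8 bits
    so the dots line up with the decimal notation."""
    return ".".join(f"{int(octet):08b}" for octet in dotted.split("."))

def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def _as_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))

def network_info(address: str, mask: str) -> dict:
    """Derive network, broadcast and usable host range from address AND mask.

    A subnet mask must be a run of 1s followed by a run of 0s; anything else
    (e.g. 255.255.0.255) is rejected rather than silently producing nonsense.
    """
    addr, mask_int = _as_int(address), _as_int(mask)
    prefix_len = bin(mask_int).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    if mask_int != contiguous:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    host_bits = 32 - prefix_len
    network = addr & mask_int                        # host bits cleared
    broadcast = network | (~mask_int & 0xFFFFFFFF)   # host bits set
    info = {
        "prefix_len": prefix_len,
        "network": _as_dotted(network),
        "broadcast": _as_dotted(broadcast),
        "usable_hosts": 2 ** host_bits - 2 if host_bits >= 2 else 0,
        "first_usable": None,
        "last_usable": None,
    }
    if host_bits >= 2:   # /31 and /32 have no "in between" addresses
        info["first_usable"] = _as_dotted(network + 1)
        info["last_usable"] = _as_dotted(broadcast - 1)
    # Cross-check the hand arithmetic against the standard library.
    stdlib = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    assert str(stdlib.network_address) == info["network"]
    assert str(stdlib.broadcast_address) == info["broadcast"]
    return info

def same_network(a: str, b: str, mask: str) -> bool:
    """True when two hosts share a network under the mask, i.e. they can reach
    each other directly (via ARP) instead of needing a router between them."""
    return network_info(a, mask)["network"] == network_info(b, mask)["network"]

if __name__ == "__main__":
    for ip, mask in [("192.168.0.50", "255.255.255.0"),
                     ("192.168.0.50", "255.255.255.128"),
                     ("192.168.0.150", "255.255.255.128")]:
        print(ip, mask, to_binary(ip), to_binary(mask), network_info(ip, mask))
    print(same_network("192.168.0.50", "192.168.0.150", "255.255.255.0"))    # True
    print(same_network("192.168.0.50", "192.168.0.150", "255.255.255.128"))  # False
```

The check that matters for the dual-NIC setup in the thread is the last one: two interfaces on one machine must land on networks that do not overlap, otherwise the host's routing table, not the switch, decides which NIC a camera packet leaves on.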
 
In your example, there are two network segments mentioned: VLAN 20 with the subnet 192.168.0.0/24, and another segment with the subnet 192.168.20.0/24. It's presumed that both subnets use a netmask of 255.255.255.0. VLANs (Virtual Local Area Networks) allow for the logical segmentation of networks on the same physical switch or infrastructure. This technology enables a single switch to support multiple separate LANs, hence the term 'Virtual' in VLAN. This is a significant advancement from older networking times when a physical switch or hub could only participate in a single LAN. By using VLANs, network administrators can create distinct broadcast domains in a partitioned fashion, which enhances network management, security, and reduces broadcast traffic.

Yes, Blue Iris does see both network segments as it has a dedicated NIC for each. In the diagram, there is no layer 3 processing (routing) involved (unless you have configured the Blue Iris PC to function as a router).

I hope that answers your questions, and if it does not, feel free to ask further.
 
Gentlemen, great responses. I used this example to better understand VLANs. I should have stated the VLAN would be/was 802.1Q. I have implemented VLAN L3 in my home network to isolate the cameras off the internet. I have two camera VLANs, with the isolation of the "eagle" watching cameras which go to the YouTube feed machine (which is soon to be my backup BI server). It would seem, by non-measurements, that the system is slower through the switches because of the L3 processing. I was wondering about using L2 LAN isolation to avoid most of the L3 processing. (I now have numerous unmanaged Netgear switches.) My L3 slowdown was measured with the same internet speed test through L3 (48 port) versus direct to router. I had 90 versus 800 Mbps, but just doing it now for this entry, they are basically the same at 650. I have Comcast cable as ISP and it varies. Maybe something else is/was the cause of the difference. My wife says it is slow sometimes. Her path is via a trunk, as the office switch is unmanaged.
Below is the current system, based on suggestions by jmhmcse, and a possible proposed (I've thought about it) alternative using an existing 24 port switch (but the connections have not been marked or made). I will admit I get lost, sometimes, in the complexity and not really knowing how the switch works (does it learn the paths, and perhaps was slow before it learned who's where?). I set up a Wireshark connection and now that's a rabbit hole! And I didn't understand the messages.
So thanks again for your consideration, and any suggestions for improvement would be appreciated.

This current system is working and has the cameras isolated (except for the mesh node - work in progress). Netflix runs OK on the TV and TiVo.
(attached diagram: IP Cam Locations.jpg)

Possible alternative for lower L3 processing:
(attached diagram: IP Cam Alternateplan.jpg)
 
When thinking about whether to put the layer 3 functionality on the switch, or leave it on the firewall/router, it's important to remember that all intra-VLAN traffic (data traveling on the same VLAN) is handled at the switch level in both cases. Only traffic traveling between VLANs needs to hit the firewall/router if the switch is set up for only layer 2, whereas if the switch is set up to handle layer 3 traffic, even the data traveling between VLANs would be handled at the switch level and not have to traverse to the firewall/router. Honestly, in a typical residential setting, leaving your firewall/router to handle the VLAN management and keeping your switches running at layer 2 is probably the easiest method. If you carefully plan your VLANs - keeping traffic flow in mind - it is pretty easy to create VLANs where the vast majority of traffic stays confined to that VLAN. This simple design concept will prevent most bottlenecks that can occur when you use the firewall/router for VLAN management. Obviously in a large company or very large and complex residential network, making your switches act as layer 3 devices might be necessary. But this adds a lot of complexity (especially for us non-IT professionals) that simply isn't needed in most residential situations.

That being said, if you are going to be running multiple switches, I would suggest that you look into managed switches that can be "stacked" together. This means that all of the switches are interconnected (physically and in the software) and they will present themselves as a single switch for management purposes. The switch's stacking ports are generally higher capacity ports (many times they are 40 Gb or higher) to prevent bottlenecks as well. The switches don't need to be near each other physically either - especially with fiber as cheap as it is today.
 
Automation Guy,
My network is in four locations: 3 buildings and 3 towers. My goal was to isolate the cameras from the internet as a result of an FBI inquiry (my IP address was identified and possibly used to no good). I was happy with an open, single subnet network and it worked fine. Netgear switches and an Asus router were my choices back with a simple system. Asus routers don't support VLANs yet. So I continued with a Netgear router. Cheaper paths to start over, for sure. I haven't VLANed the router, as all of my inter-VLAN is done with different ports on the computers and the main switch. The layer 3 was to use trunks over single underground cables.
 
"Did someone hack into one of your cameras and compromise your network? "

No, not my system. But someone used my system to forward/hop a message, best I can tell. I HAD port forwarding open under UPnP on several cameras and apparently someone found the weakness and used it for messaging. They were asking if I had logs of actions by my system. It was months after the event and I had a major reorg and ISP issues, so nothing was around.
 
This is the first time I have heard of this on a security camera. My guess is some kind of proxy software was installed to allow the forwarding to happen.
 
This is the first time I have heard of this on a security camera. My guess is some kind of proxy software was installed to allow the forwarding to happen.

We see breaches like that here all the time. All someone has to do is scan a QR code or use UPnP or intentionally port forward, and crazy stuff like this happens. IoT devices have so many backdoor exploits, which is why most of us here isolate and minimize those risks. Not giving cameras internet access is the first step.
 
Many on this site know of the weaknesses of port forwarding. I naively thought it was just to see what is on the camera, i.e. like my backyard. Others here know waaaay more about it.

Yep, they don't care about seeing your camera feed, they want to use your internet for DDoS attacks or look at kiddie porn from your internet address or sniff your network for bank stuff, etc.
 
Automation Guy,
The layer 3 was to use trunks over single underground cables.

I think you have a misunderstanding of what layer 2 and layer 3 really mean with regards to a network switch. A switch that is "VLAN aware" does not necessarily mean that switch is functioning as a layer 3 device. A layer 3 device has routing capabilities built into it so that it can communicate with other devices at an IP address level (and therefore traverse across different networks). A switch running as a layer 2 device does not have this routing functionality turned on and it is communicating with devices at a MAC address level. In other words, a layer 2 switch has only "switching" functionality while a layer 3 switch has "switching" and "routing" functionality turned on.

Traffic traveling on the same VLAN will be handled by the switch, but traffic traveling between different VLANs on a layer 2 switch must traverse to the router/firewall. Because a layer 2 switch cannot send traffic between different networks, that traffic is sent to the router/firewall (a layer 3 device), where it routes the data traversing between different networks. A layer 3 switch can route traffic traveling between different networks because it has been set up with gateways and ACLs (effectively firewall/routing rules). Optionally, you can even set up a DHCP service on a layer 3 switch (although there may be valid reasons you would want separate DHCP servers running for redundancy, more control, etc.). However, if you have not set up gateways and ACLs on your switch, it is functioning as a layer 2 device.

Looking at the documentation for your main switch (Netgear JCS524v2), it doesn't have any of the primary layer 3 capabilities. Long story short, your switches are acting as layer 2 devices and your router is still handling all of the "routing" functionality of your network. This is the method I would suggest however, even for a network as large and "complex" as this one. (Honestly this network really isn't complex, it just has lots of extra switches instead of home running network runs back to a single main switch for every hardwired device on the network).

EDIT - Let's see if a "diagram" can help....

Let's say "Device A" on VLAN10 needs to send data to "Device B" also on VLAN10
- with a layer 2 switch it looks like this:
Device A --> (Data traveling over VLAN 10) --> Layer 2 Switch #1 --> (Data traveling over VLAN 10)--> Device B
- with a layer 3 switch it looks exactly the same:
Device A --> (Data traveling over VLAN 10) --> Layer 3 Switch #1 --> (Data traveling over VLAN 10) --> Device B

Now let's say "Device A" on VLAN10 needs to send data to "Device C" which is on VLAN20
- with a layer 2 switch it looks like this:
Device A --> (Data traveling over VLAN 10) --> Layer 2 Switch #1 --> (Data traveling over VLAN 10)-->Router/firewall --> (Data traveling over VLAN 20) -->Layer 2 Switch #1 --> (Data traveling over VLAN 20) --> Device C
- with a layer 3 switch it looks like this:
Device A --> (Data traveling over VLAN 10) --> Layer 3 Switch #1 --> (Data traveling over VLAN 20) --> Device C
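The point Automation Guy makes above (the VLAN ID is layer 2 information; routing between VLANs is a separate layer 3 function) is easiest to see in the bytes themselves. The following is an added example, not code from anyone in this thread: it builds an Ethernet frame carrying a small IPv4 header, once with an 802.1Q tag and once without, parses the tag the way a switch would, and models the hop sequence from the diagram above. MAC addresses, IP addresses and the use of UDP as the IP protocol are constructed sample values; the frame layout (TPID 0x8100, then a 16-bit TCI holding PCP/DEI/VID, then the real EtherType) follows IEEE 802.1Q.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100      # EtherType value announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, as used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Minimal 20-byte IPv4 header (no options), protocol 17 (UDP), valid checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return header[:10] + struct.pack("!H", _checksum(header)) + header[12:] + payload

def build_frame(dst_mac, src_mac, src_ip, dst_ip, vlan_id=None, pcp=0, payload=b""):
    """Ethernet II frame. The 4-byte VLAN tag sits between the MACs and the
    EtherType, i.e. entirely inside layer 2; the IP packet behind it is
    built identically whether or not the frame is tagged."""
    frame = _mac(dst_mac) + _mac(src_mac)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    frame += struct.pack("!H", ETHERTYPE_IPV4)
    return frame + ipv4_packet(src_ip, dst_ip, payload)

def parse_frame(frame: bytes) -> dict:
    """Split a frame into its layer 2 and layer 3 parts the way a switch does."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan = {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    l3 = frame[offset:]
    info = {"dst_mac": frame[:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "vlan": vlan, "ethertype": ethertype, "l3_bytes": l3,
            "src_ip": None, "dst_ip": None, "ip_checksum_ok": None}
    if ethertype == ETHERTYPE_IPV4 and len(l3) >= 20:
        ihl = (l3[0] & 0x0F) * 4
        info["src_ip"] = str(ipaddress.IPv4Address(l3[12:16]))
        info["dst_ip"] = str(ipaddress.IPv4Address(l3[16:20]))
        info["ip_checksum_ok"] = _checksum(l3[:ihl]) == 0
    return info

def forwarding_path(src_vlan: int, dst_vlan: int, layer3_switch: bool = False) -> list:
    """Hops a frame takes, following the diagram in the post above."""
    if src_vlan == dst_vlan:
        return ["switch"]                       # plain L2 forwarding on either switch type
    if layer3_switch:
        return ["switch"]                       # the switch itself routes between VLANs
    return ["switch", "router/firewall", "switch"]

if __name__ == "__main__":
    tagged = build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02",
                         "192.168.20.10", "192.168.20.51", vlan_id=20)
    plain = build_frame("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02",
                        "192.168.20.10", "192.168.20.51")
    print(parse_frame(tagged)["vlan"], len(tagged) - len(plain), "extra bytes")
    print(forwarding_path(10, 20), forwarding_path(10, 20, layer3_switch=True))
```

Two things to take from running it. The tagged and untagged frames differ by exactly four bytes at the front, and the IP header bytes (and checksum) are identical, so a VLAN tag is not "packet modification" at layer 3. And the hop list is where your ACLs live: on a layer 2 switch, inter-VLAN traffic can only be filtered at the router, and intra-VLAN traffic is never filtered at all.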
 
I believe @master_tinkerer understands overall network concepts pretty well though. The network diagram shows a network that is more complex than 99.9% of most homes and small businesses. There is the router symbol on the Netgear PR60X but no indication of a trunk between it and the Netgear JGS524Ev2. Perhaps the camera VLAN is not meant to be routed? The Blue Iris PC would need a NIC on the camera VLAN for this to work, as indicated by the OP's first post.
 
Hey, this is darn near Greek to me. I thought L3 was packet modification (adding VLAN ID info) and L2 was switching based on decode of the packet. Forgive my semantics if not right. My goal is to isolate cameras and have good internet performance. Automation Guy, I'm not surprised at your documentation comment on Netgear; I think it's limited (being polite).
Not that it matters, but I think this switch has routing capability based on the interface (see picture below). I don't think I need it. Maybe I could use routing instead of additional NIC interfaces.
But I have them now installed.
Idea for maybe additional security: this switch has PoE time control, and I thought about a PoE-powered switch between the router and the 48 port switch that I could schedule off by de-powering the PoE switch. WiFi would be on the internet, so iPads at night would work. Thinking while writing this, another VLAN called TVs; I could isolate everything on the red VLAN from the web via time clock. Just limiting exposure to hacks.

Any reason to VLAN through the router? It supports it, but currently just operating on one.
(attached screenshot: ScreenHunter 326.jpg)

(attached screenshot: ScreenHunter 328.jpg)
 
I think using VLANs is very helpful in breaking a network into different parts. However, you don't want to get too granular with your VLANs, because traffic traveling between two different VLANs will have to be routed through the router/switch while traffic traveling on the same VLAN will not. Therefore, if you break your VLANs up too small and traffic ends up having to travel between two different VLANs, you will likely create an unnecessary bottleneck in your network.

Therefore I would suggest something like this VLAN structure:
VLAN1 - Management VLAN - provides access to all VLANs and network devices. The only devices on this VLAN will be your network hardware (switches, routers/firewall, etc) and perhaps one "management" computer (a dedicated computer just for this purpose. No "personal computer" should be assigned to this VLAN by default). Most network switches have a "default" VLAN (usually VLAN1) that gives universal access to all VLANs. This is how you utilize that "default" VLAN. In reality, you'll access this VLAN only when you are "working" on the network.
VLAN10 - Protected VLAN - gives internet access and blocks access to some of the other VLANs. You'll probably want to give this VLAN access to the Main VLAN and Camera VLAN, but not the Management VLAN. This is where your devices that contain your family's "personal" information/documents live, so that you can prevent most other devices from accessing this data. Devices you should put on this VLAN include most personal computers, any NAS that includes personal documents, backups, etc., but it does NOT include your phones or other mobile devices. Those should be considered insecure devices and put on the Main VLAN.
VLAN20 - Main VLAN - gives internet access but blocks other VLAN access except Camera VLAN access (at least for some devices - I don't think I would give all universal access to the Camera VLAN from this VLAN) and possibly the NoT if you are doing a lot of automation things. Basically anything that needs the internet, but doesn't need to regularly access the "personal family data" goes on this VLAN. Includes media streamers, TVs, automation/smart devices that need internet, kids computers, inlaw computers, any printers/scanners/fax machines, ALL mobile devices including your personal phones/tablets, any "guest" devices, etc
VLAN30 - Camera VLAN - blocks internet access and blocks access to other VLANs. Includes all cameras and the BI machine. You can write a rule that allows the BI computer access to the internet and turn it on/off as needed.

Honestly, this structure will work for 85% of the typical residential settings out there. There may be legitimate reasons to add more VLANs however. For example, if you have a lot of other devices that you want to keep off both the internet and away from your personal information (perhaps you are like me and have a lot of home automation devices that don't need internet access to work), then perhaps you want to add another VLAN for these devices:
VLAN40 - NoT VLAN - blocks internet access and access to other VLANs. Includes anything you want to keep off the internet and away from your family's personal information. Things like lights, appliances, alarm system, HVAC, etc

If you try to segment your network more than this, you aren't really adding any network security (because those devices should already be blocked from your "personal data") and you are greatly increasing the odds that normal traffic will have to cross over VLANs. For example, having the TVs isolated on their own VLAN is going to prevent you from "casting" videos from your phones or other devices and even if the rules allow it, it is going to potentially cause a bottleneck at the router because all that traffic has to flow in and out of the router. If you have the TVs on the same VLAN as the media streamers and your mobile devices, then all that traffic will be allowed and only have to flow through the switch, not the router as well.

Now all that being said, this is all just my personal opinion. There might be valid arguments for setting up your network differently, but don't be tempted to break your network into a bunch of VLANs with a relatively small number of devices on them. Doing so will tend to cause more problems than they solve.
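Automation Guy's layout above, written out as the first-match policy table a router/firewall would enforce at the VLAN boundary. This is an added example, not configuration from the thread or from any particular router: the VLAN numbers and roles are the post's; the host names, the per-device allow-list for Main-to-Camera access, and the `bi_internet_enabled` switch (the post's "turn it on/off as needed" rule) are assumptions. Default is deny, and same-VLAN traffic is reported as switched because it never reaches these rules, which is exactly why an over-granular VLAN design pushes ordinary traffic through the router.

```python
from dataclasses import dataclass

INTERNET = "internet"   # pseudo-destination for "anything beyond the WAN port"
ANY = "any"             # wildcard destination

MANAGEMENT, PROTECTED, MAIN, CAMERA, NOT = 1, 10, 20, 30, 40   # VLAN IDs from the post

@dataclass(frozen=True)
class Rule:
    src_vlan: int
    dst: object                       # a VLAN ID, INTERNET, or ANY
    action: str                       # "allow" or "deny"
    src_hosts: frozenset = frozenset()  # empty = every host in src_vlan
    comment: str = ""

def build_policy(camera_allowlist, bi_host, bi_internet_enabled=False):
    """Rules in evaluation order. Anything not matched is denied."""
    rules = [
        Rule(MANAGEMENT, ANY, "allow", comment="management reaches everything"),
        Rule(PROTECTED, INTERNET, "allow"),
        Rule(PROTECTED, MAIN, "allow"),
        Rule(PROTECTED, CAMERA, "allow"),
        Rule(MAIN, INTERNET, "allow"),
        Rule(MAIN, CAMERA, "allow", frozenset(camera_allowlist),
             "only named devices on Main may reach the cameras"),
        # Camera (30) and NoT (40) VLANs get no allow rules: no internet, no other VLANs.
    ]
    if bi_internet_enabled:   # the post's on/off exception for the BI machine
        rules.append(Rule(CAMERA, INTERNET, "allow", frozenset({bi_host}),
                          "temporary: BI updates / remote access"))
    return rules

def evaluate(rules, src_vlan, src_host, dst):
    """Decision for a NEW connection from src_host (on src_vlan) to dst.
    Returns "switched" when the router never sees the traffic at all."""
    if dst == src_vlan:
        return "switched"
    for r in rules:
        if r.src_vlan != src_vlan:
            continue
        if r.dst != ANY and r.dst != dst:
            continue
        if r.src_hosts and src_host not in r.src_hosts:
            continue
        return r.action
    return "deny"

def internet_reachable_from(rules, vlans):
    """Audit helper: VLANs from which an arbitrary (unnamed) host can reach the internet."""
    return sorted(v for v in vlans if evaluate(rules, v, "unknown-host", INTERNET) == "allow")

if __name__ == "__main__":
    policy = build_policy(camera_allowlist={"rob-laptop"}, bi_host="bi-pc")
    for vlan, host, dst in [(CAMERA, "cam-front", INTERNET), (CAMERA, "cam-front", CAMERA),
                            (MAIN, "phone", CAMERA), (MAIN, "rob-laptop", CAMERA),
                            (PROTECTED, "family-pc", MANAGEMENT)]:
        print(vlan, host, "->", dst, evaluate(policy, vlan, host, dst))
    print("internet from:", internet_reachable_from(policy, [1, 10, 20, 30, 40]))
```

Two caveats when turning this into real firewall rules. The table decides new connections only; the router must be stateful so that replies (a camera answering the BI machine, a NAS answering a phone) are allowed back without a reverse rule. And the `src_hosts` match is by IP or MAC on most home routers, which a device on the Main VLAN can spoof, so the per-device Main-to-Camera exception is a convenience control, not a security boundary; the Protected and Camera VLAN rules are the ones doing the real isolation.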
 
A. Guy wrote:
I think using VLANs is very helpful in breaking a network into different parts. However you don't want to get too granular with your VLANs because traffic traveling between two different VLANs will have to be routed through the router/switch while traffic traveling on the same VLAN will not. Therefore if you break your VLANs up too small and traffic ends up having the travel between two different VLANs, you will likely create an unnecessary bottleneck in your network.

I was thinking about a VLAN that stays up 24 hours for surfing and TV while I shut down most other web interfaces. None of my VLANs are connected through the router; they are separated by NIC cards. I was thinking about time-clocking network access to the web.

I have one more nut to crack, and that is VPN access. My ASUS supports it and it was working, but I added the NETGEAR PR60x (for VLAN routing) (probably a mistake), which only supports router-to-router VPN (building to building) and not device-to-router like the ASUS and most other home routers do. (I only use it for off-site BI access.)
Thanks A.G.
rob
 
Some of my considerations when I consider setting up a VLAN include:
1. Group devices with similar functions
2. Group devices with similar security requirements
3. The need to inspect or control traffic to and from the VLAN. Traffic within the same VLAN is not easily inspected or controlled unless there is virtualization.
4. Multicast usage. I have spent many hours trying to get multicast traffic across firewalls and routers.
5. The number of devices in the VLAN now and in the future. I will not create a VLAN for only one device.

All my VLANs are trunked back to my firewall which also functions as my router. I have an enterprise grade firewall that can easily handle the dozen or so cameras. If your firewall or router cannot handle the traffic, that would be another consideration you will need to make.

I would recommend that you only have one device handling routing unless you just like to tinker around with network routing.

Have you taken a look at overlay network solutions like Zerotier, Tailscale, or Netbird for remote access?