Guidance Needed on LAN Set Up

Original poster | Joined: Aug 8, 2018 | Location: Spring, Texas
Good day all. Obvious newb here. I have read all of the WIKI and the IPCAM Cliff Notes, along with the threads on security and VPN by Nayr. So I have come up with a plan that I think is what all of the referenced material is saying to set up for the LAN.

Please take a look at this and critique.

I know a little about networking, probably just enough to get into trouble. Ultimately the plan is to have 3-5 cameras outside and one or two inside.

Please see the attached graphic that describes what I think the set up should be. The items on the left are currently in place (“Secure LAN”). The items on the right (“Non-secure” (camera) LAN) are yet to be purchased, except for one 5231 which I just received today from Andy.

I understand the need to isolate the IP camera side from the Internet. But I am thinking that I need a router between the BI computer and the PoE Switch? If that is the case, then I could do away with the Wireless Access Point since a router would have WIFI, correct?

My other concern is that I am stuck with the Pace 5268ac Modem/Router as that is from the ISP (AT&T) which provides the Gigabit over fiber. The problem is it does not support VPN, and a day-long search of sites has convinced me that there is no way to solve that issue.
[Attachment: LAN schematic.JPG]

SouthernYankee (IPCT Contributor) | Joined: Feb 15, 2018 | Location: Houston Tx
I have a very similar setup. I do not have a router on the camera side of the BI network. All the addresses on the camera side are static IP addresses, on a unique subnet. I use an older ASUS router set up as an access point, with a unique name and a non-conflicting channel number.

Both IP addresses in the BI computer are static.

If you can, get a router that has OpenVPN support, and put the AT&T router in modem-only mode.

catcamstar (Known around here) | Joined: Jan 28, 2018
My personal advice would be to work with a standalone router (and no, not all routers include wifi; those are mainly aimed at the consumer market). It is not clear to me from your picture whether (or not) your Netgear switch is a MANAGED or an UNMANAGED variant. But in any case, you can still opt for an edgerouter (like the word states: a router at the edge of your network), which can be very cheap ($50-60): Ubiquiti Networks - EdgeRouter™ X -> this router has all you want (and need): multiple DHCP servers for multiple subnets, firewall, OpenVPN server (and client), and even VLANs. Especially the latter can help you "secure" your network down the line; if your Netgear is managed, this would make things a lot easier. Otherwise you go the "multiple subnet" route, and you firewall with ALLOW-"secure->BI/CAM" and DENY-"BI/CAM->secure" rulesets.

I have managed some networks with consumer routers; the best experience was with Asus (with Rmerlin), which also has OpenVPN onboard and secured wifi, but lacks "native" VLANs (except for IPTV forwarding, for example). Ubiquiti material starts from the X and goes towards the PRO and Infinity range ($$$). They even have SFP models, which might be compatible with your AT&T gigabit, so you could ditch the pre-configured thing. To be investigated.

In the end, think about HA/DR; it might be of interest to add a UPS/battery pack to the mission-critical parts (and do not forget your ISP modem) so your BI can still push out notifications.
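The "multiple subnet" ruleset described in the post above (ALLOW secure->BI/CAM, DENY BI/CAM->secure, and no Internet for the camera side), written out as EdgeOS configure-mode commands for an EdgeRouter X. This is an added example, not code from the original post or from Ubiquiti; the interface assignment (eth0 to the AT&T gateway, eth1 secure LAN, eth2 camera LAN), the addresses 192.168.1.0/24 and 10.10.10.0/24, and the ruleset names CAM_IN and CAM_LOCAL are assumptions. If the BI computer is dual-homed as in the OP's diagram, its camera-facing NIC sits on the eth2 subnet; if it has a single NIC, it lives on the secure side and reaches the cameras through the router.

```vyos
configure

# Assumed addressing: eth1 is the trusted side, eth2 is the camera side.
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 description "Secure LAN"
set interfaces ethernet eth2 address 10.10.10.1/24
set interfaces ethernet eth2 description "Camera LAN (no Internet)"

# CAM_IN: traffic entering the router from eth2 that it would forward on.
# Default drop means a camera can neither reach the secure LAN nor the WAN.
set firewall name CAM_IN description "Cameras -> forwarded traffic"
set firewall name CAM_IN default-action drop
set firewall name CAM_IN rule 10 description "Replies to sessions opened from the secure side (BI pulling RTSP, you opening a camera web UI)"
set firewall name CAM_IN rule 10 action accept
set firewall name CAM_IN rule 10 state established enable
set firewall name CAM_IN rule 10 state related enable
set firewall name CAM_IN rule 20 description "Log anything a camera tries to originate"
set firewall name CAM_IN rule 20 action drop
set firewall name CAM_IN rule 20 protocol all
set firewall name CAM_IN rule 20 log enable

# CAM_LOCAL: traffic from eth2 aimed at the router itself (web UI, SSH,
# later the OpenVPN listener). Cameras get NTP from the router and nothing else.
set firewall name CAM_LOCAL description "Cameras -> the router itself"
set firewall name CAM_LOCAL default-action drop
set firewall name CAM_LOCAL rule 10 action accept
set firewall name CAM_LOCAL rule 10 state established enable
set firewall name CAM_LOCAL rule 10 state related enable
set firewall name CAM_LOCAL rule 20 description "Allow cameras to sync time against the router"
set firewall name CAM_LOCAL rule 20 action accept
set firewall name CAM_LOCAL rule 20 protocol udp
set firewall name CAM_LOCAL rule 20 destination port 123

set interfaces ethernet eth2 firewall in name CAM_IN
set interfaces ethernet eth2 firewall local name CAM_LOCAL

# NAT only the secure subnet. Even if a firewall rule were loosened later,
# the camera subnet still has no translation out to the Internet.
set service nat rule 5010 description "Masquerade secure LAN only"
set service nat rule 5010 type masquerade
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 source address 192.168.1.0/24

commit
save
```

The secure side (eth1) is left unfiltered on purpose: the "allow secure->cam" half of the ruleset is simply the absence of a restriction there, while the "deny cam->secure" half is the default drop on eth2 plus the established/related exception that lets replies flow back. To check it, open a camera's web page or an RTSP stream from a secure-LAN host (it should work), then try to reach a secure-LAN address from anything on the camera subnet (it should not), and compare counters with `show firewall name CAM_IN statistics`; rule 20 is the one that should climb, and its log lines show you which camera tried to call out.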

Original poster:
Thanks for the replies so far. To answer a few questions:

The current 16-port switch is unmanaged. I have yet to purchase the 8-port PoE switch, so that could be a managed switch.

The ATT fiber terminates at the ONV in the garage. From there it is Cat5e to the network room on the second floor. No fiber is run in the house.

The modem/router from ATT is a Pace 5268ac model supplied by the ISP. As far as I can tell from the firmware, guide, and online forums, it does not support IP Passthrough. I do not have the option of replacing this unit with something else.

All equipment is on a UPS. Router/modem and switch share one. The ONV in the garage is on its own. The NAS is on a separate one. When I purchase the PoE switch and computer, I will purchase additional UPSes.

SouthernYankee:
You should be able to put the Pace 5268AC in bridge mode, so it only acts as a modem. You then can use your own router. I strongly recommend using a router that supports OpenVPN; this will make your network and IP cameras more secure. I use an ASUS router; there are other routers that support OpenVPN.

Do a Google search on "Pace 5268ac bridge mode"; there are videos and directions.

Original poster:
> You should be able to put the Pace 5268AC in bridge mode, so it only acts as a modem. You then can use your own router. I strongly recommend using a router that supports OpenVPN; this will make your network and IP cameras more secure. I use an ASUS router; there are other routers that support OpenVPN.
>
> Do a Google search on "Pace 5268ac bridge mode"; there are videos and directions.
Thanks. I had done several incantations of "vpn pace 5268ac" or "pace 5268ac vpn" and got lots of folks trying to get it to work but to no avail.

Most of the ones that showed up using your search words were basically turning certain things off and putting the new router in the DMZ+ zone. At least one states "...ipsec (site-to-site VPN) will not work. AT&T blocks it...". Not knowing enough about VPN or OpenVPN, is that the same as ipsec? So will it be blocked by ATT? I don't really want to spend the bucks on a router to get the VPN and then find out ATT blocks it.

BTW, I am in Spring, originally from Boston. I like your "Southern Yankee" name.

SouthernYankee:
A VPN allows you to securely access your home network from the internet. There are other ways to set up a VPN without using the router; I am not familiar with how to do it.

I live in Pearland, been in Texas for more than 45 years. I do not miss the north at all.