Help setting up VLAN network

[CanCuba]

I'm looking at buying a managed switch and setting up a proper network for myself and my guests (max 8 devices connected at one time). Here's what I need to do:

• 16 IP cams connected to a POE NVR (labeled as DVR on diagram) as 10.1.1.x firewalled from talking to the internet (VLAN)
• OpenVPN or Wireguard VPN access into the NVR and cams
• laptop can access NVR and cams

The internet will be provided via a Ubiquiti Nano M5 and will provide internet access to the (probably hardwired) IPTVs and other non-surveillance devices. I'm new to VLANs but I believe that I can manage this through VLANs on a managed switch. This is the switch I'm looking at:

DGS‑1210‑10P - 10-Port Gigabit Smart Managed PoE Switch

8 x 10/100/1000BASE-T PoE ports2 x Gigabit SFP portsAdvanced L2 switching and security featuresL2+ Static RoutingOptional “standard mode” or “surveillance mode” management user interface65W PoE budget

www.dlink.com

Does this look like it will work? I don't have a huge choice of managed switches but I think this one will do what I need it to do (VLAN the cams/NVR and allow remote access via OpenVPN/Wireguard to the same).

 

[fenderman]

What are you currently using as a router/firewall?

 

[CanCuba]

What are you currently using as a router/firewall?

Cams/NVR have never been connected to the internet. I'm setting up this network as I'm having the Nano internet connection installed this week.

Think of this as a fresh setup.

 

[fenderman]

Cams/NVR have never been connected to the internet. I'm setting up this network as I'm having the Nano internet connection installed this week.

Think of this as a fresh setup.

Ok, but the nano is just an access point. Where is the internet/wan connection coming from? and what is the device you have under the switch?

 

[CanCuba]

Ok, but the nano is just an access point. Where is the internet/wan connection coming from? and what is the device you have under the switch?

Nano will provide the internet connection. This is common in Cuba. There's a gray-market of private wireless internet provided via Nano/Microtik.

That's a router below the switch. To allow for wireless connection for the laptops.

 

[CanCuba]

Should be router set up as access point. The Nano handles the DHCP assignments.

 

[fenderman]

Nano will provide the internet connection. This is common in Cuba. There's a gray-market of private wireless internet provided via Nano/Microtik.

That's a router below the switch. To allow for wireless connection for the laptops.

The problem with that is how will you use openvpn without a public ip? You can use something like tailscale or zeroteir
The bigger issue that the private internet provider has access to your network and unencrypted date flowing in/out

 

[CanCuba]

The problem with that is how will you use openvpn without a public ip? You can use something like tailscale or zeroteir
The bigger issue that he private internet provider has access to your network and unencrypted date flowing in/out

Excellent point. Ok, my other option for NVR access is to set up a router with a 4G SIM for direct access to the NVR with the VPN. I think I'll go that route then.

It will mean having two physically separate networks but it's probably safer that way.

Thank you

 

[fenderman]

Excellent point. Ok, my other option for NVR access is to set up a router with a 4G SIM for direct access to the NVR with the VPN. I think I'll go that route then.

It will mean having two physically separate networks but it's probably safer that way.

Thank you

Will 4g sim give you are routable public ip address?
Honestly I would be more concerned about my primary internet connection being on a private gray market internet connection than my cams.

 

[CanCuba]

Will 4g sim give you are routable public ip address?
Honestly I would be more concerned about my primary internet connection being on a private gray market internet connection than my cams.

The 4G SIM will give me a routable public ip address. I know people doing it for NVR access.

I understand the concern with the private gray market access but we use a VPN for everything regardless. Not so much to hide our usage from the local authorities but I can't log into Home Depot, Walmart, Lowe's, etc if they detect I'm in Cuba. Nor can I place Amazon orders without a VPN so we have our phones and laptops set to restrict any traffic that isn't through the VPN.

A few years ago, I had my PayPal account cancelled because I accidentally logged in from Cuba without a VPN. They blacklisted the bank account and credit card I had associated with that account which is a huge PITA. I had to get a prepaid credit card to be able to make payments through PayPal.

 

[fenderman]

The 4G SIM will give me a routable public ip address. I know people doing it for NVR access.

I understand the concern with the private gray market access but we use a VPN for everything regardless. Not so much to hide our usage from the local authorities but I can't log into Home Depot, Walmart, Lowe's, etc if they detect I'm in Cuba. Nor can I place Amazon orders without a VPN so we have our phones and laptops set to restrict any traffic that isn't through the VPN.

A few years ago, I had my PayPal account cancelled because I accidentally logged in from Cuba without a VPN. They blacklisted the bank account and credit card I had associated with that account which is a huge PITA. I had to get a prepaid credit card to be able to make payments through PayPal.

Well if you are already doing that might as well add the cams to same connection as you intended unless the 4g card is really cheap.

 

[CanCuba]

Well if you are already doing that might as well add the cams to same connection as you intended unless the 4g card is really cheap.

Not sure if I'll get a routable public IP, as you pointed out. I can always try and see what happens and if it doesn't pan out, go with the 4G router. I have the 4G router already.

 

[fenderman]

Not sure if I'll get a routable public IP, as you pointed out. I can always try and see what happens and if it doesn't pan out, go with the 4G router. I have the 4G router already.

In the US you dont get a routable IP on 4g/5g connections...you must a large fee for it. A 4g router will have the same issue.
I dont know if that dlink switch is going to be able to do what you want. You might be better off with a router that supports vlan.

 

[CanCuba]

In the US you dont get a routable IP on 4g/5g connections...you must a large fee for it. A 4g router will have the same issue.
I dont know if that dlink switch is going to be able to do what you want. You might be better off with a router that supports vlan.

The guys I know setting up routers for 4G access are also high-end installers. They may have some workaround but they offer this service to all their clients via the 4G network.

 

[Mike A.]

I understand the concern with the private gray market access but we use a VPN for everything regardless. Not so much to hide our usage from the local authorities but I can't log into Home Depot, Walmart, Lowe's, etc if they detect I'm in Cuba...

Understand the latter point but it's more than just using an outgoing VPN. The way that you have it drawn above, you're directly on their network and, more of concern, they're on yours. i.e., Anyone on that network can potentially access your stuff. You need some kind of firewall/router between you and them to better isolate yourself.

 

[CanCuba]

Understand the latter point but it's more than just using an outgoing VPN. The way that you have it drawn above, you're directly on their network and, more of concern, they're on yours. i.e., Anyone on that network can potentially access your stuff. You need some kind of firewall/router between you and them to better isolate yourself.

What about using the built-in firewall in the Nano M5? We don't need any ports forwarded.

 

[Mike A.]

Not very familiar with the M5 but it looking quickly does look like it can NAT your internal network so that should be OK. Check that there are no remote management options turned or other access ports that are opened that could permit someone to access it to change things.

 

[CanCuba]

Not very familiar with the M5 but it looking quickly does look like it can NAT your internal network so that should be OK. Check that there are no remote management options turned or other access ports that are opened that could permit someone to access it to change things.

Thank you. I'll be sure to lock it down tight once it's up and running.

 

[duplo]

with the setup shown in the picture you dont need a managed switch
you just need a "better" firewall with 4 or more nics

if you are able to get a mikrotik routerboard like RB5009 all would be possible
you can also use an old computer with pfsense and quad port intel nic

both can run zerotier

for any managed switch you need a firewall/router which is vlan compatible

i dont think the M5 has any router functionality. so if you get dhcp lease on clients this is managed by someone else

 

[CanCuba]

with the setup shown in the picture you dont need a managed switch
you just need a "better" firewall with 4 or more nics

if you are able to get a mikrotik routerboard like RB5009 all would be possible
you can also use an old computer with pfsense and quad port intel nic

both can run zerotier

for any managed switch you need a firewall/router which is vlan compatible

i dont think the M5 has any router functionality. so if you get dhcp lease on clients this is managed by someone else

When I had the M5 set up previously, I remember the M5 handling DHCP leases. We had it hooked up to a cheap router in repeater mode, IIRC.