Help with current network setup

justinneed

n3wb
Oct 22, 2019
United States
I have a DVR system set up on my network. I access it using a VPN, and port forwarding has been disabled. I also blocked the camera itself from the internet using an iptables firewall rule. I confirmed that the camera was inaccessible through port forwarding when I had this rule set up, so I believe the camera doesn't have access to the internet and is only accessible from within the network. Before I implemented this rule, I was able to access my DVR online using port forwarding, when I had it enabled for testing purposes. I do not have any VLANs set up, so all of my devices are essentially able to communicate with each other. I'm using a Raspberry Pi as a VPN.

I wanted to know if I should consider setting up isolated VLANs on my network. How much of a security risk is it for me to not have VLANs even if the DVR itself is blocked from accessing the internet?

I'm not a networking expert, so I don't have a lot of understanding of how to set up VLANs, but I think I'm capable of figuring it out. The reason I haven't embarked on that is that my router doesn't seem to have VLAN capabilities through its DD-WRT interface. I might be able to set it up using SSH, but that would make things even more complicated, and I wanted to know if it would be worth the time, or see if anyone can suggest a guide or some advice before I start doing some serious research.

Hi @justinneed

Sounds like you've done the most important part of the work.

No port forwarding
Using a VPN running on your network to access video remotely

VLANs .. some go the extra mile and use VLANs to segment their setups; it depends, IMHO, on how much IoT stuff you have on your network. If you have some IoT products, I would go with VLANs, or separate them with separate switches and routing rules.

If you have a simple LAN and no IoT stuff, then I would be OK with what you have already done.
 
What is your VPN?
If your router is DD-WRT it should support OpenVPN.
Who is the manufacturer of your router?
Is your router separate from your modem?

-----------------------------------------------

My general VPN post
There are two types of VPN; do not get them confused.
The type depends on where the conversation (traffic) originates.

1) Origination: local home network; destination: the internet.
The purpose of this type of VPN is to hide your activity from the internet. It is outbound, and it normally costs a monthly fee to use. Direction is from your home PC to the internet, going to your bank, Google, porn sites... This is not what you want. This VPN uses a VPN server that is in the middle of your communications.

2) Origination: the internet (world wide web); destination: your home network.
This VPN type is used to provide a secure connection onto your local network, inbound to your local home network, from your office computer, your cell phone in your car, your tablet at the coffee shop. This is what you want; it does not have a monthly fee and is normally completely free. OpenVPN is this type of VPN.

If your home internet provider is a cellular network, then DDNS (Dynamic Domain Name System) may not work. DDNS is needed for most inbound VPN services (OpenVPN), so OpenVPN may not work for you.
------------------------------------------------------
A video on the paid VPN.

------------------------------------------------------
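Added check (not part of the reply above, and not something the poster ran): the practical reason an inbound OpenVPN server "may not work" on a cellular connection is that the carrier usually hands the router an address from the shared carrier-grade NAT range 100.64.0.0/10 (RFC 6598) or from a private range, so no packet from the internet can reach the router at all, and DDNS merely publishes that unreachable address. The script below classifies the address the router received on its WAN side (the value on the router's status page; on DD-WRT `nvram get wan_ipaddr` is assumed to show the same value). The sample addresses in the usage line are constructed.

```shell
#!/bin/sh
# Added example for this thread, not the poster's setup. Classifies the IPv4
# address a router received on its WAN side, to tell whether an inbound VPN
# (OpenVPN on the Pi, reached via DDNS) can be reached from the internet at all.
# On cellular links the address is often from 100.64.0.0/10 (RFC 6598, carrier-
# grade NAT) or an RFC 1918 range; then nothing from outside can reach the router.

# Dotted-quad IPv4 -> 32-bit integer, so prefixes can be compared with shell arithmetic.
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK PREFIXLEN -> succeeds when ADDR lies inside NETWORK/PREFIXLEN
in_cidr() {
    _addr=$(ip_to_int "$1"); _net=$(ip_to_int "$2"); _len=$3
    _mask=$(( (0xFFFFFFFF << (32 - _len)) & 0xFFFFFFFF ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# wan_ip_class ADDR -> prints cgnat | private | loopback | public
wan_ip_class() {
    if in_cidr "$1" 100.64.0.0 10; then
        echo cgnat        # shared address space: NAT on the provider's side
    elif in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 || in_cidr "$1" 192.168.0.0 16; then
        echo private      # RFC 1918: another NAT (e.g. the modem) sits in front of the router
    elif in_cidr "$1" 127.0.0.0 8; then
        echo loopback
    else
        echo public
    fi
}

# inbound_vpn_feasible ADDR -> succeeds only when an inbound VPN endpoint can be reached on ADDR
inbound_vpn_feasible() {
    [ "$(wan_ip_class "$1")" = public ]
}

# Usage: sh wan_check.sh 100.73.12.9      (WAN address from the router's status page; constructed sample)
# On DD-WRT the address is assumed to be shown by:  nvram get wan_ipaddr
if [ $# -eq 1 ]; then
    cls=$(wan_ip_class "$1")
    if inbound_vpn_feasible "$1"; then
        echo "$1 is $cls: DDNS plus inbound OpenVPN can work (the OpenVPN UDP port still has to be forwarded to the Pi)"
    else
        echo "$1 is $cls: not reachable from the internet; DDNS cannot fix this"
    fi
fi
```

If the result is `cgnat` or `private`, DDNS is not the problem and switching DDNS providers will not help: the router has no public address for the name to point at. A second, independent check is to compare the router's WAN address with the address an outside host sees for you; when the two differ, there is a NAT on the provider side even if the WAN address looks public.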
I don't have any IoT devices, but I do plan on setting up a Google Chromecast. Right now I have only PCs, phones, and the DVR connected to the network. I think I will look into VLAN setup anyway, as it seems like the more secure method, and I want to have a guest network set up as well.

I'm using OpenVPN configured through PiVPN on a Raspberry Pi 4. The router I have has low flash memory (TP-Link TL-WR841ND), so it cannot run OpenVPN with DD-WRT. It's a cheap old router, but it's still supported by DD-WRT firmware and it works for my single-story area and 50 Mbps download speed. I got the RPi instead of a new router assuming that a quad-core RPi4 would provide me with better speeds than a cheap $40 router, but I've learned that might not be the case due to some kind of AES encryption not being supported by the RPi CPU; I still get 20 Mbps download using it, so it's good enough. The router is separate from the modem.

So I did click through my settings on DD-WRT and found that it might support VLAN configuration. It's just labeled "switch configuration" instead of "VLAN", which is what I saw in some tutorial. Also, under the Networking tab I see configuration options for VLAN tagging and bridging, which I'm assuming will need to be set up when configuring VLANs? Does this mean I can set up VLANs using this router? I've attached screenshots of the pages I'm talking about.

What I have in mind is to set up 5 VLANs: 1 - trusted PCs/devices (port 1 + wireless), 2 - security DVR (port 2), 3 - Raspberry Pi VPN (port 3), 4 - guest network (port 4 + wireless), 5 - IoT devices (wireless only). I only have 4 ports though; would it still be possible for me to have 4 VLANs associated with those ports and 1 additional that's wireless only for IoT?
 

Attachments: vlan.png, vlan tagging.png
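Added example, not from the thread and not DD-WRT's own configuration: the five-segment plan in the post above, written out as the interface and firewall configuration a generic Linux router would need. It is also what the first post's single iptables rule (DVR blocked from the internet, reachable only from inside) grows into once the LAN is split into segments. The security point is that VLANs by themselves only separate broadcast domains; what actually stops the DVR, a guest or an IoT device from reaching the rest of the network is the router's FORWARD policy between the VLAN interfaces. A VLAN does not need a physical switch port, so a wireless-only IoT VLAN is simply an SSID bridged to its tagged interface. Interface names (eth0 towards the switch, eth1 towards the modem), VLAN IDs, subnets, and the Pi's address and OpenVPN port are assumptions; on DD-WRT the port-to-VLAN mapping is done on the switch configuration page and kernel interface names differ per hardware, so only the policy carries over as-is.

```shell
#!/bin/sh
# Added example for this thread (generic Linux router with 802.1q, not DD-WRT specific):
# five VLAN sub-interfaces matching the poster's plan, plus the FORWARD policy that
# decides which segment may start a conversation with which.
# All names, IDs, subnets and addresses below are assumptions for the example.

WAN_IF=${WAN_IF:-eth1}                # towards the modem
LAN_IF=${LAN_IF:-eth0}                # towards the switch ports / wireless bridge
VPN_HOST=${VPN_HOST:-192.168.30.2}    # the Raspberry Pi running OpenVPN (assumed address)
VPN_PORT=${VPN_PORT:-1194}            # OpenVPN's default UDP port

# segment  vlan-id  subnet     (the router takes .1 in each subnet)
SEGMENTS="trusted 10 192.168.10.0/24
dvr 20 192.168.20.0/24
vpn 30 192.168.30.0/24
guest 40 192.168.40.0/24
iot 50 192.168.50.0/24"

seg_field() { echo "$SEGMENTS" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'; }
seg_if()  { echo "${LAN_IF}.$(seg_field "$1" 2)"; }    # e.g. eth0.20 for dvr
seg_net() { seg_field "$1" 3; }                         # e.g. 192.168.20.0/24

# Commands that create one tagged sub-interface per VLAN and give the router its address in it.
vlan_link_cmds() {
    echo "$SEGMENTS" | while read -r _name id net; do
        ifc="${LAN_IF}.${id}"
        gw=$(echo "$net" | sed 's#\.0/24$#.1/24#')
        echo "ip link add link $LAN_IF name $ifc type vlan id $id"
        echo "ip addr add $gw dev $ifc"
        echo "ip link set $ifc up"
    done
}

# Inter-VLAN policy. Default is DROP; only replies to already-accepted flows and the
# listed initiations get through. The DVR segment gets no ACCEPT as a source at all:
# trusted and VPN clients connect to it and it only answers, and any attempt to call
# out to the internet is logged and dropped so "phone home" behaviour becomes visible.
policy_cmds() {
    t=$(seg_if trusted); d=$(seg_if dvr); v=$(seg_if vpn); g=$(seg_if guest); i=$(seg_if iot)
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $t -j ACCEPT
iptables -A FORWARD -i $v -o $t -j ACCEPT
iptables -A FORWARD -i $v -o $d -j ACCEPT
iptables -A FORWARD -i $v -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $v -d $VPN_HOST -p udp --dport $VPN_PORT -j ACCEPT
iptables -A FORWARD -i $g -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $i -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $d -o $WAN_IF -j LOG --log-prefix "dvr-egress: "
iptables -A FORWARD -i $d -o $WAN_IF -j DROP
iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $VPN_PORT -j DNAT --to-destination $VPN_HOST:$VPN_PORT
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
}

# Usage: sh vlan_policy.sh          -> print the commands for review
#        sh vlan_policy.sh apply    -> run them (as root, on the router)
if [ "$1" = apply ]; then
    { vlan_link_cmds; policy_cmds; } | while IFS= read -r cmd; do eval "$cmd"; done
else
    vlan_link_cmds; policy_cmds
fi
```

Three caveats go with this policy. The DNAT line is the one inbound opening the setup needs: the OpenVPN server on the Pi has to receive its UDP port from the WAN, and nothing else is forwarded. Turn UPnP off on the router, otherwise a DVR that supports it can create its own port mapping and undo the egress block. And since the DVR segment cannot reach the internet, the DVR also loses NTP and DNS; point it at a time source on the trusted segment, or add one explicit rule for that single flow rather than loosening the segment.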