Looking for a NOOB friendly OpenVPN VLAN supported router

Joined
Oct 29, 2019
Messages
7
Reaction score
4
Location
Usa
Picked up some cameras, now time to work on the network. I will be purchasing a new router and am looking for advice on the right model. I'm looking to support VPN and also VLANs to segregate my cameras from the rest of the network. I would like to be able to use a UI and not have to use a CLI for setup and monitoring. From all of the sound advice on this forum, it sounds like Asus is the way to go for my experience level, but I'm not sure if they support VLANs for example the AC1900 listed in the CliffNotes on the Wiki makes no mention of VLAN capabilities in the user manual. Searching for other VLAN setup on other Asus routers show similar results. Would I need to flash the router with a different system to be able to have it support VLANs? New to networking setup so any advice to learn more about VLANs would also be much appreciated. So whats your recommendation for a NOOB friendly OpenVPN supporting, VLAN capable, UI accessible router? Thanks!
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
3,363
Reaction score
2,222
Location
Houston Tx
All New ASUS routers support OpenVPN. I have an old RT-AC66U_B1, it works great. The main difference in ASUS routers is the WIFI support.

Setting up OpenVPN on an ASUS router is very simple.

I do not us a VLAN. I use Blue Iris with a separate NIC to physically separate the cameras from my home network.
 
Joined
Oct 29, 2019
Messages
7
Reaction score
4
Location
Usa
Thanks @SouthernYankee, I'll take a look at that as an option. I like the idea of physically separating the two networks so less chance of access. So instead of the first topology below I would need the second...complicates things as I was hoping to not have to run any additional lines to my garage.

Single NIC
network.png
Separate BlueIris NIC
network_nic.png
I think it may be good to have VLAN support for some other uses as well. I'm still trying to learn the interplay of the router or the managed switch in VLAN setup. Anyone have any good primers to share? I would prefer an unmanged switch if I can setup VLANs just through the router but am unclear if that is possible or if it needs to be managed via the switch.
 

civic17

Getting the hang of it
Joined
Dec 7, 2018
Messages
153
Reaction score
52
Location
Canada
Asus routers you can have VLAN suport running Merlin firmware with scripts if you are comfortable with that. Some editing of the codes will be required. if you prefer using GUI then best to get a VLAN capable router and switch. Have a look at Ubiquiti products.
 
Joined
Oct 29, 2019
Messages
7
Reaction score
4
Location
Usa
Thanks @civic17, I found some info on a pfSense router/firewall and think I may pick up a SG-1100. Any reason to avoid that router or choose a ubiquiti product over that? Currently looking at vlan capable switches.
 

Q™

IPCT Contributor
Joined
Feb 16, 2015
Messages
4,865
Reaction score
3,791
Location
Megatroplis, USA
Asus RT-AC68U! I have seven and they're (7) all good. Caution get the RT-AC68U model and not the T-Mobile units which are often advertised incorrectly as the RT-AC68U...they're not. Also, I've had trouble uploading firmware to the RT-AC68R. When purchasing the RT-AC68U, try to get a unit with a "hardware revision" greater than "A1".
 

civic17

Getting the hang of it
Joined
Dec 7, 2018
Messages
153
Reaction score
52
Location
Canada
SG-1100 is good. I was debating on that one but went Ubiquiti EdgeRouterX instead cus it was cheaper. Both will be able to do what you need to do.
 
Joined
Oct 29, 2019
Messages
7
Reaction score
4
Location
Usa
Thanks for the input all. So my plan is to get a SG-1100 router/firewall running pfSense. I will be adding an additional NIC to my Blue Iris PC and have one NIC connected to the camera LAN and the other connected to my secured LAN. On the secured LAN side I will be getting a Ubiquiti UniFi POE Switch for VLAN setup for the rest of my network.

network.png
 

No No

n3wb
Joined
Nov 25, 2018
Messages
23
Reaction score
1
Location
No no
New and learning. What is the purpose of separating the cameras from the main network? ...security access from outside? If that why not just set up access control on the router to prevent the camera IP from contacting the WAN? Which is what I did, or does that not work. Even if your cameras are behind the BI computer, can't someone still get to them...they are technically still on the same network aren't they?
 

Hammerhead786

Pulling my weight
Joined
Apr 23, 2018
Messages
241
Reaction score
152
New and learning. What is the purpose of separating the cameras from the main network? ...security access from outside? If that why not just set up access control on the router to prevent the camera IP from contacting the WAN? Which is what I did, or does that not work. Even if your cameras are behind the BI computer, can't someone still get to them...they are technically still on the same network aren't they?
If you currently have an Asus router you could install FreshTomato firmware which would give you vlan capability. Cameras can be easily hacked. You would not want a compromised camera on the same network as your main network. If you have blocked your cameras at the router from contacting the internet, then in all likelihood you are good.

My personal preference is to have the cameras on one vlan and the BI machine on a separate vlan using a managed layer 3 switch. I can then configure the vlan for the cameras to only pass traffic to the BI machine. I have the BI machine connected to my router and therefore it has internet access for software updates and time synchronisation.

If I need to access the cameras directly, I RDP into the BI machine and access them from there. I can also do this externally using a VPN. Some might say this is overly complicated when I could use a PC with dual NICs, but for me it works and provides me with a great level of flexibility.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
3,363
Reaction score
2,222
Location
Houston Tx
NO NO. The cameras are on a separate network not connected to the internet so there is zero access for the cameras to the internet. The cameras can call home. With the way networking works and the current state of software passwords and access control is nearly useless.

If you try to block a device at the router by either an IP address or a MAC address, the device will just change its address and by pass the block. Physical separation is the only way to go.
 

The Automation Guy

Getting the hang of it
Joined
Feb 7, 2019
Messages
48
Reaction score
52
Location
USA
If you try to block a device at the router by either an IP address or a MAC address, the device will just change its address and by pass the block. Physical separation is the only way to go.
No argument that physical separation is the BEST way to go, but it is a stretch to say it is the the only way to go.......

and I've never seen a device that when set to a static network address (either locally or by a static DHCP rule on the router), automatically update it's address because it couldn't access the internet......
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
3,363
Reaction score
2,222
Location
Houston Tx
I have seen a number of device change there mac an static IP address. I have seen no name cameras do it. I have seen hacked network equipment do it. I have seen refurbished equipment do it, like printers I use to work in a top 10 S&P company in software engineering. The company does not even let any outside devices use there local network. No personal cell phones or tablets on wifi. All devices must go through in house test and certification. NO USBs are allowed as the micro code in them is hacked.
 
Last edited:

VorlonFrog

Known around here
Joined
Aug 3, 2015
Messages
1,313
Reaction score
834
Location
Charlotte
Asus RT-AC68U! I have seven and they're (7) all good. Caution get the RT-AC68U model and not the T-Mobile units which are often advertised incorrectly as the RT-AC68U...they're not. Also, I've had trouble uploading firmware to the RT-AC68R. When purchasing the RT-AC68U, try to get a unit with a "hardware revision" greater than "A1".
If you login via SSH and delete the .tar.gz file of T-Mobile security certificates from mtd5, it's exactly the same as an RT-AC68/U. ;)
 

VorlonFrog

Known around here
Joined
Aug 3, 2015
Messages
1,313
Reaction score
834
Location
Charlotte
No argument that physical separation is the BEST way to go, but it is a stretch to say it is the the only way to go.......

and I've never seen a device that when set to a static network address (either locally or by a static DHCP rule on the router), automatically update it's address because it couldn't access the internet......
Many Chinese firmwares will use hard-coded DNS server IP addresses when they cannot get out to the internet. You would not believe some of the things they do.
 

iseeker

Getting the hang of it
Joined
Nov 16, 2018
Messages
204
Reaction score
81
Location
TEXAS
Thanks for the input all. So my plan is to get a SG-1100 router/firewall running pfSense. I will be adding an additional NIC to my Blue Iris PC and have one NIC connected to the camera LAN and the other connected to my secured LAN. On the secured LAN side I will be getting a Ubiquiti UniFi POE Switch for VLAN setup for the rest of my network.

View attachment 50466
What is the headless audio player in your system?
 
Top