Newb - Secure VLAN setup

jeffshead

I’ve never set up a VLAN or a surveillance system. I have searched this forum and others but I’m still confused about what is the best way and how to set up my network.

I already have a FW/router with a VPN. I just purchased a TP-Link TP-SG1016PE PoE switch which is the main source of my confusion. I’ve read conflicting info about this switch. Some have stated that you cannot restrict access to its admin and that you cannot remove/separate ports from VLAN1. Others have stated that this is not true. It seems a firmware update has solved these concerns:
New Features/Enhancement:
  1. The port can be removed from VLAN1
  2. The port of VLAN1 can choose tagged/untagged
So here is what I think my network should look like:


Questions & Comments:
  1. VLAN1
    1. Is it OK to have my general LAN devices on VLAN1 or do I create a new VLAN for them and put nothing on VLAN1?
  2. Blue Iris Box
    1. I want to use the Android app and receive alerts from BI.
    2. I would like to be able to access it via a PC from VLAN1. Is that safe?
    3. Should I isolate the BI box on a VLAN separate from the cameras?
I'm hoping some TP-SG1016PE owners chime in and can explain how to properly set up the VLANs on this switch. I want to make sure the cams cannot access the Internet or other VLANs and that I limit/secure access to the switch's admin. The Tagged, Untagged, Not Member and PVID combination of settings is confusing the H3LL out of me!

SouthernYankee

What are you using to create the different VLANs?
What are the subnet address IP addresses?
What is the IP address of the BI PC?
What are the IP addresses of the cameras?
 

NoloC

So I have the 8-port version, although it is pretty old and your firmware may be different.
My BI PC is a member of the main home LAN and the camera LAN, which is what you want as well.
I didn't use VLAN 1 as that is a best practice, although I can't remember why. Here is my config:


jeffshead

SouthernYankee said:
> What are you using to create the different VLANs?
> What are the subnet address IP addresses?
> What is the IP address of the BI PC?
> What are the IP addresses of the cameras?

Thanks! I haven't gotten this far, yet.

I can create the different VLANs in the router. Currently, I have two physical network interfaces installed in the router and no VLANs. One interface is for incoming (LAN) and one for outgoing (WAN). With this router, I can create multiple VLANs on the same incoming port although I'm not sure of what to specify for each VLAN's default gateway. I use the router for DHCP and I can have multiple DHCP scopes (for each VLAN) if needed. Will I create a bottleneck if I have one physical cable running from the switch to the router that handles all traffic for all of the VLANs?

I'm thinking something like this for the subnets:
VLAN1 - not used
VLAN10 - 192.168.0.0/24 (Already using this subnet for my current network w/o a VLAN)
VLAN20 - 192.168.20.0/24
VLAN30 - 192.168.30.0/24

I don't have the BI PC set up yet so it can be assigned any IP.
I don't have the cameras set up yet so they can be assigned any IPs.

NoloC said:
> So I have the 8-port version, although it is pretty old and your firmware may be different.
> My BI PC is a member of the main home LAN and the camera LAN, which is what you want as well.
> I didn't use VLAN 1 as that is a best practice, although I can't remember why. Here is my config:

Just what I needed. Thanks!

Based on your setup, it appears you are using port 7 to connect your BI box to the switch and port 8 to connect your switch to your router. Is that correct? I'm still confused by which ports have shared membership. Why do your cam ports have to be a member of port 8 if you do not want them to access the Internet? Shouldn't they just be a member of port 7 if that is the port for your BI box?
 

jeffshead

Currently, I have a single, non-VLAN subnet with every network device attached to a single, dumb switch. In the router setup, I can choose either Ethernet or VLAN when creating a new interface. The current interface is set to Ethernet. When I create the new VLANs in the router, do I keep the existing non-VLAN subnet and add the VLANs to the same interface or remove the current subnet and have only VLANs on that interface? It seems the router setup will let me do either.

Do most folks put the cameras on their own VLAN and rely on layer 3 for communication with the BI server or put them on the same VLAN?
 
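Added example (not written by any poster in this thread, and not TP-Link's firmware logic): a small Python model of generic 802.1Q port semantics that audits a Tagged/Untagged/Not Member/PVID table for the isolation asked about in the first post. The port numbers, the two-NIC BI box, and the use of VLAN 20 for cameras are assumptions, as is the switch forwarding frames in the PVID VLAN without ingress filtering.

```python
# Added example: generic 802.1Q port model, not the switch firmware's own logic.
# Assumption: the switch forwards a frame in the ingress port's PVID VLAN even
# if that port is not a member of it (no ingress filtering).

def l2_egress_ports(ports, src):
    """Ports an untagged frame entering `src` can be forwarded out of."""
    vlan = ports[src]["pvid"]            # untagged ingress is classified by PVID
    return {p for p, cfg in ports.items()
            if p != src and vlan in cfg["member"]}  # Tagged or Untagged member

def audit(ports, camera_ports, uplink):
    """Return findings for a port table; an empty list means no issue found."""
    findings = []
    for p, cfg in sorted(ports.items()):
        untagged = {v for v, mode in cfg["member"].items() if mode == "U"}
        if untagged and cfg["pvid"] not in untagged:
            findings.append(f"port {p}: PVID {cfg['pvid']} is not one of its untagged VLANs")
        if 1 in cfg["member"]:
            findings.append(f"port {p}: still a member of VLAN 1")
    for p in sorted(camera_ports):
        if uplink in l2_egress_ports(ports, p):
            findings.append(f"port {p}: camera frames can leave via uplink port {uplink}")
    return findings

# Constructed tables. "U" = Untagged, "T" = Tagged, absent = Not Member.
# Ports 1-2 cameras, 6 BI NIC (LAN), 7 BI NIC (cameras), 8 uplink to router.
BAD = {
    1: {"pvid": 1,  "member": {20: "U"}},            # PVID left at default
    2: {"pvid": 20, "member": {20: "U"}},
    6: {"pvid": 10, "member": {10: "U"}},
    7: {"pvid": 20, "member": {20: "U"}},
    8: {"pvid": 10, "member": {1: "U", 10: "U", 20: "T"}},
}
GOOD = {
    1: {"pvid": 20, "member": {20: "U"}},
    2: {"pvid": 20, "member": {20: "U"}},
    6: {"pvid": 10, "member": {10: "U"}},
    7: {"pvid": 20, "member": {20: "U"}},
    8: {"pvid": 10, "member": {10: "U"}},
}

if __name__ == "__main__":
    for name, table in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, audit(table, camera_ports={1, 2}, uplink=8) or "no findings")
```

In the GOOD table the camera VLAN never reaches the router port, so the cameras have no layer-2 path to the gateway and the BI box's second NIC is their only neighbour outside the camera ports.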