Often asked, but so confused cameras and vlans. [newborn newbie]

Kerplunk

n3wb
Nov 29, 2024
3
0
MA
I just received my cameras from Andy and got them setup with static ips (192.168.68.xxx) and new passwords. I got them imported into blue iris. But I need some help with securing them. I have the cameras plugged into ports 1-8 of a PoE switch (TL-SG1016PE, IP @ 192.168.66.62). In the 802.1Q VLAN configuration I have ports 1-8 and 15 (computer with blue iris installed) marked as tagged. The VLAN ID is 2.

My understanding is that I have created a vlan, and those cameras and computer do not have internet access. But now I'm just lost. I'm not sure how to access the vlan.

My router is a Deco x60. I tried enabling IPTV/VLAN, with a Custom ISP Profile, Internet VLAN checked with a Internet VLAN ID of 2 and an Internet VLAN priority of 5. But that just took down my entire network. In other threads, I've read about firewall rules and setting stuff up in routers, but I just see port forwarding stuff on the Deco.

I'm expecting to get clowned on the Deco, but if the Deco is really the issue anything quick and easy I can use? I have an older Netgear NightHawk x6 if that is better, but I'm not really sure what i'm looking for here.

Thanks.
 
Simply creating VLANs on your switch doesn't mean your router knows what you want to do with them. It may be configured to allow inter-VLAN routing by default.

You have to create firewall rules in your router to tell it what you intend to happen with a packet that comes in with a tagged VLAN. If you don't want anything on VLAN 2 to have internet access, then you need block that VLAN from accessing the WAN. You have to create those firewall rules in your Deco x60 (I'm not familiar with that one).

You also need to make sure your uplink port on your switch (the one that connects your switch and router) is set to trunked mode so it passes all VLAN information to the router since the router is the one responsible for enforcing rules.
 
  • Like
Reactions: bigredfish
 
 
 
You have to create firewall rules in your router to tell it what you intend to happen with a packet that comes in with a tagged VLAN. If you don't want anything on VLAN 2 to have internet access, then you need block that VLAN from accessing the WAN. You have to create those firewall rules in your Deco x60 (I'm not familiar with that one).

You also need to make sure your uplink port on your switch (the one that connects your switch and router) is set to trunked mode so it passes all VLAN information to the router since the router is the one responsible for enforcing rules.

Thanks for the reply.

Yeah, I guess I'm getting hung up on firewall settings, not the concept, but the actual how to.

I'm getting lost in the weeds with terminology and what to look for. The Netgear Nighthawk x6 7900 has things like Static Routes and Block Services. But nothing with allow and disallow like I'd see in a firewall. Edit: meant to say inbound/outbound

Also, while it looks like the Nighthawk can setup a vlan and openvpn no where does it seem to allow me to "trunk" a port. My switch doesn't mention trunking but has PVID which seems similar to trunking, at least to me.

So now I'm wondering if my equipment can even do it. Anything out there with a friendly UI for newbies? If I have to get something new.
 
Last edited:
Thanks for the reply.

Yeah, I guess I'm getting hung up on firewall settings, not the concept, but the actual how to.

I'm getting lost in the weeds with terminology and what to look for. The Netgear Nighthawk x6 7900 has things like Static Routes and Block Services. But nothing with allow and disallow like I'd see in a firewall. Edit: meant to say inbound/outbound

Also, while it looks like the Nighthawk can setup a vlan and openvpn no where does it seem to allow me to "trunk" a port. My switch doesn't mention trunking but has PVID which seems similar to trunking, at least to me.

So now I'm wondering if my equipment can even do it. Anything out there with a friendly UI for newbies? If I have to get something new.
It may default to trunking on ports you don’t set as an access port with a vlan.
 
So now I'm wondering if my equipment can even do it.
I don't think the deco range supports vlans and/or multiple network addresses.

I use a unifi cloud gateway ultra and this guide is quite good for showing how to configure it and lock it down.

It's a really well priced router that has a cubic arseload of features.
I paired it with a Cisco switch because I already had the switch, you'll be able to use your existing tp link switch.
 
  • Like
Reactions: Kerplunk
I don't think the deco range supports vlans and/or multiple network addresses.

I use a unifi cloud gateway ultra and this guide is quite good for showing how to configure it and lock it down.

It's a really well priced router that has a cubic arseload of features.
I paired it with a Cisco switch because I already had the switch, you'll be able to use your existing tp link switch.

Thank you! Just got picked this up and will follow the guide once it gets here.