Questions about network topology

intfxdx

n3wb
Joined
Jan 23, 2020
Messages
3
Reaction score
4
Location
Silver Spring, MD
Hi everyone,

So I am finally going to set up my cameras (probably following suggestions from the wiki pages), but before I start plugging cameras into my system (which I would eventually just leave unsecured, etc. because it's working), I figured I would take a moment to plan.

Below is my network diagram. I am not sure how to set up the new network, so I've included two setups (Proposed subnet #1 and #2). Which one is better? I'm assuming setup #1 would work just fine, but I have read many posts suggesting the double-NIC approach.

My requirements:

a. access video streams from my main network (wife may want to check on backyard from her laptop or phone)
b. make it as secure as possible. I'm assuming that putting the cameras on a different subnet would allow me to control the flow of information. I can make VLANs if necessary, but I would rather not mess too much with my existing subnet.
c. eventually access feeds remotely. I'm thinking of a VPN server (either via Synology NAS or Raspberry Pi). I suppose the EdgeRouter Lite could also handle that.

Any tips are greatly appreciated.

Thanks,

[Attachment: network_questions.jpg]

erensfd

Getting the hang of it
Joined
Nov 17, 2017
Messages
48
Reaction score
32
Location
Chicagoland
I would go with your second option, where I'm assuming you are considering two NICs. However, I would connect the second NIC to your existing network (eth1) instead of eth2 as your diagram shows. You are already isolating the cameras from your existing network by utilizing a dedicated NIC and a PoE switch, so accessing the BI PC would be easier (no need to deal with adding rules between interfaces) if you put it on the same network as your other devices.

I have used the ER-Lite for 4-5 years with a VPN setup (L2TP over IPsec) without any issues. Not sure if you already had to deal with this, but the ERL is notorious for its failing internal flash drive (USB), so I suggest either upgrading to the ER-4 at some point, which uses eMMC memory, or keeping a backup ERL for when your flash drive fails. Replacing the flash drive is an easy fix if you have a console cable, but I gave up and upgraded to an ER-4 recently.

windguy

Getting comfortable
Joined
Sep 25, 2019
Messages
285
Reaction score
289
Location
Pacific Coast
@intfxdx - Welcome to the forum. Nice looking network diagram.
Check out the new thread linked below regarding setting up an ER-X, similar to your ER-Lite.
There is a network diagram suggested that mimics your Subnet 1 architecture. Good luck!


intfxdx

n3wb
Joined
Jan 23, 2020
Messages
3
Reaction score
4
Location
Silver Spring, MD
Thanks for the quick reply @erensfd and @windguy. It seems that @erensfd and @windguy (via @guykuo) have different opinions, the source of my dilemma. I have read the post shared above, which seems to be a modified version of my approach #1.

@erensfd:
Great point that if I'm going to use two (2) NICs in my BI PC, then there's no reason to have it on a separate LAN, since I'm effectively creating a different subnet with it. As for the additional work in creating rules in the ER-Lite, I see your point; they can be rough. I am by no means literate in ER rules, but I have been able to configure it to do what I need (force use of Pi-hole, allow UPnP for only one device, etc.), so I'm not afraid of battling through the process. I gravitate towards having "network rules" in one location (the ER-Lite) instead of spread out between router and BI PC, with a single source of IP reservations, DHCP, etc. As a result, I'm currently leaning towards solution #1.

Also, I haven't experienced the internal flash drive issue you mentioned (crossing fingers), but thanks for the heads up. I can see myself scratching my head for days trying to figure it out if it indeed happened. I will be planning for its failure. I bought it for $20 used from a CL guy who apparently bought it for testing with company money and wanted to clean his cabinets. It's been running for over a year with only update reboots.

@windguy:
Although they're usually a source of my wife's laughter every time she's in the laundry/NOC room, I do like my network diagrams, so thanks for the love. :)

erensfd

Getting the hang of it
Joined
Nov 17, 2017
Messages
48
Reaction score
32
Location
Chicagoland
I should point out that I'm not an expert. I don't think there's one right way to do this, but I wanted to give my 2 cents based on my experience. The great tutorial @guykuo has put together is specifically for an ER-X. Unlike the ER-X, most EdgeRouters (including the ER-Lite) do not have a hardware switch in them. Any network traffic between the physical interfaces uses additional CPU power. I don't think you should worry about that for viewing BI once in a while from your phone, but if you want to have a dedicated BI monitor in the future, that traffic would bypass the router if you keep the BI machine on the same subnet as your other devices.

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
I use two NICs on the BI machine. Physical separation on a non-routing PC. Using a subnet is a nice idea if you trust the software to enforce the rules. It is like a router having parental controls to prevent a device from accessing the internet: the device changes its MAC address and bypasses the controls. You are dealing with Chinese software and Chinese hardware; it is cheap, but trust none of it.

mikeynags

Known around here
Joined
Mar 14, 2017
Messages
1,034
Reaction score
940
Location
CT
Excellent drawings! Personally, I did option 1 (not with an ER-X). Either option will work for you, but you may have to "bone up" on some networking skills if you are light in that department. Being able to separate camera traffic will require understanding how to configure VLANs for each segment of your network, keeping the cameras separate and blocking access from the Internet. Also, you will most likely need an NTP server locally on your BI server so that all your cameras will have the same time. Search the forum here for Net Time Server and you will come up with some hits on how to install and configure it for your network.
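Option #1 as discussed by intfxdx (cameras on their own router port, with all rules kept in the ER-Lite), together with the last post's two requirements (cameras blocked from the Internet, cameras synced to a local NTP server on the BI PC), in one concrete EdgeOS configuration. This is an added example, not configuration from any of the posters or from the linked ER-X thread, and every address in it is an assumption: eth0 is WAN, eth1 is the existing LAN 192.168.1.0/24, eth2 is dedicated to the cameras as 192.168.10.0/24, and the Blue Iris PC is 192.168.1.50 on the main LAN and runs the NTP server.

```vyos
configure

# Camera network on the third port. The cameras get a subnet of their own and
# the router is their only way out, so every rule below is enforced on the
# router's own interface rather than by anything the cameras run.
set interfaces ethernet eth2 address 192.168.10.1/24
set interfaces ethernet eth2 description "Cameras"
set service dhcp-server shared-network-name CAMERAS subnet 192.168.10.0/24 default-router 192.168.10.1
set service dhcp-server shared-network-name CAMERAS subnet 192.168.10.0/24 start 192.168.10.100 stop 192.168.10.199
set service dhcp-server shared-network-name CAMERAS subnet 192.168.10.0/24 lease 86400
# Pin each camera to an address so Blue Iris and the firewall can name it
# (MAC is a placeholder).
set service dhcp-server shared-network-name CAMERAS subnet 192.168.10.0/24 static-mapping cam-backyard ip-address 192.168.10.11
set service dhcp-server shared-network-name CAMERAS subnet 192.168.10.0/24 static-mapping cam-backyard mac-address 00:11:22:33:44:55

# Objects reused by several rules.
set firewall group address-group BI_PC address 192.168.1.50

# Traffic the cameras INITIATE through the router (to the Internet or the main LAN).
# Default drop: no cloud/P2P call-home, no firmware check, no scanning the LAN.
set firewall name CAM_IN default-action drop
set firewall name CAM_IN description "Cameras to everywhere else"
set firewall name CAM_IN enable-default-log
set firewall name CAM_IN rule 10 action accept
set firewall name CAM_IN rule 10 description "Replies to sessions opened from the main LAN (RTSP/HTTP pulls by Blue Iris)"
set firewall name CAM_IN rule 10 state established enable
set firewall name CAM_IN rule 10 state related enable
set firewall name CAM_IN rule 20 action accept
set firewall name CAM_IN rule 20 description "Only outbound service allowed: NTP to the BI PC"
set firewall name CAM_IN rule 20 destination group address-group BI_PC
set firewall name CAM_IN rule 20 destination port 123
set firewall name CAM_IN rule 20 protocol udp
set interfaces ethernet eth2 firewall in name CAM_IN

# Traffic from the cameras to the ROUTER ITSELF: DHCP only, nothing else
# (no web UI, no SSH, no DNS from the camera side).
set firewall name CAM_LOCAL default-action drop
set firewall name CAM_LOCAL description "Cameras to the router"
set firewall name CAM_LOCAL rule 10 action accept
set firewall name CAM_LOCAL rule 10 state established enable
set firewall name CAM_LOCAL rule 10 state related enable
set firewall name CAM_LOCAL rule 20 action accept
set firewall name CAM_LOCAL rule 20 description "DHCP"
set firewall name CAM_LOCAL rule 20 destination port 67
set firewall name CAM_LOCAL rule 20 protocol udp
set interfaces ethernet eth2 firewall local name CAM_LOCAL

# Optional tightening: only the BI PC may open connections TO the cameras.
# Other devices (the laptop/phone in requirement a) watch through Blue Iris
# instead of talking to the cameras directly.
set firewall name CAM_OUT default-action drop
set firewall name CAM_OUT description "Into the camera network"
set firewall name CAM_OUT rule 10 action accept
set firewall name CAM_OUT rule 10 state established enable
set firewall name CAM_OUT rule 10 state related enable
set firewall name CAM_OUT rule 20 action accept
set firewall name CAM_OUT rule 20 description "Blue Iris to cameras"
set firewall name CAM_OUT rule 20 source group address-group BI_PC
set firewall name CAM_OUT rule 30 action accept
set firewall name CAM_OUT rule 30 description "DHCP offers/acks from the router"
set firewall name CAM_OUT rule 30 destination port 68
set firewall name CAM_OUT rule 30 protocol udp
set interfaces ethernet eth2 firewall out name CAM_OUT

commit ; save
```

Checks worth doing once it is applied: `show firewall name CAM_IN statistics` should show rule 10 and rule 20 counting while Blue Iris is recording and the cameras are set to use 192.168.1.50 as their NTP server (the camera's own NTP setting has to be changed; most ship pointing at a public pool, which this ruleset blocks). `show log | match CAM_IN` then lists every connection a camera tried to open on its own, which is a useful first look at what each unit wants to reach. Because everything is matched on the router's eth2, there is no MAC-based or client-side control for a camera to evade; the cost, as erensfd notes, is that camera video to the BI PC now crosses the ER-Lite's CPU instead of a switch.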