Requesting some advice on proposed network topology

Dunce Mode

n3wb
Joined
Aug 19, 2019
Messages
9
Reaction score
2
Location
Arizona
Hi all,

Long time, first time here. I've been looking at this stuff off and on for a number of years now, and have recently gotten serious about putting together a good, upgradeable camera system for my house. After reading the great advice here, I'm pretty ready to pull the trigger on the outdoor portion of my system. I will be purchasing the StarLight Dahua cameras (bullets and turrets) to begin. I'd also like to get a good managed switch so that I can isolate the cameras on their own network. Therein lies the source of my confusion. I had a few questions I was hoping you all can help me sort out.
  1. I read that I'd need a managed switch like the SRW248GP to do the network isolation that is best for security. Is this assertion correct, and will this switch allow me to isolate networks appropriately?
  2. I wanted an inexpensive option, hence the SRW248GP. Is this a good option for me, or would I be better served going another route? I really don't need all those ports and I do understand that there is an acoustic noise issue with this switch, but I'm OK with it.
  3. I have an older router that I wanted to use as the firewall and DHCP server connected directly to my cable modem. This device does not allow for an OpenVPN installation. Could I instead simply run OpenVPN on my Blue Iris box? Are there any tradeoffs here, and would I be better served purchasing a new router that natively supported OpenVPN?
  4. My house has a lot of dead spots. I would like to use old routers configured in 'AP mode' to act as wireless 'extensions' of my network. I understand that if I make them the same SSID with the same password that my devices will switch seamlessly. Is this correct?
  5. Where do I put the Blue Iris box in the topology below? I'd like to be able to access it from the outside via OpenVPN, and it's not clear to me where it should be placed. I'd think that it should be on the same subnet as the cameras, but want to ask more knowledgeable people.
  6. How does the switch allow for communication between VLAN10 and VLAN20? I've never worked with a managed switch before, so I'm at a bit of a loss on how it actually works.
  7. How does DHCP work on the two different subnets if the Cisco switch is in the middle? Will all DHCP requests be passed through to my initial router?


[Attached image: cam_network_topology.png]

biggen

Known around here
Joined
May 6, 2018
Messages
2,563
Reaction score
2,837
You have a lot going on here and are approaching on some advanced networking topologies. I'd suggest you make this entire setup simpler.

1. So a managed switch would allow you to create VLANs. That segregates your network which I think you understand. However, you need to either have a L3 switch to route traffic to your VLANs or have a router that supports VLANs. L3 switches are crazy expensive typically so most people do this at the router.

2. I don't know anything about this switch. Honestly any managed Netgear, TP-Link, Ubiquiti switch that supports VLAN tagging would be fine.

3. You need to decide where you want to run OpenVPN. You can run OpenVPN on a Raspberry Pi though I have no idea on how it performs. I don't believe there is an OpenVPN AS Windows binary so you wouldn't be able to run it from the same machine you use to run Blue Iris. Your other option is to build a virtualization host and run BI in a Windows VM and OpenVPN in a Linux VM but that may be more than you are comfortable with. Some routers have VPN services built right into them. I'd look into that first.

4. Don't do this. Every time you "repeat" a wireless signal, bandwidth goes down by half. Take the time and run Cat 5e/6. There is simply no replacement to having hardline when you are talking about video.

5. The Blue Iris machine should be in the same subnet/VLAN as your cameras. That way your router is not involved in moving packets. Roles should always be in the major network that they provide services for.

6. As said earlier, you need a L3 switch or router that can handle VLANs.

7. If the router is handling your VLAN traffic, then the router should also handle all DHCP requests.

If I were you, I'd go to a much simpler setup. Just make one big /24 flat network. I think VLANs in the home setting are ridiculous overkill.
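The "router that supports VLANs" role from points 1, 5, 6 and 7 above, as an added example that is not code from the thread: a small Linux box terminating both VLANs on an 802.1Q trunk, serving DHCP on each subnet with dnsmasq, and enforcing the camera isolation with an nftables forward policy. The interface names (eth0 WAN, eth1 trunk), the 10.0.10.0/24 and 10.0.20.0/24 subnets, the Blue Iris address 10.0.20.10 and the placeholder MAC are all assumptions chosen for the example; Blue Iris's web UI port 81 is its default.

```shell
#!/bin/sh
# Added example (not from the thread): router-on-a-stick for a camera VLAN.
# Every name and address below is an assumption for the example:
#   eth0      uplink to the cable modem (WAN)
#   eth1      802.1Q trunk to the managed switch (VLANs 10 and 20 tagged)
#   VLAN 10   trusted LAN, 10.0.10.0/24, gateway 10.0.10.1
#   VLAN 20   cameras plus the Blue Iris host, 10.0.20.0/24, gateway 10.0.20.1
#   Blue Iris 10.0.20.10, web UI on its default port 81
WAN=eth0
TRUNK=eth1
LAN_ID=10; LAN_NET=10.0.10.0/24; LAN_GW=10.0.10.1
CAM_ID=20; CAM_NET=10.0.20.0/24; CAM_GW=10.0.20.1
BI_HOST=10.0.20.10
BI_PORT=81

# /24 membership check, used to confirm that Blue Iris really sits in the
# camera VLAN (point 5) so camera-to-NVR video never crosses the router.
same_24() { [ "${1%.*}" = "${2%.*}" ]; }
bi_in_camera_vlan() { same_24 "$BI_HOST" "$CAM_GW"; }

# Points 1 and 6: one subinterface per VLAN on the trunk. The router owns
# each subnet's gateway address and routes between the two subnets.
render_vlan_setup() {
  for pair in "$LAN_ID $LAN_GW" "$CAM_ID $CAM_GW"; do
    set -- $pair
    echo "ip link add link $TRUNK name $TRUNK.$1 type vlan id $1"
    echo "ip addr add $2/24 dev $TRUNK.$1"
    echo "ip link set $TRUNK.$1 up"
  done
  echo "sysctl -w net.ipv4.ip_forward=1"
}

# Point 7: because the router terminates both VLANs it serves DHCP on each
# subinterface itself; the switch only forwards tagged frames and no relay
# is involved.
render_dnsmasq_conf() {
  cat <<EOF
interface=$TRUNK.$LAN_ID
dhcp-range=$TRUNK.$LAN_ID,10.0.10.100,10.0.10.200,12h
interface=$TRUNK.$CAM_ID
dhcp-range=$TRUNK.$CAM_ID,10.0.20.100,10.0.20.200,12h
# fixed lease for Blue Iris (placeholder MAC) so firewall rules can name it
dhcp-host=00:11:22:33:44:55,$BI_HOST
EOF
}

# What turns the VLAN into a security boundary rather than just a second
# subnet: a default-drop forward policy. Camera-to-Blue-Iris traffic is
# switched inside VLAN 20 and never reaches this chain; anything a camera
# initiates toward the LAN or the Internet is dropped (and counted, so a
# camera that keeps trying to phone home shows up in "nft list ruleset").
render_nft_ruleset() {
  cat <<EOF
table inet cam_segmentation {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # trusted LAN may reach the Internet and the Blue Iris web UI, nothing else in VLAN $CAM_ID
    iifname "$TRUNK.$LAN_ID" oifname "$WAN" accept
    iifname "$TRUNK.$LAN_ID" ip daddr $BI_HOST tcp dport $BI_PORT accept
    # cameras: no Internet at all (explicit rule only to count the attempts)
    iifname "$TRUNK.$CAM_ID" oifname "$WAN" counter drop
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    # only the trusted LAN is NATed out; the camera subnet gets no WAN path
    oifname "$WAN" ip saddr $LAN_NET masquerade
  }
}
EOF
}

apply_all() {
  [ "$(id -u)" -eq 0 ] || { echo "re-run as root with --apply" >&2; return 1; }
  render_vlan_setup | sh -e
  render_dnsmasq_conf > /etc/dnsmasq.d/vlans.conf
  render_nft_ruleset | nft -f -
}

case "${1:-}" in
  --apply) apply_all ;;
  *) render_vlan_setup; echo; render_dnsmasq_conf; echo; render_nft_ruleset ;;
esac
```

Without arguments the script only prints the three pieces of configuration for review; `--apply` as root creates the subinterfaces, installs the dnsmasq scopes and loads the ruleset. If you want to open a camera's own web UI from the trusted LAN, add an accept for that address next to the Blue Iris rule rather than loosening the policy; cameras that need time sync should be pointed at the gateway or the Blue Iris host, since the policy gives them no route to an Internet NTP server.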

Dunce Mode
Thanks so much for the reply. I have additional questions, inline below in red.

edit: sorry for the formatting and inclusion of the reddit link inline. I'm not used to this board, and I can't get my post to format in the way I wanted it.

> You have a lot going on here and are approaching on some advanced networking topologies. I'd suggest you make this entire setup simpler.
> 1. So a managed switch would allow you to create VLANs. That segregates your network which I think you understand. However, you need to either have a L3 switch to route traffic to your VLANs or have a router that supports VLANs. L3 switches are crazy expensive typically so most people do this at the router.
Do you have any idea on a decent cost router that would handle VLANs? I've seen some other people who seem to use this big iron Cisco switch (which is only desirable due to cost), so I'd presume that they would have some low cost solution to this problem.

> 2. I don't know anything about this switch. Honestly any managed Netgear, TP-Link, Ubiquiti switch that supports VLAN tagging would be fine.
Thank you, I saw some of these switches as well, but I was drawn to the potential future upside and cost of the Cisco device.

> 3. You need to decide where you want to run OpenVPN. You can run OpenVPN on a Raspberry Pi though I have no idea on how it performs. I don't believe there is an OpenVPN AS Windows binary so you wouldn't be able to run it from the same machine you use to run Blue Iris. Your other option is to build a virtualization host and run BI in a Windows VM and OpenVPN in a Linux VM but that may be more than you are comfortable with. Some routers have VPN services built right into them. I'd look into that first.
I was reading about setting up OpenVPN on a Windows box at a link on reddit (removed due to the board inlining content). Is this not a viable alternative? I could be missing something, but at first glance I thought that this was exactly what I'd need to do unless I did the VM route with a Linux VM. Thank you for that idea, BTW, as this would also be something I could look into. I'm basically trying to avoid having to purchase even more hardware (i.e., a router that supports VPN).

> 4. Don't do this. Every time you "repeat" a wireless signal, bandwidth goes down by half. Take the time and run Cat 5e/6. There is simply no replacement to having hardline when you are talking about video.
Why does it halve bandwidth? The way I've done it in the past is to hardline a cable to the AP, which then provides radio. I also only use the AP wifi for smart phone, tablet, and Chromecast. No security cameras will be anything BUT Cat5e/Cat6 cabling. In my network topology, all the blue lines are actual hard cable.

> 5. The Blue Iris machine should be in the same subnet/VLAN as your cameras. That way your router is not involved in moving packets. Roles should always be in the major network that they provide services for.
Thank you.

> 6. As said earlier, you need a L3 switch or router that can handle VLANs.
Thank you.

> 7. If the router is handling your VLAN traffic, then the router should also handle all DHCP requests.

> If I were you, I'd go to a much simpler setup. Just make one big /24 flat network. I think VLANs in the home setting are ridiculous overkill.
I had read that VLAN was a good security measure to protect against possibly vulnerable IP cameras. With a large flat network, how would I guard against a possible intrusion via one of the cameras? Again, this could be ignorance on my part. If VLAN isn't needed for security, then why do people recommend implementing it?

biggen
1. I'm a big fan of Ubiquiti gear. The USG is the exact router I have at home and it will handle VLANs, VPN, etc... I'm also running it with this PoE switch to run my home cameras. I use a RP3 to host the UniFi controller to tie it all together. Makes it pretty easy.

2. Answered above.

3. I don't know anything about OpenVPN on Windows. I run the paid version of OpenVPN AS in my business but I run it on a Debian VM on my virtualization host.

4. Ok, I misunderstood what you were wanting to do. Yes, you can do this with no problem. Just make sure you don't have overlapping channel coverage. Keep everything the same SSID.

<skip>

7. You are going to get different opinions here. I think if you stay with reputable cameras like Axis, Dahua, Hikvision, etc., I just don't see this being a concern in a home setting. I think if you are buying a $25 special off Aliexpress then, sure, there may be some cause for concern.

In my business, I have over a dozen cameras and am looking to add about half a dozen more. What I did when I set it all up was purchase a Cisco router that had assignable LAN interfaces. So I gave my camera LAN a subnet and then I gave my regular computer LAN a subnet. I then purchased two HPE switches (one PoE and one not). My cameras connect to the PoE switch which connects to the router CAM LAN interface while my regular computers connect to the non-PoE switch which connects back to the router COMPUTER LAN interface. The router then can route between those two subnets. This is very much like using VLANs. I just like to break it out this way when we are only talking about a handful of networks. My brain just works with separate LAN interfaces/subnets better than VLANs.

If you are limited to using one switch and want segmentation, then you have to use VLANs. I chose to go with two switches since I wanted a 24 port PoE switch and didn't want to waste PoE ports on non-PoE devices.

In my home, I didn't do anything like this level of complexity. I have two Axis cameras running in my house. I have four Axis cameras running that I set up for my father in his house. I just set up a flat /24 network for each. Creating VLANs here just adds more complexity than I want to deal with.
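Point 3 in both replies leaves the question of running OpenVPN on the Blue Iris box open. The OpenVPN community edition (as distinct from Access Server, the commercial product, which has no Windows build) ships a Windows build of openvpn.exe that runs server configurations as well as client ones, so the OP's option is workable. The server configuration below is an added example, not from the thread or from OpenVPN's own documentation: the key and certificate file names, the 10.8.0.0/24 tunnel range, UDP 1194 forwarded from the cable router to the Blue Iris host, and the Blue Iris web UI on its default port 81 are all assumptions.

```conf
# Added example: OpenVPN community-edition server.conf on the Blue Iris host.
# Assumed: keys generated with easy-rsa under the names shown, UDP 1194
# forwarded to this host, Blue Iris web UI listening on port 81.
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# tls-crypt: every control packet must carry an HMAC under a pre-shared key,
# so packets from an unauthenticated scanner are dropped before any TLS
# handshake and the port does not answer to probes.
tls-crypt tc.key
remote-cert-tls client
auth SHA256
cipher AES-256-GCM
server 10.8.0.0 255.255.255.0
# No "push route" for the camera subnet and no client-to-client: a phone
# on the VPN reaches Blue Iris only, not the cameras or other VPN clients,
# and its normal Internet traffic stays outside the tunnel.
keepalive 10 60
persist-key
persist-tun
verb 3
```

Clients open Blue Iris at the server's tunnel address, http://10.8.0.1:81, which needs no IP forwarding on the host; the only things to check on the Windows side are that Blue Iris's web server is bound to all interfaces (its default) and that the host firewall allows inbound port 81 on the OpenVPN TAP/tun adapter. If you later want camera web UIs reachable over the VPN, that is the point at which a pushed route, forwarding on the host and a return route on the cameras' gateway all become necessary, which is the extra attack surface the bare configuration avoids.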

Dunce Mode
Thank you, biggen, for the detailed feedback. You make a lot of great points and have given me a lot of good ideas to consider. I do like the idea of a flat network; it's just so much simpler.