Setting up VPN/VLAN and Dual NIC

I'm not following ... we'd still have to have Internet at that switch, would we not?
In this diagram, this network doesn't have internet access:
1721237838164.png
So the AP would only be used for adding wireless cameras.
If you need it to have internet access, then on the static IP entry of the access point, you would put in a static IP address that would be in the IP pool of the computer network, and on the Blue Iris server you would bridge the two connections in Windows.
The other way to do it without turning the Blue Iris computer into a switch would be to insert a router and program the LAN with a different base IP (10.20.10.xxx) and its WAN is connected to the computer network and assign the AP a bridge LAN IP (10.20.10.xxx).
The only issue that might creep up with that is configuring the managed switch, but if it was an unmanaged switch all of that would work.
The only advantage you will get using a router to bridge networks is that you can restrict internet access by using MAC filtering and provide DHCP to wireless clients.
Managed switches are really for splitting the switch and VLAN, but VLANs create their own overhead on the network so that is another reason I avoid them. Besides unnecessarily complicating the install.
 
Still no idea what you are planning.

You try to avoid internet on the outdoor switch to add security for whatever reason. Then you have this outdoor switch without any security. Someone just goes there, plugs in a network cable and has access to your camera system. Port security not available. lol

Then you have @tech_junkie recommend you a wifi client setup to connect to your house wifi 1000ft away. Also, wifi is so reliable, why not use it when you have a cable connection. lol

Then you have this gate controller which needs internet to work, but @MTL4 recommends you a dumb gate controller which opens over bluetooth/RFID/keypad. If someone is in front of the gate you drive 1000ft there to open it. lol

But you avoided internet and have a dual NIC setup.

Applause!
I have no idea what I'm planning either. I had a plan, but it got disrupted, so I'm trying to figure out a new plan. :)

If I'm in the mountains it will be a bit more than 1,000ft to drive to open the gate.

MyQ is a good app for consolidating all your door opening devices including the gate, but the important thing here is what else besides the gate are you looking to control? Keypads? Doors? Video/audio intercoms? Other stuff? Then where are all of these located? The previous camera network diagram was done up assuming you wanted to isolate the cameras and didn’t need to bring your main network to the gate. I think going forward it would be very important to have a plan on exactly what you want to do in order to find what solution works best for you.

You had asked about options for making the gate controller work, so if you just need an internet connection at the gate to use MyQ you could use something like a cellular modem (Netgear LB1120) with a simple VPN/firewall (if you already have a cell, they usually have very cheap data-only SIM cards available). If you want to tie into your main network then obviously there are other options like wifi bridging (need line of sight for that distance), running a second fiber connection (accessibility? cost?) and of course managed switches at both ends with VLANs (adds a bit more complexity to your home network but absolutely doable and possibly preferable due to your existing infrastructure). Again I’d suggest drawing up a plan of what you’re looking to do first before deciding on how best to solve it.
Again... trying to figure out the plan to draw up... at this point... it appears we need Internet at the gate, and I don't want to rely on wifi line of sight (been there and done that with constant issues), and I don't want to run another fiber because I'd have to pay another monthly fee for access (I've used up all the fiber wires we have on the current access). So... looks like some sort of vlan structure... or maybe what @tech_junkie is recommending below, if I can figure that out.

The only use for MyQ is remote gate operation. I'm going to have a small camera on the keypad pedestal for communicating at the keypad. This will likely be a rare case use, but possibly needed from time to time. The gate will be open while I'm at home during the day. It will auto close at night and auto open in the mornings. It will be closed when we are away from home, which is likely the only time a scenario would come up where I need to let someone in remotely. I don't see it happening often, but I can see it happening.

In this diagram, this network doesn't have internet access:
View attachment 198807
So the AP would only be used for adding wireless cameras.
If you need it to have internet access, then on the static IP entry of the access point, you would put in a static IP address that would be in the IP pool of the computer network, and on the Blue Iris server you would bridge the two connections in Windows.
The other way to do it without turning the Blue Iris computer into a switch would be to insert a router and program the LAN with a different base IP (10.20.10.xxx) and its WAN is connected to the computer network and assign the AP a bridge LAN IP (10.20.10.xxx).
The only issue that might creep up with that is configuring the managed switch, but if it was an unmanaged switch all of that would work.
The only advantage you will get using a router to bridge networks is that you can restrict internet access by using MAC filtering and provide DHCP to wireless clients.
Managed switches are really for splitting the switch and VLAN, but VLANs create their own overhead on the network so that is another reason I avoid them. Besides unnecessarily complicating the install.
Initially, I thought we needed the AP for the gate operations, but I have since learned that it is not needed. I have never intended to use wireless cameras, just to clear that thought up.

I can change the managed switch in the HOUSE - Office to an unmanaged switch. It's sitting right beside it, unused. It might even be better because last night, we lost connection to the cameras, and I had to restart that switch to resolve the issue. Something caused the switch to lose connection... dunno.

When you mention setting the static IP of the AP to the subnet of the cameras, how exactly will that provide Internet to the switch, as we need wired Internet for MyQ.
 
Oddly enough, that managed switch just caused a lost connection again. I just swapped it out for the unmanaged switch and cams are back up... we'll see how it does.
 

It sounds like an IP conflict somewhere, did you look at the MAC tables before pulling it out of service? There’s really no reason to go back to a dumb switch since a managed switch can be set up just like a dumb switch or it can handle L2/L3 security (VLANs, filtering, flow, etc.) if need be.

I’m definitely curious about the fiber connection you said you’re paying monthly for, is there a reason why that’s a service and not a permanent installation? You don’t see that very often on the residential side.
 
I did not look, but if I end up needing it managed, I can stick it back in and figure it out. I just have way too much other to try to figure out right now before getting to that point.
 
Oddly enough, that managed switch just caused a lost connection again. I just swapped it out for the unmanaged switch and cams are back up... we'll see how it does.
A lot of that TP-Link equipment will die on you like that if it doesn't last years. I've had both their routers and switches these last few years go out or go offline and reboot them. Since it has cost me more money in warranty repairs, I have discontinued that brand entirely from my new installs.
When you mention setting the static IP of the AP to the subnet of the cameras, how exactly will that provide Internet to the switch, as we need wired Internet for MyQ.
I wasn't really aware of the MyQ device needing it, but you would do the same thing.
I said the computer network (192.168.0.xxx) because in that scenario it involves taking the Blue Iris server and bridging its two connections that may or may not pass the home network's DHCP services to the other interface (cam network) in the computer.
I would recommend getting a router to service the internet into that network and use an IP pool (10.20.10.xxx) that would be unreachable to everything else on the camera network (192.168.1.xxx). Because if you use the BI computer to bridge, then it gives you less secure options because you will be stuck hosting BI through the house network (192.168.0.xxx). You could with the router (10.20.10.xxx) use DHCP and set the internet-seeking devices to DHCP since there is no DHCP on the camera network.

What I got as a rundown of your internal network:
192.168.0.xxx is your home internet computer network
192.168.1.xxx is your camera network.

Problem is there is more than one way to do this. I try to pick the approach that will be easy to maintain in the event of a hardware failure, so I'm not, or the customer is not, spending a lot of time reconfiguring things.

One thing I want to know, what was the purpose or the goal of putting an AP at the gate?
 
The AP was something I thought we needed, as the gate opener installer said we needed wifi at the gate, but as it ends up, he meant an Internet connection (wired)... as wifi won't work.

The home network is 192.168.0.xxx
The camera network is 10.11.12.xxx

So I could take my old router, the ER605, and use it for that service pole switch that connects the four cameras I'll have installed there and the AP (or do we even still need the AP for any of this since I don't need it for the gate?)

I am no doubt confused on how the ER605 will connect into the network (to the 16 port switch?)
 
Another way, since the cameras are static addressed: take a wire from the home network switch and plug it into a camera network switch. Then put everything that needs internet on DHCP. The only downside to this is you have to rely on the AP security only and this wouldn't prevent rogue connections if someone gained access to the switch at the gate and plugged into the network.
 
The AP was something I thought we needed, as the gate opener installer said we needed wifi at the gate, but as it ends up, he meant an Internet connection (wired)... as wifi won't work.

The home network is 192.168.0.xxx
The camera network is 10.11.12.xxx

So I could take my old router, the ER605, and use it for that service pole switch that connects the four cameras I'll have installed there and the AP (or do we even still need the AP for any of this since I don't need it for the gate?)

I am no doubt confused on how the ER605 will connect into the network (to the 16 port switch?)
I think we are getting somewhere...
Leave the unmanaged switch at the gate. Since you don't need the access point, it's better to take it down and use it where you need to.
The router should be installed in the same area as the Blue Iris or where you can physically connect these two networks. I would run another wire from the home network to the BI machine room and plug it into the WAN outlet, then I would simply plug in the wire from the camera network into a LAN port and a jumper wire from one of the router's LAN ports to the camera ethernet on the BI machine.
ER605? Interesting... I had to replace about half of those I purchased so far. But if you are not worried about someone jacking into your network at the gate switch, and this router dies, you can replace it with an unmanaged switch.
 
I have two Ethernet cables coming into the office where the BI computer is located.

One is connected to the switch to which all the other cameras in the house will be connected, and that switch is connected to the BI computer.

The other cable is connected directly to the BI 2.5G NIC.
 
Ok, that was the house-office switch for the camera network.
So how many internet devices will be on the camera network? So far I counted just 1; will there be others in the future?
 
I think since you don't need the AP at the gate, set the AP as a bridge client and plug it into the network switch located at the house-office (the camera network), then DHCP the MyQ so it will get an address of the home network.
I never dealt with that particular brand of fiber media converters and it could have a MAC/ARP table, which means it's going to take up a node count. You can only run 3 nodes on a network in tandem. Some routers take up a node count, in which case what would happen is your MyQ device would sometimes have internet. Was that your issue to begin with? If so, then plugging in the AP to supply internet will work there because it's a new clock source with no node count.
I'll post some more diagrams here in a bit of possible ways because if a router is used, the media converter needs to be plugged into it due to node count limits. And the access point can either be directly connected to the switch or connected through a router the switch and fiber converter would be connected to.

But I'm getting called to supper, so I will post something here in a little while.
 
Here are two possible ways, the first one would use the AP directly with a switch, the other is with a router serving your current connections, that you could either put the access point on the WAN connection, or run a wire back to the computer network.
[Attachments: wiring method 1.png, wiring method 2.png]
 
This is my complete network now... I don't want a wifi AP feeding my home network... that won't ever work for 10G and 2.5G.

View attachment 198859
In those picture examples above I posted, the WIFI AP is just supplying your devices on the camera network. Why would you think any different? If you don't like it you can run a wire in its place from the same switch on the home internet network feeding the BI machine, no difference. I would sell off the AP and just wire it, but I figured I'd show you how to use what you have.
Btw the MyQ device is still not in the drawing, but I assume it's connected to that POE switch at the gate.
 
Sorry ... it's not making any sense to me. I don't see any reason to use an AP's wifi to feed anything I can hardwire.

The home network cannot go thru the ER605 router other than to provide Internet to the camera switch at the service pole... assuming that will help secure it.

I need the Internet to go thru the 2.5G network to the BI machine, as I use it for more than just the cameras.

It seems to me the easiest solution would be to create two vlans on the 8411 router using the Omada OC300 controller. That way we don't have to introduce another router. What am I missing? (That's a serious question because I'm not a network guru by any stretch of the imagination... just thinking out loud.)
 
Maybe I need to explain that APs can be used in reverse, creating a wired network from a wifi connection.
The ER605 looks like it should either live in the utility room or the house-office area before the 10 port switch. The application of this router would be called a bridging router instead of what you normally see as an internet router which is connected to your C-Spire ONT.
 
Yeah... that's what I'm not really understanding.

Is this correct for Option 1?

View attachment 198867
Yes, that will work, because your switch/node count is 3.

The second one works just as well with a switch/node count of 2.
The only thing I would have to work on is play with a network calculator because that router doesn't need to connect 2048 machines. I know it would work even though I did it in my head, but I imagine I could find a network scheme with less possible connections. When you run all switches you don't have a network clock and adding the AP or a router will provide that because the network clock does not go past 3 switches/nodes.
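
The sizing that the last post leaves to a network calculator can be done with Python's `ipaddress` module. This is an added example, not part of the thread: it picks the smallest 10.20.10.x subnet for the internet-seeking devices behind the router and checks that it does not overlap the home or camera ranges. The /24 and /21 prefix lengths and the helper names are assumptions.

```python
import ipaddress

# Networks named in the thread; the /24 prefix lengths are an assumption
# read from the "xxx" notation, not something the posters stated.
EXISTING = {
    "home": ipaddress.ip_network("192.168.0.0/24"),
    "camera": ipaddress.ip_network("10.11.12.0/24"),
}


def smallest_subnet(base, devices):
    """Smallest network containing `base` that fits `devices` hosts plus the router's LAN address."""
    needed = devices + 1 + 2  # hosts + gateway + network and broadcast addresses
    prefix = 32 - (needed - 1).bit_length()
    return ipaddress.ip_network(f"{base}/{prefix}", strict=False)


def overlapping(candidate, existing=EXISTING):
    """Names of existing networks whose address space the candidate shares."""
    return [name for name, net in existing.items() if candidate.overlaps(net)]


def usable_hosts(net):
    """Assignable addresses, excluding the network and broadcast addresses."""
    return net.num_addresses - 2


if __name__ == "__main__":
    # One internet-seeking device (the MyQ gate controller) behind the router.
    lan = smallest_subnet("10.20.10.0", devices=1)
    print(lan, "usable:", usable_hosts(lan), "overlaps:", overlapping(lan))
    # An 11-bit host range holds the 2048 addresses the post mentions (/21 is an assumption).
    wide = ipaddress.ip_network("10.20.10.0/21", strict=False)
    print(wide, "addresses:", wide.num_addresses)
    # A pool carved out of the camera range would defeat the isolation.
    print(overlapping(ipaddress.ip_network("10.11.12.128/25")))
```

A narrow pool also limits how many extra devices can pick up an address if someone plugs into the switch at the gate, which is the exposure raised earlier in the thread.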