Sorting Out How to Fix This Network

MrSurly

Ok, brief background: started on the BI trip a few months back and got it working well enough for a trip I had coming. I set up OpenVPN in the router, worked super. I put in Dual NICs and reconfigured the physical network such that the cam net is completely isolated from the world except through my VPN. When I did that I LOST functionality of my WiFi stuff in the shop etc. but it didn't matter at the time. Now that I'm back home, I need to sort out what's needed to make everything work.
At issue is the need to broadcast my home LAN over two separate Access Points for TVs, door openers etc., hopefully without having to pull even more cable. The APs were operational before I (finally) implemented my cam net as a secure system using a fixed IP, dual NIC etc. At this time, the cabling that goes to the areas where the APs are is strictly cam net and isolated from the Home LAN (and the internet). You guys probably have the trick I need to get my WiFi network everywhere. Here is a (TOO LARGE) drawing with the physical layout. I have 12 cams so far, an 8TB drive (and another 10TB).
P.S. the switch is a V7 managed PoE switch that I am NOT managing but could go that route if making it managed is the way to go.
 


sebastiantombs

Looking at your diagram, your access points are on the private LAN and need to be on the public LAN. Either plug them directly into the router or into a switch for the public LAN and you'll be good to go.

Hope your trip went OK.
 

MrSurly

Yes, I figured I could run more cable out to the shop and through the crawlspace; what I’m trying to learn is what alternatives might work without pulling more cable.
1. Is there any benefit to using the V7 switch as a “managed” switch? I’m thinking I could run one cable through the crawlspace from the router to the switch and then magically have the switch route just the APs to the router without co-mingling with the camnet? Create a VLAN?

Another thought: the Cat6 that goes out to the shop... is it feasible to utilize the “splitter” devices I’ve seen mentioned to split that cable into two network feeds out to the shop that connect to the switch (cams) and the AP (homelan)?
Is there something that allows a way to do similar?
 

sebastiantombs

I'm not an expert with VLANs, but a managed switch with a VLAN for the cameras should be able to be configured to forward traffic from devices that need public LAN access and still block the cameras. Exactly how that would be configured, I'm not sure, but it should be able to be done.

Splitting the pairs on the garage cable would be another option, but violates spec. That really doesn't matter since you're not "certifying" the installation for anyone. It also introduces some crosstalk which could become problematic, but I doubt it really would.
 

Brendon06

Without running an extra cable, VLANs will be your best bet.
Not sure how a splitter would work; I have no experience with them.

Your access point in your spare bedroom looks like it could be connected directly to the router instead of the V7 switch, as you have 2 cables already drawn, so one would go from your camera PC network to the V7 switch and the other would go from the router to the access point via a cable joiner or similar.

However, the shop access point will be isolated to the cam LAN as long as that switch is connected that way.
You could connect everything to the router with static IPs on camera nodes and firewall those specific IP addresses, but that is a quick fix (not so quick if you have to learn how to implement a firewall properly first) and not really ideal.

My not-so-pretty picture hopefully may help as to how a VLAN may work for you; it is fairly similar to my network at home.
 


MrSurly

Thanks so much for this. You've illustrated where my largest fail-of-thought was occurring; I will need to ADD a managed switch in the computer room in order to implement a VLAN properly.
That makes more sense.
I would also need to swap out the current 'dumb' switch in the shop for a managed version.
So now my dilemma is boiled down somewhat to option 1: get two VLAN capable switches (comp room and shop) and configure VLANs OR
Option 2: pull one new cable in the shop conduit from shop switch to V7 switch. Re-purpose existing shop cable as router to AP. Re-purpose existing crawlspace cable as router to bedroom AP with a splice, bypassing V7.

Option 1 costs *some money (buy two managed switches).
Option 2 is free (just a PITA) and bonus: maintains effective isolation of CAMNET.

Leaning pretty heavily towards #2
 

Brendon06

If pulling a cable is a real PITA, consider using a wireless bridge like the Nano Loco M5.
Yes, this would definitely be the easiest way to sort your problem: no wire to run and no VLANs to configure.

If you run an extra cable, it would be cheapest, and if you ever did reconfigure your network with VLANs or something, you would at least have a redundancy or dual trunk, so it wouldn't be a bad thing either.

Just a thought (now that it's not midnight and I've had some sleep): if your TP-Link access point will allow you to manually tag the VLAN in the Ethernet settings, you could set up a VLAN on the router, plug everything into there, and have the router tag anything that is untagged the way it normally would, and you manually tag the access points. That way you could keep your "dumb" switch, if this makes sense.

Edit: some dumb switches will strip VLAN tags and others will pass them through. I forgot to mention this, as mine passes them on to the router.
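The tagging scheme in the last post, modelled as an added example (not code from the thread or from any vendor): it builds 802.1Q-tagged and untagged Ethernet frames and shows which VLAN the router assigns them to when the unmanaged switch passes tags versus strips them. The VLAN IDs, MAC addresses and the choice of the camera network as the router port's untagged VLAN are constructed assumptions.

```python
import struct

TPID_8021Q = 0x8100            # EtherType value that marks an 802.1Q tag
CAM_VLAN, HOME_VLAN = 10, 20   # constructed VLAN IDs, not from the thread
ROUTER = bytes.fromhex("020000000001")  # constructed locally administered MACs
AP = bytes.fromhex("020000000002")
CAMERA = bytes.fromhex("020000000003")


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Build an Ethernet II frame, optionally carrying an 802.1Q tag."""
    header = dst + src
    if vlan is not None:
        # TCI = 3-bit priority, 1-bit DEI, 12-bit VLAN ID (priority/DEI left 0)
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


def vlan_of(frame):
    """Return the VLAN ID carried in the frame, or None if it is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def switch_passes_tags(frame):
    """Unmanaged switch that forwards frames unchanged."""
    return frame


def switch_strips_tags(frame):
    """Unmanaged switch that removes the 4-byte tag before forwarding."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


def router_classify(frame, native_vlan=CAM_VLAN):
    """Router port: untagged frames fall into the port's untagged VLAN."""
    tagged = vlan_of(frame)
    return native_vlan if tagged is None else tagged


def landing_vlans(switch):
    """VLAN the router assigns to AP and camera traffic arriving via `switch`."""
    ap_frame = build_frame(ROUTER, AP, 0x0800, b"wifi client data", vlan=HOME_VLAN)
    cam_frame = build_frame(ROUTER, CAMERA, 0x0800, b"camera stream")
    return {"ap": router_classify(switch(ap_frame)),
            "camera": router_classify(switch(cam_frame))}


if __name__ == "__main__":
    print("passes tags:", landing_vlans(switch_passes_tags))
    print("strips tags:", landing_vlans(switch_strips_tags))
```

With a tag-stripping switch the access point's traffic lands in the same VLAN as the cameras, so the isolation depends on confirming which behaviour the switch actually has.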
 