VLANs, Netgear Switch only to PC 2nd Ethernet Jack

Joined
Aug 23, 2019
Messages
7
Reaction score
2
Location
United States
First time setting up a system and attempting this level of network setup... Question regarding VLANs.

I have all cameras connected to 1 Netgear PoE switch, which is then connected to my PC's 2nd ethernet port. According to Netgear, all cameras must be members of the switch's built-in camera VLAN group, so I have all cameras, plus my PC, as a member of the camera VLAN. The PC is also the only member of the other "default" VLAN because without that membership, I can't connect/admin the switch.

My problem is I had not been able to connect to my camera (only 1 Dahua connected for testing) until trying something new: added the camera's switch port to the "default" VLAN, so it is now a member of both the camera VLAN and the default/admin VLAN like the PC. Now I can detect the camera! Woohoo! My question, though, is if this is a correct / smart setup. It seems to defeat the purpose of having the camera on its own VLAN if it is a member of the other VLANs -- no? Or maybe a broader question is, if my switch is ONLY dedicated to my PC and cameras with no direct access to my router/internet, do I even need to worry about VLANs for security/network traffic purposes?

By the way, by VLAN membership, I mean the PC and the camera both are marked as "untagged" ("U") in the switch's VLAN setup pages.

Thank you and sorry for my ignorance on this subject.
 

Hammerhead786

Pulling my weight
Joined
Apr 23, 2018
Messages
248
Reaction score
165
First time setting up a system and attempting this level of network setup... Question regarding VLANs.

I have all cameras connected to 1 Netgear PoE switch, which is then connected to my PC's 2nd ethernet port. According to Netgear, all cameras must be members of the switch's built-in camera VLAN group, so I have all cameras, plus my PC, as a member of the camera VLAN. The PC is also the only member of the other "default" VLAN because without that membership, I can't connect/admin the switch.

My problem is I had not been able to connect to my camera (only 1 Dahua connected for testing) until trying something new: added the camera's switch port to the "default" VLAN, so it is now a member of both the camera VLAN and the default/admin VLAN like the PC. Now I can detect the camera! Woohoo! My question, though, is if this is a correct / smart setup. It seems to defeat the purpose of having the camera on its own VLAN if it is a member of the other VLANs -- no? Or maybe a broader question is, if my switch is ONLY dedicated to my PC and cameras with no direct access to my router/internet, do I even need to worry about VLANs for security/network traffic purposes?

By the way, by VLAN membership, I mean the PC and the camera both are marked as "untagged" ("U") in the switch's VLAN setup pages.

Thank you and sorry for my ignorance on this subject.
What model is your POE switch and do you know if it is capable of doing Layer 3 routing? I have a HP POE switch and I have 3 vlans set up on it. One vlan goes to my home router, one vlan is for the Blue Iris pc and the last vlan is for the cameras. The Blue Iris pc has internet connectivity for update and maintenance purposes and traffic from the cameras is only allowed to go to that pc. They cannot connect to the internet.

If you don't want internet connectivity to the pc or the cameras, then you don't really need to set up the vlans, however, this means that you cannot access your cameras externally from your network.

Not everyone can be a subject matter expert. We all were "ignorant" at one time or another. Life is a learning process, no matter how old you are. Ask and ye shall find.
 
Joined
Aug 23, 2019
Messages
7
Reaction score
2
Location
United States
What model is your POE switch and do you know if it is capable of doing Layer 3 routing? I have a HP POE switch and I have 3 vlans set up on it. One vlan goes to my home router, one vlan is for the Blue Iris pc and the last vlan is for the cameras. The Blue Iris pc has internet connectivity for update and maintenance purposes and traffic from the cameras is only allowed to go to that pc. They cannot connect to the internet.

If you don't want internet connectivity to the pc or the cameras, then you don't really need to set up the vlans, however, this means that you cannot access your cameras externally from your network.

Not everyone can be a subject matter expert. We all were "ignorant" at one time or another. Life is a learning process, no matter how old you are. Ask and ye shall find.
Thank you. Although connecting straight switch-to-PC has some of its own setup challenges, it seemed like a more bulletproof way to avoid security issues for someone at my knowledge level. My understanding is I won't be able to connect to the cameras from some of the web interfaces (outside home network) but can still use the mobile version of Blue Iris talking to my PC's BI client -- is that not true? I don't need advanced management ability while away from home, just to see camera feeds and can review details from recordings stored once home.

Switch = Netgear GS324TP. Here is how Netgear describes its layer capabilities. "Fully Managed. Fully Managed switches offer all the features of Smart Managed Plus switches with additional Layer2 (switching) and Layer 3 (routing) functionality. Advanced Layer 2 features include granular traffic shaping (using ACLs) and scalable deployment options (using L2/L3 DHCP relay agents). Network Access Control offers tiered authentication with 802.1x defaulting on MAB defaulting on captive portal. Advanced Layer 3 features include resilient and load-balanced static routing (all series) or dynamic routing (RIP, VRRP, OSPF, PIM available in some series)."
 

Hammerhead786

Pulling my weight
Joined
Apr 23, 2018
Messages
248
Reaction score
165
Thank you. Although connecting straight switch-to-PC has some of its own setup challenges, it seemed like a more bulletproof way to avoid security issues for someone at my knowledge level. My understanding is I won't be able to connect to the cameras from some of the web interfaces (outside home network) but can still use the mobile version of Blue Iris talking to my PC's BI client -- is that not true? I don't need advanced management ability while away from home, just to see camera feeds and can review details from recordings stored once home.

Switch = Netgear GS324TP. Here is how Netgear describes its layer capabilities. "Fully Managed. Fully Managed switches offer all the features of Smart Managed Plus switches with additional Layer2 (switching) and Layer 3 (routing) functionality. Advanced Layer 2 features include granular traffic shaping (using ACLs) and scalable deployment options (using L2/L3 DHCP relay agents). Network Access Control offers tiered authentication with 802.1x defaulting on MAB defaulting on captive portal. Advanced Layer 3 features include resilient and load-balanced static routing (all series) or dynamic routing (RIP, VRRP, OSPF, PIM available in some series)."
You will need some form of network connectivity be it Wi-Fi or network to use the mobile version. Your switch does support L3 routing which is great because you could set things up the same way as I have. If you need some assistance let me know. Btw love your username because it describes me to a T.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I'm not following your logic on the dual nic BI pc setup. Normally, with such a setup, you simply connect:
1 NIC BI to your LAN (+ WAN)
1 NIC BI to your (standalone) POE switch towards your cameras.

By doing so:
- only BI pc can access the cams
- the cams cannot phone home to the internet
- only BI is accessible from LAN/VPN.

Now you are combining the "advanced" layout (through vlans) to separate the POE/CAM LAN from your home LAN. Combined on a dual NIC setup. That is ... getting much more complicated than required.

What I would do, in your case:
- NIC 1 BI pc: vlan 100 (LAN) with an IP (for example) 192.168.100.50. Gateway on your Netgear (192.168.100.1)
- all your cams in vlan 200 (CAMLAN) with an IP (for example) 192.168.200.10 - 11 - 12 etc) Gateway on your Netgear (192.168.200.1)
- allow in your netgear routing table ONLY traffic from 192.168.100.50 towards 192.168.200.10-11-12 etc.
- allow in your netgear routing table ONLY traffic from 192.168.200.10-11-12 etc towards 192.168.100.50
- "deny all" on all others

In any case, do NEVER give cams access to vlan 1, then you "downgrade" your POE managed switch to a "dumb" switch.

Will the above be easy? You might be lucky if your BI pc NIC is vlan tagging capable, then you can set 2 ip stacks on the NIC (one in vlan 100 and one in vlan 200 for the CAM LAN access, so you don't have to mess with firewall/routing rules).

Good luck!
CC
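The allow-list that the post above lays out (BI pc to each camera, each camera back to the BI pc, "deny all" for everything else) is easy to get subtly wrong on a stateless switch ACL, so here is a small Python model of it. This is an added example, not part of the thread and not Netgear's configuration syntax: it evaluates sample flows against the rule list in first-match order the way a stateless L3 ACL would, and audits that no camera can reach anything but the BI pc. The addresses 192.168.100.50 and 192.168.200.10-12 are the post's own examples; the LAN neighbour 192.168.100.20 and the outside address 203.0.113.7 are constructed for the check.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the post: BI pc in vlan 100, cameras in vlan 200.
BI_PC = ipaddress.ip_address("192.168.100.50")
CAMERAS = [ipaddress.ip_address(f"192.168.200.{h}") for h in (10, 11, 12)]

# Constructed "everything else" hosts used only to probe the policy.
LAN_NEIGHBOUR = ipaddress.ip_address("192.168.100.20")   # another PC on the home LAN
OUTSIDE_HOST = ipaddress.ip_address("203.0.113.7")       # a camera "phoning home"

ANY = ipaddress.ip_network("0.0.0.0/0")


def host(ip):
    """A /32 network for a single host, so 'in' works uniformly below."""
    return ipaddress.ip_network(f"{ip}/32")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def build_rules():
    """The post's policy as an ordered, first-match, stateless rule list.

    A stateless ACL sees each direction separately, which is why the post
    lists BOTH pc->cam and cam->pc: without the reverse rule the camera's
    replies (RTSP video, HTTP responses) would hit the final deny.
    """
    rules = [Rule("allow", host(BI_PC), host(cam)) for cam in CAMERAS]
    rules += [Rule("allow", host(cam), host(BI_PC)) for cam in CAMERAS]
    rules.append(Rule("deny", ANY, ANY))            # explicit "deny all" last
    return rules


def evaluate(src, dst, rules=None):
    """Return the action of the first rule matching src->dst (implicit deny)."""
    rules = build_rules() if rules is None else rules
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


def cameras_isolated(rules=None):
    """Audit: every camera may talk to the BI pc and to nothing else we probe.

    Camera-to-camera traffic inside vlan 200 never crosses the L3 boundary,
    so the ACL cannot block it; it is included only to show what the router
    would do if such a packet were routed.
    """
    rules = build_rules() if rules is None else rules
    probes = [LAN_NEIGHBOUR, OUTSIDE_HOST] + CAMERAS
    for cam in CAMERAS:
        if evaluate(cam, BI_PC, rules) != "allow":
            return False
        for target in probes:
            if target != cam and evaluate(cam, target, rules) == "allow":
                return False
    return True


def missing_reverse_rules():
    """Demonstrate the common mistake: only the pc->cam direction allowed."""
    rules = [Rule("allow", host(BI_PC), host(cam)) for cam in CAMERAS]
    rules.append(Rule("deny", ANY, ANY))
    # With no cam->pc rule, the camera's replies are dropped.
    return evaluate(CAMERAS[0], BI_PC, rules)


if __name__ == "__main__":
    for src, dst in [(BI_PC, CAMERAS[0]), (CAMERAS[0], BI_PC),
                     (CAMERAS[0], OUTSIDE_HOST), (LAN_NEIGHBOUR, CAMERAS[0])]:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
    print("cameras isolated:", cameras_isolated())
    print("reply with reverse rule missing:", missing_reverse_rules())
```

Run it as a script and it prints the verdict for each probe; the `missing_reverse_rules` function shows why the post spells out both directions.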
 

civic17

Getting the hang of it
Joined
Dec 7, 2018
Messages
175
Reaction score
60
Location
Canada
Netgear has detailed write ups on their support pages on how to set up VLANS.
 
Joined
Aug 23, 2019
Messages
7
Reaction score
2
Location
United States
I'm not following your logic on the dual nic BI pc setup. Normally, with such a setup, you simply connect:
1 NIC BI to your LAN (+ WAN)
1 NIC BI to your (standalone) POE switch towards your cameras.

By doing so:
- only BI pc can access the cams
- the cams cannot phone home to the internet
- only BI is accessible from LAN/VPN.
Sorry for any confusion. Photo should clarify, I believe your description is exactly how I've set everything up, not the more complex way.
 


catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Well, after re-reading this thread completely, I still do not understand why you would have opted for a dual-NIC BI pc. If you pull ONE cable from the POE switch into the Vlan capable router, you put all the vlans in the CAM-vLAN. Then you tag both your "LAN" and "CAMvLAN" on your BI pc's network card, then BI pc can get both to internet AND to the cams, without having to mess around with routing rules and firewall stuff. If your BI pc, for whatever reason, cannot work with vlan tagging, you put VLAN LAN on NIC 1, and CAMvLAN on NIC 2. Easy peasy.

Good luck!
CC
 