ASUS LAN subnet filtering/isolation

[BubbleOBill]

Hi, I have a ASUS routers (AX58U) that does not have vlan support. I’m looking to isolate a video doorbell and some security cameras that are connected via ethernet cable to an unmanaged POE switch. This switch is connected to the ASUS router, which in turn is connected to the NBN box.

Ideally I would like to create two subnets: one for my home network and the other for the cameras. Then create firewall rules to isolate those subnets from each another. Looking at the ASUS manual it seems the firewall only allows white listing of IPs rather than block. The other option is the Network Services Filter which seems to only filter LAN to WAN data so it won’t filter LAN subnets.

Any help appreciated. Thanks
Thanks

 

[bennor]

Maybe the following VLAN discussion is of relevance to your question:

Tutorial - How to use VLANs on your non-pro Asus router with 386 or 388 code (no scripting required)

With 386 and 388 code base, you can make use of two built in VLANs (plus the main LAN VLAN 1) to further segment your wired and wireless network, even on non-pro models. This definitely works in router mode on all models that support AIMESH and these code versions. From what I have seen (but...

www.snbforums.com

 

[bbunge]

The easy way is to assign static ip addresses to your cams and NBN box in a different subnet. If the main router is 192.169.50.1 use 192.168.51.0/24 addresses for the cams. There will be no gateway thus no Internet access for the clients using 192.168.51.0/24 addresses but they will be able to talk to each other. To manage that subnet give a client in the 192.168.50.0/24 subnet a second IP address in the 192.168.51.0/24 range. No firewall rules are needed.

 

[ColinTaylor]

I believe post #3 above had a typo. It said 192.169.50.1 when it should have said 192.168.50.1. I think the suggestion was to have your main LAN as the Asus default (192.168.50.0/24) and hard-code the addresses of the cameras in the 192.168.51.0/24 address range. I can't say I like this solution but it will probably work provided nothing in the "fake" 192.168.51.0/24 network uses broadcast traffic.

 

[BubbleOBill]

I believe post #3 above had a typo. It said 192.169.50.1 when it should have said 192.168.50.1.

That helps

hard-code the addresses of the cameras in the 192.168.51.0/24 address range.

Will the router recognise another subnet other than its default as standard home routers do not support multiple subnets.

To manage that subnet give a client in the 192.168.50.0/24 subnet a second IP address in the 192.168.51.0/24 range. No firewall rules are needed.

By client you mean a NIC that you can assign a second IP in Linux based on your past responses on other threads. Is it true isolation if NIC can communicate to both subnets? Also, the “fake” ip address assignment of the cam on another subnet will not be recognised by the router. This method is not compatible with my current hardware setup.

 

[ColinTaylor]

I can do that but the ASUS DHCP will complain it’s not within 192.168.50.0/28

You wouldn't be using Asus' DHCP, that's the point. The IP addresses will be statically configured in the network adapter settings of each camera.

I’m only aware of the routers default subnet. I would assume it’s best to assign default gateway of camera the same as its IP address to block internet access/broadcast traffic

The suggestion was to not use a default gateway at all.

 

[BubbleOBill]

The suggestion was to not use a default gateway at all.

If you leave the default gateway field blank in the camera's network settings, there's a chance that it might automatically assign the correct default gateway based on the network configuration.

Also, assigning a “fake” ip address in a “fake” subnet that a standard home router will not recognise is a problem.

 

[BubbleOBill]

Maybe the following VLAN discussion is of relevance to your question:

Tutorial - How to use VLANs on your non-pro Asus router with 386 or 388 code (no scripting required)

With 386 and 388 code base, you can make use of two built in VLANs (plus the main LAN VLAN 1) to further segment your wired and wireless network, even on non-pro models. This definitely works in router mode on all models that support AIMESH and these code versions. From what I have seen (but...

www.snbforums.com

Unfortunately my router and my switch do not support vlan

 

[ColinTaylor]

If you leave the default gateway field blank in the camera's network settings, there's a chance that it might automatically assign the correct default gateway based on the network configuration.

Also, assigning a “fake” ip address in a “fake” subnet that a standard home router will not recognise is a problem.

I'll leave @bbunge to explain his post rather then me putting words in his mouth.

If you can't use his suggested solution then you cannot achieve your objective without buying some additional hardware.

 

[BubbleOBill]

I'll leave @bbunge to explain his post rather then me putting words in his mouth.

While waiting for bbunge to reply you are welcome to give an opinion if you like. I’m sure others here, including myself, will be interested in learning more about this subject.

At this stage getting new hardware seems to be the way forward.