Asus RT-AX82U: Trying to find a way to isolate security cameras

[smartbits]

I will be getting a security camera system. Here is the basic setup:
NVR will be connected directly to my router via ethernet
The app that I will use on my phone will connect to my guest network.

This app needs to be able to communicate with my NVR in order for me to view camera footage on my phone. Is there a way for me to have a wired device, such as the NVR connect directly to my guest network? I couldn't find any advanced network settings. I'd like to isolate both the NVR and the app from my main network.

 

[degrub]

Make sure the cameras are hard wired, remotely powered over LAN or coax , and communicate either over CAT5e/CAT6 LAN cable or RG59/6 coax to the NVR. NVR or power injectors can supply the power. Wireless cameras are easily blocked by wifi jammers that are readily available.

Single LAN cable to the NVR from your LAN. Use VLANs in the router and switch to isolate access to the NVR and restrict which devices can access.

 

[smartbits]

Make sure the cameras are hard wired, remotely powered over LAN or coax , and communicate either over CAT5e/CAT6 LAN cable or RG59/6 coax to the NVR. NVR or power injectors can supply the power. Wireless cameras are easily blocked by wifi jammers that are readily available.

Single LAN cable to the NVR from your LAN. Use VLANs in the router and switch to isolate access to the NVR and restrict which devices can access.

My router has vlan tagging for IPTV but that's it. I guess there is no way to force a wired device onto a guest network?

If not, what are my options to separate the entire security system from my main network? I'm guessing a second router would work. What about an unmanaged switch that has VLAN functionality?

 

[degrub]

The most secure, reliable architecture is : Camera(s) ---> NVR --> LAN. What you put between the NVR and the cameras doesn't matter as long as it is hardwired and not connected to your LAN.

You don't need a second router usually. Do the cameras need an IP address ? or are they addressable by the NVR port they plug into ? Where do the cameras get power from ?
Since there is no information on the camera / NVR system, it is hard to speculate what is needed.

 

[Analog-1]

Use VLANs in the router

I don't think his model router supports Vlan's.

 

[CaptainSTX]

My router has vlan tagging for IPTV but that's it. I guess there is no way to force a wired device onto a guest network?

If not, what are my options to separate the entire security system from my main network? I'm guessing a second router would work. What about an unmanaged switch that has VLAN functionality?

Using an inexpensive smart switch such as the TP-Link SG108E would allow you to set up port based VLANs. This will be much cheaper than purchasing a AX86Pro or AX88Pro which allow wired clients to connect to guest network VLANs.

Depending on your skills it might be possible to write a script for VLANs on your existing router.

 

[smartbits]

The most secure, reliable architecture is : Camera(s) ---> NVR --> LAN. What you put between the NVR and the cameras doesn't matter as long as it is hardwired and not connected to your LAN.

You don't need a second router usually. Do the cameras need an IP address ? or are they addressable by the NVR port they plug into ? Where do the cameras get power from ?
Since there is no information on the camera / NVR system, it is hard to speculate what is needed.

I don't think I've thought this through enough. I was worried about either the cameras being hacked or the app being insecure but I think the cameras will be fine sine they will be hardwired. So maybe all I need to worry about is the app. Maybe I'll look into Wireguard or tailscale as a way to allow the app (connected to a device on a guest network) to communicate with the NVR.

Sorry for not providing more details. A friend of mine is helping me install it and he is getting me an off brand Hikvision security system. I don't have the model number but I know that it's tvi, not IP cameras so I don't think they need an IP address. I believe the cameras are power over ethernet.

 

[bbunge]

There is a relatively simple way to do what you want. However, it depends on setting a virtual interface in the NVR. I have done this with a Linux box set up as an NVR with the main IP address, such as 192.168.50.4, and a virtual IP address, such as 192.168.100.2. The cams were on the same physical Ethernet but each was assigned a static IP address in the range of the NVR virtual address.
Now I do not bother with the cams on a different subnet. All my cams are on a PoE managed switch as well as the NVR, in my case running Zoneminder. I keep the cams firmware updated and all have static IP addresses.

 

[smartbits]

Using an inexpensive smart switch such as the TP-Link SG108E would allow you to set up port based VLANs. This will be much cheaper than purchasing a AX86Pro or AX88Pro which allow wired clients to connect to guest network VLANs.

Depending on your skills it might be possible to write a script for VLANs on your existing router.

Thanks. I'll look into this.

 

[smartbits]

There is a relatively simple way to do what you want. However, it depends on setting a virtual interface in the NVR. I have done this with a Linux box set up as an NVR with the main IP address, such as 192.168.50.4, and a virtual IP address, such as 192.168.100.2. The cams were on the same physical Ethernet but each was assigned a static IP address in the range of the NVR virtual address.
Now I do not bother with the cams on a different subnet. All my cams are on a PoE managed switch as well as the NVR, in my case running Zoneminder. I keep the cams firmware updated and all have static IP addresses.

When I get the NVR, I'll check if I have this option.