Home Business setup with vlans and security cams


klinkenok

Hi all, I'm new to the forum and would appreciate some help with configuring my RT AC66U (merlin v380.70) and Cisco 3560 POE24 (IOS v12.2.55-SE12) to work together in a multi vlan topology. I have been spending literally weeks researching and trying to do it myself unsuccessfully and recently had to grab a bit of life back and flatten my network out to one subnet whilst I get help. Consequently as it is (all on 192.168.1.0/24) it is slow and insecure. Hence why I am here. I realise my requirements are rather demanding but the folk here seem very helpful so...

A quick description so you can understand my requirements:

I need multi vlans because I want to isolate my security cams, ipdoorbell and associated android chimers (old phones dedicated to ipdoorbell video/audio/chiming only) on a vlan separate from the general house/nvr and studio business networks. I want to block the cams from accessing the internet and/or infecting the network. I'd like the NVR (Blue Iris and OpenHAB on a dedicated box which has overhead left for other server duties if needed) to be on its own vlan or on the management vlan but getting streams exclusively from the cams. Then I need to access Blue Iris via openvpn/BI android app globally from various non-secure locations hotels/cafes etc.

House and business also need to be isolated from each other due to the sensitive nature of my studio business. I need the studio network secure but quietened from busy cam and other house traffic so as to not disrupt my timing sensitive audio/midi networks. Occasionally my workstations (WS) need internet access for authorisations but think this should be through a vpn (doesn't need to be fast). However the lan communication between WS on their own vlan needs to be ultrafast for audio/midi. In fact Dante and similar nets require you to setup a voice vlan type topology.

Ideally I would like to be able to access home and management vlans from my online machine in the studio either via vpn or the switch.

I should also mention there is only one ethernet cable from the ASUS/CISCO cabinet to the basement studio where there are pcs and devices that need to be on various vlans so my topology can't be solely physical port based. Also there is a global cache GC100 in the studio (essential for HDMI switching) that has old firmware allowing it to ONLY be on one fixed and unchangeable ip 192.168.1.70.

And my ipdoorbell can only be given an ip from a server, you can't set a fixed ip internally.

Location is all Windows 10/android machines except one ipad and hackintosh in the studio.

Basic topology: TPLink ADSL2 modem (bridge mode) > wan port Asus RT AC66U, lan port > Cisco L3 switch where house and cams have their own ports > 1 port/cable goes to TPLink SG3216 L2 router in basement studio with studio net and more house devices and studio Wireless AP running off that. Please see attached diagram for more detail.

I have successfully setup these: (albeit on my current flattened network)

1. Asus as Entware based NTP server, all devices set to its ip where possible.
2. Asus as DHCP and OpenVPN server with fixed ips assigned for most devices. My vpn clients on NVR, online studio WS and phone are working using a non common subnet 192.168.254.0/24 to avoid clashes abroad.
3. Envisalink alarm communicator, opensprinkler and Blue Iris are all communicating to their corresponding apps on my Galaxy7 phone, on LAN in the house and WAN when away. Via my VPN (I think?)
4. Blocked the cams from internet by clicking on the client icon in Asus gui main page and enabling the Block from Internet switch (I read this may not be thorough enough now)

What I need help with:

So access and functioning of all my devices is all working BUT all in a non-isolated, busy/slow, non-secure topology. I have to separate and isolate using vlans. I can't stress enough how important it is to secure and quieten my studio network (it's a contractual requirement), from the cams and IOT devices plus the home network. So even if I paid a consultant to configure the Cisco/Asus I would still need to know how it works so I can maintain it. I think I have got pretty close but the CLI/linux nature of the config on both the asus and cisco has beaten me so far. I am a fast learner, given the right path :)

When I have created separate vlans in Cisco as per diagram, the following issues are present:

I have made numerous attempts to configure the cisco with network assistant (I am better with a gui) and CLI to no avail. I can't get my NVR to see my cams nor can Blue Iris server machine access internet/vpn.

What I can deduce (perhaps I'm wrong) is that I need the Asus to be able to see (dhcp serve and reserve ips to some) all devices on all vlans in order to be the openvpn server and to also route them (except cams) to the internet within and outside the vpn where required.

In other words I need help with the CLI commands to setup and serve ip on the asus router for multi vlans whilst keeping it as the openvpn and ntp server (as per the diagram). I guess these vlans are also defined in the cisco switch (and the studio TPlink L2 as well?) to correspond. I can go to the Routing forum to get help on the cisco part.

Maybe this could be achieved by making the cisco the dhcp/ip server instead of the asus? So that each vlan is properly served ips and given selected access to other machines and/or the internet?

I tried Private vlans in the cisco (via gui) but it crashed. It may not have the license for it.

Maybe I could have a policy based routing topology because my network is pretty fixed, I can make an entry for every machine as I add plus a dhcp pool in the house for phones. However it has to be fast and secure in the studio net and I thought vlans were better for that.

I would really appreciate whatever suggestions you have. I feel like it's just some basic things in the complex world of CLI that hasn't clicked yet. See diagram below.

Note: I have edited my original image here and updated to v2. Updated again, to v3 to have vlans (except vlan1) in multiples of 10. IOT devices are now on management vlan 20 along with NVR.

[Attached diagram: FilmSonicNetwork3a.png]
 
Last edited:
Maybe this could be achieved by making the cisco the dhcp/ip server instead of the asus? So that each vlan is properly served ips and given selected access to other machines and/or the internet?

You’re on the right track, but your post deserves a more detailed answer than that, I’ll edit later or make another comment.

Just want to give you some quick feedback, and I’m amazed by the effort you’ve already put into this. This sub needs more post like this.
 
Wow thanks! Looking forward to your response. I think I'll have another look at the diagram because I made it in the beginning before I learnt more, I put my cams on the vpn subnet thinking that was necessary. Also since you're a regular, do you think this is the right subforum given that there is cisco assistance needed as well? Would it be rude to continue with talk on the cisco here? I am prepared to spend up to AUD$600 on another upstream router instead of the asus (and just use it as an AP). Maybe I could even go straight from the TPLink ADSL modem to the Cisco?
 
Last edited:
I have updated my diagram with new ip and vlan values and inserted back in the original post. I haven't yet changed the Cisco to be the DHCP ip server because I don't think it can be an OpenVPN server, and I think the asus depends on being the master dhcp/ip server in order to be the OpenVPN server. Is this the case?

I have assumed that:

1. a management vlan (my case vlan 2) is the subnet for all switches, routers and APs even when the devices running off those devices are on different vlans. Is this correct?
2. My NVR and OpenHAB server (bottom of diag), which has the potential to be a main DHCP server, firewall etc should be on vlan 2 to reduce traffic on other nets since all the cams are streaming exclusively to it from vlan 4 (which is restricted from internet access). But I am in a dilemma because to be an OpenHAB server it should be on the same subnet as all house IOT devices, opensprinkler, Envisalink...maybe I should move all those to vlan 2?
3. I put the NVR server off the hub (1st point in basement) because I wanted to keep it in basement. However this isn't necessary, I can put it up in the cabinet with the Asus and Cisco so it can have its own physical port off the Cisco. Would that help?
 
Last edited:
I need help with the CLI commands to setup and serve ip on the asus router for multi vlans whilst keeping it as the openvpn and ntp server (as per the diagram). I guess these vlans are also defined in the cisco switch (and the studio TPlink L2 as well?) to correspond. I can go to the Routing forum to get help on the cisco part.

If you have £350 to purchase suitable hardware to supplement/replace the RT-AC66U/v370.70 then this may be the preferred solution.;)

However, if you wish to retain the RT-AC66U then (as per your diagram) you need to configure switch port 1 on the RT-AC66U as a trunk port for the appropriate VLANs.

I created VLANSwitch.sh script for my environment:
How to segment my network (VLANs, UTM, Cascading)
IoT VLAN Netdata graph
and it may not (initially) work on the RT-AC66U (it is biased towards the RT-AC68U and the 384.xx firmware etc.) but you can give it a Beta test....

NOTE: On the Asus it is recommended that you create custom VLANs numbered 10 or above to avoid clashes with reserved Asus VLANs.

e.g. As a test create say vlan80 on the Cisco then map vlan80 to switch port 1 on the RT-AC66U
Code:
./VLANSwitch.sh   80   1   autodnsmasq
If you then plug in a device into the port hosting vlan80 on the Cisco then it should acquire an I/P address (in range 192.168.80.2-20) and allow access to the internet.
Code:
./VLANSwitch.sh   80   status
If it works then you would perform the following (NOTE: you may need to check the assigned subnets) to give your existing VLANs WAN access etc.

e.g. IPCams=30,Doorbell/Chimers=40 and Studio=50 etc.
Code:
./VLANSwitch.sh   30   1    nodnsmasq
./VLANSwitch.sh   40   1    nodnsmasq
./VLANSwitch.sh   50   1    nodnsmasq
 
Last edited:
Thanks Martineau! So I understand the RT AC66U (mine has firmware v380.70 not 370.70) is capable of serving ips to many vlans using a modified version of your script.

Before I embark into the CLI world of the asus, I am curious as to what router you'd recommend given that I don't need wireless, I have many old wifi routers re-purposable as APs, incl ac66u.

I was looking at the Ubiquiti Unifi USG. I also wonder if I should get a cisco so I can use clusters or to gain similar cisco snmp advantages. I do dislike CLI and the cisco way but I'm destined to use it on the 3560 to some degree. I could up my budget a bit (up to AUD1000) and buy a new router, IF it has a gui I can work with rather than CLI. And it needs to play well with the cisco.

Now I see 4 options:

Option 1. Keep the Asus. Derive a set of CLI commands (ie a script I guess) to be stored on its local ffs (or the usb thumb drive hanging off the ac66u used for entware?) that serves ips to many vlans, selectively route cams from one vlan to another whilst blocking their internet plus is able to route openvpn throughout all vlans and serve NTP. Seems a big ask of the asus.

Option 2. New small enterprise level router capable of multi vlan ip management. But probably not capable of serving OpenVPN nor NTP. So run the openvpn and ntp server on my NVR/OpenHAB machine. As that is going to be running constantly along with the cisco switch. Is there an opensource windows NTP server?

Option 3. I could run multiple vmware OSs (with dual nics) on the NVR/OpenHAB server to run Blue Iris together with a linux server. Blue Iris is Windows 10 only and I don't know of any affordable or open sourced DHCP/ip server apps that run on windows. I'm unsure if running BI on a virtual OS allows proper access to the intel gpu for acceleration and the sound cards? I may also be in over my head getting the Linux server up and running on a vmware virtual OS. But up for the challenge if there isn't a better solution.

Option 4. Run the Cisco as DHCP/ip server whilst still somehow running the asus (in dhcp mode/not as server) as an OpenVPN and NTP server (only because the Cisco won't). I'm waiting to hear the suggestions from member "kfp" who said he would post soon.

Option 4 (if it were possible) seems like the easiest, cheapest option. I then favour Option 2 before option 1 and 3. Purely because I don't want to have a system I can't get my head around or that is hard to remember in a few years if it needs modifying.

Will there be many lines of code involved in modifying your script Martineau? Your method may not be that hard for me after all, I got the NTP server running on Entware.
I will however, need to document as much as I can.
 
Last edited:
Thanks Martineau! So I understand the RT AC66U (mine has firmware v380.70 not 370.70) is capable of serving ips to many vlans using a modified version of your script.
Whoops sorry about the firmware version typo :oops:

The VLANSwitch.sh script itself shouldn't need modification (except if the robocfg port mappings are incorrect) as it will automatically configure the appropriate VLAN subnets. (If the resulting subnet ranges are not to your liking - the script sets the third octet xxx.xxx.vlanID.xxx as the VLAN ID by default - then you simply edit the dnsmasq config.)

I would suggest that you continue your hardware/topology requirements/queries in the more relevant forums LAN & WAN Article Discussions or Switches, NICs and cabling where knowledgeable members such as @coxhaus provide sound advice regarding the pros and cons of consumer equipment vs SOHO / Small Business and even Enterprise options for similar setups.
e.g.
VLAN How To: Segmenting a small LAN
Please help me troubleshoot duplicate ACKs and missing packets on home network

Option 1. Keep the Asus. Derive a set of CLI commands (ie a script I guess) to be stored on its local ffs (or the usb thumb drive hanging off the ac66u used for entware?) that serves ips to many vlans, selectively route cams from one vlan to another whilst blocking their internet plus is able to route openvpn throughout all vlans and serve NTP.

Seems a big ask of the asus.
My RT-AC68U manages to cope with all of the above although my scripts are run from /jffs/ just in case the external USB flash drive hosting Entware isn't yet mounted/available.

Use of custom scripting is the main reason I use the Asus kit, but clearly if you truly dislike the CLI/scripting, then this may be the deal breaker for you.
 
Easiest route to get this done without a lot of work or purchasing enterprise gear would be to set up a cascaded router network. Plug the central router to your internet, and plug the wan ports of your two routers into the lan ports of the central router. Make sure the ip addresses/subnet do not overlap. This will however be a double nat solution which will work fine for outgoing traffic. Not really good if you want to host anything internally and will most likely break any UPNP devices if you are using that feature.

Central router connects to the internet - subnet 192.168.1.1/24 you can leave the wireless enabled or disabled. SSID - ROOT
router for home - subnet 192.168.2.1/24 SSID - HOME
router for studio - subnet 192.168.3.1/24 SSID - STUDIO

This way each router will provide the dhcp server for that subnet without needing to setup a central dhcp server with bootp/udp helper. The traffic will be segregated and you can have different SSIDs for each network.

It's also cheaper to get 3 routers than a layer 3 managed switch.

If you can get business grade internet with a pool of static addresses, you can probably do better by a main switch and two routers and that would fix the double nat and upnp features if those are important.
 
Last edited:
You have all the gear you need to do everything you wish already.

So, you have three main options:
  1. Do a router-on-a-stick setup on a device that was not designed for it (RT-AC66U) and then use all other switches as L2.
  2. Keep the gateway routing and secondary services on the RT-AC66U and do everything else including DHCP from the powerful L3 Cisco switch.
  3. Do a router-on-a-stick with a routing OS, like a pfSense VM on your NVR box, and then use all other switches as L2 and the RT-AC66U as just an AP. This may require VLAN-aware NICs.
All else being equal, the optimum is 2.

This is because the Cisco should be designed for it, it is maintainable, it adds further integrity to your network because the DHCP is not on your gateway router. If your router goes down, or is compromised because it is Internet-facing, or if you need to upgrade it later, all your internal devices keep on ticking.

Option three is technically powerful but it puts an even more critical service on your gateway. This is sub-optimal and should only be considered if your Asus/existing gateway cannot support your needs, e.g. you got a symmetrical Gigabit Internet connection. However, this option could be changed to a (very) powerful VPN Server and Client instead, if needed in future and you had no other spare hardware.

You seem to have well-above average technical awareness and using any other VLAN-aware products will conceptually be identical to what you would be doing on the Cisco switch. It would just be a different challenge, going from Cisco CLI to that specific product's GUI.

If you insist on GUI VLAN management or want a VLAN "testlab", this is not available on consumer devices in general but is available on SOHO or enterprise. You can get either a very cheap Ubiquiti Edgerouter ER-X/Unifi USG or a Mikrotik hAP ac2/RB750GR3 (Mikrotik preferred for plain routing but harder to initially understand) and setup your VLANs there. If you roll out that device as your Internet gateway, you can retire your RT-AC66U to serve as just a wireless access point. That whole exercise may then eventually give you confidence to use the Cisco switch to its full potential.

However, the time it takes you to create the testlab and roll it out may be longer than simply having learned Cisco CLI for VLANs in production.

In all cases, make sure you document everything you do! Journals are invaluable the first time you learn to do something complex and make it easier for maintenance later. Also, high priorities are:

A. Make frequent backups of VLAN configurations for your switches and routers.
B. Before enabling any form of VLAN filtering, make sure you do not lock yourself out of your own devices!
C. This is related to the previous point. Get your management VLAN working first.
D. Avoid the use of VLAN with ID 1 or 0 for trunks (yes, some devices allow you to fiddle with VLAN "0"). This can create painful configuration headaches, either upfront or later, especially interoperating between different manufacturers. Use anything else, e.g. VLAN 10.
E. Most L3 devices allow inter-vlan routing by default. In other words, VLANs only create L2 broadcast domains, they do not prevent devices talking to each other at higher levels. So, your VLAN-aware L3 device needs to have a strong and easy to manage IP firewall or ACL capability.

You have come far already. Only a little bit more to go! :)

TL;DR. Investigate Cisco CLI and use it to its full potential OR get a budget GUI VLAN router to replace your RT-AC66U as an Internet gateway and use the Cisco as a managed L2 until you are confident to use it as L3.
 
Last edited:
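A worked configuration for option 2 above (gateway stays on the RT-AC66U, the Catalyst 3560 does VLANs, inter-VLAN routing, DHCP and the camera ACL), written here as an added example and not something posted in the thread. The VLAN numbers follow the plan the thread settles on (10 house, 20 management, 30 cams, 40 doorbell, 50 studio); every address, MAC, and port assignment is an assumption and is marked as such in the comments.

```cisco
! Catalyst 3560 (IOS 12.2(55)SE syntax). Assumed VLAN plan from the thread:
! 10 House, 20 Management (Asus gateway, NVR, IoT), 30 IPCams, 40 Doorbell, 50 Studio.
! Assumed addresses (not from the thread): third octet = VLAN ID, switch SVI at .1,
! except VLAN 20 where the Asus LAN is 192.168.20.1 and the switch is 192.168.20.2;
! the NVR is assumed at 192.168.20.10.
ip routing
vlan 10
 name House
vlan 20
 name Management
vlan 30
 name IPCams
vlan 40
 name Doorbell
vlan 50
 name Studio
vlan 999
 name Unused-Native
! Point C: get the management SVI working (and test access through it) before
! any ACL goes on. Point E: every SVI below routes to every other by default.
interface Vlan20
 ip address 192.168.20.2 255.255.255.0
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group CAMS-IN in
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
! Internet via the Asus. The Asus needs static routes for 192.168.10/30/40/50.0/24
! pointing at 192.168.20.2, or replies to those subnets never come back.
ip route 0.0.0.0 0.0.0.0 192.168.20.1
! DHCP on the switch (option 2): leases keep working if the gateway reboots.
ip dhcp excluded-address 192.168.10.1 192.168.10.20
ip dhcp excluded-address 192.168.30.1 192.168.30.10
ip dhcp pool HOUSE
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.20.1
ip dhcp pool IPCAMS
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
! Doorbell that cannot take a static address: a one-host pool pins its lease.
! client-identifier is "01" followed by the MAC; the value below is a placeholder.
ip dhcp pool DOORBELL
 host 192.168.40.10 255.255.255.0
 client-identifier 0100.0000.0000.01
 default-router 192.168.40.1
! Cameras may reach only the NVR plus DHCP and the Asus NTP server; the Internet
! and all other VLANs are dropped and logged. Inbound on Vlan30, so streams the
! NVR pulls from the cams still work.
ip access-list extended CAMS-IN
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.168.20.1 eq ntp
 permit ip any host 192.168.20.10
 deny ip any any log
! Port roles (assumed). The Asus sees one untagged LAN (VLAN 20), so it needs no
! VLAN setup of its own; only the basement uplink carries tags (point D: no VLAN 1).
interface GigabitEthernet0/1
 description Uplink to RT-AC66U LAN port
 switchport mode access
 switchport access vlan 20
interface range FastEthernet0/1 - 8
 description IP cameras
 switchport mode access
 switchport access vlan 30
interface FastEthernet0/24
 description Trunk to basement TP-Link SG3216
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,50
 switchport mode trunk
```

Check the result with `show ip interface brief`, `show ip dhcp binding` and `show access-lists CAMS-IN` (the deny counter should climb when a camera tries to go anywhere but the NVR), and back up the running config (point A) before adding the studio and doorbell ACLs the same way.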
I have a somewhat similar setup (multi VLAN for security isolation) at home. I went with PFsense on a dedicated box (cheap old Dell SFF desktop with a 4-port NIC - supports serving DHCP to multiple VLANs easily). It's probably well within your ability. My switch is a Netgear S3300, so it's probably not as smart as your Cisco. Using ASUS wireless routers as WAPs.
My only wishlist item is VLAN support on the WAP so I could put 2.4GHz as a guest network (solely) and 5 GHz as a privileged network on a separate VLAN. I can accomplish this with 2 separate WAP's though.
Good luck.
 
Thanks everyone the replies so far are encouraging and have given me a few ideas, and a few questions:

1. Umarmung and kfp I like your option 2, the idea of the Cisco being the DHCP server and the asus doing secondary services. It helps load balancing, also the Network Assistant gui in Cisco could help me a bit there (I hope). The only qualm I have is in order for the asus to be the openvpn server I have read that it needs to reserve the client's ip in the lan page and... perhaps? also be the dhcp server. With the cisco as dhcp/ip server is it still necessary/possible to reserve the client ips in the asus? Can it have those reservations listed and not conflict with the Cisco's server duties. How will they work together in this way? Similar with the NTP entware server. Will it be ok with the cisco being dhcp/ip server? Is there some code that needs changing in ntp script to allow for an external dhcp/ip server?

2. For a first test however I will try Martineau's script to see if it can all be based from the asus. After backing up everything :)

3. I will need to use vlan tagging because some physical ports on the cisco will be trunks to aps and to the basement which have a few different vlans. How will vlan tagging work in the above 2 scenarios?

agilani thanks for your suggestions but as mentioned before I can't be entirely physical port based. Many machines and their different vlans will be hanging off one port out of pure necessity.

ZFactor I haven't entirely counted out the possibility you suggest but hope to be able to do it between the cisco and the asus.

The cisco has to be where it is, in a recessed hallway cupboard (vented into ceiling), and it is loud! A burglar would hear it and go straight to it and rip out the wires. I will eventually go to something more compact, energy efficient and with no fans but this setup will tide me over for a while. NBN via VDSL or direct wireless will be coming soon. I don't think the asus will be good for that. At that point I will upgrade to something like the Draytek 2862 that can do VDSL, WAN over ethernet, 8 vlans, 8 subnets and vpn server. And passive cooling! Not sure about NTP server and if I would need it.

Meanwhile I appreciate what people are offering here to use what I have. I will change my house vlan from 1 to 10 and push on with above option 2 test. Still relevant to this subforum.
 
Last edited:
Have you thought about a Cisco RV340 router? They are fairly inexpensive. I would think the VLANs would work fine. I run a Cisco SG300-28 layer 3 switch with my new RV340 router. I setup a router VLAN on a 30 bit mask with DHCP on the switch. This keeps the router focused on just internet traffic.
 
Hi all, a final update to this thread.
I tried Martineau's script (thanks Martineau) and also DD-WRT which seemed fantastic and just what I needed, but I got caught down a rabbit hole for days trying to get it to work in the capacity of the ac66u. Which doesn't implement everything in DD-WRT, and consequently buggy.

In my travels I came across talk of the VPNfilter virus and also how both my asus rt-ac66u (merlin) and cisco 3560 would no longer receive updates. It occurred to me I was flogging 2 dead horses and decided to go another route.

In the end I went with ZFactor's suggestion of OPNsense. I bought an amazing little fanless Qotom i5 8gb/40gb with 4 intel ports for less than the price of the Draytek or new Asus I was contemplating earlier. Around AUD400. I've gotta say OPNsense makes a lot of sense as it will always be supported by the opensource community behind it. Things like VPNfilter and other threats in the future will always have a remedy. Plus I will have enough headroom for all kinds of nifty things including openhab on this little beast.

Now I am up for a new set of challenges but happy the bar has been lifted and, really there is no limit to how deep I want to take this new router. I will still be going for a similar setup as above but in OPNsense. The asus now sits behind as an AP+switch. I'll be running it on stock firmware or merlin (whichever wins), more than occasionally clearing nvram, resetting it and re-building with not much trouble due to its simple use. To avoid nasties like VPNfilter.

Thanks everyone for your contributions and good luck on your journey. We soon may be talking in other parts of the forum.
 
Last edited:
