Network Segmentation

This is the best I can come up with...

(attachment: network diagram)


When I run a cable from the switch on the right to the WAN port of AC68P, no cameras are visible.

If I connect a cable from NIC 2 on the NVR to a LAN port on the AC68P, then only the wireless cameras start to show up on the NVR, which are on the 192.168.2.x network, but I cannot see the POE cameras.

But if I use that same Ethernet cable coming from NIC 2 and plug the other end into the switch, then I can see the POE cameras, but not the wireless cameras. So it's either one or the other.
I apologize if this is very simplistic, idiotic and doesn't make any sense, hence why I am here asking for help.


I also have a few old Cisco routers I can flash with Tomato to make them smart switches.
 
So to be clear, from the diagram in the previous post your cameras are not "on the 192.168.2.x" network. They are on the 192.168.1.x network but you have configured them with static IP addresses for a different network, 192.168.2.x.

Now, those POE cameras, they are on a static IP for the 192.168.2.x network.
 
So to be clear, from the diagram in the previous post your cameras are not "on the 192.168.2.x" network. They are on the 192.168.1.x network but you have configured them with static IP addresses for a different network, 192.168.2.x.
Yes they are. I have manually assigned them a static IP in the 192.168.2.x subnet range. I can verify this by going into the camera's GUI.
 
Yes they are. I have manually assigned them a static IP in the 192.168.2.x subnet range. I can verify this by going into the camera's GUI.

Physically connecting them to network 1 and giving them IPs from network 2 is not going to work, nor will it give you segmentation. Read through my last couple of posts; all the necessary connections are listed out. You need to remove the connection between the POE switch and router 1 and cable that POE switch directly to a router 2 LAN port.

The non-POE switch needs to connect to router 1 LAN and router 2 WAN.

Again do these cameras even need internet or just to connect to the NVR?
 
do these cameras even need internet or just to connect to the NVR?
They do not need internet. I have another Tomato router with me right now and I would like to try the VLANs option, or is this not an option at this point?
 
They do not need internet. I have another Tomato router with me right now and I would like to try the VLANs option, or is this not an option at this point?

Just to confirm, you cannot run a second cable between "area 1" and "area 2"?

And some of your cameras are wired to "area 1" and others are wireless to "area 2"?

Can you get the wired cameras to come into area 2 instead (assuming not, but worth asking). Or alternatively the wireless cameras connect to area 1 and NVR moved to area 1?

If all you want is to have them on a different subnet that is doable with what you have now but it is NOT isolated in that case. It provides some amount of isolation but definitely not enough to be considered secure. Depending how much/little you trust those cameras, it may be enough for you. But if you want them totally isolated, you either need a second physical link between the two areas, or VLANs on that single link.

Start with answering those and we'll go from there.
 
OK. I cannot move the NVR, nor the POE cameras, nor the POE switch, so nothing can be moved. I cannot run a 2nd cable (I wouldn't be here if that were the case, lol).
Everything would have been simple enough for me to do what I need if all those things were possible, hehe, but unfortunately this is what I have to work with.
 
Start with answering those and we'll go from there.

Just in case - the questions have been asked and answered already in the thread...

There's always the case of being "too helpful" and getting caught in that particular trap...
 
Is this where I need to be? And if so, how do I trunk the two networks 192.168.2.1 and 192.168.1.1? Sorry if I am using the wrong term here, but I think you know what I mean.

(attachment: screenshot)
 
Just in case - the questions have been asked and answered already in the thread...

There's always the case of being "too helpful" and getting caught in that particular trap...

Lots of things have been asked and answered only to find out there were hidden gotchas. I just want to make sure we're on the same page.

If OP feels I'm being too helpful, happy to stop.
 
Is this where I need to be? And if so, how do I trunk the two networks 192.168.2.1 and 192.168.1.1? Sorry if I am using the wrong term here, but I think you know what I mean.


Slow down. One step at a time. You still haven't answered all my questions from the previous post. Quote it, and insert your answers after each item please.
 
Is this where I need to be? And if so, how do I trunk the two networks 192.168.2.1 and 192.168.1.1? Sorry if I am using the wrong term here, but I think you know what I mean.

Well I'm going to run on the assumption that:

1. Nothing can move, you have wireless cameras, and those wireless cameras have to connect to area 2.
2. You want more than ip/subnet isolation, you want the devices isolated at the physical/network level too since IP isolation is not enough to be considered secure. Personally, I would not do it that way, so I wouldn't recommend you do either.

Your options are:

Buy two smart switches - easiest and cleanest solution
Netgear GS305E (5 port) are $21 on Amazon each, TP-Link TL-SG108E (8 port) are $27 on Amazon each. You could do one of each if you need more than 5 ports in either area. Probably get the 8 port for area 2 so you can eliminate that Netgear switch, or just get the 8 port for both areas. You'll still need the POE switch simply for POE.

Use two "spare" routers with Fresh Tomato as pseudo smart switches (assuming they both support FT and you can figure out the configurations). Could eliminate the netgear switch if the "FT Switch" in area 2 has enough ports. This is a bit of a messy solution as they will still technically be routers or APs and that stuff will be running, you just will be bypassing everything but the LAN ports.

Use one "spare" router with FT as pseudo smart switch in area 1 (again, a bit of a waste of electricity and a bit messy) and a script on the AC68 to make it a smart switch/router combo for the other end.
Or alternatively same thing in area 1 but put Freshtomato back on the AC68 in area 2 (more complex configs but it is all in the GUI instead of a script).

It is possible to do scripts on both the AC86 and AC68 however the 86 ones are very complex and I'm not sure if anyone has totally figured that one out. I don't have one so I can't play with it to figure out the right commands so that isn't an option here.
 
OK, lots to think about here. What if I just leave everything as I have now, but instead of the Ethernet cable coming from R1 LAN to R2 WAN, what if I do LAN on R2?
I know that means devices connected to R2 will not have internet access, right? If that's the case, then that's fine.

I ask because if I connect to R2 using the LAN port instead of the WAN port, then I can see all wired and wireless cameras on the NVR, but I'm not sure if this will cause any issues or not.
 
OK, lots to think about here. What if I just leave everything as I have now, but instead of the Ethernet cable coming from R1 LAN to R2 WAN, what if I do LAN on R2?
I know that means devices connected to R2 will not have internet access, right? If that's the case, then that's fine.

I ask because if I connect to R2 using the LAN port instead of the WAN port, then I can see all wired and wireless cameras on the NVR, but I'm not sure if this will cause any issues or not.

If you do that they are all on the trusted LAN and are all part of 192.168.1.0/24. Anything wired you may as well just connect to the netgear switch. You will also need to shut down DHCP on the second router as you can't have two DHCP servers on the same network. Actually just run router 2 in AP mode in that case so the DHCP server is disabled, since you don't need the routing functions. Router 1 will handle all your DHCP, DNS, etc. Nothing is segmented in that design obviously.

All devices will have internet access.

Alternatively, if you use that design and give your cameras and NVR port 2 all static IPs in another subnet (any subnet, doesn't matter at that point, you can use 192.168.2.x or 192.168.whatever.x) they will not have internet access and will be able to see each other, and it provides "pseudo segmentation" but in reality those devices still have access to your main LAN. Note they will not be able to look each other up by hostname since they won't have any access to DNS etc either. That's one of the options I mentioned - semi-segmented.
 
Even the wireless ones connected to R2 wifi?

Yes as long as you let them get 192.168.1.x IPs. R2 just becomes an access point/switch at that point. You just have one network, no isolation, everything can access the internet and each other.
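To make the reachability rules behind the replies above concrete, here is an added example (my own Python, not code from this thread and not from Tomato or Asuswrt) that models the four cabling options discussed: the current cabling, NIC 2 plugged into the area 1 switch, the POE switch on an R2 LAN port, and the flat LAN with static 192.168.2.x addresses. The segment names, the router addresses (R2's WAN as 192.168.1.50, R1's WAN as 203.0.113.2) and the device addresses are constructed assumptions that mirror the diagram, not values taken from the thread.

```python
# Added example (not from the thread or from any router firmware): a small model of
# IPv4 reachability for the cabling options discussed above. Segment names, router
# addresses and device addresses are constructed assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Interface
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    name: str
    segment: str                    # L2 broadcast domain: a switch fabric, VLAN or router LAN side
    iface: IPv4Interface            # configured address and mask, e.g. 192.168.2.10/24
    gateway: Optional[str] = None   # default gateway; None for statics set without one


@dataclass(frozen=True)
class NatRouter:
    name: str
    lan_segment: str
    lan_iface: IPv4Interface
    wan_segment: str
    wan_iface: IPv4Interface


def reach(src: Device, dst: Device, routers: List[NatRouter]) -> str:
    """How src can open a connection to dst.

    direct       same broadcast domain and subnet: ARP + IP, no router involved
    l2-adjacent  same broadcast domain, different subnet: no IP path as configured, but
                 src only has to add a second address to talk to dst (not isolation)
    via-nat      src sends to its gateway, the NAT router's WAN side is on-link with dst,
                 and dst can answer to the router's WAN address
    unreachable  dst looks on-link but sits on another segment (ARP is never answered),
                 src has no gateway, or no router joins the two segments in this direction
    """
    same_segment = src.segment == dst.segment
    looks_on_link = dst.iface.ip in src.iface.network
    if same_segment and looks_on_link:
        return "direct"
    if same_segment:
        return "l2-adjacent"
    if looks_on_link or src.gateway is None:
        return "unreachable"
    for r in routers:
        if (src.segment == r.lan_segment and src.gateway == str(r.lan_iface.ip)
                and dst.segment == r.wan_segment and r.wan_iface.ip in dst.iface.network):
            return "via-nat"
    return "unreachable"


# Constructed topology: R1 serves the main LAN on segment "area1";
# R2 has its WAN on area1 and its own LAN on segment "area2".
R1 = NatRouter("R1", "area1", IPv4Interface("192.168.1.1/24"), "internet", IPv4Interface("203.0.113.2/24"))
R2 = NatRouter("R2", "area2", IPv4Interface("192.168.2.1/24"), "area1", IPv4Interface("192.168.1.50/24"))
ROUTERS = [R1, R2]
MAIN_PC = Device("main PC", "area1", IPv4Interface("192.168.1.30/24"), "192.168.1.1")
POE_ON_AREA1 = Device("POE camera", "area1", IPv4Interface("192.168.2.101/24"))          # static, no gateway
WIFI_ON_AREA2 = Device("wireless camera", "area2", IPv4Interface("192.168.2.102/24"), "192.168.2.1")


def current_cabling() -> Dict[str, str]:
    """R1 LAN -> R2 WAN; POE cameras on area1 with static 192.168.2.x; NVR NIC2 on an R2 LAN port."""
    nvr = Device("NVR NIC2", "area2", IPv4Interface("192.168.2.20/24"), "192.168.2.1")
    return {"nvr->poe": reach(nvr, POE_ON_AREA1, ROUTERS), "nvr->wifi": reach(nvr, WIFI_ON_AREA2, ROUTERS)}


def nic2_moved_to_area1_switch() -> Dict[str, str]:
    """Same, but NVR NIC2 cabled to the area1 switch instead of an R2 LAN port."""
    nvr = Device("NVR NIC2", "area1", IPv4Interface("192.168.2.20/24"))
    return {"nvr->poe": reach(nvr, POE_ON_AREA1, ROUTERS), "nvr->wifi": reach(nvr, WIFI_ON_AREA2, ROUTERS)}


def poe_switch_on_r2_lan() -> Dict[str, str]:
    """Recommended cabling: POE switch on an R2 LAN port, so every camera is on area2."""
    nvr = Device("NVR NIC2", "area2", IPv4Interface("192.168.2.20/24"), "192.168.2.1")
    poe = Device("POE camera", "area2", IPv4Interface("192.168.2.101/24"), "192.168.2.1")
    return {"nvr->poe": reach(nvr, poe, ROUTERS), "nvr->wifi": reach(nvr, WIFI_ON_AREA2, ROUTERS),
            "poe->main": reach(poe, MAIN_PC, ROUTERS), "main->poe": reach(MAIN_PC, poe, ROUTERS)}


def flat_lan_with_static_subnet() -> Dict[str, str]:
    """R1 LAN -> R2 LAN (R2 as an AP): all on area1; cameras and NIC2 static 192.168.2.x, main PC 192.168.1.x."""
    nvr = Device("NVR NIC2", "area1", IPv4Interface("192.168.2.20/24"))
    return {"nvr->poe": reach(nvr, POE_ON_AREA1, ROUTERS), "poe->main": reach(POE_ON_AREA1, MAIN_PC, ROUTERS),
            "main->poe": reach(MAIN_PC, POE_ON_AREA1, ROUTERS)}


if __name__ == "__main__":
    for fn in (current_cabling, nic2_moved_to_area1_switch, poe_switch_on_r2_lan, flat_lan_with_static_subnet):
        print(fn.__name__, fn())
```

Running it reproduces the thread's observations: in the current cabling the NVR gets "unreachable" for the POE cameras (it ARPs for 192.168.2.101 on area 2, where nothing answers) and "direct" for the wireless ones, and the two flip when NIC 2 moves to the area 1 switch. The flat-LAN option returns "l2-adjacent" between the cameras and the main PC, which is the model's way of saying the subnet split is not isolation: anything on that switch can add a second address and talk across it. One caveat the model also surfaces for the recommended cabling: "poe->main" is "via-nat", because a device behind R2 can initiate connections into R1's LAN through R2's NAT unless R2's firewall is told to drop that traffic; only the reverse direction ("main->poe") is blocked by default.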
 
I know the best thing for me to do here is to try to move the NVR PC over to area 1.
I just don't want to spend money at this time buying the equipment I need to achieve what I want.

Let's say I do that and move the NVR to area 1 and I am able to achieve what I need. One question that's been lingering:
the Blue Iris NVR has an app which I use to view all cameras. Does this mean that the NVR web server will be on the 192.168.2.x network, and will I also need to have my smartphone connected to the same network in order to view the cameras? Or is there a way for me to view them while connected to the main network 192.168.1.x?
 
