SB8200 two ports == two vlans?

[Arnav Geva]

Hi,

You know the two Ethernet ports the SB8200 has? I know they can be used for link aggregation. However, if I were to instead plug in two routers, will it result in two separate networks (VLAN like)?
I spoke with Xfinity and they would provide two separate public IPs.

Thanks for the help!

 

[coxhaus]

Try it.

 

[Arnav Geva]

I prefer not to purchase in the first place if that is not the case (and go another route)...

 

[coxhaus]

What is your other route?

 

[Arnav Geva]

Context: I am on Xfinity fiber. I recently added 4 POE cameras (Armcrest). At the moment they are on a separate LAN but I want to connect them to the WAN for remote viewing. Not planning to port-forward, DMZ, or UPnP. Planning to use the mfr. P2P. I want them on a separate isolated network.

Here are the options that I see:
1. SB8200 with two routers (xfinity said no additional cost for a 2nd public IP).
Cons: not clear if it results in separation.

2. Two separate cable modems
Cons: $14/month for another BYOD

3. Double NAT. Put the Cameras behind the first router. Put all the home devices behind the second router. House devices will see the cameras. Cameras will not see the home devices.
Cons:
- The cameras still go through the first primary WAN facing router which perhaps is not ideal from a security standpoint?
- Unnecessary load on the "primary router" (trusty RT-AC68U). I am open to upgrade, but still.
- More importantly, instead of local NVR, I wanted to have the cameras save the motion clips direct to AWS S3. Mostly for fun but it also means the clips are in my own "cloud" (vs. Armcrest) and I don't need to expose a local NVR such as BlueIris through UPnP. To have the cameras upload direct to S3 in a secure manner, I wanted to setup a VPN tunnel from the cameras router to an AWS VPC. I don't think I can do it with a regular home router in a double NAT setup. It will send all traffic to AWS VPN which I don't want.
- I know latency will be negligible for the home devices but still...
- I'd hate for something to not be compatible/break because of the double NAT later on.

4. Managed switch to create two true separate VLANs.
Cons: The cameras still go through the first primary WAN facing router.

So #1 seems ideal. As much separation as I can get without having to activate a service for a second modem. This is why I was asking about the two ports on the SB8200...

What do you think?

 

[CaptainSTX]

I'd hate for something to not be compatible/break because of the double NAT later on.

A double NAT setup will not cause any difficulties unless you want to run a server of any type on the second network. If you want a server then you are going to have to use double port forwards to try and make it possible to see the servers from the WWW.

 

[Arnav Geva]

No servers. Other than the concern about security (having the cameras go through the primary WAN router which is perhaps not ideal), I just thought about these additional cons for double NAT:
1. Unnecessary load on the "primary router" (trusty RT-AC68U). I am open to upgrade, but still.
2 More importantly, instead of local NVR, I wanted to have the cameras save the motion clips direct to AWS S3. Mostly for fun but it also means the clips are in my own "cloud" (vs. Armcrest) and I don't need to expose a local NVR such as BlueIris through UPnP. To have the cameras upload direct to S3 in a secure manner, I wanted to setup a VPN tunnel from the cameras router to an AWS VPC. I don't think I can do it with a regular home router in a double NAT setup. It will send all traffic to AWS VPN which I don't want.

 

[Arnav Geva]

Here is a diagram of what I thought would be ideal (if the the two ports on the SB8200 provided isolation)

 

[ColinTaylor]

The two router setup you propose would be the most secure as you have two physically separate networks that are not connected to each other.

It would be wrong to call them VLANs though, they are just two (real) LANs. VLANs provide logical separation of virtual networks while sharing the same physical medium.

 

[Arnav Geva]

True. Now I just need an SB8200 owner to confirm... I contacted Arris as well. Lets see what they say. It would be cool if it worked like that. I suspect it would make a lot of people lives easier (who don't won't to deal with double NAT, managed switches etc')

 

[Arnav Geva]

Got this response from Arris:

Yes, It will result in two different networks, since the IP address of the 2 ports are different.

Does that make sense? Would it not only be true if the two IPs were in different subnets (and I have no idea how Xfinity assigns their dual IPs)?

 

[coxhaus]

I would think the 2 IPs would be in the same network just different IPs. The IPs would come from the same DHCP server and it seems like they would both be in the same broadcast domain. Are you sure you are going to get 2 IPs in separate networks?

I have Spectrum using a SB8200 modem but there is no talk of a second IP.

 

[Arnav Geva]

Right. Well, all I have is the chat with the Xfinity CSR saved, but who knows. She did check with a bunch of supervisors at the time.
So then, say the the two ports are not isolated, would a managed switch with two WAN ports be the next best thing (to have truly two isolated networks and not have to pay for another modem service)?

I'll start to look at some models.

 

[ColinTaylor]

Does that make sense?

Yes.

Would it not only be true if the two IPs were in different subnets?

No. You're over-thinking this. This is no different than say, you and your neighbour being assigned consecutive IPs by the same ISP. The isolation between each IP is done by your two routers, each of which has its own firewall and is performing NAT.

It would be a different case if you were to plug each port from the cable modem directly into the same (unmanged) switch because you would be physically connecting them together. That is not the case here.

 

[coxhaus]

Back in the old days with a business account you got 5 static IP addresses. They were all in the same network. You could add a switch after the single port modem and plug in multiple routers into the switch and they would receive an IP address each. They also made business routers which could handle 5 IP addresses.

 

[Arnav Geva]

Thanks for all the help. Bought one via the forum affiliate link
I'll you know how it went once I receive it...

 

[Arnav Geva]

Rrrrrr, surprise surprise
I spent literally the whole day talking to the WORST company in the world (I am looking at you Xfinity).
I was bouncing between residential and bulk services CSRs and couldn't get a straight consistent answer from anyone.
Some of the CSRs tried to "enable" it but no luck.

Bottom line: No second public dynamic IP from Xfinity for the SB8200 (at least in my area).

The SB8200 is going back and I planning to instead put a wired router between the modem and the two other routers. Probably one of the Ubiquiti EdgeRouters or the like...

 

[coxhaus]

The SB8200 is going back and I planning to instead put a wired router between the modem and the two other routers. Probably one of the Ubiquiti EdgeRouters or the like...

Instead of using 3 routers why not use 1 router and 2 VLANs? It is much cleaner than having multiple firewalls.

You can use an Edge router or a Cisco RV340 router. I use a Cisco RV340 router and the SB8200 modem.

 

[Arnav Geva]

Need wireless for each network anyway...
One would hope that with IPv6 they would have at least be willing to give you one of those.

 

[coxhaus]

Need wireless for each network anyway...
One would hope that with IPv6 they would have at least be willing to give you one of those.

All you need is a wireless AP that supports VLANs. Then it will work fine.