
VLAN or Isolated LAN for IP Cameras using ASUS RT-AC68U?

Discussion in 'Asuswrt-Merlin' started by g725s, Jan 17, 2020.

  1. g725s

    g725s Occasional Visitor

    Joined:
    Jan 14, 2015
    Messages:
    30
    Location:
    California
    First off, not sure if this is the best route, but I do have an ASUS RT-AC68R (same as the U) for my router.

    What I want to do is set up a VLAN or Isolated LAN, also heard it called a Walled Garden, for my IP Cameras. I see people talking about it but no actual setup descriptions or instructions with the equipment that I have.

    If the ASUS RT-AC68U can create a VLAN for my IP Cameras, how would I go about setting it up?

    Or maybe I should put a second network card in the dedicated PC I am using to run Blue Iris as my camera software, and set that network card up as an Isolated LAN, as I have heard mention that this might be a way also.
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,687
    Location:
    UK
    Asuswrt doesn't have VLAN support. Your idea of using a dedicated PC with a second network adapter sounds like it would be much simpler (assuming it would be connected to a separate network together with your cameras). It probably comes down to the physical restrictions of your cameras (e.g. location and connectivity).
     
  3. g725s

    g725s Occasional Visitor

    Joined:
    Jan 14, 2015
    Messages:
    30
    Location:
    California
    I would connect from the Network Card I would install in my Dedicated Blue Iris PC to a PoE switch that will power each camera and receive the video stream. I am not extremely network savvy. I will search more on the subject. Basically I Don't Want the individual cameras to have access to the internet, I only want them to send a video stream to the Blue Iris software program.
     
    Last edited: Jan 17, 2020
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,687
    Location:
    UK
    I don't know anything about Blue Iris but that sounds like a good setup. The cameras are physically separated from the internet and if you ever need to access them remotely you could set up a VPN and remotely log into the PC.
     
  5. g725s

    g725s Occasional Visitor

    Joined:
    Jan 14, 2015
    Messages:
    30
    Location:
    California
    I did ask a related question over in the QNAP topic because I have an unused adapter in my NAS. But I didn't get input on how I might use that and direct traffic to Blue Iris. https://www.snbforums.com/threads/u...solated-lan-for-ip-cameras.61235/#post-541859

    And yes I have OpenVPN on my router to do that. That is what is recommended most by Blue Iris users over at ipcamtalk.
     
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,687
    Location:
    UK
    Yes I saw that post. I didn't comment because not only do I know nothing about Blue Iris but I don't have a QNAP. :D That said, using a NAS + VLANs did sound unnecessarily complicated (when you have a dedicated PC) unless there are cabling issues forcing you down that route.
     
  7. pjv

    pjv Occasional Visitor

    Joined:
    Oct 17, 2017
    Messages:
    16
    I use a guest network with the "access intranet" setting disabled for all my IoT devices.

    Then I have a single host on my LAN (in my case, it is a little server running Home Assistant) that is able to communicate with the IOT devices via some custom ebtables rules in the nat-start script.
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,687
    Location:
    UK
    That would not be applicable in this case as all of his camera devices are wired not wireless.

    But as an aside I would be interested to see what your ebtables rules look like as I have had limited success trying that myself.
     
  9. g725s

    g725s Occasional Visitor

    Joined:
    Jan 14, 2015
    Messages:
    30
    Location:
    California
    I guess I need to post this in another topic or keep searching since this is not related to the Asus router. I have read over at a forum specifically for IP Cameras called ipcamtalk.com that some have put a second Network Card/Adapter in the dedicated PC that they use for Blue Iris. But I'm not finding details on how they actually set it up. I am just not super network savvy; I am learning more since putting together an IP camera PC running Blue Iris. Typically when people post questions over at that site they often get the response from a couple of the Old Salts that this has been discussed before and are shunned for asking such questions, and searching that site via Google (site:ipcamtalk.com) I cannot find a detailed explanation of how to set such an Isolated LAN up using a second adapter dedicated to just the cameras. This forum is a much more helpful group so I am asking here.

    Would the configuration of a card used for this be mostly Windows Network settings?
     
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,687
    Location:
    UK
    I would imagine so. The potentially difficult bit might be getting the cameras configured with an IP address for your new "camera network". Quite often the manufacturer of a network device provides a utility that you can run on your PC that automatically detects the device and allows you to configure its network settings. If necessary you could always plug a camera into your "normal" LAN, configure it and then move it to the camera LAN.

    EDIT: What is the make/model of your cameras?

    EDIT 2: Just to be clear, the configuration of the network card in the PC should be very straightforward.
     
    Last edited: Jan 18, 2020
  11. g725s

    g725s Occasional Visitor

    Joined:
    Jan 14, 2015
    Messages:
    30
    Location:
    California
    Yes there is a utility that the manufacturer provides to allow configuration including IPs. Cameras are all Dahua.

    I currently have the cameras setup but not on their own Isolated Network. I did use this ConfigTool https://dahuawiki.com/ConfigTool

    Which is found here... https://dahuawiki.com/Software/Dahua_Toolbox
     
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,687
    Location:
    UK
    Looks like it should be straightforward. All you need now is a second network adapter in your Blue Iris PC.
     
  13. g725s

    g725s Occasional Visitor

    Joined:
    Jan 14, 2015
    Messages:
    30
    Location:
    California
    And then what kind of configuration, either with the adapter, my router, or within Windows?
    I guess I am going to start looking for an adapter then. Do you have any suggestions?
    I did a lot more searching and think I found what I was looking for. First I found this thread... https://ipcamtalk.com/threads/how-do-you-setup-dual-lan.31085/

    Then I found the info I needed in the Cliff Notes at the site there.
    I need to determine what network card/adapter I should get now. Those Cliff Notes suggest this one... https://www.amazon.com/dp/B001CY0P7G/?tag=snbforums-20

    ...Blue Iris Server with Dual LAN

    Concept & Configuration

    Similar to the way Dahua NVR’s use a separate subnet for the cameras, you can set up a Blue Iris computer the same way by using two network interfaces. If the motherboard on the computer does not have dual LAN interfaces, and there is a spare PCI-E slot, just get an additional Network Interface Card (NIC), like this one. Use one of the network interfaces for your secure LAN, and the other one for the non-secure camera LAN. The Blue Iris PC needs to have access to Ethernet cables for both of the secure and non-secure networks, on different subnets; i.e. 192.168.1.X secure, and 192.168.0.X non-secure. Just make sure the two subnets share the same subnet mask, like 255.255.255.0.

    The non-secure network would connect to the PoE switch w/all your cameras. The cameras should be configured with static IP addresses, and no gateway, so they cannot access the internet. Alternatively, establish firewall rules that prevent the cameras from directly accessing the internet and the secure LAN subnet. With this configuration, only the Blue Iris server will be able to access both the (secure) LAN and the (non-secure) camera network. Note the trick is to leave the gateway address blank for the non-secure LAN NIC settings in the Blue Iris server; only the secure LAN NIC will have a gateway address.

    The Blue Iris computer acts as the time server for the cameras, and the cameras point to the server’s non-secure LAN IP address (i.e. 192.168.0.X secure). To allow the communication from the cameras to the time server IP address, set a rule on any firewall used on the Blue Iris server to allow port 123/UDP to pass through the firewall of the non-secure network. IPCamTalk user @DognamedTank recommends using the NTP server built into Windows 10; see setup guide here.

    Viewing Cameras Remotely

    While a physically segmented network as described above is an excellent security practice, accessing the camera web interface is more challenging. You can use Google Remote Desktop to view the Blue Iris computer without having to forward port(s) in the router. The Blue Iris computer can be used to view individual cameras, as well as clips and videos saved. You can also use Google Remote Desktop to log into the cameras separately via the web interface, for configuration purposes. All this is possible because Google Remote Desktop is a connection to the desktop of the computer that has access to both the (secure) LAN and the (non-secure) camera network. Google Remote Desktop, TeamViewer, and similar software do NAT traversal by keeping a connection active to a remote server that can be used to connect to your computer, just like the P2P function on many cameras. Unfortunately, using a remote desktop application will significantly increase CPU utilization, so don’t leave it connected full-time.

    Viewing Cameras at Home

    If you want to log into the web interface of your camera without using Google Remote Desktop, use the Blue Iris computer that has access to both the (secure) LAN and the (non-secure) camera network. Alternatively, use the “Remote Desktop” apps native to both Windows and OSX. From a security perspective, it would not be a good idea to use a computer temporarily connected to the (non-secure) camera network, as it defeats the purpose of having separate networks.

    Above info found in Cliff Notes here... https://ipcamtalk.com/wiki/ip-cam-talk-cliff-notes/
     
    Last edited: Jan 18, 2020
  14. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,687
    Location:
    UK
    @g725s You appear to have everything covered. That network adapter looks OK. You don't need anything special (or expensive). EDIT: Obviously check that your PC has a free slot of the appropriate type.
     
  15. g725s

    g725s Occasional Visitor

    Joined:
    Jan 14, 2015
    Messages:
    30
    Location:
    California
    Yes PC has 2 slots free.
     
  16. pjv

    pjv Occasional Visitor

    Joined:
    Oct 17, 2017
    Messages:
    16
    Ah so. Sorry I missed that part about the camera's being wired.

    So then this is off-topic, but my ebtables rules script looks like this:

    Code:
    #!/bin/sh
    
    ## allow home assistant to talk to IoT devices on firewalled guest network
    MAC="XX:XX:XX:XX:XX:XX" # HA box ether mac address
    EBT=$(ebtables -L --Lx --Lmac2) # existing ebtables FORWARD chain rules
    
    if echo "$EBT" | grep -iq "$MAC"
    then
      # do nothing because custom rules already in place
      logger "nat" "Custom ebtables rules already in place"
    else
      # add custom rules
      ebtables -I FORWARD -i wl0.1 -d $MAC -j ACCEPT
      ebtables -I FORWARD -o wl0.1 -s $MAC -j ACCEPT
    fi
     
  17. Kenneth Andersen

    Kenneth Andersen New Around Here

    Joined:
    Feb 21, 2020
    Messages:
    4
    I'm trying to accomplish something similar. Move my IoT devices to an isolated guest network, and only allow access (preferably only MQTT port, but that's the next step) to my controller.
    Tried using your script, pointed to the correct network and also tried adding the IP-address, but no success.
    The ebtables look like this:
    Code:
    ###@RT-AC87U-CA68:/jffs/scripts# ebtables -L --Lx --Lmac2
    ebtables -t filter -A FORWARD -p IPv4 -o wl0.2 --ip-src 10.0.0.10 -j ACCEPT
    ebtables -t filter -A FORWARD -p IPv4 -i wl0.2 --ip-dst 10.0.0.10 -j ACCEPT
    ebtables -t filter -A FORWARD -s aa:bb:cc:dd:ee:ff -o wl0.2 -j ACCEPT
    ebtables -t filter -A FORWARD -d aa:bb:cc:dd:ee:ff -i wl0.2 -j ACCEPT
    ebtables -t filter -A FORWARD -i wl0.1 -j DROP
    ebtables -t filter -A FORWARD -o wl0.1 -j DROP
    ebtables -t filter -A FORWARD -i wl0.2 -j DROP
    ebtables -t filter -A FORWARD -o wl0.2 -j DROP
    Any suggestions?
     
  18. pjv

    pjv Occasional Visitor

    Joined:
    Oct 17, 2017
    Messages:
    16
    Here's what my ebtables look like

    Code:
    [email protected]:/tmp/home/root# ebtables -L --Lx --Lmac2
    ebtables -t filter -A FORWARD -s aa:bb:cc:dd:ee:ff -o wl0.1 -j ACCEPT
    ebtables -t filter -A FORWARD -d aa:bb:cc:dd:ee:ff -i wl0.1 -j ACCEPT
    ebtables -t filter -A FORWARD -i wl0.1 -j DROP
    ebtables -t filter -A FORWARD -o wl0.1 -j DROP
    my guest network setup: [screenshot attached]

    From your ebtables it's looking like you may have more than one guest network set up? I haven't tried that so don't know how it might affect things. Are you sure that the IoT devices are associated with your wl0.2 device/network (and not wl0.1)?

    Also don't know if different hardware (you AC87U, me AC68U) might have an effect as well.
     
  19. Kenneth Andersen

    Kenneth Andersen New Around Here

    Joined:
    Feb 21, 2020
    Messages:
    4
    True. Have one network for regular guests, and a second one for my IoT stuff.
    [screenshot attached]
    Verified (ifconfig and WiFiman) that wl0.2 matches the IOT network.
    Also added similar rules for wl0.1 so revised ebtables look like this:
    Code:
    ebtables -t filter -A FORWARD -s 02:81:02:42:21:32 -o wl0.1 -j ACCEPT
    ebtables -t filter -A FORWARD -d 02:81:02:42:21:32 -i wl0.1 -j ACCEPT
    ebtables -t filter -A FORWARD -s 02:81:02:42:21:32 -o wl0.2 -j ACCEPT
    ebtables -t filter -A FORWARD -d 02:81:02:42:21:32 -i wl0.2 -j ACCEPT
    ebtables -t filter -A FORWARD -i wl0.1 -j DROP
    ebtables -t filter -A FORWARD -o wl0.1 -j DROP
    ebtables -t filter -A FORWARD -i wl0.2 -j DROP
    ebtables -t filter -A FORWARD -o wl0.2 -j DROP
    No access to any devices on the main network from either guest network :(

    Could it play any role that the script is not run on boot? Total noob and haven't figured out how to do that yet ;)

    UPDATE: Tried deleting all ebtables rules including the DROP ones created automatically. Still not possible to connect from either guest network to any devices on the main network...
    Which is really weird since all devices are visible in network scan on my Android device...
     

    Last edited: Feb 21, 2020
  20. pjv

    pjv Occasional Visitor

    Joined:
    Oct 17, 2017
    Messages:
    16
    I don't know the answer to that question, but reboots are often helpful. I have the script being called from the `nat-start` script. The Merlin wiki has good documentation on getting started with scripts, here.

    Edit: Are you sure that the device on your main network that you want to be able to access the IoT devices (and vice versa) is connecting to the router via the MAC address you are whitelisting? Some devices have more than one MAC (i.e. wifi, Ethernet, bluetooth...)
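One way to verify from the router shell that the guest-network exception discussed in posts #16 to #19 is actually in effect, added here as an example and not code from pjv, Kenneth or the thread: it reads an `ebtables -L --Lx --Lmac2` listing and checks that the ACCEPT pair for the trusted MAC exists for the guest interface and sits above that interface's DROP rules, since ebtables stops at the first matching FORWARD rule. The listings and the MAC below are constructed placeholders modelled on the ones posted.

```sh
#!/bin/sh
# Added example, not code from the thread: audit an `ebtables -L --Lx --Lmac2`
# listing for the guest-network exception used in posts #16-#19. ebtables walks
# FORWARD top-down and stops at the first match, so the ACCEPT pair for the
# trusted MAC must exist for the guest interface AND sit above that interface's
# DROP rules (which is why the script inserts with -I rather than appends with -A).

# ebt_check LISTING MAC IFACE -> exit 0 if the exception is in effect, 1 if the
# ACCEPT rules are missing or are shadowed by an earlier DROP on that interface.
ebt_check() {
    printf '%s\n' "$1" | awk -v mac="$2" -v dev="$3" '
        BEGIN { mac = tolower(mac); dev = tolower(dev) }
        { l = tolower($0) }
        index(l, "-s " mac " ") && index(l, "-o " dev " ") && index(l, "-j accept") { out = NR }
        index(l, "-d " mac " ") && index(l, "-i " dev " ") && index(l, "-j accept") { inn = NR }
        index(l, "-i " dev " ") && index(l, "-j drop") && !din  { din = NR }
        index(l, "-o " dev " ") && index(l, "-j drop") && !dout { dout = NR }
        END {
            if (!out || !inn) exit 1          # exception never added
            if (din && inn > din) exit 1      # inbound ACCEPT sits below the DROP
            if (dout && out > dout) exit 1    # outbound ACCEPT sits below the DROP
            exit 0
        }'
}

report() {  # report LABEL LISTING MAC IFACE
    if ebt_check "$2" "$3" "$4"; then
        echo "$1: exception for $3 on $4 is present and above the DROP rules"
    else
        echo "$1: exception for $3 on $4 is missing or shadowed by the DROP rules"
    fi
}

# Constructed listings modelled on the ones posted above (MAC is a placeholder).
GOOD_LISTING='ebtables -t filter -A FORWARD -s aa:bb:cc:dd:ee:ff -o wl0.1 -j ACCEPT
ebtables -t filter -A FORWARD -d aa:bb:cc:dd:ee:ff -i wl0.1 -j ACCEPT
ebtables -t filter -A FORWARD -i wl0.1 -j DROP
ebtables -t filter -A FORWARD -o wl0.1 -j DROP'

# Same rules, but appended with -A after the stock DROP rules: never reached.
BAD_LISTING='ebtables -t filter -A FORWARD -i wl0.1 -j DROP
ebtables -t filter -A FORWARD -o wl0.1 -j DROP
ebtables -t filter -A FORWARD -s aa:bb:cc:dd:ee:ff -o wl0.1 -j ACCEPT
ebtables -t filter -A FORWARD -d aa:bb:cc:dd:ee:ff -i wl0.1 -j ACCEPT'

report good "$GOOD_LISTING" AA:BB:CC:DD:EE:FF wl0.1
report bad  "$BAD_LISTING"  aa:bb:cc:dd:ee:ff wl0.1
report wrong-iface "$GOOD_LISTING" aa:bb:cc:dd:ee:ff wl0.2
```

On the router itself, feed it the live table, e.g. `ebt_check "$(ebtables -L --Lx --Lmac2)" <your-mac> wl0.2 && echo ok`, after nat-start has run.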