VLAN or Isolated LAN for IP Cameras using ASUS RT-AC68U?

[g725s]

First off, not sure if this is the best route, but I do have an ASUS RT-AC68R (same is U) for my router.

What I want to do is setup a VLAN or Isolated LAN, also heard it called a Walled Garden, for my IP Cameras. I see people talking about it but no actual setup descriptions or instructions with the equipment that I have.

If the ASUS RT-AC68U can create a VLAN for my IP Cameras how would I got about setting it up?

Or maybe I should put a second network card in the dedicated PC I am using to run Blue Iris as my camera software, and set that network card up as an Isolated LAN. As I have heard mention that this might be a way also.

 

[ColinTaylor]

Asuswrt doesn't have VLAN support. Your idea of using a dedicated PC with a second network adapter sounds like it would be much simpler (assuming it would be connected to a separate network together with your cameras). It probably comes down to the physical restrictions of your cameras (e.g. location and connectivity).

 

[g725s]

Asuswrt doesn't have VLAN support. Your idea of using a dedicated PC with a second network adapter sounds like it would be much simpler (assuming it would be connected to a separate network together with your cameras). It probably comes down to the physical restrictions of your cameras (e.g. location and connectivity).

I would connect from the Network Card I would install in my Dedicated Blue Iris PC to a PoE switch that will power each camera and receive the video stream. I am not extremely network savvy. I will search more on the subject. Basically I Don't Want the individual cameras to have access to the internet, I only want them to send a video stream to the Blue Iris software program.

 

[ColinTaylor]

I don't know anything about Blue Iris but that sounds like a good setup. The cameras are physically separated from the internet and if you ever need to access them remotely you could setup a VPN and remotely log into the PC.

 

[g725s]

I don't know anything about Blue Iris but that sounds like a good setup. The cameras are physically separated from the internet and if you ever need to access them remotely you could setup a VPN and remotely log into the PC.

I did ask a related question over in the QNAP topic because I have an unused adapter in my NAS. But I didn't get input on how I might use that and direct traffic to Blue Iris. https://www.snbforums.com/threads/u...solated-lan-for-ip-cameras.61235/#post-541859

And yes I have OpenVPN on my router to do that. That is what is recommended most by Blue Iris users over at ipcamtalk

 

[ColinTaylor]

I did ask a related question over in the QNAP topic because I have an unused adapter in my NAS. But I didn't get input on how I might use that and direct traffic to Blue Iris. https://www.snbforums.com/threads/u...solated-lan-for-ip-cameras.61235/#post-541859

Yes I saw that post. I didn't comment because not only do I know nothing about Blue Iris but I don't have a QNAP. That said, using a NAS + VLANs did sound unnecessarily complicated (when you have a dedicated PC) unless there are cabling issues forcing you down that route.

 

[pjv]

I use a guest network with the "access intranet" setting disabled for all my IOT devices.

Then I have a single host on my LAN (in my case, it is a little server running Home Assistant) that is able to communicate with the IOT devices via some custom ebtables rules in the nat-start script.

 

[ColinTaylor]

I use a guest network with the "access intranet" setting disabled for all my IOT devices.

Then I have a single host on my LAN (in my case, it is a little server running Home Assistant) that is able to communicate with the IOT devices via some custom ebtables rules in the nat-start script.

That would not be applicable in this case as all of his camera devices are wired not wireless.

But as an aside I would be interested to see what your ebtables rules look like as I have has limited success trying that myself.

 

[g725s]

That would not be applicable in this case as all of his camera devices are wired not wireless.

But as an aside I would be interested to see what your ebtables rules look like as I have has limited success trying that myself.

I guess I need to post this in another topic or keep searching since this is not related to the Asus router. I have read over at a forum specifically for IP Cameras called ipcamtalk .com that some have put a second Network Card/Adapter in the dedicated PC that they use for Blue Iris. But I'm not finding details on how they actually set it up. I am just not super network savvy, I am learning more since putting together an IP camera PC running Blue Iris. Typically when people post questions over at that site they often get the response from a couple of the Old Salts that this has been discussed before and are shunned to ask such questions and searching that site via Google site:ipcamtalk.com I cannot find a detailed explanation of how to set such an Isolated LAN up using a second adapter dedicated to just the cameras. This forum is much more helpful group so I am asking here.

Would the configuration of a card used for this be mostly Windows Network settings?

 

[ColinTaylor]

Would the configuration of a card used for this be mostly Windows Network settings?

I would imagine so. The potentially difficult bit might be getting the cameras configured with an IP address for your new "camera network". Quite often the manufacturer of a network device provides a utility that you can run on your PC that automatically detects the device and allows you to configure its network settings. If necessary you could always plug a camera into your "normal" LAN, configure it and then move it to the camera LAN.

EDIT: What is the make/model of your cameras?

EDIT 2: Just to be clear, the configuration of the network card in the PC should be very straight forward.

 

[g725s]

I would imagine so. The potentially difficult bit might be getting the cameras configured with an IP address for your new "camera network". Quite often the manufacturer of a network device provides a utility that you can run on your PC that automatically detects the device and allows you to configure its network settings. If necessary you could always plug a camera into your "normal" LAN, configure it and then move it to the camera LAN.

EDIT: What is the make/model of your cameras?

EDIT 2: Just to be clear, the configuration of the network card in the PC should be very straight forward.

Yes there is a utility that the manufacturer provides to allow configuration including IPs . Cameras are all Dahua

I currently have the cameras setup but not on their own Isolated Network. I did use this ConfigTool https://dahuawiki.com/ConfigTool

Which is found here... https://dahuawiki.com/Software/Dahua_Toolbox

 

[ColinTaylor]

Yes there is a utility that the manufacturer provides to allow configuration including IPs . Cameras are all Dahua

I currently have the cameras setup but not on their own Isolated Network. I did use this ConfigTool https://dahuawiki.com/ConfigTool

Which is found here... https://dahuawiki.com/Software/Dahua_Toolbox

Looks like it should be straight forward. All you need now is a second network adapter in your Blue Iris PC.

 

[g725s]

Looks like it should be straight forward. All you need now is a second network adapter in your Blue Iris PC.

And then what kind configuration either with the adapter , my router, or within Windows?
I guess am going to start looking for an adapter then
. Do you have any suggestions?

Looks like it should be straight forward. All you need now is a second network adapter in your Blue Iris PC.

I did a lot more searching and think I found what I was looking for. First I found this thread... https://ipcamtalk.com/threads/how-do-you-setup-dual-lan.31085/

Then I found the info I needed in the Cliff Notes at the site there.
I need to determine what network card/adapter I should get now. Those Cliff Notes suggest this one... https://www.amazon.com/dp/B001CY0P7G/?tag=snbforums-20

...Blue Iris Server with Dual LAN

Concept & Configuration

Similar to the way Dahua NVR’s use a separate subnet for the cameras, you can set up a Blue Iris computer the same way by using two network interfaces. If the motherboard on the computer does not have dual LAN interfaces, and there is a spare PCI-E slot, just get an additional Network Interface Card (NIC), like this one. Use one of the network interfaces for your secure LAN, and the other one for the non-secure camera LAN. The Blue Iris PC needs to have access to Ethernet cables for both of the secure and non-secure networks, on different subnets; i.e. 192.168.1.X secure, and 192.168.0.X non-secure. Just make sure the two subnets share the same subnet mask, like 255.255.255.0.

The non-secure network would connect to the PoE switch w/all your cameras. The cameras should be configured with static IP addresses, and no gateway, so they cannot access the internet. Alternatively, establish firewall rules that prevent the cameras from directly accessing the internet and the secure LAN subnet. With this configuration, only the Blue Iris server will be able to access both the (secure) LAN and the (non-secure) camera network. Note the trick is to leave the gateway address blank for the non-secure LAN NIC settings in the Blue Iris server; only the secure LAN NIC will have a gateway address.

The Blue Iris computer acts as the time server for the cameras, and the cameras point to the server’s non-secure LAN IP address (i.e. 192.168.0.X secure). To allow the communication from the cameras to the time server IP address, set a rule on any firewall used on the Blue Iris server to allow port 123/UDP to pass through the firewall of the non-secure network. IPCamTalk user @DognamedTank recommends using the NTP server built into Windows 10; see setup guide here.

Viewing Cameras Remotely

While a physically segmented network as described above is an excellent security practice, accessing the camera web interface is more challenging. You can use Google Remote Desktop to view the Blue Iris computer without having to forward port(s) in the router. The Blue Iris computer can be used to view individual cameras, as well as clips and videos saved. You can also use Google Remote Desktop to log into the cameras separately via the web interface, for configuration purposes. All this is possible because Google Remote Desktop is a connection to the desktop of the computer that has access to both the (secure) LAN and the (non-secure) camera network. Google Remote Desktop, TeamViewer, and similar software do NAT traversal by keeping a connection active to a remote server that can be used to connect to your computer, just like he P2P function on many cameras. Unfortunately, using a remote desktop application will significantly increase CPU utilization, so don’t leave it connected full-time.

Viewing Cameras at Home

If you want to log into the web interface of your camera without using Google Remote Desktop, use the Blue Iris computer that has access to both the (secure) LAN and the (non-secure) camera network. Alternatively, use the “Remote Desktop” apps native to both Windows and OSX. From a security perspective, it would not be a good idea to use a computer temporarily connected to the (non-secure) camera network, as it defeats the purpose of having separate networks.

Above info found in Cliff Notes here... https://ipcamtalk.com/wiki/ip-cam-talk-cliff-notes/

 

[ColinTaylor]

@g725s You appear to have everything covered. That network adapter looks OK. You don't need anything special (or expensive). EDIT: Obviously check that your PC has a free slot of the appropriate type.

 

[g725s]

@g725s EDIT: Obviously check that your PC has a free slot of the appropriate type.

Yes PC has 2 slots free.

 

[pjv]

That would not be applicable in this case as all of his camera devices are wired not wireless.

But as an aside I would be interested to see what your ebtables rules look like as I have has limited success trying that myself.

Ah so. Sorry I missed that part about the camera's being wired.

So then this is off-topic, but my ebtables rules script looks like this:

#!/bin/sh

## allow home assistant to talk to IoT devices on firewalled guest network
MAC="XX:XX:XX:XX:XX:XX" # HA box ether mac address
EBT=$(ebtables -L --Lx --Lmac2) # existing ebtables FORWARD chain rules

if echo "$EBT" | grep -iq "$MAC"
then
  # do nothing because custom rules already in place
  logger "nat" "Custom ebtables rules already in place"
else
  # add custom rules
  ebtables -I FORWARD -i wl0.1 -d $MAC -j ACCEPT
  ebtables -I FORWARD -o wl0.1 -s $MAC -j ACCEPT
fi

 

[Kenneth Andersen]

Ah so. Sorry I missed that part about the camera's being wired.

So then this is off-topic, but my ebtables rules script looks like this:

#!/bin/sh

## allow home assistant to talk to IoT devices on firewalled guest network
MAC="XX:XX:XX:XX:XX:XX" # HA box ether mac address
EBT=$(ebtables -L --Lx --Lmac2) # existing ebtables FORWARD chain rules

if echo "$EBT" | grep -iq "$MAC"
then
  # do nothing because custom rules already in place
  logger "nat" "Custom ebtables rules already in place"
else
  # add custom rules
  ebtables -I FORWARD -i wl0.1 -d $MAC -j ACCEPT
  ebtables -I FORWARD -o wl0.1 -s $MAC -j ACCEPT
fi

I'm trying to accompolish something similar. Move my IOT devices to an isolated quest network, and only allow access (preferably only MQTT port, but that's the next step) to my controller.
Tried using your script, pointed to the correct network and also tried adding the IP-address, but no success.
The ebtables look like this:

###@RT-AC87U-CA68:/jffs/scripts# ebtables -L --Lx --Lmac2
ebtables -t filter -A FORWARD -p IPv4 -o wl0.2 --ip-src 10.0.0.10 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl0.2 --ip-dst 10.0.0.10 -j ACCEPT
ebtables -t filter -A FORWARD -s aa:bb:cc:dd:ee:ff -o wl0.2 -j ACCEPT
ebtables -t filter -A FORWARD -d aa:bb:cc:dd:ee:ff -i wl0.2 -j ACCEPT
ebtables -t filter -A FORWARD -i wl0.1 -j DROP
ebtables -t filter -A FORWARD -o wl0.1 -j DROP
ebtables -t filter -A FORWARD -i wl0.2 -j DROP
ebtables -t filter -A FORWARD -o wl0.2 -j DROP

Any suggestions?

 

[pjv]

Any suggestions?

here's what my ebtables look like

pjv@rt-ac68u:/tmp/home/root# ebtables -L --Lx --Lmac2
ebtables -t filter -A FORWARD -s aa:bb:cc:dd:ee:ff -o wl0.1 -j ACCEPT
ebtables -t filter -A FORWARD -d aa:bb:cc:dd:ee:ff -i wl0.1 -j ACCEPT
ebtables -t filter -A FORWARD -i wl0.1 -j DROP
ebtables -t filter -A FORWARD -o wl0.1 -j DROP

my guest network setup:

from your ebtables it's looking like you may have more than one guest network set up? I haven't tried that so don't know how it might affect things. Are you sure that the IOT devices are associated with your wl0.2 device/network (and not wl0.1)?

Also don't know if different hardware (you AC87U, me AC68U) might have an effect as well.

 

[Kenneth Andersen]

here's what my ebtables look like

pjv@rt-ac68u:/tmp/home/root# ebtables -L --Lx --Lmac2
ebtables -t filter -A FORWARD -s aa:bb:cc:dd:ee:ff -o wl0.1 -j ACCEPT
ebtables -t filter -A FORWARD -d aa:bb:cc:dd:ee:ff -i wl0.1 -j ACCEPT
ebtables -t filter -A FORWARD -i wl0.1 -j DROP
ebtables -t filter -A FORWARD -o wl0.1 -j DROP

my guest network setup:

from your ebtables it's looking like you may have more than one guest network set up? I haven't tried that so don't know how it might affect things. Are you sure that the IOT devices are associated with your wl0.2 device/network (and not wl0.1)?

Also don't know if different hardware (you AC87U, me AC68U) might have an effect as well.

True. Have one network for regular guests, and a second one for my IOT stuff.

Verified (ifconfig and WiFiman) that wl0.2 matches the IOT network.
Also added similar rules for wl0.1 so revised ebtables look like this:

ebtables -t filter -A FORWARD -s 02:81:02:42:21:32 -o wl0.1 -j ACCEPT
ebtables -t filter -A FORWARD -d 02:81:02:42:21:32 -i wl0.1 -j ACCEPT
ebtables -t filter -A FORWARD -s 02:81:02:42:21:32 -o wl0.2 -j ACCEPT
ebtables -t filter -A FORWARD -d 02:81:02:42:21:32 -i wl0.2 -j ACCEPT
ebtables -t filter -A FORWARD -i wl0.1 -j DROP
ebtables -t filter -A FORWARD -o wl0.1 -j DROP
ebtables -t filter -A FORWARD -i wl0.2 -j DROP
ebtables -t filter -A FORWARD -o wl0.2 -j DROP

No access to any devices on the main network from either guest network

Could it play any role that the script is not run on boot? Total noob and haven't figured out how to do that yet

UPDATE: Tried deleting all ebtables rules including the DROP ones created automatically. Still not possible to connect from either guest network to any devices on the main network...
Which is really weird since all devices are visible in network scan on my Android device...

 

[pjv]

Could it play any role that the script is not run on boot? Total noob and haven't figured out how to do that yet

I don't know the answer to that question, but reboots are often helpful. I have the script being called from the `nat-start` script. The merlin wiki has good documentation on getting started with scripts, here.

Edit: Are you sure that the device on your main network that you want to be able to access the IOT devices (and vice versa) is connecting to the router via the MAC address you are whitelisting? Some devices have more than one MAC (i.e. wifi, Ethernet, bluetooth...)