Hi All!
I am rather new to VLANs, so I am considering my options for the upgrade of RT-AC86U, and would like to find out which of the Merlin-supported ASUS routers would give the functionality described below. (I am open to both AX and BE, primarily 88/86 types of routers, including their Pro variants, as I don't want to spend much more than that.)
Here are the desired capabilities (I am not sure if all of these are possible).
1. There are a few security cameras and an NVR (network video recorder) (Reolink, if that matters). The cameras (WiFi-6 capable) are connected to 5 GHz WiFi, and the NVR is connected via Ethernet.
The NVR and the cameras need to be on the same "network" - to talk to each other (and discover each other). However, ideally, I would like to isolate all the cameras from the rest of LAN and WLAN, but have the NVR be accessible from the LAN, and allow it to access WLAN. (So, it would be in a sort of "DMZ" of the VLAN.)
2. There is one (or more) other IoT device(s) on a VLAN or Guest network that would not have access to LAN or WLAN themselves, but I would be able to access them from my device (laptop or phone) that is either on LAN, or connected to the LAN via OpenVPN.
I suspect this could be a bit tricky and probably couldn't be done via GUI configuration but only via scripted firewall configuration. Moreover, while I have fixed IPs assigned to my devices on the LAN, so it should be possible to open connections to these devices from 2 specific IPs, I am not sure if that could be done when the devices are connected to the LAN via VPN.
Alternatively, I don't know if the firewall of ASUSWRT-Merlin devices is stateful and allows configuring that connections could be started only from a LAN (or LAN from VPN) device to the devices within this special subnet (VLAN/Guest Network), and once established, there could be two-way communication, but it couldn't be started from the subnet device. (I know it would be possible in stateful firewalls like FreeBSD's ipfw.)
3. Optional: for each of the VLANs described above, to be able to open their access to WLAN temporarily without physically accessing the devices in them, when I need to upgrade those devices' firmware.