Which Merlin-capable routers can do this type of VLAN?

StR

Regular Contributor
Hi All!

I am rather new to VLANs, so, I am considering my options for the upgrade of RT-AC86U, and would like to find out which of the Merlin-supported ASUS routers would give the functionality described below. (I am open to both AX and BE, primarily 88/86 types of routers, including their Pro variants, as I don't want to spend much more than that.)
Here are the desired capabilities (I am not sure if all of these are possible).

1. There are a few security cameras and an NVR (network video recorder) (Reolink, if that matters). The cameras (WiFi-6 capable) are connected to 5 GHz WiFi, and the NVR is connected via Ethernet.
The NVR and the cameras need to be on the same "network" - to talk to each other (and discover each other). However, ideally, I would like to isolate all the cameras from the rest of LAN and WLAN WAN, but have the NVR accessible from the LAN, and allow it to access the WLAN WAN. (So, it would be in a sort of "DMZ" of the VLAN.)

2. There is one (or more) other IoT device(s) on a VLAN or Guest network that would not have access to LAN or WLAN WAN themselves, but I would be able to access them from my device (laptop or phone) that is either on LAN, or connected to the LAN via OpenVPN.
I suspect this could be a bit tricky and probably couldn't be done via GUI configuration but only via scripted firewall configuration. Moreover, while I have fixed IPs assigned to my devices on the LAN, so it should be possible to open connections to these devices from 2 specific IPs, I am not sure if that could be done when the devices are connected to the LAN via VPN.
Alternatively, I don't know if the firewall of ASUSWRT-Merlin devices is stateful and allows configuring it so that connections can be started only from a LAN (or LAN-from-VPN) device to the devices within this special subnet (VLAN/Guest Network), and once established, there could be two-way communication, but it couldn't be started from the subnet device. (I know it would be possible in stateful firewalls like FreeBSD's ipfw.)

3. Optional: for each of the VLANs described above, to be able to open their access to WLAN WAN temporarily without physically accessing the devices in them, when I need to upgrade those devices' firmware.

(edited to correct the brain fart: WLAN -> WAN)
 
If you need these cameras for real security documentation/alerting, they need to be on cables not wifi back to the NVR. Wifi is easily jammed with inexpensive gear. This also simplifies the networking as the NVR becomes another LAN client on the network. Don't use wifi.
 
Thank you for your concern!
Yes, I am aware of that.
The initial thought was indeed to use ethernet-connected cameras, in which case they would have been plugged in directly into the NVR, and #1 above wouldn't be needed. There are circumstances that pushed this decision, at least for now.
 
I am reviving the thread, hoping someone might have some thoughts on the questions raised in the OP.
 
Your original post is confusing. Did you mean to say "WLAN" (wireless LAN) or do you really mean WAN (aka "the internet")? If it's the latter I suggest you correct your post.
 
I am reviving the thread, hoping someone might have some thoughts on the questions raised in the OP.
Not sure I follow exactly what you are trying to ask in the OP, but the bottom line is the Guest Network Pro/VLAN feature is generally found on those routers that are supported by the 3006.102.x firmware. For Asus-Merlin firmware this means the following routers:
ZenWiFi Pro XT12
GT-AX6000
GT-AXE16000
GT-AX11000_PRO
RT-AX86U_PRO
RT-AX88U_PRO
RT-BE96U
GT-BE98_PRO
RT-BE86U
RT-BE88U
RT-BE92U
For the GNuton fork of Asus-Merlin, it means the following router(s) are supported under the 3006.102.x firmware.
GT-BE98/GT-BE2500

If you use the forum search feature you'll find a number of discussions on trying to get Guest Network Pro/VLAN to work under certain conditions, among them are trying to isolate a Guest Network Pro profile from the main LAN while allowing those Guest Network Pro clients to access a specific LAN client (for Home Automation, NVR, etc.). People are resorting to using iptables scripting (similar to YazFi under the 386/388 firmware) to accomplish this type of setup. The following link is an example of iptables scripting under 3006.102.x to allow communication between Guest Network Pro and main LAN; a forum search will turn up several other lengthy discussions.
https://www.snbforums.com/threads/t...st-network-pro-limitations.94438/#post-952345

Note that some or many IoT devices require WAN (Internet) access in order to operate or be accessed. Blocking WAN access to them may present issues with device use. There are a number of past discussions on trying to block WAN (Internet) access to Guest Network Pro (VLAN) clients that likewise can be found using the forum search feature.

Bottom line, under Guest Network Pro, to isolate the Guest Network Pro profile from the main LAN one would need to disable the Use same subnet as main network option when initially configuring the Guest Network Pro profile. Some are finding the Guest Network Pro profile option Access Intranet sometimes works, sometimes doesn't when enabled, which is why some have resorted to using iptables scripting. Again, use the forum search to find many past discussions on Guest Network Pro that are similar in nature to the questions (if I understood them right) that you seem to be asking.
 
Hi All!

I am rather new to VLANs, so, I am considering my options for the upgrade of RT-AC86U, and would like to find out which of the Merlin-supported ASUS routers would give the functionality described below. (I am open to both AX and BE, primarily 88/86 types of routers, including their Pro variants, as I don't want to spend much more than that.)
Here are the desired capabilities (I am not sure if all of these are possible).

1. There are a few security cameras and an NVR (network video recorder) (Reolink, if that matters). The cameras (WiFi-6 capable) are connected to 5 GHz WiFi, and the NVR is connected via Ethernet.
The NVR and the cameras need to be on the same "network" - to talk to each other (and discover each other). However, ideally, I would like to isolate all the cameras from the rest of LAN and WLAN, but have the NVR accessible from the LAN, and allow it to access the WLAN. (So, it would be in a sort of "DMZ" of the VLAN.)

2. There is one (or more) other IoT device(s) on a VLAN or Guest network that would not have access to LAN or WLAN themselves, but I would be able to access them from my device (laptop or phone) that is either on LAN, or connected to the LAN via OpenVPN.
I suspect this could be a bit tricky and probably couldn't be done via GUI configuration but only via scripted firewall configuration. Moreover, while I have fixed IPs assigned to my devices on the LAN, so it should be possible to open connections to these devices from 2 specific IPs, I am not sure if that could be done when the devices are connected to the LAN via VPN.
Alternatively, I don't know if the firewall of ASUSWRT-Merlin devices is stateful and allows configuring it so that connections can be started only from a LAN (or LAN-from-VPN) device to the devices within this special subnet (VLAN/Guest Network), and once established, there could be two-way communication, but it couldn't be started from the subnet device. (I know it would be possible in stateful firewalls like FreeBSD's ipfw.)

3. Optional: for each of the VLANs described above, to be able to open their access to WLAN temporarily without physically accessing the devices in them, when I need to upgrade those devices' firmware.
I currently run a setup similar to what you're trying to accomplish.

1. Guest Network Pro is an option from ASUS that gives you some flexibility. The advantage is you can combine it with AiMesh to create a mesh network that can provide better WiFi connections if you've got security cameras in remote locations. Configuring a VLAN using GNP causes the main router and any compatible AiMesh nodes to broadcast an SSID dedicated to that VLAN, so any devices that connect to it wirelessly become part of that VLAN and get an IP address from that specific block. As well, GNP lets you configure the Ethernet ports on the main router to force any client connected to a given port onto a specific VLAN. Some AiMesh nodes are compatible with Ethernet VLANs and can also be used in this fashion but, if not, you can add a managed switch into the mix to accomplish the same thing. And you can easily set a firewall rule to make the NVR in a VLAN accessible from the main network (I do exactly this in my setup). There are various ways to block devices from WAN access using Parental Controls, firewall rules, etc.

2. Firewall rules would allow you to set up access from the main network into any VLANs you've created, and you can configure it so access into a VLAN can only come from an IP block or specific IPs on your main network.

3. In this situation it would depend on how you're blocking WAN access to these devices. For example, if you're blocking WAN access using Parental Controls, you just temporarily turn off the block. If you're blocking them using firewall rules, maybe a script you could execute that can turn those rules on/off.
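The iptables approach that the two replies above describe (scripted isolation of a Guest Network Pro profile from the main LAN, the NVR reachable from the LAN and allowed out to the WAN, new connections into the VLAN only from chosen LAN or VPN addresses with replies passing statefully, and a switchable WAN window for firmware updates), written out as an added example. This is not code from this thread or from the Asuswrt-Merlin project. Every name and address in it is an assumption or a constructed value: the bridge names br0 and br52, the WAN name eth0, the subnets, the NVR address and the admin addresses. Check the real ones on the router with `ip addr`, `brctl show` and `nvram get wan0_ifname` before using it. The file path /jffs/scripts/iot-vlan.sh is hypothetical; the idea is to call it with `apply` from Merlin's /jffs/scripts/firewall-start so the rules survive a firewall restart.

```shell
#!/bin/sh
# Added example (not from the thread or from Asuswrt-Merlin): builds an iptables
# policy for an isolated camera/IoT VLAN on a Merlin router.
# usage: iot-vlan.sh apply | wan on | wan off
# Set IPT=echo to print the iptables commands instead of applying them.

LAN_IF="${LAN_IF:-br0}"                 # main LAN bridge (assumed)
IOT_IF="${IOT_IF:-br52}"                # Guest Network Pro / VLAN bridge (assumed, differs per profile)
WAN_IF="${WAN_IF:-eth0}"                # WAN interface (assumed; on the router: nvram get wan0_ifname)
NVR_IP="${NVR_IP:-192.168.52.10}"       # NVR address inside the VLAN (constructed)
# Hosts allowed to open connections into the VLAN: two fixed LAN addresses and
# one OpenVPN client address (constructed). Matching on source address only, not
# on the input interface, is what lets a VPN client (arriving on the tun
# interface rather than br0) qualify as well.
ADMIN_IPS="${ADMIN_IPS:-192.168.50.20 192.168.50.21 10.8.0.6}"
CHAIN="IOT_POLICY"
IPT="${IPT:-iptables}"

# Print the chain's rules, one per line, in evaluation order. Order matters: the
# stateful ACCEPT comes first so replies to permitted connections always pass,
# then the explicit allows, then the drops.
iot_rules() {
    # 1. replies/related packets of connections already permitted, either direction
    echo "-m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. selected LAN/VPN hosts may start connections to anything in the VLAN
    for ip in $ADMIN_IPS; do
        echo "-o $IOT_IF -s $ip -j ACCEPT"
    done
    # 3. any LAN host may reach the NVR (the "DMZ" device)
    echo "-i $LAN_IF -o $IOT_IF -d $NVR_IP -j ACCEPT"
    # 4. nothing in the VLAN may start a connection into the main LAN
    echo "-i $IOT_IF -o $LAN_IF -j DROP"
    # 5. the NVR alone may reach the Internet (LAN was already dropped above)
    echo "-i $IOT_IF -o $WAN_IF -s $NVR_IP -j ACCEPT"
    # 6. everything else leaving the VLAN (cameras to WAN, other bridges) is dropped
    echo "-i $IOT_IF -j DROP"
}

# Insert a FORWARD jump to the chain, deleting any existing copy first so
# repeated runs (every firewall restart) do not stack duplicate jumps.
hook() {
    $IPT -D FORWARD "$@" -j "$CHAIN" 2>/dev/null
    $IPT -I FORWARD 1 "$@" -j "$CHAIN"
}

# (Re)create the chain and hook it in front of FORWARD for every packet that
# enters or leaves the VLAN bridge. Idempotent.
apply_policy() {
    $IPT -N "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN"
    iot_rules | while read -r rule; do
        $IPT -A "$CHAIN" $rule    # word splitting of $rule is intended
    done
    hook -i "$IOT_IF"
    hook -o "$IOT_IF"
}

# Temporarily let the whole VLAN reach the Internet (firmware updates), then
# close it again. Inserted at position 1 so it wins over the drops; -D removes it.
wan_window() {
    case "$1" in
        on)  $IPT -I "$CHAIN" 1 -i "$IOT_IF" -o "$WAN_IF" -j ACCEPT ;;
        off) $IPT -D "$CHAIN" -i "$IOT_IF" -o "$WAN_IF" -j ACCEPT ;;
        *)   echo "usage: wan_window on|off" >&2; return 1 ;;
    esac
}

case "$1" in
    apply) apply_policy ;;
    wan)   wan_window "$2" ;;
    *)     echo "usage: $0 apply | wan on|off" >&2 ;;
esac
```

Two things to keep in mind when adapting it. The FORWARD chain only sees traffic routed between bridges, so it only has an effect once the profile uses its own subnet (the "Use same subnet as main network" option disabled, as noted above); camera-to-NVR discovery on the same VLAN bridge never passes through these rules, although a client-isolation option on that guest profile would block it at layer 2. And running `IPT=echo ./iot-vlan.sh apply` prints every iptables command in order, which is the easiest way to review the policy before it touches a live firewall.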
 
Your original post is confusing. Did you mean to say "WLAN" (wireless LAN) or do you really mean WAN (aka "the internet")? If it's the latter I suggest you correct your post.
It's pretty clear he's trying to configure a Virtual WLAN over the WAN through a LAN over the VPN. Obviously. :P
 
Which model will you choose (RT‑BE88U or GT‑AX6000) or do you want a recommendation between them? Do you have a managed VLAN‑capable switch between router and wired devices, or are wired devices plugged directly into the router/unmanaged switch? Where is the NVR physically connected (router LAN port, switch port, or separate network)?

How do cameras discover the NVR (direct IP, broadcast/multicast, mDNS/UPnP, or vendor discovery)? Do you plan to use the router as your OpenVPN server (clients connect into LAN via OpenVPN)? Do your OpenVPN clients receive fixed VPN IPs, or are they assigned dynamic IPs from the VPN pool?

Are you comfortable applying shell scripts on Merlin (iptables, ipset, possibly nftables depending on Merlin version)? Do you have fixed IPs reserved for the LAN devices that must access IoT devices, and do those include VPN client addresses if you connect via OpenVPN?

How many wired camera/NVR connections and how many IoT devices total (to size subnet/VLANs)?
 
Your original post is confusing. Did you mean to say "WLAN" (wireless LAN) or do you really mean WAN (aka "the internet")? If it's the latter I suggest you correct your post.
It's pretty clear he's trying to configure a Virtual WLAN over the WAN through a LAN over the VPN. Obviously. :P
🤓
 