
VLAN Connection to the Internet

My Equipment:

GS724T - Netgear Switch

RT-N66U - Asus Router (Open to other options)

AC-Pro - Ubiquiti Wireless Access Point

Basic Motorola Modem with one port

 

The current state of things has all my devices, including servers, NAS's, PC's, Internet of things, plex, security cameras plus server recording, and chromecast devices on my home network.  I've been doing some research, and I want to ensure that my network is secure.  I especially want to ensure that my security cameras aren't accessible to the outside world except through the PC/software that I view them from.  Each of the cameras has its own individual login, but I would like to disconnect them from the internet while keeping them networked together for accessibility through the server I use to record/control them.  

 

In addition I would like to completely cut off the internet of things devices (Alexa, thermostat, and various other devices) from my network, but allow them to connect to the internet on their own through a router/firewall.

 

I would like all these devices to still be connected to the DHCP.  (Cameras aren't necessary for this since they are static, but I would still like the possibility).  

 

To do this I have attempted to set up VLAN groups.  I used VLAN10 for security and VLAN 20 for IOT (Internet of Things). VLAN 1 remains the default.

 

I didn't go gung ho right away.  I wanted to test this solution via a single computer so I can verify that it can't connect to other devices, but also has an internet connection.  So I used Port 24 on the Netgear switch to connect a laptop directly (turning off Wifi to ensure a solid test).

 

I've tried all sorts of combinations, but I've been unsuccessful, but I wanted to get some feedback on what I assume is the correct configuration, and then hopefully someone can fill me in on what I'm missing.

 

First, I went to VLAN1(Default), and removed Port 24(Laptop) from that VLAN.  From there I "Tagged" Port 14 which has my router/internet connection.  I created VLAN 10(Security), and "Tagged" Port 14(Router/internet), and "Untagged" Port 24(laptop).  The remainder of the ports are removed.  From here I tested the internet connection.  I had no connection, and no IP assigned via DHCP. So I fiddled some more.

 

With the same configuration above I went into the "Port PVID Configuration" and under Port 24(Laptop) I changed the "Configured PVID" to "10." I ran the same tests and got the same results.

 

I used the same config and just changed the "Acceptable Frame Types" to "VLAN Only."  I got the same results.

 

Essentially, the only way I got a DHCP IP assignment and internet connection is with these settings:

On VLAN1(Default) I "untagged or tagged" port 24(Laptop), and all other ports are "untagged." On VLAN10(Security) I "untagged" Port 24(Laptop), and Tagged Port 14(Router/Internet).  I changed the Port PVID Configuration back to its defaults (Port 24(Laptop) "Configured PVID" to "1" and "Accept all Frames").

 

The problem is: I still have the device on VLAN1(Default) with all my other devices.  What I'm assuming is I have an issue either at the Switch level where I'm missing something (I do have a VLAN Routing Tab that I haven't configured), or I'm missing something at the router level(either compatibility, or other issue).

 

Any help would be appreciated.

 

Thanks,

Eric

 

 


4 minutes ago, Strikermed said:

My Equipment:

GS724T - Netgear Switch

RT-N66U - Asus Router (Open to other options)

AC-Pro - Ubiquiti Wireless Access Point

 

The current state of things has all my devices, including servers, NAS's, PC's, Internet of things, plex, security cameras plus server recording, and chromecast devices on my home network.  I've been doing some research, and I want to ensure that my network is secure.  I especially want to ensure that my security cameras aren't accessible to the outside world except through the PC/software that I view them from.  Each of the cameras has its own individual login, but I would like to disconnect them from the internet while keeping them networked together for accessibility through the server I use to record/control them.  

 

In addition I would like to completely cut off the internet of things devices (Alexa, thermostat, and various other devices) from my network, but allow them to connect to the internet on their own through a router/firewall.

 

I would like all these devices to still be connected to the DHCP.  (Cameras aren't necessary for this since they are static, but I would still like the possibility).  

 

To do this I have attempted to set up VLAN groups.  I used VLAN10 for security and VLAN 20 for IOT (Internet of Things). VLAN 1 remains the default.

 

I didn't go gung ho right away.  I wanted to test this solution via a single computer so I can verify that it can't connect to other devices, but also has an internet connection.  So I used Port 24 on the Netgear switch to connect a laptop directly (turning off Wifi to ensure a solid test).

 

I've tried all sorts of combinations, but I've been unsuccessful, but I wanted to get some feedback on what I assume is the correct configuration, and then hopefully someone can fill me in on what I'm missing.

 

First, I went to VLAN1(Default), and removed Port 24(Laptop) from that VLAN.  From there I "Tagged" Port 14 which has my router/internet connection.  I created VLAN 10(Security), and "Tagged" Port 14(Router/internet), and "Untagged" Port 24(laptop).  The remainder of the ports are removed.  From here I tested the internet connection.  I had no connection, and no IP assigned via DHCP. So I fiddled some more.

 

With the same configuration above I went into the "Port PVID Configuration" and under Port 24(Laptop) I changed the "Configured PVID" to "10." I ran the same tests and got the same results.

 

I used the same config and just changed the "Acceptable Frame Types" to "VLAN Only."  I got the same results.

 

Essentially, the only way I got a DHCP IP assignment and internet connection is with these settings:

On VLAN1(Default) I "untagged or tagged" port 24(Laptop), and all other ports are "untagged." On VLAN10(Security) I "untagged" Port 24(Laptop), and Tagged Port 14(Router/Internet).  I changed the Port PVID Configuration back to its defaults (Port 24(Laptop) "Configured PVID" to "1" and "Accept all Frames").

 

The problem is: I still have the device on VLAN1(Default) with all my other devices.  What I'm assuming is I have an issue either at the Switch level where I'm missing something (I do have a VLAN Routing Tab that I haven't configured), or I'm missing something at the router level(either compatibility, or other issue).

 

Any help would be appreciated.

 

Thanks,

Eric

 

 

is modem built into router?

 


i would get a router with guest mode 

use guest mode for alexa type devices

set cams in firewall with block inbound/outbound 0.0.0.0 then add cams allowed outbound/inbound 192.168.1.1/24 or your routers gatewayip/24

this takes care of your big issues


9 minutes ago, bcguru9384 said:

i would get a router with guest mode 

use guest mode for alexa type devices

set cams in firewall with block inbound/outbound 0.0.0.0 then add cams allowed outbound/inbound 192.168.1.1/24 or your routers gatewayip/24

this takes care of your big issues

I suppose that would be a more simplistic way of doing things, and I really don't have a reason not to do it that way, except for if I want to isolate more devices into more groups...  

 

For instance I may have a NAS/Server I want to isolate from the network, but still have access to the internet to run off site backups.  I essentially have a small business set up in my home.

 

Any info on how to set up a VLAN that can connect to the internet?  For example, Router/Internet plugged into Port 14, VLAN1(Default) has 14, and VLAN10(Security) has Port 14 also assigned.  But I don't get any kind of internet on the Device I have on VLAN10.


19 minutes ago, bcguru9384 said:

is modem built into router?

 

The modem is separate, and doesn't have a switch built in.  It's a basic Motorola Modem.  It connects to the Asus Router, and the router connects directly via 1 port to the Netgear Switch.


Just now, Strikermed said:

I suppose that would be a more simplistic way of doing things, and I really don't have a reason not to do it that way, except for if I want to isolate more devices into more groups...  

 

For instance I may have a NAS/Server I want to isolate from the network, but still have access to the internet to run off site backups.  I essentially have a small business set up in my home.

 

Any info on how to set up a VLAN that can connect to the internet?  For example, Router/Internet plugged into Port 14, VLAN1(Default) has 14, and VLAN10(Security) has Port 14 also assigned.  But I don't get any kind of internet on the Device I have on VLAN10.

use firewall as i showed with cams but instead of /24 just put gateway now there isolated


Vlan 1 is the native VLAN and all traffic tagged with VLAN 1 or any untagged traffic will go through this VLAN.

You need to create an SVI somewhere in the network for each additional VLAN so they can use that as the default gateway and then from there static routes pointing out to the internet.


the /24 sets so only last octet of ip is dynamic so you get only clients under x.x.x.# as allowed/blocked

so if you rule all blocked then do an allow for only what you want you are isolating


1 minute ago, Lurick said:

Vlan 1 is the native VLAN and all traffic tagged with VLAN 1 or any untagged traffic will go through this VLAN.

You need to create an SVI somewhere in the network for each additional VLAN so they can use that as the default gateway and then from there static routes pointing out to the internet.

he wants dhcp not static


Just now, bcguru9384 said:

he wants dhcp not static

DHCP hosts are not the same as static routes out of a network.

Native VLAN tagging sets a default VLAN for all untagged traffic and gives it a default gateway.

Adding an SVI will give all traffic on another VLAN a default gateway out to the network. He'll have to setup a DHCP scope for each additional VLAN.
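The following is an added illustration, not code from the thread, from Netgear or from Asus: a small model of the 802.1Q ingress and egress rules that replays the four port-24 configurations from the opening post and then shows Lurick's point, that the router on port 14 must have an interface on VLAN 10 before a DHCP request from that VLAN can ever be answered. The port numbers and the four attempts come from the post; the `Switch`, `Port`, `Router` classes, the scenario names and the "VLAN-aware router" variant are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    """One switch port's 802.1Q settings (the VLAN Membership and Port PVID pages)."""
    pvid: int = 1                                    # VLAN assigned to untagged ingress frames
    untagged: Set[int] = field(default_factory=set)  # VLANs emitted from this port without a tag ("U")
    tagged: Set[int] = field(default_factory=set)    # VLANs emitted from this port with a tag ("T")
    accept_vlan_only: bool = False                   # "Acceptable Frame Types: VLAN Only"

    def member_of(self, vid: int) -> bool:
        return vid in self.untagged or vid in self.tagged


@dataclass
class Frame:
    src_port: int
    vid: Optional[int] = None    # None = arrives untagged on the wire
    payload: str = ""


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def classify(self, frame: Frame) -> Optional[int]:
        """Ingress: decide which VLAN the frame belongs to, or None if the port drops it."""
        ingress = self.ports[frame.src_port]
        if frame.vid is None:
            if ingress.accept_vlan_only:
                return None                          # untagged frames are refused
            vid = ingress.pvid                       # untagged frames take the PVID
        else:
            vid = frame.vid
        return vid if ingress.member_of(vid) else None   # ingress filtering: must be a member

    def forward(self, frame: Frame) -> Dict[int, Optional[int]]:
        """Egress: {port: tag on the wire (None = untagged)} for every port that emits the frame."""
        vid = self.classify(frame)
        if vid is None:
            return {}
        out: Dict[int, Optional[int]] = {}
        for num, port in self.ports.items():
            if num == frame.src_port:
                continue
            if vid in port.untagged:
                out[num] = None
            elif vid in port.tagged:
                out[num] = vid
        return out


class Router:
    """Router on the uplink. `vlan_interfaces` holds the VLANs it has an interface on;
    None stands for its plain untagged LAN port (the RT-N66U as used in the thread)."""
    def __init__(self, vlan_interfaces):
        self.vlan_interfaces = set(vlan_interfaces)

    def answers_dhcp(self, tag_on_wire: Optional[int]) -> bool:
        return tag_on_wire in self.vlan_interfaces


ROUTER_PORT, LAPTOP_PORT = 14, 24   # port numbers from the original post


def build_switch(laptop: Port) -> Switch:
    ports = {n: Port(pvid=1, untagged={1}) for n in range(1, 25)}   # every other port: plain VLAN 1
    ports[ROUTER_PORT] = Port(pvid=1, untagged={1}, tagged={10})     # uplink: VLAN1 "U", VLAN10 "T"
    ports[LAPTOP_PORT] = laptop
    return Switch(ports)


def dhcp_outcome(switch: Switch, router: Router):
    """Send the laptop's untagged DHCPDISCOVER broadcast; report (VLAN it landed in, result)."""
    discover = Frame(src_port=LAPTOP_PORT, payload="DHCPDISCOVER")
    vid = switch.classify(discover)
    egress = switch.forward(discover)
    if vid is None:
        return (None, "dropped at ingress")
    if ROUTER_PORT not in egress:
        return (vid, "never reaches router")
    if router.answers_dhcp(egress[ROUTER_PORT]):
        return (vid, "lease offered")
    return (vid, "router drops VLAN %d tagged frame" % egress[ROUTER_PORT])


ASUS = Router({None})             # only an untagged LAN interface, no VLAN sub-interfaces
VLAN_AWARE = Router({None, 10})   # assumed replacement: an interface (SVI) on VLAN 10 as well

SCENARIOS = {   # the four port-24 configurations tried in the opening post
    "attempt 1: VLAN10 U on 24, PVID 1":    Port(pvid=1, untagged={10}),
    "attempt 2: VLAN10 U on 24, PVID 10":   Port(pvid=10, untagged={10}),
    "attempt 3: same + VLAN Only":          Port(pvid=10, untagged={10}, accept_vlan_only=True),
    "'working' config: VLAN1+10 U, PVID 1": Port(pvid=1, untagged={1, 10}),
}


def run(router: Router = ASUS):
    return {name: dhcp_outcome(build_switch(port), router) for name, port in SCENARIOS.items()}


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name:40} -> {result}")
    print("attempt 2 with a VLAN-aware router ->",
          dhcp_outcome(build_switch(SCENARIOS["attempt 2: VLAN10 U on 24, PVID 10"]), VLAN_AWARE))
```

Attempt 1 dies at ingress because port 24's PVID is still 1 while the port is no longer a member of VLAN 1; attempt 2 does reach port 14, tagged 10, but a router with no interface on that VLAN has nothing listening for it; attempt 3 refuses the laptop's own untagged frames; and the "working" configuration only works because PVID 1 puts the laptop straight back into VLAN 1, which is exactly the problem described. The same attempt-2 switch configuration succeeds as soon as the router has an interface on VLAN 10.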


So I looked up what an SVI is, and that seems like it's more complicated than I'm thinking, or it's something I may not be capable of implementing.

 

Does a VLAN essentially just isolate connections on a separate Subnet?  When I create networks on my Wireless Access point I assign an IP with a different subnet.  For instance, I assign 192.168.10.1, and then assign it to VLAN10.  When you connect a device to that new SSID, it's then on the 192.168.10.1 subnet, although I don't have internet access.  I'm not entirely sure if I get a DHCP IP either.  

 

Now with that said, I don't believe my Asus Router can handle more than one subnet.  Thus, it wouldn't be able to utilize DHCP.  Am I correct in saying this?  

 

It seems like there should be an easy way to take hardwired devices, and just isolate them on the switch, and still pass info through the Port that's connected to the router, thus connected to the internet.

 

 


12 minutes ago, Strikermed said:

So I looked up what an SVI is, and that seems like it's more complicated than I'm thinking, or it's something I may not be capable of implementing.

 

Does a VLAN essentially just isolate connections on a separate Subnet?  When I create networks on my Wireless Access point I assign an IP with a different subnet.  For instance, I assign 192.168.10.1, and then assign it to VLAN10.  When you connect a device to that new SSID, it's then on the 192.168.10.1 subnet, although I don't have internet access.  I'm not entirely sure if I get a DHCP IP either.  

 

Now with that said, I don't believe my Asus Router can handle more than one subnet.  Thus, it wouldn't be able to utilize DHCP.  Am I correct in saying this?  

 

It seems like there should be an easy way to take hardwired devices, and just isolate them on the switch, and still pass info through the Port that's connected to the router, thus connected to the internet.

 

 

Yah, the switch is probably making the SVI on the backend but giving it the IP address is creating it.

If you can do static routes to those new subnets then you'll get internet access. Traditionally you would point a 192.168.0.0/16 route to the switch and it would know how to route from there but you'd need a single L3 interface to point it to.

 

You can setup routes like in this guide and point them to the .1 IP address:

http://help.unotelly.com/support/solutions/articles/165803-setup-static-routes-on-asus-routers

 

VLANs are, by default, separated and isolated from everything else and unless you have a router that can route between them, they'll never be able to talk to each other.


3 hours ago, bcguru9384 said:

he wants dhcp not static

DHCP and static routes are two completely different things. DHCP deals with assigning logical addresses to the hosts on a network. Setting a static route entails manually entering the route, in this case the default route out of the LAN.

 

 

 


1 hour ago, Lurick said:

Yah, the switch is probably making the SVI on the backend but giving it the IP address is creating it.

If you can do static routes to those new subnets then you'll get internet access. Traditionally you would point a 192.168.0.0/16 route to the switch and it would know how to route from there but you'd need a single L3 interface to point it to.

 

You can setup routes like in this guide and point them to the .1 IP address:

http://help.unotelly.com/support/solutions/articles/165803-setup-static-routes-on-asus-routers

Interesting...

 

I'll try the static routes and see if that continues to isolate the VLAN and allow for internet access...

 

Otherwise I'll consider getting an Edge Router or a Security Gateway to assist with this.  Surprisingly they are much cheaper than what I paid for my Asus Router, and are probably better fit for this kind of networking.  I guess my router is nearing the 10 year mark.


21 minutes ago, Strikermed said:

Interesting...

 

I'll try the static routes and see if that continues to isolate the VLAN and allow for internet access...

 

Otherwise I'll consider getting an Edge Router or a Security Gateway to assist with this.  Surprisingly they are much cheaper than what I paid for my Asus Router, and are probably better fit for this kind of networking.  I guess my router is nearing the 10 year mark.

Whoops, completely blanked on that bit.

Once you put in the route then they'll be able to communicate, without something smarter that you can tell "don't let X talk to Y" in the form of an ACL. I managed to find an online test GUI for the router and it doesn't appear to have that functionality unfortunately, so you'll need a smarter router or a security appliance and router such as the Edge Router or Security Gateway from Ubiquiti which you mentioned.

 

Edit:

The switch might be able to do ACLs but I'm not sure if that's for the model you have or not. If you see the same UI as shown in this link then you're golden, if not then ignore this bit :)

https://kb.netgear.com/21714/How-do-I-set-up-an-IP-Access-Control-List-ACL-with-two-rules-using-the-web-interface-on-my-managed-switch


Do you by any chance have a server running windows server with 2 network adapters?
If so you can use the Hyper-V role to create a virtual switch inside the server. If you trunk your network adapter and trunk all vlans over this connection you can use this virtual switch to give separate IP addresses to the virtual adapters and have them be the gateways. You can set up this windows server to be the DHCP server and lease addresses in the different address spaces.
From here you can use the routing role in windows to route all traffic to the second network adapter which you connect to the router over a separate vlan.


4 hours ago, Lurick said:

Whoops, completely blanked on that bit.

Once you put in the route then they'll be able to communicate, without something smarter that you can tell "don't let X talk to Y" in the form of an ACL. I managed to find an online test GUI for the router and it doesn't appear to have that functionality unfortunately, so you'll need a smarter router or a security appliance and router such as the Edge Router or Security Gateway from Ubiquiti which you mentioned.

 

Edit:

The switch might be able to do ACLs but I'm not sure if that's for the model you have or not. If you see the same UI as shown in this link then you're golden, if not then ignore this bit :)

https://kb.netgear.com/21714/How-do-I-set-up-an-IP-Access-Control-List-ACL-with-two-rules-using-the-web-interface-on-my-managed-switch

I do have that option, but I have no idea how to use it.  This is definitely going into uncharted territory for me.  I'll have to do some research on ACL.

 

As for the Router, I think you're correct.  I'm looking into a Security gate or an Edge Router.  I haven't quite decided on which I want.


1 hour ago, Levisallanon said:

Do you by any chance have a server running windows server with 2 network adapters?
If so you can use the Hyper-V role to create a virtual switch inside the server. If you trunk your network adapter and trunk all vlans over this connection you can use this virtual switch to give separate IP addresses to the virtual adapters and have them be the gateways. You can set up this windows server to be the DHCP server and lease addresses in the different address spaces.
From here you can use the routing role in windows to route all traffic to the second network adapter which you connect to the router over a separate vlan.

I do not have a Windows server up and running currently.  I have one that I've been meaning to get some hands on experience with, but currently it's just sitting dormant in a prepped VM.  It's kind of a down the road sort of project, and big rabbit hole I haven't gone down yet.


1 hour ago, Strikermed said:

I do have that option, but I have no idea how to use it.  This is definitely going into uncharted territory for me.  I'll have to do some research on ACL.

 

As for the Router, I think you're correct.  I'm looking into a Security gate or an Edge Router.  I haven't quite decided on which I want.

Yeah, I wanted to play with VLANs myself but the Verizon (Frontier now) Quantum Gateway is super consumer friendly and doesn't do much...

 

I went for broke and got a USG Pro-4 (I should be breaking my internet when it comes in from me poking at too many settings).

 

If you want all green bubbles in UniFi though, you should get a USG. The Edgerouter does more though (Though the USG is getting more features).

 

Indeed I was surprised your ASUS router even has some VLAN support (Stares at Quantum Gateway)


@Strikermed

Could you provide a bit more detail on how you control and view the security cameras? Do the cameras send their footage only to the security camera server and there is an application on that server or on clients that point only to the server? What OS is the security camera server?

 

If this is the case you can just setup a security VLAN (VLAN10) and set all the ports to untagged VLAN10 for the cameras. For the server this does depend on what OS or if it's a VM but essentially for a physical server you need to configure two virtual interfaces (tied to a physical NIC) then on the switch port set the mode to trunk and allow VLAN10 and VLAN1 then VLAN tag one virtual NIC to one VLAN, you can also just use two physical NICs and set the switch ports to untagged which server VLAN you need them on.

 

If it's a VM it's simpler but you need to configure the host correctly, basically you give the VM two NICs, one on the VLAN1 virtual switch and one on the VLAN10 virtual switch.

 

For DHCP to work you need to setup DHCP-Relay, usually on your router or L3 switch if you have one.

 

If the security VLAN10 doesn't need internet access don't setup a static route for it at all, that way it's impossible for them to get out to the internet or anyone to get in. ACLs can also stop this but it's basically easier to not create a route if you don't need it.

 

Realistically you are going to need a better router such as an Ubnt ERLite so you can be sure you have all the required features needed to make this type of network configuration work.
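An added model, not code from the thread or from any of the routers mentioned in it, of the two ways this thread proposes to keep the camera VLAN off the internet: leadeater's "don't create a route for VLAN10 at all" and the rule-based approach (bcguru9384's block-everything-then-allow-the-LAN rules for the cameras, and Lurick's "don't let X talk to Y" ACL for the IoT VLAN). Everything addressing-related is constructed for the example: the 192.168.1.0/24, 192.168.10.0/24 and 192.168.20.0/24 subnets for VLAN 1, 10 and 20 (192.168.10.x follows the access-point example in the thread), the sample host addresses, the `Gateway` and `Acl` classes and the placeholder WAN next hop.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed addressing, one subnet per VLAN
VLAN_SUBNETS: Dict[int, Net] = {
    1: Net("192.168.1.0/24"),    # default LAN: Blue Iris server, PCs, NAS
    10: Net("192.168.10.0/24"),  # security cameras
    20: Net("192.168.20.0/24"),  # IoT
}
ANY = Net("0.0.0.0/0")
WAN_NEXT_HOP = "isp-gateway (placeholder)"


class Acl:
    """Ordered, first-match list of (source net, destination net, action); unmatched -> default."""
    def __init__(self, rules: List[Tuple[str, str, str]], default: str = "permit"):
        self.rules = [(Net(s), Net(d), a) for s, d, a in rules]
        self.default = default

    def action(self, src: Addr, dst: Addr) -> str:
        for s_net, d_net, act in self.rules:
            if src in s_net and dst in d_net:
                return act
        return self.default


class Gateway:
    """Router or L3 switch: an interface (SVI) for each VLAN it is told to route, a connected
    route for each of those, an optional default route to the WAN, and an ACL on routed traffic."""
    def __init__(self, routed_vlans, acl: Acl, default_route: bool = True):
        self.interfaces = {vid: VLAN_SUBNETS[vid] for vid in routed_vlans}
        self.routes: List[Tuple[Net, str]] = [(net, "vlan%d" % vid) for vid, net in self.interfaces.items()]
        if default_route:
            self.routes.append((ANY, WAN_NEXT_HOP))
        self.acl = acl

    @staticmethod
    def vlan_of(ip: Addr) -> Optional[int]:
        return next((vid for vid, net in VLAN_SUBNETS.items() if ip in net), None)

    def lookup(self, dst: Addr) -> Optional[str]:
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None   # longest prefix wins

    def decide(self, src_ip: str, dst_ip: str) -> str:
        src, dst = Addr(src_ip), Addr(dst_ip)
        svl, dvl = self.vlan_of(src), self.vlan_of(dst)
        if svl is not None and svl == dvl:
            return "switched inside VLAN %d" % svl           # same subnet: the router never sees it
        if svl is not None and svl not in self.interfaces:
            return "dropped: VLAN %d has no gateway" % svl    # no SVI: hosts have nowhere to send it
        if dvl is not None and dvl not in self.interfaces:
            return "dropped: no route to %s" % dst            # no SVI on the far side: nothing gets in
        next_hop = self.lookup(dst)
        if next_hop is None:
            return "dropped: no route to %s" % dst
        if self.acl.action(src, dst) == "deny":
            return "dropped: ACL"
        return "forwarded via %s" % next_hop


# Rule order matters: the camera <-> main-LAN permits must come before the camera deny-all.
POLICY = Acl([
    ("192.168.10.0/24", "192.168.1.0/24", "permit"),   # cameras may reach the recording server's LAN
    ("192.168.1.0/24", "192.168.10.0/24", "permit"),   # and the LAN may reach the cameras
    ("192.168.10.0/24", "0.0.0.0/0", "deny"),          # cameras: nothing else outbound
    ("0.0.0.0/0", "192.168.10.0/24", "deny"),          # cameras: nothing else inbound
    ("192.168.20.0/24", "192.168.0.0/16", "deny"),     # IoT: internet only, never the other VLANs
])

NO_ROUTE_FOR_CAMERAS = Gateway(routed_vlans=[1, 20], acl=Acl([]))   # VLAN 10 simply not routed
ACL_GATEWAY = Gateway(routed_vlans=[1, 10, 20], acl=POLICY)          # everything routed, ACL enforces


def evaluate(gateway: Gateway) -> Dict[str, str]:
    flows = {   # constructed sample flows
        "camera -> internet":         ("192.168.10.5", "8.8.8.8"),
        "camera -> Blue Iris server": ("192.168.10.5", "192.168.1.50"),
        "internet -> camera":         ("203.0.113.9", "192.168.10.5"),
        "IoT -> internet":            ("192.168.20.7", "8.8.8.8"),
        "IoT -> NAS on VLAN1":        ("192.168.20.7", "192.168.1.20"),
        "camera -> camera":           ("192.168.10.5", "192.168.10.6"),
    }
    return {name: gateway.decide(s, d) for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for label, gw in (("no route for VLAN10", NO_ROUTE_FOR_CAMERAS), ("routed + ACL", ACL_GATEWAY)):
        print(label)
        for name, verdict in evaluate(gw).items():
            print(f"  {name:28} {verdict}")
```

With no interface on VLAN 10 the cameras cannot reach anything outside their subnet and nothing can reach them, so the recording server needs its own NIC inside VLAN 10, which is what the post above describes; but the un-ACL'd gateway still lets the IoT VLAN reach the NAS on VLAN 1, Lurick's earlier point that a route alone removes the isolation. The ACL variant keeps the camera-to-server path and blocks the rest, and only because the permit rules are listed before the deny-all rules.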


13 hours ago, leadeater said:

@Strikermed

Could you provide a bit more detail on how you control and view the security cameras? Do the cameras send their footage only to the security camera server and there is an application on that server or on clients that point only to the server? What OS is the security camera server?

 

Sure!  Currently my security cameras all have static IP addresses assigned to them, and each have their own individual login.  I then use Blue Iris which runs on a Windows 10 Virtual machine.  I use this Windows 10 Machine to also run Plex, Home Automation, and SyncBack Pro jobs on regularly scheduled tasks.  The VM has a 10GbE port passed through, and a 1GbE connection which I believe is through the virtual connection that is shared among Virtual Machines and UNRAID.  The 10GbE is direct connected to a FreeNAS VM for fast access.  The cameras currently are connected hardwired, except for 2 via wifi.  They can be accessed via their IP and login credentials or they can be accessed via Blue Iris where each connection has been set up with credentials.  I essentially want to semi isolate them, by not giving them access to the outside world, but giving the Windows 10 OS access via a direct connection to them.  Essentially I can set up their own subnet and IP configuration, and then make another Connection on the Windows 10 VM connect it to the VM via trunking, and with the same Subnet to keep them private.  I think this is kind of what you're getting at below.

 

13 hours ago, leadeater said:

If this is the case you can just setup a security VLAN (VLAN10) and set all the ports to untagged VLAN10 for the cameras. For the server this does depend on what OS or if it's a VM but essentially for a physical server you need to configure two virtual interfaces (tied to a physical NIC) then on the switch port set the mode to trunk and allow VLAN10 and VLAN1 then VLAN tag one virtual NIC to one VLAN, you can also just use two physical NICs and set the switch ports to untagged which server VLAN you need them on.

I definitely see having a physical NIC would make this easier, but I could essentially add another virtual NIC to the VM, and set it up with the proper IP and bypass DHCP, with all my Cameras having a set IP address.  The question is the configuration.  I may not have fully understood this.  Let's say camera A and B are port 2 and 3, and the 1GbE port that the VMs share is on port 10.  Would I just "T"ag port 10 on VLAN 1(Default) and VLAN10(Security) and then "U"ntag Port 2 and 3 on VLAN10(Security)?  Would this be the right configuration?  I may be a little confused on what should get the "T" and what should get the "U."  To my knowledge, end devices get the U (like cameras/PC's), and the one port in which the whole VLAN connects to other LAN's like for instance the Windows 10 VM, you would place the "T."  Is this correct?

 

 

13 hours ago, leadeater said:

If it's a VM it's simpler but you need to configure the host correctly, basically you give the VM two NICs, one on the VLAN1 virtual switch and one on the VLAN10 virtual switch.

To configure this how would you best do this?  Essentially, I use UNRAID, and in the configuration for the VM you can add connections, but there isn't options for any kind of VLAN option.  It just gives you the option to use Br0 or VirtBr and to refresh the MAC address on it.  If you mean inside windows, can you run me through the steps quickly?  I'm not super savvy with VLAN setups in windows yet.

 

13 hours ago, leadeater said:

If the security VLAN10 doesn't need internet access don't setup a static route for it at all, that way it's impossible for them to get out to the internet or anyone to get in. ACLs can also stop this but it's basically easier to not create a route if you don't need it.

 

Realistically you are going to need a better router such as an Ubnt ERLite so you can be sure you have all the required features needed to make this type of network configuration work.

Do you mean in my router?  I attempted to set up a static route, and even it didn't provide any kind of internet access.  I was able to ping devices on the VLAN, but never the internet after setting up static routes in my router.  I haven't dove into ACL's yet, they seem like a whole new ball game, and I need to do some research, but it sounds like that's a switch level feature, but you're right, I need a new router, so I'm taking the plunge.  I've decided on a Ubnt Edge Router X.  It's far cheaper than my Asus router, and since I don't need switch functionality or wireless capability, I can make the upgrade.  

 

It arrives Friday, where I hope to dive into it over the weekend, and start configuring it offline, and at least get it functioning to my network's current functionality before implementing it.  I checked out a few videos on youtube on how to configure it for VLAN, and it seems pretty self explanatory.  Creating separate DHCP's will be a nice option too, so I can auto assign IP's to VLANs.

 

Let me know what you guys think about my comments, and any additional information or tips you can give me as I dive into this new category of networking.  Thanks again for all the help and advice!


24 minutes ago, Strikermed said:

Sure!  Currently my security cameras all have static IP addresses assigned to them, and each have their own individual login.  I then use Blue Iris which runs on a Windows 10 Virtual machine.  I use this Windows 10 Machine to also run Plex, Home Automation, and SyncBack Pro jobs on regularly scheduled tasks.  The VM has a 10GbE port passed through, and a 1GbE connection which I believe is through the virtual connection that is shared among Virtual Machines and UNRAID.  The 10GbE is direct connected to a FreeNAS VM for fast access.  The cameras currently are connected hardwired, except for 2 via wifi.  They can be accessed via their IP and login credentials or they can be accessed via Blue Iris where each connection has been set up with credentials.  I essentially want to semi isolate them, by not giving them access to the outside world, but giving the Windows 10 OS access via a direct connection to them.  Essentially I can set up their own subnet and IP configuration, and then make another Connection on the Windows 10 VM connect it to the VM via trunking, and with the same Subnet to keep them private.  I think this is kind of what you're getting at below.

 

I definitely see having a physical NIC would make this easier, but I could essentially add another virtual NIC to the VM, and set it up with the proper IP and bypass DHCP, with all my Cameras having a set IP address.  The question is the configuration.  I may not have fully understood this.  Let's say camera A and B are port 2 and 3, and the 1GbE port that the VMs share is on port 10.  Would I just "T"ag port 10 on VLAN 1(Default) and VLAN10(Security) and then "U"ntag Port 2 and 3 on VLAN10(Security)?  Would this be the right configuration?  I may be a little confused on what should get the "T" and what should get the "U."  To my knowledge, end devices get the U (like cameras/PC's), and the one port in which the whole VLAN connects to other LAN's like for instance the Windows 10 VM, you would place the "T."  Is this correct?

 

 

To configure this how would you best do this?  Essentially, I use UNRAID, and in the configuration for the VM you can add connections, but there isn't options for any kind of VLAN option.  It just gives you the option to use Br0 or VirtBr and to refresh the MAC address on it.  If you mean inside windows, can you run me through the steps quickly?  I'm not super savvy with VLAN setups in windows yet.

 

Do you mean in my router?  I attempted to set up a static route, and even it didn't provide any kind of internet access.  I was able to ping devices on the VLAN, but never the internet after setting up static routes in my router.  I haven't dove into ACL's yet, they seem like a whole new ball game, and I need to do some research, but it sounds like that's a switch level feature, but you're right, I need a new router, so I'm taking the plunge.  I've decided on a Ubnt Edge Router X.  It's far cheaper than my Asus router, and since I don't need switch functionality or wireless capability, I can make the upgrade.  

 

It arrives Friday, where I hope to dive into it over the weekend, and start configuring it offline, and at least get it functioning to my network's current functionality before implementing it.  I checked out a few videos on youtube on how to configure it for VLAN, and it seems pretty self explanatory.  Creating separate DHCP's will be a nice option too, so I can auto assign IP's to VLANs.

 

Let me know what you guys think about my comments, and any additional information or tips you can give me as I dive into this new category of networking.  Thanks again for all the help and advice!

how many of the router eth ports do you have running to switch??? i would send all 4 to switch with router carrying a subnet of 255.255.255.192 (establish 4 subnets, 1 for each router eth port) now vlan group your devices to these 4 subnets (isolation like you want plus internet control (as simple firewall rules will keep cam group off internet))


1 hour ago, Strikermed said:

Essentially I can set up their own subnet and IP configuration, and then make another Connection on the Windows 10 VM connect it to the VM via trunking, and with the same Subnet to keep them private.  I think this is kind of what you're getting at below.

Yep, to do it properly you should also put that on its own VLAN, but the 2 wireless cameras might be an issue if your AP doesn't support SSID-to-VLAN assignment. Also, for VLAN routing to work, a device on the network needs to have an interface on the VLAN that can do routing, either a router or an L3 switch. On either of these network devices a virtual interface is created which will appear on the VLAN and will need an IP assigned to it. This is standard, but it's important to note this usually doesn't happen by default, and you don't have to create the virtual interface if you don't need the VLAN to be routable at all.

1 hour ago, Strikermed said:

I definitely see having physical NIC would make this easier, but I could essentially add another virtual NIC to the VM, and set it up with the proper IP and bypass DHCP with all my Cameras have a set IP address. 

If you want to do it this way it would be much easier; you mentioned you wanted DHCP, so I was going on that requirement. Another virtual NIC is simple to do and is the way it should be done if using VMs.

1 hour ago, Strikermed said:

To configure this how would you best do this?  Essentially, I use UNRAID, and in the configuration for the VM you can add connections, but there isn't options for any kind of VLAN option.  It just gives you the option to use Br0 or VirtBr and to refresh the MAC address on it.  If you mean inside windows, can you run me through the steps quickly?  I'm not super savvy with VLAN setups in windows yet.

I don't use unRAID so I'm not sure, but VLAN support was added in 6.2 and here's some info on how to configure it: https://www.reddit.com/r/unRAID/comments/6l3u14/unraid_and_trunk_port/

1 hour ago, Strikermed said:

Lets Say camera A and B are port 2 and 3, and the 1GbE port that the VM share is on port 10.  Would I just "T"ag port 10 on VLAN 1(Default) and VLAN10(Security) and then "U"ntag Port 2 and 3 on VLAN10(Security)?  Would this be the right configuration.  I may be a little confused on what should get the "T" and what should get the "U."  To my knowledge, end devices get the U (like cameras/PC's), and the one port in which the whole VLAN connects to other LAN's like for instance the Windows 10 VM, you would place the "T."  Is this correct?

Personally I do not use the default VLAN (VLAN1) for anything which actually makes things easier. Hopefully you'll see why when I explain how you would go about configuring the switch, host and VM.


VLAN10: Security

VLAN15: Data/General Access


On the switch set ports 2 & 3 to untagged VLAN10, on port 10 (to the VM Host) set mode to trunk and tagged VLAN10 & VLAN15. All other switch ports set to untagged VLAN15. On the VM host create two virtual switches and set their VLAN ID to 10 & 15 respectively and set them to use the same physical port that is plugged in to switch port 10. On the VM add a virtual NIC and set the virtual switch it will use to the network you want that vNIC to be on.


Mixing untagged and tagged traffic to a VM host is rather a pain, so I avoid doing it. It's also best not to actually use the default VLAN anyway and to keep tighter control on where you allow your traffic to flow over the network.

Untagged ports simply mean that on the device side no configuration is required. Once data enters the port, the switch tags the packets with the set VLAN ID; only switch ports that are either tagged or untagged with that VLAN ID can see/accept that traffic, and once data exits an untagged port the VLAN ID is stripped off the packet.

Tagged ports mean that only packets that have the set VLAN ID can go in or out of the port, and they retain the VLAN ID. Tagged ports are usually trunk ports; trunk ports allow multiple VLANs to go over the port, while access ports only allow a single VLAN.
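To make the untagged/tagged behaviour described above concrete, here is an added example (not code from the thread, from Netgear, or from unRAID) that models the switch configuration in this reply in Python: ports 2 and 3 untagged in VLAN10, port 10 a trunk tagged for VLAN10 and VLAN15, and every other port untagged in VLAN15. The port numbers and VLAN IDs are the ones in the reply; the MAC addresses, frame layout and class names are constructed for the example.

```python
"""Toy model of 802.1Q VLAN membership on a managed switch (added example).

Constructed for illustration; it is not Netgear firmware. It follows the
switch setup in the reply: ports 2 & 3 untagged VLAN10, port 10 trunk
tagged VLAN10 + VLAN15, all other ports untagged VLAN15.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Frame:
    """An Ethernet frame as seen on the wire; vid=None means no 802.1Q tag."""
    src_mac: str
    dst_mac: str
    vid: Optional[int] = None


@dataclass
class Port:
    """Per-port VLAN membership as set in the switch UI ('U' and 'T')."""
    pvid: Optional[int] = None                      # VLAN the port is untagged ('U') in
    tagged: Set[int] = field(default_factory=set)   # VLANs the port is tagged ('T') in

    def member_of(self, vid: int) -> bool:
        return vid == self.pvid or vid in self.tagged


class Switch:
    def __init__(self, ports: Dict[int, Port]):
        self.ports = ports

    def classify(self, port_no: int, frame: Frame) -> Optional[int]:
        """VLAN the switch assigns an incoming frame to, or None if it is dropped.
        Untagged frames take the port's PVID; tagged frames are accepted only on a
        port that is tagged for that VID (so a client cannot pick a VLAN by tagging)."""
        port = self.ports[port_no]
        if frame.vid is None:
            return port.pvid
        return frame.vid if frame.vid in port.tagged else None

    def flood(self, port_no: int, frame: Frame) -> Dict[int, Frame]:
        """Deliver a broadcast to every other member port of the frame's VLAN.
        Returns {egress_port: frame_as_transmitted}; tag kept on 'T' ports, stripped on 'U'."""
        vid = self.classify(port_no, frame)
        out: Dict[int, Frame] = {}
        if vid is None:
            return out
        for n, p in self.ports.items():
            if n == port_no or not p.member_of(vid):
                continue
            out[n] = Frame(frame.src_mac, frame.dst_mac, vid if vid in p.tagged else None)
        return out


def build_switch() -> Switch:
    ports = {n: Port(pvid=15) for n in range(1, 25)}   # 24-port switch, default untagged VLAN15
    ports[2] = Port(pvid=10)                            # camera A
    ports[3] = Port(pvid=10)                            # camera B
    ports[10] = Port(pvid=None, tagged={10, 15})        # trunk to the VM host
    return Switch(ports)


BCAST = "ff:ff:ff:ff:ff:ff"
CAM_MAC, LAN_MAC, HOST_MAC = "02:00:00:00:00:02", "02:00:00:00:00:05", "02:00:00:00:00:0a"  # constructed


def camera_reach() -> Dict[int, Optional[int]]:
    """Broadcast from the camera on port 2: reaches port 3 untagged and port 10 tagged 10."""
    return {n: f.vid for n, f in build_switch().flood(2, Frame(CAM_MAC, BCAST)).items()}


def lan_reach() -> Dict[int, Optional[int]]:
    """Broadcast from a LAN device on port 5: every VLAN15 port, never the cameras."""
    return {n: f.vid for n, f in build_switch().flood(5, Frame(LAN_MAC, BCAST)).items()}


def vm_host_to_cameras() -> Dict[int, Optional[int]]:
    """Frame tagged 10 from the VM host on the trunk: delivered untagged to ports 2 and 3."""
    return {n: f.vid for n, f in build_switch().flood(10, Frame(HOST_MAC, BCAST, vid=10)).items()}


def self_tagged_frame_dropped() -> bool:
    """A LAN device on an access port that tags its own frame with VID 10 gets nowhere."""
    return build_switch().flood(5, Frame(LAN_MAC, BCAST, vid=10)) == {}


def trunk_rejects_unlisted_vid() -> bool:
    """A VID not configured on the trunk (here 20) is dropped at ingress."""
    return build_switch().flood(10, Frame(HOST_MAC, BCAST, vid=20)) == {}
```

The two negative cases are the ones worth keeping in mind when checking a configuration: an access port ignores client-supplied tags, and a trunk only carries the VIDs explicitly tagged on it, so a VLAN that is not listed on the trunk cannot reach the VM host at all.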


Ok, here's a partial follow up to make sure I'm on the right track.


Router update:

Currently I have a Unifi USG, and I'm still debating whether to go with an Edge Router (I may buy one just for fun).  I got the USG configured this weekend, and I'm shortly going to replace my current router.  It was a pretty easy setup, minus trying to get it to adopt due to it being inserted into my network instead of used as the gateway.  Both my router and the USG wanted to use the 192.168.1.1 gateway, which made it difficult, but I eventually got the IP changed on the USG without fiddling with SSH.

Network update:

So currently I have all my devices connected and configured on the Netgear switch in their respective VLANs.  LAN devices are in VLAN1, Security is on VLAN10, and IOT devices are on VLAN20.  You can see their connection types, paths, and port tagging in the attached image.

My goal:

IOT (VLAN20) will have internet access, but no other access to other VLANs.  They will be secluded wifi devices that connect via the Unifi AC Pro AP, which is capable of multiple SSIDs assigned to different VLANs.

Security (VLAN10) will not have direct internet access, but will have the flexibility to quickly add and remove internet access when I choose to update the firmware on the devices.  A single Windows 10 virtual machine will have access to the security devices on VLAN10, but will also have internet access on VLAN1.  This is where I'll need some help with configuration.  I'm not entirely sure if I should be trunking this connection or not, and what PVID it should have is also a mystery to me.  Since it's a VM, I can add connections which all communicate over 1 shared physical connection.  This physical connection is also shared with another VM and the operating system (UNRAID).  Each camera will have a static IP so that the software I use to record can directly connect to each camera.

LAN devices (VLAN1) will have an internet connection, and all devices will be on the same LAN/VLAN, allowing others to connect to them.  This is pretty standard, and not nearly as complicated as the rest of it.

My Questions:

1. Please reference the Security update above.  I included questions about that setup on the switch, including whether or not the port should be trunked and what PVID it should have.  To my knowledge, I only need to set the PVID if I have a port untagged and I want it to reside on a specific VLAN.

2. How do IPs work on VLANs?  Do I need to have a different subnet set up for each VLAN, i.e. VLAN1 = 192.168.1.x, VLAN20 = 192.168.20.x, VLAN3 = 192.168.30.x?  Or can I have them all on the same subnet since they are divided into VLANs transmitting packets with a different header specifying the VLAN they belong to?  Or is this based on equipment?  I have a Netgear GS724Tv4 switch with Layer 2 and some Layer 3 options.  My router is a Unifi USG with Layer 3 capabilities.

3. Can someone explain when and why you would change the PVID?  Also, a general explanation of tagging and untagging, and when you would do either.  I've read a ton, and it seems like I just haven't completely wrapped my head around it.  I may have it right, but I keep second-guessing myself.

In the image I attached, I've included tagged and untagged assignments for my switch.  Let me know what you think.  I've also color-coded each cable for the VLANs it will be carrying.  A note: the cables running to the router, AP, and security server carry multiple VLANs on a single cable.

Thanks!


[Attached image: Network Diagram (2).jpg]


29 minutes ago, Strikermed said:

1. Please reference the Security update above.  I included questions about that setup on the switch.  This includes whether or not the port should be trunked, and what PVID it should have.  To my knowledge, I only need to set the PVID if I have a port untagged and I want it to reside on a specific VLAN.

The port will need to be in trunk mode; only trunk ports allow more than one VLAN's traffic to pass through, which is what you need. For that port you can leave the native VLAN as 1, which will for the most part make it act like any other port, but this will allow you to set up tagging in unRAID and give your security VM two NICs on different VLANs.

29 minutes ago, Strikermed said:

How do IPs work on VLANs?  Do I need to have a different subnet set up for each VLAN, i.e. VLAN1 = 192.168.1.x, VLAN20 = 192.168.20.x, VLAN3 = 192.168.30.x?  Or can I have them all on the same subnet since they are divided into VLANs transmitting packets with a different header specifying the VLAN they belong to?  Or is this based on equipment?  I have a Netgear GS724Tv4 switch with Layer 2 and some Layer 3 options.  My router is a Unifi USG with Layer 3 capabilities.

You can use the same IP range on different VLANs, but it's easier not to. You would need a router with an interface on each VLAN, and you would not be able to have IP address overlaps, otherwise routing won't work correctly. As far as traffic flow goes, it's not going to be any different if each VLAN uses a different IP range, since to go between VLANs the traffic must go through a router.

29 minutes ago, Strikermed said:

3. Can someone explain when and why you would change the PVID?  Also, a general explanation of tagging and untagging, and when you would do either.  I've read a ton, and it seems like I just haven't completely wrapped my head around it.  I may have it right, but I keep second-guessing myself.

PVID or native VLAN is for when you want to set a trunk port's untagged VLAN. You would do this to control what traffic by default would go across this port, you might not want the default VLAN1 traffic going through that port.


Untagging: Switch looks at all packets coming in to the switch, evaluates any tags on the packets and then sends the traffic down any ports on the switch that are untagged for that VLAN. The VLAN tag is removed from the packet when exiting the untagged port. Untagged ports are usually client access ports for general network devices.


Tagging: Tagging is the process of inserting a VLAN ID on to network packets. A network switch port that is set to a tagged VLAN will only allow packets with that VLAN ID tag on it to flow. Normally a tagged port is set to trunk mode which allows multiple VLAN tags on that port. Tagged and trunked ports usually go between switches and servers (mostly VM hosts and the like).


For you ports 1, 16 and 21 will need to be trunk mode.
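Two points in this reply, that each VLAN should get its own non-overlapping subnet on the router and that anything crossing between VLANs has to pass through the router, are also where the isolation goals from Strikermed's update (IoT gets only internet, cameras get no internet unless firmware updates are being done, the LAN and the recording VM may reach both) actually get enforced. The following is an added example, not code from the thread or from Ubiquiti's or Netgear's software, that models both points in Python using the VLAN numbers from the update. The /24 subnets for VLAN10 and VLAN20, the TEST-NET address standing in for "the internet", the rule table and the update toggle are constructed for the example.

```python
"""Inter-VLAN routing and filtering policy, modelled in Python (added example).

Not part of the thread or of any router's software. VLAN1 is the LAN
(including the recording VM), VLAN10 the cameras and VLAN20 the IoT devices,
as in Strikermed's update. Subnets and rules are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

INTERNET = "internet"
Zone = Union[int, str]          # a VLAN number, or INTERNET

# Constructed addressing plan: one subnet per VLAN, each a router interface.
VLAN_SUBNETS: Dict[int, ipaddress.IPv4Network] = {
    1: ipaddress.ip_network("192.168.1.0/24"),    # LAN / general access
    10: ipaddress.ip_network("192.168.10.0/24"),  # security cameras
    20: ipaddress.ip_network("192.168.20.0/24"),  # IoT
}


def check_no_overlap(subnets: Dict[int, ipaddress.IPv4Network]) -> bool:
    """Reject a plan where two VLAN interfaces share address space: the router
    could not tell which interface a destination address belongs to."""
    items = list(subnets.items())
    for i, (vlan_a, net_a) in enumerate(items):
        for vlan_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(f"VLAN{vlan_a} {net_a} overlaps VLAN{vlan_b} {net_b}")
    return True


def overlap_rejected() -> bool:
    """The check above tripping on a constructed overlapping plan."""
    bad = {1: ipaddress.ip_network("192.168.1.0/24"), 10: ipaddress.ip_network("192.168.1.128/25")}
    try:
        check_no_overlap(bad)
    except ValueError:
        return True
    return False


def zone_of(ip: str, subnets: Dict[int, ipaddress.IPv4Network] = VLAN_SUBNETS) -> Zone:
    """The VLAN a host sits in, or INTERNET if it is on no directly connected subnet."""
    addr = ipaddress.ip_address(ip)
    for vlan, net in subnets.items():
        if addr in net:
            return vlan
    return INTERNET


def build_policy(cameras_may_update: bool = False) -> List[Tuple[Zone, Zone, str]]:
    """First-match rule table for connections *initiated* from src zone to dst zone.
    A real firewall is stateful, so camera -> recorder replies ride on the allowed
    LAN -> camera connection and need no rule of their own."""
    return [
        (1, "*", "allow"),                                          # LAN may reach anything
        (20, INTERNET, "allow"),                                    # IoT out to the internet ...
        (20, "*", "deny"),                                          # ... and nowhere else
        (10, INTERNET, "allow" if cameras_may_update else "deny"),  # toggle for firmware updates
        (10, "*", "deny"),
    ]


def decide(src_ip: str, dst_ip: str, rules: Optional[List[Tuple[Zone, Zone, str]]] = None) -> str:
    """'switched' for same-VLAN traffic (it never reaches the router), otherwise the
    first matching rule's action, with an implicit default deny."""
    rules = build_policy() if rules is None else rules
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != INTERNET:
        return "switched"
    for rule_src, rule_dst, action in rules:
        if rule_src == src and rule_dst in ("*", dst):
            return action
    return "deny"   # anything unlisted, including new connections inbound from the internet


if __name__ == "__main__":
    check_no_overlap(VLAN_SUBNETS)
    for s, d in [("192.168.20.5", "203.0.113.10"), ("192.168.20.5", "192.168.1.50"),
                 ("192.168.10.7", "203.0.113.10"), ("192.168.1.50", "192.168.10.7")]:
        print(f"{s} -> {d}: {decide(s, d)}")
```

The `switched` result is the practical consequence of the reply above: two cameras talking to each other never touch the router, so nothing in the rule table can see or block that traffic; only the VLAN membership on the switch governs it.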
