Vlan and physical interface
-
I have defined a vlan2 to be used for part of my CCTV cameras. As my pfsense device has multiple NICs, I want to use one of those NICs for a switch that will connect some of the cameras directly, while other cameras will be served by other switches on other parts of the network connected on another port used for other traffic too.
In essence:
NIC1 => all traffic with all Vlans tagged that go to the rest of the network
NIC2 => untagged traffic for vlan2 (CCTV) only
Vlan 2 works fine when setting switches connected to NIC1 and setting the switches port to untagged for vlan2 - but...how can I set NIC2 to allow vlan2? If I just set a static IP on the CCTV vlan subnet, pfsense complains about the network overlapping.
-
@ciclopeblu you can't do that without creating a bridge in pfsense. Or pfsense itself having a switch.
The easier solution would be to just connect this switch you want for your cameras to your current switch.. Vs trying to connect it to a discrete interface on pfsense.
-
@johnpoz Of course, that would definitely work, however, I really struggle to believe there isn't a way to get what I want as it's hardly an uncommon scenario.
-
@ciclopeblu You can do it - but you have to create a "bridge"..
And it's not an optimal solution for sure.. Just plug your switch into your other switch and set up the port you plug it into to be on the vlan you want your cameras on.. 30 second setup and done vs going through all the hassle of setting up a bridge and all the complexity that comes with that, and subpar performance vs just plugging into your current switch.
And then I am not even sure you could run other vlans on the other port you put in the bridge you have other vlans on.. I don't think you can do that..
You could prob do it, but it would take 3 interfaces vs just 1.. You could use another port as the uplink for vlan X which you bridge to other interface that is also your vlan X your cameras are on. But these would just be native and not vlans to pfsense. And then use another interface on pfsense to your other switch that handles all the other vlans you have on the main switch. And then the 3rd interface you bridge with the first and plug your 2nd camera switch into.
You're trying to figure out how to put the square peg into the round hole, when the square hole is right there next to the round one.
So you would end up using 3 ports on pfsense, and 2 on your main switch vs just 1 on pfsense, and 2 on your main switch
edit: and we do get this sort of question all the time. I think it's users used to their soho wifi router with switch ports all in the same network and trying to compare that to a router with discrete interfaces that they try and turn into a "switch" which they are not..
-
@johnpoz I disagree that this isn't the optimal solution, that depends on the scenario, but beyond that, the question wasn't even if this is the best, optimal solution. Having to plug another switch to the existing one means, at least, a waste of power and an additional link on an infrastructure that can fail. When designing any IT project I like, and I believe this should be a best practice, to minimize costs and complexity. Beyond that, I like also the idea of a "cleaner" solution where traffic, especially a heavy and critical one like CCTV cameras, is, as much as possible, separated from the rest. Also, ports on my pfSense device are 2.5g, I do not have another vlan capable 2.5 switch to use just to untag traffic. Again, there are valid points why people would want to use the physical port on their firewall in this scenario.
-
@ciclopeblu said in Vlan and physical interface:
want to use the physical port on their firewall in this scenario.
I went over how to do it.. Do it that way if you want... I showed you how you could do it with a bridge if you wanted to.. Maybe you can run the tags on one half of the bridge? But the ports on pfsense are not a switch, unless you have a netgate appliance that has a built in switch.. Then you could easily do what you're wanting.
Yes there are valid reasons why someone would set up a bridge.. This scenario is not one.. Bridges do have specific use cases.. But wanting to leverage discrete interfaces as "switch" ports is not one of them if you ask me..
You could also do it this way if you want..
-
@ciclopeblu said in Vlan and physical interface:
Beyond that, I like also the idea of a "cleaner" solution where traffic, especially a heavy and critical one like CCTV cameras, is, as much as possible, separated from the rest.
What you are trying to do is the exact opposite of that in my opinion. If that is really important to you, you would create a truly independent network for it. My surveillance cameras with their NVR are on completely separate hardware. My surveillance network can function on its own and, by all means, I would not want its traffic to flow through my Internet gateway. I can access only the NVR from the rest of my network and the cameras can be accessed only through the NVR or a dedicated port on the surveillance network.
-
@kjk54 exactly... I have just recently set up an NVR and some cameras - another camera coming today.
The NVR is on its own vlan.. The cameras are behind the NVR and connected to the NVR switch ports. Until I put a leg into this network I could not directly access the cameras.
I sure do not want any traffic between cameras and nvr flowing over interfaces used by my normal networks. The only time I want that to happen is if I am accessing a view..
How many cameras do you have that you would need 2.5ge? And not sure why that would be needed to route through pfsense to get to the NVR? The NVR and Cameras should be on the same L2. And sure wouldn't want pfsense to have to handle this traffic via a bridge.
-
Yeah, surveillance cameras come with a 100Mbps interface and an HD or 5MP camera typically does not produce more than 10Mbps traffic.
-
@kjk54 I'm not a network expert, let me clarify that. But I'm pretty sure my traffic does not go through the internet gateway. I'm not sure how I can accomplish what you are saying, unless you use separate cabling for all your CCTV? That would be too costly for me as I have cameras far away from each other in different buildings that are connected with one Ethernet cable and my DVR is virtualized - if I didn't get you let me know as I would defo prefer something totally separated. I agree on the bandwidth requirement, however, keep in mind that all the traffic (including CCTV) goes through the same LAN cable at some point of my network.
-
@kjk54 yeah my cameras when watching feeds are only about 3-4mbps each.. Waiting for my 3rd one today ;)
Mine are 4k.. Great picture but unless I directly connect to the nvr - end up watching a substream that is lower.. I can pull them up on my alexa show, or via my tvs.. But those would be substreams at lower res and bandwidth requirements.
But sounds like his are remote and not at his location.. So yeah would need to route over pfsense.. But 2.5ge seems a bit high for a requirement unless there were hundreds of them..
@ciclopeblu what is your connection that these cameras would be connected into.. I don't think I have ever seen a camera with a gig interface.. Only 100.. And even with watching full res stream.. going to be far less than that... You would need a lot of camera feeds to use a gig..
I would put your nvr on the same network as your cameras - so doesn't even go over pfsense. Unless the cameras are across a wan interface on pfsense?
So really not understanding why you feel you should leverage one of the interfaces on your pfsense for this traffic.. Just connect this 2nd camera switch you want into your first switch that is already handling your other vlans.
-
@johnpoz Again, I'm not a network engineer, my thinking was that not having to use an additional switch, that I don't have (but that's secondary) was not a smart move just because by adding a new device that consumes power and that can fail, wouldn't be "balanced" from something negative. I was basically using a port that already was there and already using power vs adding a new device to do the same thing. Is that clear? I'm familiar with the term "bridge" but my assumption was that they were only for different networks - to "bridge" them together - are the physical interface and the vlan different networks? You see, I'm so confused
-
@johnpoz I got 6 cameras, I have never actually done any calculation with regard to the required bandwidth and that's obviously very wrong. As you can see I'm learning, at least!
-
Some people use the term ‘CCTV’ even for IP cameras. I thought that was the case here, but it looks like it’s not. CCTV cameras are different than IP cameras and DVRs are not the same as NVRs. Also, multiple IP cameras cannot be connected with a single ethernet cable. A coax cable is used in CCTV and the signal is analog, not digital. I didn’t think that virtualized DVRs exist, but I don’t know much about the current state of CCTV. I can really discuss IP networks only.
-
The resolution, HD or 4K, is just one aspect of video quality. The bitrate and frame rate are very important, too. I do not have 4K cameras, but my bitrate and frame rate settings are rather high. I also use the ‘Constant Frame Rate’, not ‘Variable’. I have my NVR and IP cameras in a dedicated so-called ‘Private VLAN’.
-
@kjk54 I have reviewed a bit of settings yesterday, the bandwidth is quite low, I'm not sure why I had this idea that the camera would create that much traffic, in my mind I didn't take into consideration the level of compression. I still don't know how I will proceed, I'm still reluctant on adding another switch on my rather already complex setup, but this might be the solution. I will first test the "bridge" approach and see what the actual downsides are, I was reading about how traffic will have to be processed by pfSense adding a considerable amount of load on the CPU but is that really the case? Or maybe using an additional subnet for cameras plugged into the pfsense interface and then allow traffic to flow on the "CCTV vlan".
-
@ciclopeblu said in Vlan and physical interface:
for a switch that will connect
I'm still reluctant on adding another switch
Huh? Thought you already had a switch, that you stated in your first post? But now you're reluctant to just plug it into your existing switch?
Here is what I would expect a typical setup to look like.. Where let's call vlan Z where you put your cameras and your DVR.
How does adding another switch, that you put on your camera network complex up the setup? If you already have a switch that you have your camera vlan and other vlans on?
Really the only time you would have traffic flow over a pfsense interface or interfaces would be if you're accessing the camera or the DVR from some other network like vlan X or Y.. Your DVR and Cameras should all be on the same network/vlan.
You know what for sure would complex up the setup, trying to set up a bridge ;)