Network Access Problem
-
I have a Foscrap IP camera that I want to keep caged in a tightly firewalled VLAN, but I have a problem that the control plugin will only allow access to devices on the same network as the camera.
So for example I want to create something like:
Main network 192.168.1.0/24 - VLAN 1
Camera 192.168.2.10 in VLAN 2 192.168.2.0/24
Is there a way to create an IP gateway on 192.168.1.0/24 that allows a PC to connect and tunnel through to 192.168.2.0/24 and appear as if it were on 192.168.2.0/24?
I don't even have the vocabulary to know what to google, but I suspect that there is a way to do it.
Any assistance would be much appreciated.
I want to make it very hard for the camera to pivot should it become infected, and by isolating it to a VLAN any improper traffic will stand out and be easy to detect.
-
I assume the control plugin runs on a computer. You'd have to put that computer on the same network as the camera. You could then route from the camera network to the main network.
-
@jknott said in Network Access Problem:
I assume the control plugin runs on a computer. You'd have to put that computer on the same network as the camera. You could then route from the camera network to the main network.
Yes, I'm likely stuck with a stripped-down Windows XP running on VirtualBox with an older version of Firefox. (Host machine is Linux and Foscrap doesn't support Linux for the control functions.) I need some way to make the VM look like it's in the same network as the camera.
-
@guardian said in Network Access Problem:
I need some way to make the VM look like it's in the same network with the camera.
The easiest way would be to put a 2nd NIC in the computer. Disable routing in the Linux box to keep the networks isolated. Otherwise you'd need to use a managed switch to separate VLANs, with the Linux box configured to use VLANs.
-
There are several ways to do this; however, how is your network designed? Do you have the proper equipment? You'll need a managed switch to properly implement VLANs.
-
@marvosa said in Network Access Problem:
There are several ways to do this; however, how is your network designed? Do you have the proper equipment? You'll need a managed switch to properly implement VLANs.
Thanks for the reply @marvosa. Yes, I have a managed switch, and pfSense is essentially a router on a stick and internet gateway/firewall for the whole network.
-
Ok, well you can do things like:
- Stick a specific laptop or workstation on your camera VLAN and have it be the camera admin PC.
- If you have a NIC that supports VLAN tagging, you can trunk your workstation to your switch and either swap VLANs on the fly when you want to manage your cameras (which would be lame) or run a VM on your workstation and have the VM tagged to your camera VLAN.
- Stand up an ESXi host and trunk it to your switch, create port groups on your vSwitch that are tagged to each VLAN, and spin up a VM that sits on your camera VLAN which can be controlled via RDP, VNC, host client, vSphere client, etc. whenever you need to manage your cameras.
- You could also create a NAT rule to translate your IP to the camera subnet when accessing your cameras from another VLAN, which sounds more like the solution you're looking for.
-
@marvosa said in Network Access Problem:
- You could also create a NAT rule to translate your IP to the camera subnet when accessing your cameras from another VLAN, which sounds more like the solution you're looking for.
Thanks @marvosa - you are 100% right here. This is for home use, so I am looking to keep the amount of excess HW to an absolute minimum.
Can someone give me a few hints - possibly what tab to use and/or references/good key phrases to google, etc.? I understand NAT in principle, but I'm very sketchy on the details of how it works in pfSense.
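As an added illustration of the outbound-NAT approach suggested in the thread, together with the "camera cannot pivot" isolation the original poster wants, here is a pf ruleset fragment in the syntax pfSense's packet filter uses. It is not from the thread or from pfSense's own configuration; the interface names, the admin PC address and the camera's service port are assumptions chosen for the example.

```pf
# Assumed interface names (pfSense assigns its own; adjust to match)
lan_if = "em0"        # 192.168.1.0/24, VLAN 1
cam_if = "em0.2"      # 192.168.2.0/24, VLAN 2
camera = "192.168.2.10"
admin_pc = "192.168.1.50"   # constructed: the Windows VM that runs the control plugin
cam_ports = "{ 80 }"        # assumed: the port the camera's control plugin talks to

# Outbound NAT: when the admin PC's packets leave the router on the camera VLAN,
# rewrite the source to the router's own camera-VLAN address, so the camera sees
# a peer on 192.168.2.0/24 and its "same network only" check passes.
nat on $cam_if inet from $admin_pc to $camera -> ($cam_if)

# Default deny with logging on the camera VLAN: anything the camera starts
# (toward the LAN, the router or the internet) is dropped and shows up in the log,
# which is exactly the "improper traffic stands out" behaviour being asked for.
block log on $cam_if all

# Only the admin PC may open connections to the camera's control port.
# keep state lets the replies return without a separate rule for them.
pass in  on $lan_if inet proto tcp from $admin_pc to $camera port $cam_ports keep state

# pf applies nat before outbound filtering, so this rule matches the translated source.
pass out on $cam_if inet proto tcp from ($cam_if) to $camera port $cam_ports keep state
```

In the pfSense web interface the `nat` line corresponds to a manual or hybrid rule under Firewall > NAT, Outbound tab (interface: the camera VLAN, source: the admin PC, destination: the camera, translation: interface address), and the `pass`/`block` lines correspond to rules on the LAN and camera VLAN interfaces under Firewall > Rules. The camera only ever sees the router's camera-VLAN address as its peer, and because the block rule logs, any connection attempt the camera itself initiates toward the main network is both stopped and visible.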