Open up a vlan ip to the outside
-
@rashadmahmood direction in what exactly - why do you think you need to open up any ports to access your cameras? Do they connect to the NVR? I have no ports open on my nvr and can access my cameras - most modern systems phone home and create the connection you can use to connect to it.
If not - I would setup a vpn into your network, and access your cameras that way.
As to devices in one network access devices in another network, just create the firewall rules you want..
The default rules are any any on the pfsense lan, so devices on this network would be able to connect to anything in any of your other networks you add. If you want to prevent that then you would put in some block rules above the any any rule.
Same goes for say this cctv network you create, if you don't want it to connect to your lan - put in some block rules above your rule that allows this network to the internet. If you want to allow that?
-
Thanks for the response. I hadn't thought of using a VPN. Yes, the NVR will be connected to those cameras. The cameras are IP, so they will also have their own IP addresses.
What is the best way to deal with this? My understanding is that you want to segment the CCTV LAN; otherwise, the whole network would be broadcasting all over the place. With a VLAN, I can confine this to the CCTV LAN.
-
@rashadmahmood said in Open up a vlan ip to the outside:
The cameras are IP, so they will also have their own IP addresses.
Not really the way it works with a IP NVR system - at least all the ones I looked at before I put mine in. Do your cameras connect to poe ports on the NVR? But yeah the cameras get their own IP..
If so mine NVR puts that on its own network - this is normally how you would want it actually because you wouldn't want that traffic flowing over your normal network where your other network traffic is - its best to isolate that camera traffic to its own segment.
For me to directly access my cameras I had to actually put a leg of pfsense into the camera segment by connecting an interface on pfsense into the poe switch. Then little source natting because the cameras use the NVR IP on its own network as their gateway.
So for example my NVR is the network I setup for it.. which is a 192.168.110/24 network, its "wan" if you will connect into this network. But the cameras plug into its NVR ports and they get a 10.1.1 address from the nvr
I did this because I wanted to leverage the RTSP stream directly from the cameras on my TVs via an APP, and also just have VLC shortcut on my PC so I can instantly see the stream of the cameras vs having to walk through the NVR interface or some other APP, etc.
The only time I actually use the camera app from lorex is when remote on my phone, etc.
What specific NVR do you have? I have the lorex N847A6, but all the ones I looked at seemed to function pretty much the same way. So unless you setup your own NVR on some PC or NAS or something with some software.. They prob work the same way mine does. If it has poe switch ports on the actual NVR.
More than happy to help you through segmenting your cameras onto their own network, etc. if not already being done by the NVR.. So being able to look up the manual of the NVR, and camera models your using with it might be helpful.
Even if your NVR puts the cameras on its own isolated network, happy to help you walk through how you can get direct access to the cameras if you want via connection on pfsense into this network.
I personally would never open a port to the public internet for something like this - I would vpn in..
-
I should have been clearer. It's a PC running Windows 10 with AXIS Camera Station 5 software. The cameras are AXIS dome IP cameras, which are powered via a PoE switch. I believe I need to create VLANs to segment the network.
@johnpoz said in Open up a vlan ip to the outside:
More than happy to help you through segmenting your cameras onto their own network
Thanks that would help, for sure.
-
@johnpoz I would love to hear your thoughts.
-
@rashadmahmood how many interfaces does your router have - you don't have to create vlans to segment networks, unless you need to run more than 1 network over the same physical interface.
And your prob going to want to have multiple interfaces on this PC being used as your nvr, or all the camera traffic will be using the same interface it uses to talk to the network for other stuff.
A vlan still uses the bandwidth on that physical interface.. You more than likely are going to the camera to nvr completely different network interfaces.
Might not be an issue, but how many cameras - what resolution? Are they recording constant or just on events?
-
I have the Netgate 4100 which has 2 WAN and 4 LAN ports.
I can install install another NIC in the windows 10 machine (NVR)
I will have 4 camera's all doing 1080P, they can be set to record on events to save disk usage.
My network will consist of the following:
1 x Netgate 4100 router
1 x Freepbx server (intel NUC)
1 x AXIS Camera Station 5 running in a Lenovo ThinkCentre M720q (windows 10)
4 x IP camera with 1080P
3 x voip Polycom telephones
1 x Netgear POE switch
2 x WIFI Zyxel access pointsIn the future I would like to add in a NAS drive
-
@rashadmahmood so your not currently using all your lan ports on the 4100?
I mean you could do it with vlans - but if you have the physical interfaces prob best to keep that video traffic off your normal network, and wouldn't be running it over your wifi, etc.
Can your poe switch do vlans? If not do you use it for your other traffic?
I mean 4 1080P cameras prob not all that much traffic - but why mix it with normal traffic if you don't have to.. What about if/when you add more cameras, etc.
-
The router is only using the 1 LAN which the connects to the POE switch, the switch supports vlans.
-
@rashadmahmood How many ports do you have free on your poe switch, you can use another port on the poe and pfsense for your other segmented network without having to vlan them.
I do this - I have some networks just native, and then some networks that are vlans over the same physical wire. The networks that are vlans are just wifi networks, and don't actually talk to each other so no hairpin traffic over the same physical interface.
For remote access I would setup a vpn.. So you don't have to expose cameras or the nvr to the public internet at all.
-
The POE switch will have 3-4 ports free.
so I should segment the access points, using the two lans on pfsense? - and set up firewall rules so they can speak to the other network in the house (some pcs will be connected to the physical lan)
Do I still need two NICS in the NVR?
-
@rashadmahmood do your AP support vlans? You can for sure segment out your wifi ssids to different networks if you desire. But your cameras are not over wifi are they? You really wouldn't need a wifi segment for your cameras if they are wired.
And again - your cameras are not going to be saturating the wire or anything, not with 4 of them.. But I would keep traffic between the cameras and the nvr on a completely different network than your normal network traffic. If your wanting to segment it out, might as well keep it from riding over the same wires as your normal network if possible.
For example - lets say your cameras are doing 40mbps per second.. If that rides over the same wire as your normal traffic to your router as all your other traffic for other networks, or even over the same wire to say your nvr machine. That is 40mbps that is used that your devices can't use.. Or if you saturate that link with other traffic, maybe your cameras have issues with recording..
It is best if possible to put this sort of traffic on its own wires so that it doesn't compete or interfere with your normal day to day network traffic.
its not the end of the world if you can't, and it might never be problem - but if your going to take the time to set it up on its own network anyway, might as well keep this traffic off your normal day to day connections.
-
yep the access points can do vlans.
@johnpoz said in Open up a vlan ip to the outside:
It is best if possible to put this sort of traffic on its own wires so that it doesn't compete or interfere with your normal day to day network traffic.
absolutely agree, I will do this, thanks so much for your help and advice!
-
@rashadmahmood said in Open up a vlan ip to the outside:
What is the best way to deal with this? My understanding is that you want to segment the CCTV LAN; otherwise, the whole network would be broadcasting all over the place. With a VLAN, I can confine this to the CCTV LAN.
Does your NVR have 2 ports? If so, you use one to access the NVR from elsewhere and one for an isolated LAN for your cameras.
-
thanks, yes I will separate the camera network from the NVR.
-
@rashadmahmood keep in mind if your going to multihome this box your using as your nvr. The interface you add to the cam network you create wouldn't have a gateway set, nor dns on this interface.
I would just have an IP with proper mask for the network your attaching it too.
-
You mean such as 192/168.0.1/24 (proper subnet mask?) and omit the gateway?
-
@rashadmahmood yeah your just going to use this interface to talk to cameras on this same network - you would not want your pc being used as nvr to use it for any other connections to other networks - so there would be no gateway set on it.
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.03 | Lab VMs 2.7.2, 24.03 -
Many thanks
-
@rashadmahmood example - my main pc connection to my nas at 2.5ge.. That I use only to move files back and forth from my pc and nas.
This network 192.168.10/24 isn't use for anything else.. Kind of like the network your pc/nvr will user to talk to the cameras..
if I want to talk to the nas for say admin of the nas, then I talk to it on its 192.168.9 IP address.
