Setting up VLAN for NVR and Cameras with WAN, but oneway LAN access
Hello everyone.
My home network is built on the basis of Asus Mesh and 10Gbe unmanaged switch. It works well.
Now I need to install security cameras, video intercom and NVR on a VLAN in order to segregate them from the LAN. I want this VLAN to be accessible from LAN, but no LAN devices or router should be available from VLAN. WAN availability is also required for VLAN. I attach a sketch of my LAN setup for the reference.
For this purpose I got GS1900-8HP switch, connected to the router and I tried to set up a VLAN accordingly. I watched guides on Youtube from Zyxel and also read the manual carefully. Unfortunately I could not manage this. When the VLAN10 is created either for tagged or untagged ports 5-8 and other ports excluded, devices on these ports do not get IPs at all. If I do not exclude or forbid other ports from this VLAN on default VLAN1, there is no segregation in the network at all.
Could anybody give me an advice what I do wrong or a link for this purpose?
Thanks in advance
My home network is built on the basis of Asus Mesh and 10Gbe unmanaged switch. It works well.
Now I need to install security cameras, video intercom and NVR on a VLAN in order to segregate them from the LAN. I want this VLAN to be accessible from LAN, but no LAN devices or router should be available from VLAN. WAN availability is also required for VLAN. I attach a sketch of my LAN setup for the reference.
For this purpose I got GS1900-8HP switch, connected to the router and I tried to set up a VLAN accordingly. I watched guides on Youtube from Zyxel and also read the manual carefully. Unfortunately I could not manage this. When the VLAN10 is created either for tagged or untagged ports 5-8 and other ports excluded, devices on these ports do not get IPs at all. If I do not exclude or forbid other ports from this VLAN on default VLAN1, there is no segregation in the network at all.
Could anybody give me an advice what I do wrong or a link for this purpose?
Thanks in advance
0
Accepted Solution
-
@koaly,
About the new product schedule is still under discussion, therefore I cannot provide the precise date. at this moment.
Our gateway currently does not support third-party VPN and the 2.5G throughput WAN speed.0
All Replies
-
@kodly,
Welcome to the community!
I assume that camera is connect from sw port 5 to 8 and should be untagged out, besides this may I know if you have configure the PVID as 10 on those ports?
Also did you configure the switch uplink port fixed on VLAN10 and tagged out?
If still has the issue please attached your configuration file for me.0 -
Zyxel_Chris said:@kodly,
Welcome to the community!
I assume that camera is connect from sw port 5 to 8 and should be untagged out, besides this may I know if you have configure the PVID as 10 on those ports?
Also did you configure the switch uplink port fixed on VLAN10 and tagged out?
If still has the issue please attached your configuration file for me.
I did it exactly:
- VLAN1 is default and set for management.
- VLAN10 is set for CCTV
- Ports 5-8 are untagged to VLAN10 with PVID10 and excluded from VLAN1
- Port 1 (as uplink to a router) is untagged to VLAN10 with PVID10 and excluded from VLAN1
- Ports 2-4 are untagged to VLAN1 and excluded from VLAN10.With this config all devices in VLAN10 receive IPs and have access everywhere including WAN and to LAN devices, connected to the 10Gbe unmanaged switch. No access to GS1900 web-interface. The main problem is that I need to restrict VLAN10 from LAN, which receives the same subnet IPs from router.Could it be that VLAN10 is separated from ports 2-4, but consider all packets coming through port 1 as WAN and therefore it still get access to other devices, connected to router via LAN ports on the 10Gbe unmanaged switch and also via WLAN from the router?May that be the case?Is my current topology totally wrong or I need another device to replace the 10Gbe unmanaged switch (e.g. XS1930-10), which should be capable to assign subnets to VLANs with access restrictions?I have attached the config file. Thanks in advance for advices.0 -
Fred_77 said:
Now I need to add security cameras and Video Intercom and I could not find a working config with GS1900-8H. Devices on VLAN10 (CCTV) are either restricted from getting IPs from the router or have access everywhere accept Web-GUI.
I have installed Entware on Asus ax86u, but there also no packets for VLAN management.0 -
As far as i kwow RT series doesn't manage vlans tagging like the BRT series does.
I fear that with this device you will not be able to segment traffic as you would like.
You could install a "small-size" firewall on top of your router. In this way you can manage more zones / vlan and define the security policies as you wish.0 -
@kodly,
Good to know you can get VLAN10 IP, so the LAN router (which connect on modem, directly) is not support VLAN? Since there is the limitation to restrict traffic direction via switch.
The LAN access control in this case is better configured on the gateway.
If your gateway is not support VLAN then can consider Zyxel USG Flex has the guest interface can fulfill this case.0 -
Zyxel_Chris said:@kodly,
Good to know you can get VLAN10 IP, so the LAN router (which connect on modem, directly) is not support VLAN? Since there is the limitation to restrict traffic direction via switch.
The LAN access control in this case is better configured on the gateway.
If your gateway is not support VLAN then can consider Zyxel USG Flex has the guest interface can fulfill this case.
thanks for the the proposal on changing the router. I am afraid that USG Flex would be an overkill for me. I have found another model of a consumer-grade router from Zyxel (Zyxel Armor G5). The Armor G5 (NBG7815) "User's Guide" tells on the page 11 that it does support VLANs, but I have not found any description in the Armor G5 (NBG7815) "User's Guide" on how I can do that on the device. This chapter is completely missing.
Could you please advise whether I can use it for organizing VLANs?0 -
@kodly
I'm sorry, there is a mistake on the user guide, NBG7815 is not supporting VLAN however, there will be a new product that can support it.0 -
Zyxel_Chris said:@kodly
I'm sorry, there is a mistake on the user guide, NBG7815 is not supporting VLAN however, there will be a new product that can support it.@Zyxel_Chris , thank you for making this point clear. This means the User's Guide is measleading with incorrect informaiton.
Could you please tell me how long would be waiting time for the new Zyxel router?
I need a device, which satisfies the following functional criteria:
- Wifi mesh (min. AC)
- Custom DDNS (e.g. Duckdns)
- OVPN and Wire Guard clients
- OVPN and Wire Guard server
- Firewall, routings
- VLANs
- 2,5G WAN port
- 2,5G to 10G LAN ports.
For the moment I use Asus ax86u, which satisfies many of the features, but has no VLANs, and only 1x 2,5G port. Otherwise it is very powerful works well on custom FW.
thanks in advance
Best Regards0 -
Some SMB or upper tier firewalls don't support whole list of desiderata. A consumer one with all the box checked maybe will appear 3-5 years since now...10G also with RJ connectors it's still quite tough to achieve...0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 144 Nebula Ideas
- 94 Nebula Status and Incidents
- 5.6K Security
- 237 USG FLEX H Series
- 267 Security Ideas
- 1.4K Switch
- 71 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.3K Consumer Product
- 247 Service & License
- 384 News and Release
- 83 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.2K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 83 About Community
- 71 Security Highlight