Setting up VLAN for NVR and Cameras with WAN, but oneway LAN access

koaly
koaly Posts: 14  Freshman Member
First Anniversary 10 Comments Friend Collector
edited August 2022 in Switch
Hello everyone.

My home network is built on the basis of Asus Mesh and 10Gbe unmanaged switch. It works well.
Now I need to install security cameras, video intercom and NVR on a VLAN in order to segregate them from the LAN. I want this VLAN to be accessible from LAN, but no LAN devices or router should be available from VLAN. WAN availability is also required for VLAN. I attach a sketch of my LAN setup for the reference.

For this purpose I got GS1900-8HP switch, connected to the router and I tried to set up a VLAN accordingly. I watched guides on Youtube from Zyxel and also read the manual carefully. Unfortunately I could not manage this. When the VLAN10 is created either for tagged or untagged ports 5-8 and other ports excluded, devices on these ports do not get IPs at all. If I do not exclude or forbid other ports from this VLAN on default VLAN1, there is no segregation in the network at all.


Could anybody give me an advice what I do wrong or a link for this purpose?
Thanks in advance

Accepted Solution

  • Zyxel_Chris
    Zyxel_Chris Posts: 653  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Answer ✓
    @koaly,
    About the new product schedule is still under discussion, therefore I cannot provide the precise date. at this moment.
    Our gateway currently does not support third-party VPN and the 2.5G throughput WAN speed. 
    Chris
«1

All Replies

  • Zyxel_Chris
    Zyxel_Chris Posts: 653  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    @kodly,
    Welcome to the community!  :)
    I assume that camera is connect from sw port 5 to 8 and should be untagged out, besides this may I know if you have configure the PVID as 10 on those ports?
    Also did you configure the switch uplink port fixed on VLAN10 and tagged out?

    If still has the issue please attached your configuration file for me.
    Chris
  • Fred_77
    Fred_77 Posts: 115  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    Hi @koaly

    does your router support vlan, tag etc..)?

  • koaly
    koaly Posts: 14  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited April 2022
    @kodly,
    Welcome to the community!  :)
    I assume that camera is connect from sw port 5 to 8 and should be untagged out, besides this may I know if you have configure the PVID as 10 on those ports?
    Also did you configure the switch uplink port fixed on VLAN10 and tagged out?

    If still has the issue please attached your configuration file for me.
    Hello Chris, thanks for the reply and recommendation on settings.
    I did it exactly:
    - VLAN1 is default and set for management.
    - VLAN10 is set for CCTV
    - Ports 5-8 are untagged to VLAN10 with PVID10 and excluded from VLAN1
    - Port 1 (as uplink to a router) is untagged to VLAN10 with PVID10 and excluded from VLAN1
    - Ports 2-4 are untagged to VLAN1 and excluded from VLAN10.

    With this config all devices in VLAN10 receive IPs and have access everywhere including WAN and to LAN devices, connected to the 10Gbe unmanaged switch. No access to GS1900 web-interface. The main problem is that I need to restrict VLAN10 from LAN, which receives the same subnet IPs from router. 
    Could it be that VLAN10 is separated from ports 2-4, but consider all packets coming through port 1 as WAN and therefore it still get access to other devices, connected to router via LAN ports on the 10Gbe unmanaged switch and also via WLAN from the router?
    May that be the case?
    Is my current topology totally wrong or I need another device to replace the 10Gbe unmanaged switch (e.g. XS1930-10), which should be capable to assign subnets to VLANs with access restrictions? 
    I have attached the config file.  Thanks in advance for advices.
  • koaly
    koaly Posts: 14  Freshman Member
    First Anniversary 10 Comments Friend Collector
    edited April 2022
    Fred_77 said:
    Hi @koaly

    does your router support vlan, tag etc..)?

    Hi Fred, I have Asus ax86u, working as a router, firewall, VPN-client and WLAN AP. Another similar device is installed in Mesh with a LAN backhaul. Asus has a guest WLAN with restrictions from LAN for IoT devices, but no options in Web-GUI for VLANs unfortunately. 
    Now I need to add security cameras and Video Intercom and I could not find a working config with GS1900-8H. Devices on VLAN10 (CCTV) are either restricted from getting IPs from the router or have access everywhere accept Web-GUI.
    I have installed Entware on Asus ax86u, but there also no packets for VLAN management.
  • Fred_77
    Fred_77 Posts: 115  Ally Member
    First Anniversary 10 Comments Friend Collector First Answer
    As far as i kwow RT series doesn't manage vlans tagging like the BRT series does.
    I fear that with this device you will not be able to segment traffic as you would like.
    You could install a "small-size" firewall on top of your router. In this way you can manage more zones / vlan and define the security policies as you wish.
  • Zyxel_Chris
    Zyxel_Chris Posts: 653  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    @kodly,
    Good to know you can get VLAN10 IP, so the LAN router (which connect on modem, directly) is not support VLAN? Since there is the limitation to restrict traffic direction via switch. 
    The LAN access control in this case is better configured on the gateway.
    If your gateway is not support VLAN then can consider Zyxel USG Flex has the guest interface can fulfill this case. :)
    Chris
  • koaly
    koaly Posts: 14  Freshman Member
    First Anniversary 10 Comments Friend Collector
    @kodly,
    Good to know you can get VLAN10 IP, so the LAN router (which connect on modem, directly) is not support VLAN? Since there is the limitation to restrict traffic direction via switch. 
    The LAN access control in this case is better configured on the gateway.
    If your gateway is not support VLAN then can consider Zyxel USG Flex has the guest interface can fulfill this case. :)
    Hello Chris, 
    thanks for the the proposal on changing the router. I am afraid that USG Flex would be an overkill for me. I have found another model of a consumer-grade router from Zyxel (Zyxel Armor G5). The Armor G5 (NBG7815) "User's Guide" tells on the page 11 that it does support VLANs, but I have not found any description in the Armor G5 (NBG7815) "User's Guide" on how I can do that on the device. This chapter is completely missing.
    Could you please advise whether I can use it for organizing VLANs? 
  • Zyxel_Chris
    Zyxel_Chris Posts: 653  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    @kodly
    I'm sorry, there is a mistake on the user guide, NBG7815 is not supporting VLAN however, there will be a new product that can support it. :)    
    Chris
  • koaly
    koaly Posts: 14  Freshman Member
    First Anniversary 10 Comments Friend Collector
    @kodly
    I'm sorry, there is a mistake on the user guide, NBG7815 is not supporting VLAN however, there will be a new product that can support it. :)    

    @Zyxel_Chris , thank you for making this point clear. This means the User's Guide is measleading with incorrect informaiton.

    Could you please tell me how long would be waiting time for the new Zyxel router? 

    I need a device, which satisfies the following functional criteria:

    - Wifi mesh (min. AC)

    - Custom DDNS (e.g. Duckdns)

    - OVPN and Wire Guard clients

    - OVPN and Wire Guard server

    - Firewall, routings

    - VLANs

    - 2,5G WAN port

    - 2,5G to 10G LAN ports.

    For the moment I use Asus ax86u, which satisfies many of the features, but has no VLANs, and only 1x 2,5G port. Otherwise it is very powerful works well on custom FW.

    thanks in advance
    Best Regards

  • mMontana
    mMontana Posts: 1,298  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    Some SMB or upper tier firewalls don't support whole list of desiderata. A consumer one with all the box checked maybe will appear 3-5 years since now...
    10G also with RJ connectors it's still quite tough to achieve...