VLAN & Firewall rules

jeffshead
Posts: 2
Joined: Sun Aug 04, 2019 6:28 pm

VLAN & Firewall rules

Post by jeffshead »

I have created a detailed layout of my proposed network but I still cannot figure out the correct way to configure the VLANs/ports in the switches and the proper firewall rules that I need to create to route traffic and limit access. This whole surveillance scene is new to me. I have been searching for answers, all over the Internet, for weeks but I feel like I'm almost back to "square one" because of all of the conflicting information/advice that I have received. I want the untrusted IP cams to be on their own VLAN (Internet inaccessible) and the BI server box to also be on its own VLAN. I would like to use the BI Android app and be able to receive notifications locally and remotely. I already have a VPN configured in the router.

I have a TP-Link TL-SG1016PE switch and a ZyXel GS1900-HP10 switch. I'm a little apprehensive about posting all of my details out in the public. Are there any security-minded pros on here who know how to set up VLANs & firewall rules and would be kind enough to help me via email? I also created a fillable PDF form that contains a mock-up of the configuration pages of each switch to make it simple to communicate.

Thanks for reading!

Cheers,

Jeff
spammenotinoz
Posts: 51
Joined: Tue Jul 16, 2019 11:44 am

Re: VLAN & Firewall rules

Post by spammenotinoz »

Possibly overengineering it a bit.
If you have BI and the cams on different networks, you then need a VLAN-capable router or firewall router to bridge them together, but then you might as well not have them separate. The router and firewall will also kill performance.

Typically, most people want the cams firewalled off from the Internet (run NTP on the BI box), so they run on an isolated physical network. The BI box will have a network interface on two networks (the cam network, and a second for management). Yes, you can use VLANs, but it's too complex for a lot of people.
On the BI server the interface connecting to the cams should NOT have a gateway set (only one interface should have a gateway set, and that should be the management interface).
For home, I wouldn't recommend trunking the VLANs; use the switch to keep the VLANs for management and cams separate (with no routing) and then use separate physical cables from the switch to your PC, but it all depends on your internal cabling and layout.
Others will disagree and say tag and trunk the VLANs. That is okay if you know what you are doing; you will be supporting it, after all.

Exposing foreign-made cams to the Internet is probably the biggest risk, which can be mitigated by blocking all outbound access for their STATIC IP range from any decent home router. If you give them static IPs and don't specify a gateway, then they cannot route/communicate beyond their subnet.
A simple solution is to create a subnet within a subnet and not specify a gateway.
e.g.: Using a subnet mask of 255.255.255.240 gives you 16 addresses (14 usable). If the BI server and cams are in the same range they can communicate, but if you don't specify a gateway on the cams they can't communicate outside of that subnet. The BI server will have a gateway and a much larger subnet mask (e.g. 255.255.255.0) and hence can communicate beyond the subnet and to other networks via the gateway. Sweet/simple and no VLANs or fancy switches.

PS: Also remember Firewalls are stateful, so no need to specify the return path, but when locking down via the switches (access control lists), you also need to allow the return traffic, as they are not stateful.
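Added worked example (not from the original post or either poster): the two points above modelled in Python so the behaviour can be checked rather than argued about. Part 1 models the "subnet within a subnet" trick: a camera on a /28 with no gateway, and the BI server sitting inside that /28 but configured with a /24 and a gateway. Part 2 models the difference between a stateful firewall and a stateless switch ACL for the same BI-to-camera stream. All addresses (192.168.1.x), the camera port (TCP 554) and the ephemeral port 40000 are constructed assumptions; the post only gives the masks.

```python
import ipaddress

# ---- Part 1: "subnet within a subnet" ----
# Constructed addresses (the post gives only masks). Cameras get static IPs
# in 192.168.1.16/28 with NO gateway; the BI server is 192.168.1.17, inside
# that /28 from the cameras' point of view, but configured as /24 with a
# gateway of 192.168.1.1 so it can reach the rest of the LAN and the Internet.

def next_hop(host_ip, prefix, gateway, dst):
    """Model of the sending host's own routing decision (no router involved).

    Returns "direct" if dst is inside the host's subnet, the gateway address
    if dst is off-subnet and a gateway is configured, or None if dst is
    off-subnet and there is no gateway: the host cannot send the packet at all.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix}")
    if ipaddress.ip_address(dst) in iface.network:
        return "direct"
    return gateway

CAM = ("192.168.1.20", 28, None)          # camera: /28, no gateway
BI = ("192.168.1.17", 24, "192.168.1.1")  # BI server: /24 with gateway

def reachability():
    """Who can *initiate* traffic to whom, based purely on host config."""
    return {
        "cam->bi": next_hop(*CAM, "192.168.1.17"),
        "cam->mgmt_pc": next_hop(*CAM, "192.168.1.50"),   # elsewhere in the /24
        "cam->internet": next_hop(*CAM, "8.8.8.8"),
        "bi->cam": next_hop(*BI, "192.168.1.20"),
        "bi->internet": next_hop(*BI, "8.8.8.8"),
    }

# ---- Part 2: stateful firewall vs stateless switch ACL ----
# A rule is (src_net, dst_net, proto, sport, dport); a port of None is a
# wildcard. A packet is a dict with the same five fields plus addresses.

def _matches(rule, pkt):
    src_net, dst_net, proto, sport, dport = rule
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst_net)
            and pkt["proto"] == proto
            and (sport is None or pkt["sport"] == sport)
            and (dport is None or pkt["dport"] == dport))

def stateless_acl_allows(rules, pkt):
    """Switch-style ACL: every packet is judged on its own; implicit deny."""
    return any(_matches(r, pkt) for r in rules)

class StatefulFirewall:
    """Router-style firewall: a packet that matches a rule opens a flow, and
    packets in either direction of that flow are then allowed without a rule."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    @staticmethod
    def _key(pkt):
        return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])

    @staticmethod
    def _reverse_key(pkt):
        return (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"], pkt["proto"])

    def allows(self, pkt):
        if self._key(pkt) in self.flows or self._reverse_key(pkt) in self.flows:
            return True
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add(self._key(pkt))
            return True
        return False

# BI pulls the stream from the camera, so BI initiates. Port 554 is assumed.
BI_TO_CAM = ("192.168.1.17/32", "192.168.1.16/28", "tcp", None, 554)
# The explicit return rule a stateless ACL needs for the camera's replies.
CAM_TO_BI_RETURN = ("192.168.1.16/28", "192.168.1.17/32", "tcp", 554, None)

REQUEST = {"src": "192.168.1.17", "sport": 40000, "dst": "192.168.1.20", "dport": 554, "proto": "tcp"}
REPLY = {"src": "192.168.1.20", "sport": 554, "dst": "192.168.1.17", "dport": 40000, "proto": "tcp"}

def compare_rule_sets():
    fw = StatefulFirewall([BI_TO_CAM])
    return {
        "stateful_reply_before_request": fw.allows(REPLY),   # unsolicited: dropped
        "stateful_request": fw.allows(REQUEST),
        "stateful_reply_after_request": fw.allows(REPLY),    # matched by flow state
        "acl_forward_only_reply": stateless_acl_allows([BI_TO_CAM], REPLY),
        "acl_with_return_rule_reply": stateless_acl_allows([BI_TO_CAM, CAM_TO_BI_RETURN], REPLY),
    }
```

Two caveats the model makes visible. First, Part 1 is enforced only by the camera's own configuration: nothing on the wire stops a compromised camera from adding a gateway to itself, which is why the post pairs it with an outbound block for the cameras' static range at the router. Second, the stateless return rule in Part 2 is wider than the stateful flow entry: it admits any packet from a camera with source port 554 to the BI server, not only replies to a connection BI opened, because a stateless ACL cannot tell the two apart.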
jeffshead
Posts: 2
Joined: Sun Aug 04, 2019 6:28 pm

Re: VLAN & Firewall rules

Post by jeffshead »

I can't tell you how much I appreciate your response!

I wish I had your response before I bought those two switches :-( Now I am truly back to "square one".

One problem I have is that I have devices (including APs) on different floors of my home. Some devices should be on the same subnet but they are on different floors. That's why I wanted to go with VLANs. I never considered the router and firewall causing performance issues.

If you don't mind, I'll PM you a PDF with my network diagram to make it easier for you to see what I have.

Thanks again!