
I am thinking how to structure a small home video surveillance system.

Currently in my house I have only one gateway/ADSL modem/router, with the following settings:

ADSL modem/gateway IP: 192.168.7.1

Subnet mask configured: 255.255.255.0

DHCP enabled: start IP: 192.168.7.2, end IP: 192.168.7.200

I'm planning to create a subnet by buying a new router to which I'm going to connect some outdoor ethernet IP cameras.

All of these IP cameras record video on a specific NAS inside the subnet.

I have some doubts about the configuration I have to make to get these features:

  • from the main network I'd like to see all clients of the subnet (all IP cameras + NAS)
  • subnet doesn't have Internet access and can't see clients of the main network

I have no problems in installing/buying new hardware components to reach the specified features. The main goal is to guarantee the "one way" visibility between the main network and the subnet.

In a couple of weeks I also have to change my main gateway (due to migration from ADSL to VDSL/FTTC) and I'm going to buy a FritzBox. Can the change of the main gateway offer me a valid solution to my problem?

Thanks in advance for your help.

3 Answers


Are you going to connect the cameras via LAN or WLAN? I'll assume LAN for this answer.

What you need is two LAN segments, a firewall between them and proper routing rules everywhere unless your default gateway(s) do(es) all the routing.

Simplest setup with a single router:

    192.168.7.0/24      DSL    192.168.8.0/24
          |              |           |
          |              |           |
    PC  --|              |           |--  Camera
          |----------- Main ---------|
          |           Router         |
 Laptop --|                          |--  Camera
          |                          |

Note that the concept of a LAN segment is different from a Router: Usually, a LAN segment is made up by a switch which connects all machines. Such a switch can also be part of a router. A LAN segment can also be a WLAN access point. You can connect LAN ports of a single router to different LAN segments (if you configure that properly).

While a Fritzbox is a fine machine, you can't deploy open source firmware on it, and it's not easy to change the existing firmware. So with a Fritzbox, you'd need a dedicated second router as a firewall:

    192.168.7.0/24      DSL    192.168.8.0/24
          |              |           |
          |              |           |
    PC  --|              |           |--  Camera
          |----------- Main          |
          |           Router         |
 Laptop --|                          |--  Camera
          |                          |
          |--------- Firewall -------|
          |                          |

The firewall must also act as DHCP server for the 192.168.8.0/24 segment. Now you have the problem that all machines in the 192.168.7.0/24 segment need explicit routes with the Firewall as gateway into the 192.168.8.0/24 segment. You can distribute routes by DHCP, but again, on a Fritzbox this will be difficult to set up. One workaround is to let the firewall router handle the DHCP, and deactivate it on the Fritzbox (which will make the Fritzbox a lot less useful).

TL;DR: You'll need to be able to configure firewall rules and DHCP routing options. This can be done on routers with open source firmware (like OpenWRT or DD-WRT), but will often be difficult on consumer grade routers with the available firmware.

How exactly to input the required firewall rules etc. depends on what hardware and firmware you end up with. You'll also have to learn networking basics to understand what you have to do, and why you need to do it.

Edit

Basics about routing: Every computer where the default route is not the correct route for that particular destination must have the route set. So if you want to reach 192.168.8.* from 192.168.7.*, every computer in 192.168.7.* (in the picture: "PC", "Laptop") must have the route set. That's why I mentioned it would be good to distribute routes via DHCP: In that way, you don't have to set static routes everywhere by hand.

That said, let's stick with the static routes. Assume "PC" runs Linux, and everything is wired up as in the second picture, and the firewall/POE injector has 192.168.7.222.

Then on "PC", set the static route manually (making them permanent comes after everything works):

    ip route add 192.168.8.0/24 via 192.168.7.222

Verify with ip route show that the route uses the correct interface, and with ip route get 192.168.8.1 that everything works and you don't have other rules/route which take priority.

You said you get 192.168.7.1 as first hop when tracerouting from "PC"; this is wrong and shouldn't happen if you set the route correctly on "PC". While it is in principle possible to set the route only on the main router, this is inefficient, could result in ICMP REDIRECT messages which depending on the OS may or may not be obeyed, and generally could lead to funny situations where things break.

If you got 192.168.7.1 as second hop after 192.168.7.222 as first hop, then the routing on the second router/POE is wrong.

dirkt
  1. Buy another router like you said and configure a different IP set for its LAN, e.g. IP: 192.168.1.1, subnet mask: 255.255.255.0
  2. Configure a static external-facing IP on the new router, e.g. 192.168.7.222
  3. Block Internet access for 192.168.7.222 on your modem/first router

t4u51f

You will need to perform two different actions:

  • routing of traffic between two networks
  • a firewall controlling the traffic between the networks

Actually, you have three different networks if we also count the public Internet, but that will be taken care of by the router you already have. Basically you COULD use a Fritzbox to do all the jobs, but it is not intended to do this job and there's some manual work required. Also, things are not very easy to see - especially if you haven't touched the system for several weeks...

I would suggest you use a separate firewall which also has routing capabilities. Every PC which has more than one network card can be a router - it depends on its configuration. So your Fritzbox is definitely a router. It routes network traffic and decides whether or not a packet is to be sent out to the Internet or into your local network.

You need an additional router which is connected to your internal network (where your Fritzbox is located) and to your video camera surveillance network. The box you need should therefore have two network cards. (Of course you could do it with one network card and use VLANs, but I wouldn't do that because it complicates things much more than necessary.)

As soon as both networks are connected to your router, it does not need any static routes as it already knows both the internal network and the video network. So it can decide to which network interface network traffic is to be sent. (You just will need to tell the router where it should send all the other traffic, i. e. all the packets destined for the Internet. That's done using the default gateway.)

Your Fritzbox is not aware of another network, so it will try to send the packets destined for your video LAN out to the Internet (which won't work, of course). So, either you add a static route on the Fritzbox telling it to send all the packets for your video LAN to your new router, or you change the default gateway on your Fritzbox's DHCP server to the new router. (I would prefer the static route as it does not cause that much traffic in your internal network.)

Now that the routing should work, you should take care of the firewalling. You need to define policies, which devices are allowed to do what in which directions. You do that with a firewall.

There are certainly many products out there which all are perfectly fine for doing that job.

I would probably use pfSense for this job. This product is free-of-charge and has many, many options. Also, it's very reliable and easy to configure once you get familiar with it.

But maybe you like a product like IPFire better than pfSense, as it's easier to configure, but that's up to you. I would suggest you use pfSense.

All the above is probably the "easy" way. The "beautiful" way would be to directly connect all networks to your router:

  • The internet line (directly connect the FritzBox to the router)
  • the internal network
  • the video network

This would make your router the center of your network where you can control everything in one place. You then only need the Fritzbox to act as a DSL modem... But that setup is a little bit more complicated ;-)

Have fun :-)

Best Thomas

TomS
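As an added example (not code from any of the answers above): a small Python model of the two pieces dirkt's and TomS's answers describe, the longest-prefix route lookup on "PC" with and without the static route via 192.168.7.222 (which reproduces the wrong 192.168.7.1 first hop dirkt mentions), and a stateful one-way forward policy of the kind TomS says you define on the firewall. The host addresses in the comments and 203.0.113.5 as an Internet destination are constructed for the demo.

```python
import ipaddress

# Segment and gateway addresses come from the question and dirkt's answer;
# everything else below is constructed for this demo.
MAIN = ipaddress.ip_network("192.168.7.0/24")
CAMS = ipaddress.ip_network("192.168.8.0/24")
DEFAULT_GW = ipaddress.ip_address("192.168.7.1")    # ADSL modem / main router
FW_MAIN_IP = ipaddress.ip_address("192.168.7.222")  # firewall's leg in the main LAN


def next_hop(routes, dst):
    """Longest-prefix match, the same decision `ip route get` reports.
    routes: list of (network, gateway); gateway None means on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "direct" if best[1] is None else str(best[1])


# "PC" as it comes out of the box: a default route plus its own segment.
PC_ROUTES = [(ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW), (MAIN, None)]
# "PC" after `ip route add 192.168.8.0/24 via 192.168.7.222`.
PC_ROUTES_FIXED = PC_ROUTES + [(CAMS, FW_MAIN_IP)]


class OneWayFirewall:
    """Minimal stateful forward filter for the box between the two segments:
    new flows may only start in the main LAN; the camera LAN gets replies only."""

    def __init__(self):
        self.flows = set()  # (src, dst) pairs the main LAN has opened

    def forward(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if (dst, src) in self.flows:        # reply to a main-LAN-initiated flow
            return "accept"
        if src in MAIN and dst in CAMS:     # main LAN -> camera/NAS: allowed, tracked
            self.flows.add((src, dst))
            return "accept"
        return "drop"                       # camera-initiated, incl. Internet-bound
```

The first lookup shows why every host in 192.168.7.0/24 needs the static route: without it, camera traffic goes to the default gateway, not to the firewall.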