Communication and visibility between main network and a subnet

1

I am thinking how to structure a small home video surveillance system.

Actually in my house I have only one gateway/ADSL modem/router with the following settings:

ADSL modem/gateway IP: 192.168.7.1

Subnet mask configured: 255.255.255.0

DHCP enabled: start IP: 192.168.7.2, end IP: 192.168.7.200

I'm planning to create a subnet buying a new router on which I'm going to connect some outdoor ethernet IP cameras.

All of these IP cameras record video on a specific NAS inside the subnet.

I have some doubts about the configuration I have to make to get these features:

  • from the main network I'd like to see all clients of the subnet (all IP cameras + NAS)
  • subnet doesn't have Internet access and can't see clients of the main network

I have no problems in installing/buying new hardware components to reach the specified features. The main goal is to guarantee the "one way" visibility between the main network and the subnet.

In a couple of weeks I also have to change my main gateway (due to migration from ADSL to VDSL/FTTC) and I'm going to buy a FritzBox. Can the change of the main gateway offer me a valid solution to my problem?

Thanks in advance for your help.

Roberto Milani

Posted 2018-08-15T13:57:50.057

Reputation: 61

I'm not sure about Fritzbox, but using a Fortigate 60E you can connect your WAN and create 2 networks using VLAN. You then need to configure firewall rules to allow/deny access in certain directions. If the Fritzbox supports this, you can do the same here. – CustomX – 2018-08-21T14:18:34.307

Thanks for the answer! I've quickly read some specs about FritzBox and it doesn't allow creating VLANs :( In your opinion, is a firewall mandatory, or do I only need to set up my LAN and a subnet in a proper way to reach my goals? – Roberto Milani – 2018-08-22T20:23:16.337

Well I know you can achieve this using a small firewall. Technically you'd be able to do the same using a router, but a firewall is all about policies ;-) – CustomX – 2018-08-23T08:11:47.917

Answers

1

  1. Buy another router like you said and configure a different IP set for LAN:

e.g. IP: 192.168.1.1 Subnet mask: 255.255.255.0

  2. Configure static external facing IP on the new router e.g. 192.168.7.222

  3. Block internet access for 192.168.7.222 on your modem/first router

t4u51f

Posted 2018-08-15T13:57:50.057

Reputation: 96


  • I'm doing some tests with a Linksys E3000 as a second router; I've set it with IP 192.168.1.1 like you said.
  • In my main router I've set IP 192.168.7.222 (using the address reservation feature) for the MAC address of the second router, and from all the clients of the main network I can now access the second router's web interface.
  • done and working :)
  • From the main network I still cannot reach the 192.168.1.x LAN segment. For example, doing a ping from a PC (192.168.7.3) to an IP camera (192.168.1.10) -> request timed out. – Roberto Milani – 2018-08-26T09:46:35.097

    To fix the problem I'm trying to use static routes and I've tried to set a static route in the main router that way: https://ibb.co/eaR0dU (Destination IP Address: 192.168.1.0, Subnet Mask: 255.255.255.0, Gateway: 192.168.7.222).

    But I still can not ping from 192.168.7.3 to 192.168.1.10. :-(

    – Roberto Milani – 2018-08-26T09:46:51.147

    1

    Are you going to connect the cameras via LAN or WLAN? I'll assume LAN for this answer.

    What you need is two LAN segments, a firewall between them and proper routing rules everywhere unless your default gateway(s) do(es) all the routing.

    Simplest setup with a single router:

        192.168.7.0/24      DSL    192.168.8.0/24
              |              |           |
              |              |           |
        PC  --|              |           |--  Camera
              |----------- Main ---------|
              |           Router         |
     Laptop --|                          |--  Camera
              |                          |
    

    Note that the concept of a LAN segment is different from a Router: Usually, a LAN segment is made up of a switch which connects all machines. Such a switch can also be part of a router. A LAN segment can also be a WLAN access point. You can connect LAN ports of a single router to different LAN segments (if you configure that properly).

    While a Fritzbox is a fine machine, you can't deploy open source firmware on it, and it's not easy to change the existing firmware. So with a Fritzbox, you'd need a dedicated second router as a firewall:

        192.168.7.0/24      DSL    192.168.8.0/24
              |              |           |
              |              |           |
        PC  --|              |           |--  Camera
              |----------- Main          |
              |           Router         |
     Laptop --|                          |--  Camera
              |                          |
              |--------- Firewall -------|
              |                          |
    

    The firewall must also act as DHCP server for the 192.168.8.0/24 segment. Now you have the problem that all machines in the 192.168.7.0/24 segment need explicit routes with the Firewall as gateway into the 192.168.8.0/24 segment. You can distribute routes by DHCP, but again, on a Fritzbox this will be difficult to set up. One workaround is to let the firewall router handle the DHCP, and deactivate it on the Fritzbox (which will make the Fritzbox a lot less useful).

    TL;DR: You'll need to be able to configure firewall rules and DHCP routing options. This can be done on routers with open source firmware (like OpenWRT or DD-WRT), but will often be difficult on consumer grade routers with the available firmware.

    How exactly to input the required firewall rules etc. depends on what hardware and firmware you end up with. You'll also have to learn networking basics to understand what you have to do, and why you need to do it.

    Edit

    Basics about routing: Every computer where the default route is not the correct route for that particular destination must have the route set. So if you want to reach 192.168.8.* from 192.168.7.*, every computer in 192.168.7.* (in the picture: "PC", "Laptop") must have the route set. That's why I mentioned it would be good to distribute routes via DHCP: In that way, you don't have to set static routes everywhere by hand.

    That said, let's stick with the static routes. Assume "PC" runs Linux, and everything is wired up as in the second picture, and the firewall/POE injector has 192.168.7.222.

    Then on "PC", set the static route manually (making them permanent comes after everything works):

    ip route add 192.168.8.0/24 via 192.168.7.222
    

    Verify with ip route show that the route uses the correct interface, and with ip route get 192.168.8.1 that everything works and you don't have other rules/routes which take priority.

    You said you get 192.168.7.1 as first hop when tracerouting from "PC"; this is wrong and shouldn't happen if you set the route correctly on "PC". While it is in principle possible to set the route only on the main router, this is inefficient, could result in ICMP REDIRECT messages which depending on the OS may or may not be obeyed, and generally could lead to funny situations where things break.

    If you got 192.168.7.1 as second hop after 192.168.7.222 as first hop, then the routing on the second router/POE is wrong.

    dirkt

    Posted 2018-08-15T13:57:50.057

    Reputation: 11 627
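To make the routing basics above concrete, here is an added example (not code from the thread or from any of the answerers) that simulates the longest-prefix-match lookup a Linux host performs, using the same routing-table lines that `ip route show` would print for "PC" before and after the `ip route add` from the answer. It also shows why the static route's destination is the whole network (192.168.8.0/24) rather than one camera's address, and why `ip route get` is asked about a host address such as 192.168.8.1. The interface name `eth0` and the table contents are assumptions.

```python
"""Simulated longest-prefix-match route lookup (added example, not code from the thread).

Models the routing table of "PC" (192.168.7.3) the way 'ip route show' prints it,
before and after the static route from the answer, and answers "which next hop does
a packet to 192.168.8.10 get?" the way 'ip route get' would.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: Optional[str]   # None means the destination is on-link (directly connected)
    interface: str


def parse_route(line: str) -> Route:
    """Parse one 'ip route show' style line, e.g. '192.168.8.0/24 via 192.168.7.222 dev eth0'."""
    tokens = line.split()
    prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    # strict=True rejects a host address with a prefix length (192.168.8.1/24 has host
    # bits set): the destination of a network route is the network, 192.168.8.0/24,
    # which covers every camera in the segment with a single entry.
    destination = ipaddress.ip_network(prefix, strict=True)
    gateway = tokens[tokens.index("via") + 1] if "via" in tokens else None
    interface = tokens[tokens.index("dev") + 1] if "dev" in tokens else "lo"
    return Route(destination, gateway, interface)


def route_get(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the most specific matching route, as the kernel (and 'ip route get') does."""
    addr = ipaddress.ip_address(dst)          # a host address, e.g. 192.168.8.1
    matches = [r for r in table if addr in r.destination]
    return max(matches, key=lambda r: r.destination.prefixlen, default=None)


def next_hop(table: List[Route], dst: str) -> str:
    """Address the packet is handed to on the wire: the gateway, or dst itself if on-link."""
    route = route_get(table, dst)
    if route is None:
        raise ValueError(f"no route to {dst}")
    return route.gateway if route.gateway else dst


# Constructed tables for "PC" from the second picture in the answer (eth0 is assumed).
PC_TABLE_BEFORE = [parse_route(line) for line in (
    "default via 192.168.7.1 dev eth0",
    "192.168.7.0/24 dev eth0",
)]
# After running on PC:  ip route add 192.168.8.0/24 via 192.168.7.222
PC_TABLE_AFTER = PC_TABLE_BEFORE + [parse_route("192.168.8.0/24 via 192.168.7.222 dev eth0")]


if __name__ == "__main__":
    for name, table in (("before", PC_TABLE_BEFORE), ("after", PC_TABLE_AFTER)):
        print(f"{name}: 192.168.8.10 -> next hop {next_hop(table, '192.168.8.10')}")
```

Without the static route, the packet to 192.168.8.10 falls through to the default route and is handed to 192.168.7.1, which is exactly the wrong first hop seen in the traceroute; with the route in place, the PC sends it straight to 192.168.7.222, and the main router is never involved.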

    Thanks for your answer! I'm going to connect cameras via LAN. In my case, the second router that handles the 192.168.8.0 segment is a POE injector that also has a built-in managed firewall. Now from the main network I still cannot reach the 192.168.8.x LAN segment. For example, doing a ping from a PC (192.168.7.3) to an IP camera (192.168.8.10) -> request timed out. To fix the problem I'm trying to use static routes and I've tried to set a static route this way: destination IP 192.168.8.0, subnet: 255.255.255.0, gateway: 192.168.7.222. But I still get request timed out :( – Roberto Milani – 2018-08-26T10:07:38.423

    Where 192.168.7.222 is the IP of the 192.168.8.1 POE injector as seen from segment 7 of my LAN. – Roberto Milani – 2018-08-26T10:08:40.187

    (1) 192.168.8.0 is not a valid address in the segment, use a different one, e.g. 192.168.8.1 (2) Verify with ip route get 192.168.8.1 that the static route is correct. (3) Verify with tcpdump that the ping packet is going out on the interface. (4) If this all works, it must be something in the configuration of the firewall. – dirkt – 2018-08-26T13:05:25.777

    I've tried to follow all your precious advice:

    1. I've changed the destination IP address of the static route from 192.168.8.0 to 192.168.8.1, but nothing has changed.

    I'm not familiar with static routes: I haven't understood if I have to set as destination IP the IP of the whole LAN segment (e.g. 192.168.8.0 to indicate the range 192.168.8.1-192.168.8.254) or only a particular IP (and have a static route for each IP address of the "segment 8" LAN that I want to reach from the "segment 7" LAN).

    2. I've tried to do a tracert of 192.168.8.10 (from 192.168.7.3). – Roberto Milani – 2018-08-26T17:08:05.213

    A first hop appears after 1ms and it is the main router 192.168.7.1, then I get expired requests and tracert does not complete. So it seems that the main router has not redirected the packet to 192.168.7.222 and I don't understand if it is the main router that has not followed the static route or if it is the second router that didn't receive the packet for some reason.

    3. I've tried with SmartSniff (while doing the ping from 192.168.7.3 to 192.168.8.10) and I can see the packet going out from my network interface but it does not receive any answer. – Roberto Milani – 2018-08-26T17:08:21.667

    Is it right to expect that the main router receives the packet and redirects it to 192.168.7.222?

    4. I've disabled the embedded firewall of the second router (I'm using a Linksys E3000 for doing these tests). – Roberto Milani – 2018-08-26T17:08:29.920

    0

    You will need to perform two different actions:

    • routing of traffic between two networks
    • a firewall controlling the traffic between the networks

    Actually, you have three different networks if we also count the public Internet, but that will be taken care of by the router you already have. Basically you COULD use a Fritzbox to do all the jobs, but it is not intended to do this job and there's some manual work required. Also, things are not very easy to see - especially if you haven't touched the system for several weeks...

    I would suggest you use a separate firewall which also has routing capabilities. Every PC which has more than one network card can be a router - it depends on its configuration. So your Fritzbox is definitely a router. It routes network traffic and decides whether or not a packet is to be sent out to the Internet or into your local network.

    You need an additional router which is connected to your internal network (where your Fritzbox is located) and to your video camera surveillance network. The box you need should therefore have two network cards. (Of course you could do it with one network card and use VLANs, but I wouldn't do that because it complicates things much more than necessary.)

    As soon as both networks are connected to your router, it does not need any static routes as it already knows both the internal network and the video network. So it can decide to which network interface network traffic is to be sent. (You just will need to tell the router where it should send all the other traffic, i. e. all the packets destined for the Internet. That's done using the default gateway.)

    Your Fritzbox is not aware of another network, so it will try to send the packets destined to your video LAN out to the Internet (which won't work of course). So, either you add a static route on the Fritzbox telling it to send all the packets for your video LAN to your new router or you change the default gateway on your Fritzbox's DHCP server to the new router. (I would prefer the static route as it does not cause that much traffic in your internal network.)

    Now that the routing should work, you should take care of the firewalling. You need to define policies, which devices are allowed to do what in which directions. You do that with a firewall.

    There are certainly many products out there which all are perfectly fine for doing that job.

    I would probably use pfSense for this job. This product is free-of-charge and has many, many options. Also, it's very reliable and easy to configure once you get familiar with it.

    But maybe you like a product like IPFire better than pfSense, as it's easier to configure, but that's up to you. I would suggest you use pfSense.

    All the above is probably the "easy" way. The "beautiful" way would be to directly connect all networks to your router:

    • The internet line (directly connect the FritzBox to the router)
    • the internal network
    • the video network

    This would make your router the center of your network where you can control everything in one place. You then only need the Fritzbox to act as a DSL modem... But that setup is a little bit more complicated ;-)

    Have fun :-)

    Best Thomas

    TomS

    Posted 2018-08-15T13:57:50.057

    Reputation: 274
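The "policies, which devices are allowed to do what in which directions" that this answer (and the question's "one way visibility" goal) call for boil down to a default-drop forward policy with a single allowed direction plus stateful replies. The following is an added example, not configuration from the thread or from pfSense/IPFire: it simulates a connection-tracking firewall sitting between the two segments of the second diagram, so you can see which constructed packets it forwards and which it drops. Interface names `lan`, `video` and `wan`, the NAS address 192.168.8.20 and the public address 203.0.113.10 are assumptions; the nftables ruleset in the comment is the equivalent policy for a Linux-based firewall router.

```python
"""Simulated one-way forward policy between 192.168.7.0/24 and 192.168.8.0/24
(added example, not the thread's configuration).

Policy: drop everything forwarded, except
  - packets belonging to a flow that was already accepted (established), and
  - new flows entering on "lan" and leaving on "video".
So the main LAN can open connections to cameras and NAS, the video segment can
only answer, and it cannot reach the main LAN or the Internet on its own.

# Equivalent nftables ruleset for a Linux firewall router (interface names assumed):
#   table inet oneway {
#     chain forward {
#       type filter hook forward priority 0; policy drop;
#       ct state established,related accept
#       iifname "lan" oifname "video" ct state new accept
#     }
#   }
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Assumed interface -> segment mapping on the firewall router; anything else is "wan".
IFACES = {
    "lan": ipaddress.ip_network("192.168.7.0/24"),
    "video": ipaddress.ip_network("192.168.8.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


Flow = Tuple[str, str, int, str, int]


def iface_for(address: str) -> str:
    """Interface a packet with this address enters (src) or leaves (dst) on."""
    addr = ipaddress.ip_address(address)
    for name, net in IFACES.items():
        if addr in net:
            return name
    return "wan"


class ConnTracker:
    """Minimal conntrack: a flow is 'established' once a packet of it was accepted."""

    def __init__(self) -> None:
        self.flows: Set[Flow] = set()

    def state(self, p: Packet) -> str:
        forward: Flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse: Flow = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "established" if forward in self.flows or reverse in self.flows else "new"

    def record(self, p: Packet) -> None:
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))


class OneWayFirewall:
    def __init__(self) -> None:
        self.ct = ConnTracker()

    def forward(self, p: Packet) -> str:
        iif, oif = iface_for(p.src), iface_for(p.dst)
        if iif == oif:
            return "not-forwarded"          # same segment: traffic never reaches the firewall
        if self.ct.state(p) == "established":
            return "accept"                 # reply/continuation of an accepted flow
        if iif == "lan" and oif == "video":
            self.ct.record(p)               # the one direction in which new flows are allowed
            return "accept"
        return "drop"                       # video -> lan, video -> wan, wan -> video


def run_scenarios() -> Dict[str, str]:
    """Constructed traffic through the firewall; returns the verdict per scenario."""
    fw = OneWayFirewall()
    return {
        # PC on the main LAN opens an RTSP stream (tcp/554) to a camera: new, lan -> video
        "pc_to_camera": fw.forward(Packet("192.168.7.3", "192.168.8.10", "tcp", 40000, 554)),
        # the camera's reply is part of that flow: established
        "camera_reply": fw.forward(Packet("192.168.8.10", "192.168.7.3", "tcp", 554, 40000)),
        # a camera opening a connection into the main LAN on its own: new, video -> lan
        "camera_to_pc": fw.forward(Packet("192.168.8.10", "192.168.7.3", "tcp", 40001, 22)),
        # NAS trying to reach the Internet: new, video -> wan
        "nas_to_internet": fw.forward(Packet("192.168.8.20", "203.0.113.10", "tcp", 40002, 443)),
        # camera writing recordings to the NAS: both in the video segment
        "camera_to_nas": fw.forward(Packet("192.168.8.10", "192.168.8.20", "tcp", 40003, 445)),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:16s} {verdict}")
```

Routing still has to be in place for the firewall to see these packets at all (the static route or DHCP-distributed route discussed in the other answer); the policy above only decides what happens once a packet arrives on one interface and would leave on another.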