Are you going to connect the cameras via LAN or WLAN? I'll assume LAN for this answer.
What you need is two LAN segments, a firewall between them and proper routing rules everywhere unless your default gateway(s) do(es) all the routing.
Simplest setup with a single router:
   192.168.7.0/24      DSL    192.168.8.0/24
          |             |            |
          |             |            |
     PC --|             |            |-- Camera
          |----------- Main ---------|
          |           Router         |
 Laptop --|                          |-- Camera
          |                          |
Note that the concept of a LAN segment is different from a Router: Usually, a LAN segment is made up by a switch which connects all machines. Such a switch can also be part of a router. A LAN segment can also be a WLAN access point. You can connect LAN ports of a single router to different LAN segments (if you configure that properly).
While a Fritzbox is a fine machine, you can't deploy open source firmware on it, and it's not easy to change the existing firmware. So with a Fritzbox, you'd need a dedicated second router as a firewall:
   192.168.7.0/24      DSL    192.168.8.0/24
          |             |            |
          |             |            |
     PC --|             |            |-- Camera
          |----------- Main          |
          |           Router         |
 Laptop --|                          |-- Camera
          |                          |
          |--------- Firewall -------|
          |                          |
The firewall must also act as DHCP server for the 192.168.8.0/24 segment. Now you have the problem that all machines in the 192.168.7.0/24 segment need explicit routes with the Firewall as gateway into the 192.168.8.0/24 segment. You can distribute routes by DHCP, but again, on a Fritzbox this will be difficult to set up. One workaround is to let the firewall router handle the DHCP, and deactivate it on the Fritzbox (which will make the Fritzbox a lot less useful).
TL;DR: You'll need to be able to configure firewall rules and DHCP routing options. This can be done on routers with open source firmware (like OpenWRT or DD-WRT), but will often be difficult on consumer grade routers with the available firmware.
How to exactly input the required firewall rules etc. depends on what hardware and firmware you end up with. You'll also have to learn networking basics to understand what you have to do, and why you need to do it.
Edit
Basics about routing: Every computer where the default route is not the correct route for that particular destination must have the route set. So if you want to reach 192.168.8.* from 192.168.7.*, every computer in 192.168.7.* (in the picture: "PC", "Laptop") must have the route set. That's why I mentioned it would be good to distribute routes via DHCP: In that way, you don't have to set static routes everywhere by hand.
That said, let's stick with the static routes. Assume "PC" runs Linux, and everything is wired up as in the second picture, and the firewall/POE injector has 192.168.7.222.
Then on "PC", set the static route manually (making them permanent comes after everything works):
ip route add 192.168.8.0/24 via 192.168.7.222
Verify with ip route show that the route uses the correct interface, and with ip route get 192.168.8.1 that everything works and you don't have other rules/routes which take priority.
You said you get 192.168.7.1 as first hop when tracerouting from "PC"; this is wrong and shouldn't happen if you set the route correctly on "PC". While it is in principle possible to set the route only on the main router, this is inefficient, could result in ICMP REDIRECT messages which, depending on the OS, may or may not be obeyed, and generally could lead to funny situations where things break.
If you got 192.168.7.1 as second hop after 192.168.7.222 as first hop, then the routing on the second router/POE is wrong.
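The two checks described in the answer, written out as an added example (not part of the original answer): one function reads `ip route get` output and confirms the camera segment is reached via 192.168.7.222, the other classifies the first two traceroute hops the way the answer does. The function names, the interface name eth0 and the source address 192.168.7.10 in the sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: route and hop checks for the two-segment setup in the answer.
FW=192.168.7.222   # firewall / PoE injector address (from the answer)
MAIN=192.168.7.1   # main router address (from the answer)

# next_hop: read `ip route get` output on stdin and print the gateway that
# follows "via"; print "direct" if the destination is on-link (no "via").
next_hop() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "via") { print $(i + 1); found = 1; exit } }
         END { if (!found) print "direct" }'
}

# check_route OUTPUT: "ok" if the chosen gateway is the firewall,
# otherwise "wrong-gateway:<what was chosen>".
check_route() {
    hop=$(printf '%s\n' "$1" | next_hop)
    if [ "$hop" = "$FW" ]; then echo "ok"; else echo "wrong-gateway:$hop"; fi
}

# diagnose HOP1 HOP2: interpret the first two traceroute hops seen from "PC".
diagnose() {
    if [ "$1" = "$MAIN" ]; then
        echo "route-missing-on-pc"        # PC fell back to its default route
    elif [ "$1" = "$FW" ] && [ "$2" = "$MAIN" ]; then
        echo "firewall-routing-wrong"     # firewall sent the packet back out
    elif [ "$1" = "$FW" ]; then
        echo "ok"
    else
        echo "unexpected"
    fi
}

# Constructed sample lines (not captured from a real host):
SAMPLE_GOOD='192.168.8.1 via 192.168.7.222 dev eth0 src 192.168.7.10 uid 1000'
SAMPLE_BAD='192.168.8.1 via 192.168.7.1 dev eth0 src 192.168.7.10 uid 1000'

check_route "$SAMPLE_GOOD"             # static route present on PC
check_route "$SAMPLE_BAD"              # only the default route matched
diagnose 192.168.7.1 192.168.8.1
diagnose 192.168.7.222 192.168.7.1
```

On a live host, pass the real output instead of the samples: check_route "$(ip route get 192.168.8.1)".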
I'm not sure about Fritzbox, but using a Fortigate 60E you can connect your WAN and create 2 networks using VLAN. You then need to configure firewall rules to allow/deny access in certain directions. If the Fritzbox supports this, you can do the same here. – CustomX – 2018-08-21T14:18:34.307
Thanks for the answer! I've quickly read some specs about FritzBox and it doesn't allow creating VLANs :( In your opinion, is a firewall mandatory, or do I only need to set up my LAN and a subnet in a proper way to reach my goals? – Roberto Milani – 2018-08-22T20:23:16.337
Well I know you can achieve this using a small firewall. Technically you'd be able to do the same using a router, but a firewall is all about policies ;-) – CustomX – 2018-08-23T08:11:47.917