Questions on network topology for security camera setup

Hi All,

I've spent a while reading various places on the internet, and am at a bit of a roadblock. I'm punching above my weight class here and am in need of a more educated opinion. I am in the midst of designing a security camera installation for my new house. I've read that for 'security', it's advised to have the cameras on their own 'network'. The first thing that came to my mind would be to house them and my main home networks on separate VLANs via a managed switch. You can get inexpensive L2 switches off of ebay, but I've never done this before and have some questions.

  1. Do I really need a VLAN to do this? Why, and what's the tradeoff if I just put together a large, flat network? I only plan to access the cameras via OpenVPN, so I won't have them directly exposed to the internet.
  2. I wanted an inexpensive option, hence the SRW248GP. However, being that it's an L2 switch, it does not do any DHCP. The main router feeding into this switch was planned to be a cheapo home network piece of junk. Is an old router up to the task of handling DHCP for a managed switch with two VLANs?
  3. If I put something like this together, do I even need DHCP hanging off the cable modem? Can't I hard code IP addresses for everything on the camera VLAN, including the L2 switch, and then have a single router with another static IP fed off of the L2 that handles DHCP/NAT for my home network? I would then hang my APs off of this main router to provide whole-house coverage. I understand that I'd have a bandwidth bottleneck, but I never anticipate needing heavy traffic between the camera network and home network, so I don't think I'd be bothered by it.
  4. I've never played with a managed switch before. How would I get communication between VLAN10 and VLAN20? I don't need a lot of bandwidth, but I'd like to be able to view the cameras from inside my own network.


oikjn

Ars Scholae Palatinae
1,015
Subscriptor++
The suggestion for an isolated IPCCTV network is for a couple reasons which you might ultimately not consider important.

1. Depending on the setup, the bandwidth requirements for IPCCTV can quickly consume ports and switches, and as such it is simply easier to keep it separate so that it is easier to implement QoS or other ways to monitor and manage the network.
2. Most of those recommendations come from assuming that the IPCCTV system is a critical infrastructure item similar to phones+911. With that, having non-critical items on the same network can potentially cause a situation where a rogue device can disrupt the network and take cameras offline.
3. Depending on the cameras you are using, there is definitely a potential security issue from vulnerable firmware getting hacked if exposed. On an isolated network, it is easier to setup a more restricted set of rules for what is and isn't allowed in/out of the IPCCTV camera network.

At work, we have ~70 cameras on their own VLAN, but at home, I've got 4 cameras on a flat network. If you are talking about 2-4 cameras, I vote K.I.S.S.
 
  1. Do I really need a VLAN to do this?

Nope. oikjn's post covers why you may want it; additionally, I would add that a lot of people recommending a separate VLAN do so with the assumption you're buying random cheap Chinese crap for your cameras, which may either be backdoored or easily hacked. A VLAN can make it easier to make rules on your firewall to block outbound traffic to the Internet and the rest of your network. You can do the same rules without a VLAN, but it takes more time because you need to make individual rules for each camera. In a home environment with something like 4 cameras, it's easier to just make rules for each camera than it is to learn how to set up a VLAN. If you buy your cameras from a reputable manufacturer, this isn't an issue.

  2. I wanted an inexpensive option, hence the SRW248GP. However, being that it's an L2 switch, it does not do any DHCP. The main router feeding into this switch was planned to be a cheapo home network piece of junk. Is an old router up to the task of handling DHCP for a managed switch with two VLANs?

DHCP is a very lightweight protocol. Your consumer grade router can handle it just fine. I wouldn't complicate your setup and inflate your costs by trying to get your switch to deal with it.

  3. If I put something like this together, do I even need DHCP hanging off the cable modem? Can't I hard code IP addresses for everything on the camera VLAN, including the L2 switch, and then have a single router with another static IP fed off of the L2 that handles DHCP/NAT for my home network?

As mentioned, don't use static IPs. Use DHCP reservations.

  4. I've never played with a managed switch before. How would I get communication between VLAN10 and VLAN20? I don't need a lot of bandwidth, but I'd like to be able to view the cameras from inside my own network.

Your router would route between them, unless you get an L3 switch (more money), in which case your switch can do it.

edit: the switch you're planning to buy is fast ethernet only. If you're planning to use it for the cameras only, it'll be fine, but if you are planning on using other devices, I'd recommend something like this:
https://www.ebay.com/itm/ARUBA-NETWORKS ... SwBQ1dDQys
 
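The "rules for each camera" versus "one rule for the camera VLAN" point above, as an added example that is not part of the thread. It writes the same isolation policy both ways, renders each as an nftables forward chain, and checks what happens to a new flow with a small first-match evaluator. Addresses, VLAN numbers and camera hosts are constructed for illustration. The caveat it makes visible: traffic between two hosts on the same L2 segment is switched and never reaches the router, so on a flat LAN the firewall only ever sees camera traffic leaving the subnet; camera-to-PC traffic is unfiltered no matter how many per-camera rules you write.

```python
"""Added example (not from the thread): camera-isolation policy two ways,
flat LAN with per-camera rules versus a dedicated camera VLAN.
Addresses, VLAN numbers and hosts are constructed for illustration."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
FLAT_LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed flat home LAN
HOME_VLAN = ipaddress.ip_network("10.10.0.0/24")    # constructed VLAN 10
CAM_VLAN = ipaddress.ip_network("10.20.0.0/24")     # constructed VLAN 20


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "accept" or "drop"


def flat_policy(cameras):
    """Flat LAN: one egress rule per camera address, then let everyone else out."""
    rules = [Rule(ipaddress.ip_network(f"{c}/32"), ANY, "drop") for c in cameras]
    rules.append(Rule(FLAT_LAN, ANY, "accept"))
    return rules


def vlan_policy():
    """Camera VLAN: three rules, unchanged however many cameras are added later."""
    return [
        Rule(HOME_VLAN, CAM_VLAN, "accept"),  # viewing cameras from inside (question 4)
        Rule(CAM_VLAN, ANY, "drop"),          # cameras initiate nothing, anywhere
        Rule(HOME_VLAN, ANY, "accept"),       # normal Internet access for the house
    ]


def to_nft(rules):
    """Render the policy as an nftables forward chain (NAT/masquerade not shown)."""
    lines = [
        "table inet cams {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        match = f"ip saddr {r.src}" + ("" if r.dst == ANY else f" ip daddr {r.dst}")
        lines.append(f"    {match} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


def decide(rules, segments, src, dst):
    """Outcome for a new flow: 'switched' when both ends share an L2 segment
    (the router is never consulted), else first match against the rules,
    default drop like the chain policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in seg and d in seg for seg in segments):
        return "switched"
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return "drop"


if __name__ == "__main__":
    print(to_nft(flat_policy(["192.168.1.21", "192.168.1.22"])))
    print(to_nft(vlan_policy()))
    print(decide(flat_policy(["192.168.1.21"]), [FLAT_LAN], "192.168.1.21", "192.168.1.50"))
    print(decide(vlan_policy(), [HOME_VLAN, CAM_VLAN], "10.20.0.21", "10.10.0.50"))
```

Run it and compare the two `decide` results at the end: the flat LAN reports `switched` for camera-to-PC, the VLAN layout reports `drop`. The flat ruleset also grows by one line per camera, which is the maintenance cost the post describes.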

Frennzy

Ars Legatus Legionis
85,841
DHCP is a very lightweight protocol. Your consumer grade router can handle it just fine. I wouldn't complicate your setup and inflate your costs by trying to get your switch to deal with it.

Most of them won't be able to handle multiple scopes (i.e. VLANs and broadcast-unicast ip helper type stuff). It's not a loading problem, it's a feature problem.

That said, VLANs are quite simple, but not really necessary in this application. The main benefit here is avoiding overloading the camera NICs/CPUs (presumably quite wimpy) with broadcast traffic. Unless you already have a lot of this type of traffic, it'll probably be fine to build it flat.

Seems like all the other questions have been answered pretty well.
 

Paladin

Ars Legatus Legionis
33,531
Subscriptor
Yeah for that few cameras having them on the same network is probably fine BUT if they are the kind of cameras that phone home to some kind of cloud service then I would be more wary. Best case scenario, nothing bad will happen and eventually (a year or three) the cloud functions will be abandoned by the provider and you will be stuck with half functional cameras. Worst case scenario, they phone home and somehow end up exploited and perverts around the world are watching you shower each day and eventually they figure out how to make the cameras start on fire and burn down your home. :scared:

That's not a likely scenario but ... I'd stay away from the ones that connect to some kind of cloud service unless you go for a service you feel you can really, really trust.

I would spend your money on the wifi access points. That is where you will get the most bang for the buck in your design. That and a good switch. It doesn't have to be managed but it should at least be gigabit and have plenty of ports, 16 or so at least in your scale of setup.

For your router that connects to the internet, don't cheap out there. You don't need the $400 'gaming' router, those are BS. Just something reliable that has enough grunt to keep your network running and not hang after a couple of weeks or slow down your internet service.
 
Thanks for the replies and advice, all. I do plan on adding a few more cameras in the future, but I think I like the recommendation to KISS and make the thing flat. I'm purchasing good cameras that don't have cloud services and shouldn't phone home, so I think the main benefit to VLAN would be QoS and management, things that as you all mentioned are probably not a concern.

hestermofet, thank you for the recommendation on the switch.
 
DHCP is a very lightweight protocol. Your consumer grade router can handle it just fine. I wouldn't complicate your setup and inflate your costs by trying to get your switch to deal with it.

Most of them won't be able to handle multiple scopes (i.e. VLANs and broadcast-unicast ip helper type stuff). It's not a loading problem, it's a feature problem.

That said, VLANs are quite simple, but not really necessary in this application. The main benefit here is avoiding overloading the camera NICs/CPUs (presumably quite wimpy) with broadcast traffic. Unless you already have a lot of this type of traffic, it'll probably be fine to build it flat.

Seems like all the other questions have been answered pretty well.

From what I've read, you are 100% correct that home routers do not support this. Do you know of a low cost router that can handle the VLAN DHCP?
 
I would spend your money on the wifi access points. That is where you will get the most bang for the buck in your design. That and a good switch. It doesn't have to be managed but it should at least be gigabit and have plenty of ports, 16 or so at least in your scale of setup.

For your router that connects to the internet, don't cheap out there. You don't need the $400 'gaming' router, those are BS. Just something reliable that has enough grunt to keep your network running and not hang after a couple of weeks or slow down your internet service.

Do you have any specific products you'd recommend for AP and main router?
 

Paladin

Ars Legatus Legionis
33,531
Subscriptor
I'd go with at least an Archer C7 or similar main router. It's a great consumer level wifi router. I've had one for years and had no issues at all.
If you want something more beefy, a used Fortigate or Fortiwifi (60D or similar level) will be overkill. There are a bunch of Edgerouter and Unifi USG models that people talk about a lot but I haven't messed with them, I keep seeing too much confusion about hardware processing issues when you turn on certain features, gotchas with certain options or models, model level identification issues, etc.

We're right at the edge of where WiFi 6 will come down to the reasonable consumer level, so I wouldn't break the bank on access points or wifi routers right now because new and great things are around the corner, say beginning of 2020 though you might see some good stuff hit the shelves in time for Christmas. I'm sure Netgear and similar companies want to hit that sales market with a new product line.

Personally I would go with an Archer C7 for router and more of them for access points. Set them all to have the same LAN network (10.30.30.0/23 with 10.30.30.1 on router 1, 10.30.30.2 on the first access point, 10.30.30.3 on the next and so on, as needed). Turn off DHCP on all but the main router. Connect the routers on their LAN ports to the main switch. Connect the rest of the equipment. Configure the rest of the stuff (DHCP, WiFi etc.).

The C7 model (and the A7 that is basically the same thing from what I read) should be dirt cheap and do a good job for you until WiFi6 options are out and affordable and relatively bug free.
 

spiralscratch

Ars Tribunus Militum
2,926
Subscriptor
From what I've read, you are 100% correct that home routers do not support this. Do you know of a low cost router that can handle the VLAN DHCP?
Do you have any specific products you'd recommend for AP and main router?

For the router, the Ubiquiti EdgeRouter line is certainly capable of handling multiple VLANs and supporting services (DHCP, etc.). I'd suspect that pfSense/OPNsense could probably do it as well, if you're willing to put together your own box.

For APs, the "standard" for home seems to be Ubiquiti's UniFi line. IIRC TP-Link also has a line of AP-only (no routing/etc.) units.
 
I'm very happy with my two TP-Link EAP245. They're very low cost and don't require a controller to run unless you need a more complex setup. I used to use Unifi UAPs but I found the firmware and software buggy. It was great when it worked, but when it didn't it was a real mess. Stuff like my controller completely disassociating from all my APs, and then needing to setup the entire system all over again from scratch as a result. The TP-Links just work.

The EdgeRouters from Ubiquiti are pretty good, but I had a couple die from hardware failures. Not sure what the cause was. Paladin is very right about different models supporting or not supporting certain software features and/or hardware acceleration of other features in very subtle not-obvious ways. You really need to do your research to figure out which model supports the features you need at the performance level you want.

I use pfSense now, and really love the easy to use interface. There's a huge level of power and configurability lying under the hood if you need it, but if you want to use it as a simple consumer grade router, you can. Most people build their own (I did) but Netgate does sell appliances too.
https://www.netgate.com/products/appliances/
 
Thanks again for all the discussion and advice. I have a real stupid question now, so please bear with me. Actually, two stupid questions.

It was mentioned earlier that an Aruba switch would provide a low cost GbE option that would probably do a great job. I was having trouble finding datasheets on that model, but I did find another model on eBay that's similar (S3500-24P, link below). This is an L3 switch and will do all the VLAN stuff if I choose to go that route. IE, it looks like a good option, but here's the dumb question. These routers for sale are configured with a 10G SFP+ uplink option, and I don't want to have to deal with that. Can I simply use any of the other 24 standard GbE ports to act as an 'uplink' and still get the full L3 managed feature set?

Second dumb question, if I use an L3 managed switch, can I get rid of the 'Router, Firewall, DHCP' box in my network topology diagram?

https://www.ebay.com/itm/Aruba-S3500-24 ... 3081172996
 

spiralscratch

Ars Tribunus Militum
2,926
Subscriptor
1. I don't know that particular switch, but I'd be surprised if you couldn't. Typically, the 10 Gb ports on a switch support all the same features as the 1 Gb ports.

2. All that a layer-3 switch gets you is direct routing between the two VLANs/subnets that contain your security setup and your PCs/etc (i.e., communication between the two will not have to pass through the router). You'll still need the router/firewall unit for your internet uplink.
 

Frennzy

Ars Legatus Legionis
85,841
These routers for sale are configured with a 10G SFP+ uplink option, and I don't want to have to deal with that. Can I simply use any of the other 24 standard GbE ports to act as an 'uplink' and still get the full L3 managed feature set?

Yes, unless the manufacturer is an idiot. ;)

Second dumb question, if I use an L3 managed switch, can I get rid of the 'Router, Firewall, DHCP' box in my network topology diagram?

Not a stupid question at all. An L3 switch is in all aspects a functional, high speed router. For routing. What *else* it can do depends on make and model. I would be very surprised if it can't do DHCP, but like spiralscratch, I don't know that particular switch.

As for firewall...now we're getting a bit into the weeds. Can it do ACLs? Probably. Can it do NAT? Probably. Can it do anything more meaningful from a firewall perspective? Doubtful...nor would you want it to. FW and especially SPI/DPI/NGFW stuff is very processor intensive...stuff you don't want happening on a box that you rely on primarily to push packets. So, I'd offload that to another purpose-built box. Roll yer own, or SOHO/prosumer, doesn't matter. Let the switch handle the VLANs, and L2/L3 switching. Let the other box handle DHCP (if it can for multiple VLANs) and firewall/NAT duties.
 

Paladin

Ars Legatus Legionis
33,531
Subscriptor
Yeah, layer 3 switches are for getting packets from this VLAN to that VLAN. Not much else.
I have seen switches with a lot of features like DHCP snooping, and DHCP relay, DNS features even (very slim ones), ACLs for limiting traffic from one network to another and even integrated wireless access point management. Personally, I don't want any of that in a switch. I want the switch to switch/forward frames and packets. That's it. It can spit out SFlow traffic reporting or similar and have management features. Adding on fabric integration, stacking, and advanced Link Aggregation and redundancy features are all great. However, the primary role should be moving traffic in some ports and out some other ports.

My network configuration and management features like DHCP, DNS, traffic control and inspection are to be done on another box and I really don't want the two mingled unless it is a very small network and then the box should primarily be a firewall with a built in 5-8 port switch. That's the only time I want those things hooked up in one device.
 
I would have recommended this model instead of the s1500, but its fan is LOUD. Not suitable for most home use. The s2500 is an even better option that's an L3 switch. It's very, very quiet with almost all the features of the s3500 (minus modular PSUs and modular 10Gbit), but unfortunately, it's kind of expensive now secondhand because a lot of people caught on to how bangin' good deal it is.

On the s3500, the 4 10Gbit ports are on a removable module. On the s2500 they're built in. They're labelled "uplink" because two of the 4 ports can be used for switch stacking, but in the software you can turn them all into normal "switching" ports. You don't need to use the 10Gbit SFP+ cages at all if you don't want, you can just stick to the regular 1GbE RJ45 ports.
 
I would have recommended this model instead of the s1500, but its fan is LOUD. Not suitable for most home use. The s2500 is an even better option that's an L3 switch. It's very, very quiet with almost all the features of the s3500 (minus modular PSUs and modular 10Gbit), but unfortunately, it's kind of expensive now secondhand because a lot of people caught on to how bangin' good deal it is.

On the s3500, the 4 10Gbit ports are on a removable module. On the s2500 they're built in. They're labelled "uplink" because two of the 4 ports can be used for switch stacking, but in the software you can turn them all into normal "switching" ports. You don't need to use the 10Gbit SFP+ cages at all if you don't want, you can just stick to the regular 1GbE RJ45 ports.

The datasheet I found had the 3500 noise level at around 42 dBA, which I thought was pretty quiet. If you say it's loud though, I'd trust your experience. In any case, just to update everyone on the latest, I crunched some more numbers and the enterprise grade switches will cost more than their purchase price in power each year. Based on that, I am really assessing whether or not I truly want to isolate the cameras using a VLAN. If not, then I can get by on something much more power efficient, such as the 16-port TP-Link below. There are two major drawbacks to it, namely that it only has 8 PoE ports and that it can only source up to 110W of total PoE.

https://www.amazon.com/gp/product/B0721 ... 0DER&psc=1
 

continuum

Ars Legatus Legionis
97,602
Moderator
If you don't care about VLANs we've used a few Netgear GS116PP's in the largest power supply (183W PoE) model. 16 ports so nothing too crazy.

That said, total PoE power may not be as big a deal as you think it is. A friend is running a ton of stuff -- all 48 ports are full -- including cameras, off his 48 port Ubiquiti PoE switch without issues. IIRC it's the 500W model, don't think it's the 750W one, and he hasn't had any issues.
 

Utwig

Ars Tribunus Angusticlavius
6,182
Since I'll be facing similar problems at work, I'm going to post to this thread. Currently we have a flat network, but we built a new HQ building adjacent to the existing one with a nice server room, so I'll be able to get proper cabling and labelling in place. (The current situation is a bit messy.) I'm also punching above my weight and learning new stuff.

In the new building there are around 10-20 security cams on top of the 8 or so existing ones. I want to create a VLAN for cams (and some other VLANs for guests, phones, network equipment). I have a Mikrotik RB2011 connected to fiber as our uplink and a Windows server doing DHCP. The new switches are brand new Aruba 1950 with 48 ports and PoE; I'm currently working on getting the uplink between them working.

Since I'll be putting cams on a separate subnet and VLAN I have a couple of questions:
It seems logical to not allow traffic from cams to servers, I'd only allow traffic from machines who need to access webcams (management).

Thus it seems it's better to get something else to act as DHCP server for webcams subnet and VLAN.
- do I add an inexpensive router (like existing Mikrotik)? Or Linux box in VM on existing ESX server?
- what acts as router/firewall between webcams and windows machines VLAN
- something else?

I will also do new WiFi access points throughout both buildings where I plan to have 2-3 WLANs (users, guests, perhaps phones separate).
 

Paladin

Ars Legatus Legionis
33,531
Subscriptor
For the increase in complexity you are talking about, I would seriously recommend a better firewall. I am seeing issues from people about that Mikrotik saying it may max at around 35-80 megabit in some cases. That's not going to be great when you need to pass traffic from one VLAN to another VLAN through it. Either you need a bigger firewall from Mikrotik or something like a Fortigate, at least a 60D or better.

I would also suggest you keep things in a single thread to keep it sane for you to be on top of the various issues. You have a lot of changes you need to handle, make sure you have your own notes and ticket system for handling all the various parts you need to manage.
 

spiralscratch

Ars Tribunus Militum
2,926
Subscriptor
Thus it seems it's better to get something else to act as DHCP server for webcams subnet and VLAN.
- do I add an inexpensive router (like existing Mikrotik)? Or Linux box in VM on existing ESX server?
- what acts as router/firewall between webcams and windows machines VLAN
- something else?

There's no reason to run a separate DHCP server for this. It's only a small scope of maybe 3 dozen addresses that should probably have longer lease times (the cameras aren't moving around). This is essentially no load on the DHCP server. Just set up your DHCP relay properly for the cam VLAN.
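Frennzy's point earlier in the thread (most consumer routers fail on multiple scopes and "ip helper" relaying, a feature gap rather than a load problem) and spiralscratch's "set up your DHCP relay properly" above, as an added example that is not part of the thread. It builds a DHCPDISCOVER in the RFC 2131 fixed-header layout, performs the relay agent's job on the camera VLAN (stamp `giaddr`, bump `hops`, forward by unicast), and shows how the server picks a scope from `giaddr`. A server that only knows one scope gets `None` for the relayed request. Addresses, VLAN numbers, the MAC and the function names are constructed for illustration.

```python
"""Added example (not from the thread): DHCP relay and scope selection across
VLANs. Addresses, VLAN numbers and the client MAC are constructed."""
import ipaddress
import struct

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP/DHCP header

HOME_VLAN = ipaddress.ip_network("10.10.0.0/24")   # VLAN 10, the DHCP server lives here
CAM_VLAN = ipaddress.ip_network("10.20.0.0/24")    # VLAN 20, cameras


def build_discover(xid, mac):
    """Client broadcast exactly as a camera sends it: giaddr and hops are zero."""
    hdr = struct.pack(
        HEADER_FMT, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,        # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, 255])     # option 53 = DISCOVER, then END


def parse_header(pkt):
    f = struct.unpack(HEADER_FMT, pkt[:236])
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.ip_address(f[10])),
            "chaddr": f[11][:f[2]]}


def relay(pkt, relay_addr):
    """What the relay agent (ip helper) on the camera VLAN does: write its own
    address on that VLAN into giaddr (only if not already set), increment hops,
    and unicast the packet to the server on the other VLAN. Broadcasts do not
    cross a VLAN boundary, so without this step the server never sees it."""
    hdr = parse_header(pkt)
    if hdr["giaddr"] != "0.0.0.0":
        return pkt
    return (pkt[:3] + bytes([hdr["hops"] + 1]) + pkt[4:24]
            + ipaddress.ip_address(relay_addr).packed + pkt[28:])


def select_scope(pkt, received_on, scopes):
    """Server side. When giaddr is set it is the only thing that tells the
    server which subnet the client is on; otherwise the receiving interface
    decides. A one-scope consumer router (scopes=[HOME_VLAN]) returns None for
    a relayed camera request: it has the capacity, just not the feature."""
    hdr = parse_header(pkt)
    key = hdr["giaddr"] if hdr["giaddr"] != "0.0.0.0" else received_on
    addr = ipaddress.ip_address(key)
    for net in scopes:
        if addr in net:
            return net
    return None


if __name__ == "__main__":
    discover = build_discover(0x1234, bytes.fromhex("001122334455"))
    relayed = relay(discover, "10.20.0.1")          # router's address on VLAN 20
    print(parse_header(relayed))
    print("two scopes:", select_scope(relayed, "10.10.0.1", [HOME_VLAN, CAM_VLAN]))
    print("one scope :", select_scope(relayed, "10.10.0.1", [HOME_VLAN]))
```

The `relay` step is what the "ip helper" or "DHCP relay" setting on the router or L3 switch does; the server side only works if it has a scope that contains the relay's `giaddr`, which is why the camera VLAN needs its own scope on the Windows server rather than a second DHCP server.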