Networking Gurus - Tell me why this wouldn't work

Les White

I know CFF has some sharp network guys, so I thought I'd bounce this off the collective.

As I add more IP cameras to my security system, my home network/router is starting to get bogged down with internal traffic. I want to separate the cameras and DVR off onto their own subnet, but I don't want to spend the money on a multi-port router. I'm proficient in Cisco IOS, so Cisco would be my first spendy choice. My router is a Netgear R8000, and while reasonably robust, it just can't do subnets.

I have a spare wifi router with a gigabit switch lying around, so I thought rather than get one big business-class Cisco router, I'd let the spare router do that bit of routing. Just disable the radio and use it as a wired router.

I realize I'd have to do some tricky double NATting and port forwarding to get outside access to the BlueIris web interface on the 192.168.2.xxx subnet, but I think it's doable.

Thoughts?

[Attached image: upload_2018-7-18_12-17-19.png (network diagram)]
 
Interested to hear the answers to learn myself.
 
That design will work; I am actually using something similar in my network (Meraki). Just put the second router's 192.168.1.2 interface on its WAN/Internet port, since that is the routing interface. Then also be sure to port forward to THAT IP in your first subnet, then on that router forward to the 192.168.2.X (camera server IP) server. Remember to set the DHCP pool correctly to block out the range of your static devices, or set reservations. Good luck!!!

Just to add to this, and I am sure your router won't do it, but VLANs would be the most effective way to configure this.
 
Yeah, that's exactly what I was thinking. o_O
 
Looks like it will work. The difficulty I see is accessing your cameras from the home network. I think you will need a static route in the main wifi router that says traffic destined for 192.168.2.x goes through 192.168.1.2 (your second router with wifi disabled).
 
The Blue Iris app allows you to configure both an internal and external IP separately, so in the "local" field you would just set the IP of your secondary "video" subnet. That would hit the 192.168.1.X interface and the port fwd rule would send to your 192.168.2.x BI server.

(192.168.1.X LAN BI client app) --> 192.168.1.X (outside interface of video network router) --> port fwd rule to video server --> LAN interface of video router network (192.168.2.1) --> BI server (192.168.2.X)
 
I don't see why this wouldn't work. VLANs would be preferred as noted above, but work with what you got and save the dough on gun stuff.
 
My concern is that all VLAN traffic still has to flow through the primary router even though it's isolated on the VLAN. With this scenario I'm hoping the second router will keep the camera traffic completely off the primary router.
 
Both of those points are valid and true; however, with the higher-end processing power of a Cisco or Meraki device, segregating the traffic is minimal additional load, especially for 1 VLAN. But either way, both of those scenarios will get you the desired result.
 
On your 2nd (camera) router, have it give out bogus gateways to the cameras via DHCP. You don't want them talking off your network at all. Some of the smarter cameras I have were set with a static gateway and they DHCP'ed one anyway to try to get around my block (because my crappy router won't let me firewall off more than 14 IPs or something, I can't block everything I wanted to block). Maybe they were just trying to be helpful and connect to some Chinese cloud server, or maybe not. Best not to let them even try.

If you want it even more secure, don't let the 2nd router route at all; just dual-home the Blue Iris box. I've done that too. There is no way for anyone to get off your .2 camera subnet (unless you hack the Blue Iris server and turn it into a router/NAT box). The router at that point becomes a DHCP server for the cams and that's it. No double IP forwarding from your public IP to your .1 net to your .2 net needed.

EDIT: had to change IP ranges because you're some sort of commie who's not running 0.0/24 as your primary net. :)
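To make the two pieces of advice in this thread concrete (the static route plus two-hop port forward for reaching the Blue Iris box described a few replies up, and the "cameras talk to nothing but the BI server" policy in the reply just above), here is a small Python model of the routing, NAT and forwarding decisions involved. This is added example code written for this thread, not anything posted by the members above and not part of Blue Iris or any router firmware. The two subnets come from the thread; the WAN addresses (documentation ranges), the 192.168.1.2 video-router address, the BI server at 192.168.2.10, and the ports 8081/81 are assumed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing that mirrors the thread: home LAN on 192.168.1.0/24,
# camera LAN on 192.168.2.0/24. Every concrete host address below is assumed.
HOME_NET = ip_network("192.168.1.0/24")
CAM_NET = ip_network("192.168.2.0/24")
PUBLIC_IP = ip_address("203.0.113.10")        # placeholder WAN address (documentation range)
ISP_GATEWAY = ip_address("198.51.100.1")      # placeholder upstream gateway
VIDEO_ROUTER_WAN = ip_address("192.168.1.2")  # second router's WAN-side address on the home LAN
BI_SERVER = ip_address("192.168.2.10")        # assumed Blue Iris host on the camera LAN
BI_PORT = 81                                  # assumed Blue Iris web port

# Static route table of the primary router. A gateway of None means "directly connected".
PRIMARY_ROUTES = [
    (HOME_NET, None),
    (CAM_NET, VIDEO_ROUTER_WAN),            # the static route the thread says the main router needs
    (ip_network("0.0.0.0/0"), ISP_GATEWAY),
]


def lookup_route(routes, dst):
    """Longest-prefix match: return (network, gateway) for dst, or None if nothing matches."""
    dst = ip_address(dst)
    candidates = [(net, gw) for net, gw in routes if dst in net]
    if not candidates:
        return None
    return max(candidates, key=lambda entry: entry[0].prefixlen)


# Port-forward (DNAT) tables: outside -> primary router -> video router -> BI server.
PRIMARY_PORT_FORWARDS = {(PUBLIC_IP, 8081): (VIDEO_ROUTER_WAN, 8081)}
VIDEO_PORT_FORWARDS = {(VIDEO_ROUTER_WAN, 8081): (BI_SERVER, BI_PORT)}


def inbound_path(dst_ip, dst_port):
    """Follow an outside client's packet through both NAT hops.
    Returns the (ip, port) the packet is addressed to at each stage."""
    hops = [(ip_address(dst_ip), dst_port)]
    for table in (PRIMARY_PORT_FORWARDS, VIDEO_PORT_FORWARDS):
        if hops[-1] in table:
            hops.append(table[hops[-1]])
    return hops


def forwarding_policy(src_ip, dst_ip):
    """Decision for a routed flow at the camera-side router (or a dual-homed BI box).
    Cameras may only talk to the BI server; they get no path to the home LAN or the
    internet. Home LAN hosts may still reach the camera subnet for management."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if src in CAM_NET:
        return "allow" if dst == BI_SERVER else "deny"
    return "allow"


def audit_camera_egress(flows):
    """Given (src, dst) pairs seen at the camera router, return the camera addresses
    that attempted a denied destination, e.g. a camera trying to phone home to a cloud service."""
    offenders = set()
    for src, dst in flows:
        if ip_address(src) in CAM_NET and forwarding_policy(src, dst) == "deny":
            offenders.add(src)
    return sorted(offenders)


if __name__ == "__main__":
    # Constructed sample flows: two cameras streaming to BI, one camera trying an outside host,
    # and a home PC opening the BI web interface.
    sample = [
        ("192.168.2.21", "192.168.2.10"),
        ("192.168.2.22", "8.8.8.8"),
        ("192.168.1.50", "192.168.2.10"),
    ]
    print(lookup_route(PRIMARY_ROUTES, "192.168.2.10"))
    print(inbound_path("203.0.113.10", 8081))
    print(audit_camera_egress(sample))
```

The routing table shows why the main router needs the static route: without the 192.168.2.0/24 entry, a home PC's packet for the BI box would match only the default route and go out to the ISP. The `forwarding_policy` function is the dual-homed case from the reply above expressed as a rule: the only thing a camera can reach through the box is the BI service itself, and `audit_camera_egress` is the check you would run over the router's deny log to spot cameras that ignore their bogus gateway and try to reach the internet anyway.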
 
A year later, I couldn't make the router(s) do what I wanted. Consumer grade routers only really care about one subnet. So I used a new server to act as the middle man and segregate the network.

The server has 4 network ports, I'm using two for now but if I need to I'll load balance in a third one to the 1.1 router.

[Attached image: upload_2019-5-14_9-27-55.png (network diagram)]

The 0.1 network can see the 1.1 and access the internet, but the 1.1 can't see the 0.1 (yet). The server can see both. I can access the Blue Iris interface from anywhere on the 1.1. So far the traffic seems to be completely segregated and performance on the home network is greatly improved. When copying files to the server I've seen a 100%+ speed increase.

The server is an older T320, E5-2470 V2 10 core / 20 thread, 16GB, Quadro 4000 GPU, 8 - 2TB RAID5 array. Primary boot is a little 500GB 2.5" disk, the BI records to a 4TB drive stuffed into the gutted DVD drive.

[Attached images: upload_2019-5-14_9-36-14.png, upload_2019-5-14_9-36-31.png, upload_2019-5-14_9-36-49.png (server photos)]
 