VLAN isolation still permitting net traffic

TrumanShow

n3wb
Dec 23, 2024
UK
Hi Guys - I have read the posts on this forum regarding Chinese equipment concerns and took the liberty of isolating my NVR/CCTV traffic through a separate VLAN on my common router, to attempt to prevent external communication.

I moved all my NVRs and cameras onto a separate subnet, and used another switch to integrate all my NVR/camera endpoints into a common RJ45 connection, which I then plugged into a port on my router that I designated a separate VLAN. I also enabled "port isolation", which should ensure no traffic from this port is ever allowed to exit through another port. I then configured a subnet-specific VPN specifically for this VLAN (as allowed for by the router) and was of the opinion that this should prevent my NVR/cameras having internet connectivity.

This is not the case, however - when I use the test function of the email-send feature on my NVR, it still succeeds, and NTP connectivity is also seen to be active.

My router has a separate WAN port which is not part of the port configuration setup in the UI - but my understanding is that any router that allows a VLAN-specific VPN option must still allow internet traffic to pass through a different VLAN-configured port, otherwise how would VPN access be provided to it?

Can you advise if Dahua NVRs have some ability to communicate outside their assigned subnet - or does anyone have some other fool-proof way of isolating traffic?
 
Change the IP address range to one that your router doesn't treat as having access to the internet. Like for me, I have a few different routers; most of them are just bridges and get the info from my main router. However, I have one router that I don't have set up that way, and it can also be done just by changing the static info on your cameras/DVR/NVRs to have one outside of your normal range, if in fact your VLAN is letting traffic flow.

My VLAN from my switch is set up to not be connected to the internet, and if I send a request from one of the devices that would normally send if I opened the VLAN to have internet access, when I put it in that VLAN it will fail. Plus all NTP is going to my NTP server, which does have access to the VLAN, but the devices that are in that VLAN are only set up to be allowed NTP access.

Anyway, back to the other router. It has its own IP, and that IP has been denied internet access on my main router, and because of that all devices connected to that router are also rejected. So there are ways that it can be done. I don't know what or why yours isn't cut off unless it is being done through your VPN. Not something I have set up in mine. My main computer has multi-IP settings and I can access any of the devices over my VLAN setup. Now I do know that if I were to set up NGROK on my computers to give access to a blocked device, it will tunnel past the block, because it is using a tunnel that is on my computer that has access. So that is why I am guessing that it might have something to do with your VPN..?
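As an added example (not posted by anyone in this thread), here is the kind of router-side forward policy that actually stops the OP's CCTV VLAN from reaching the WAN while keeping the local-NTP-only arrangement the reply above describes, written as an nftables ruleset for a Linux-based router. The interface names, subnets and the NTP server address are assumptions.

```nft
# Added example, not from this thread. Assumed layout of a Linux-based router:
#   eth0     WAN uplink
#   eth1.10  CCTV VLAN (NVR + cameras), 192.168.10.0/24
#   eth1.20  trusted LAN, 192.168.20.0/24, with a local NTP server at 192.168.20.5
#   wg0      VPN tunnel, 10.8.0.0/24, used to reach the NVR remotely
# "Port isolation" only stops the switch bridging frames between its ports; once
# the router *routes* a packet from the CCTV VLAN toward the WAN it is forwarded
# and NATed like any other, so the restriction has to live in the forward chain.

table inet cctv_isolation {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections already allowed below (VPN/LAN -> NVR streams,
        # NTP responses) come back through here.
        ct state established,related accept

        # Trusted LAN and VPN clients may open connections *into* the CCTV VLAN.
        iifname { "eth1.20", "wg0" } oifname "eth1.10" accept

        # The only thing the CCTV VLAN may start itself: NTP to the local server.
        iifname "eth1.10" oifname "eth1.20" ip daddr 192.168.20.5 udp dport 123 accept

        # Everything else the NVR initiates (SMTP "test email", public NTP pools,
        # DNS, vendor cloud/P2P) is logged and dropped.
        iifname "eth1.10" log prefix "cctv-egress-drop: " drop

        # Ordinary LAN and VPN clients keep their internet access.
        iifname { "eth1.20", "wg0" } oifname "eth0" accept
    }
}
```

Load it with `nft -f` and re-run the NVR's email test: the attempt should now fail, and a `cctv-egress-drop:` line should show up in the kernel log (`dmesg` or `journalctl -k`) for each blocked connection.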
 
I'm not sure what setting up a VPN has to do with preventing your VLAN hitting the internet.

Perhaps if you tell us what model router you're using we can confirm the settings etc.
 
The VPN is just providing access to the unique subnet - I wasn't suggesting it had any bearing on preventing internet access, other than as a non-intended consequence of course, as the user above had suggested.