Creating a VLAN using a 2nd Router as an AP

[Richdem]

Good evening all,

I have been thinking about moving my 6 camera's onto a VLAN so they are off my main network. Currently I use an Asus AC86U and have blocked the internet access to all the cameras. I access BI remotely using OpenVPN and use the WebUI as if I was at home on the network. I was looking at buying a managed switch for the purpose of setting up the VLAN for the cameras but then I realized I had a spare Asus AC1900P that I wasn't using. Can I use this wireless router to create a VLAN. My local IP is 192.168.1.xx, Would I be able to setup the AC1900P as an AP so that it uses say 192.168.100.xx and then connect the camera's to this network? Basically setting it up as an access point but not having it part of my main network.

My BI machine sits on my 192.168.1.xx network and needs to stay on there, if the above is possible I know I could install a 2nd network card in my PC to get access to the network the cameras would be on but would it be possible for the PC with BI on my main network to access the cameras on the other network without a 2nd NIC?

I know a little about networking but this is making my brain hurt thinking about whether it would work lol. The other option is I could install DD-WRT on my main AC68U and then configure a VLAN all from the same router. I watched a YT tutorial on exactly how to do this and it was even possible for devices on the main network to access the cameras but not the other way.

Hope I have made myself clear in what I am trying to achieve.

Thanks in advance for any help,

 

[wittaj]

A downstream router can access the main router if the IP address range is known for that device, so it really doesn't act as a VLAN.

I thought the same thing once and someone here mentioned anything downstream can access the main router and IP address, and sure enough I typed in an IP address of the main and bam was into that IP.

 

[Richdem]

A downstream router can access the main router if the IP address range is known for that device, so it really doesn't act as a VLAN.

I thought the same thing once and someone here mentioned anything downstream can access the main router and IP address, and sure enough I typed in an IP address of the main and bam was into that IP.

Hmm ok,

Maybe I’ll just try the DD-WRT option on my AC1900 and create an actual VLAN. That way I have my original router as redundancy if I want to go back

 

[mikeynags]

You are better off looking at managed switches than creating VLANs on the router. Ubiquiti gear is pretty nice and easy to setup although not cheap. Ebay is a good source for used gear.

 

[Richdem]

You are better off looking at managed switches than creating VLANs on the router. Ubiquiti gear is pretty nice and easy to setup although not cheap. Ebay is a good source for used gear.

If I go down the route of a managed switch will I then need a 2nd network card in my PC so that Blue Iris will be able to see the cameras?

 

[mikeynags]

No you wouldn’t technically need the 2nd NIC in this scenario. My only point was to look at a managed switch versus going down the multiple router path trying to show horn VLANs in. It may still be a learning curve for you. Lots of videos on YouTube by Crosstalk Solutions or Lawrence Systems on setting up ubiquiti gear with VLANs.


Sent from my iPhone using Tapatalk

 

[wittaj]

Many of us just go with the dual NIC system because it works, it is easy, it is cheap, and no real learning curve than trying to set up an EdgeRouter VLAN for example.

 

[mikeynags]

It's really going to depend on your network knowledge, how much time you need to invest in learning what you need to know, the current state of what you have in terms of wiring etc. @wittaj brings up a good point though on the edge router. Here is a link if you wanna do some research on that. Ubiquity EdgeRouter X - Configuring to Isolate Surveillance Networks

 

[d5775927]

Not sure if this fits what you are looking for, but in some new routers you can prevent internet access from a specific host.
If all you cameras are behind a NVR or other router, you can prevent internet access from that router/NVR and you are good (this is less secure from a VLAN but doesn't require you to buy more equipment)

 

[Richdem]

Hi All,

I appreciate all the advice.

I had some time to kill recently so I flashed an my Asus router with DD-WRT and setup a separate VLAN for my 6 security cameras. By using firewall rules I have blocked access from my new VLAN where the cameras are sitting to my private network and have allowed access from my private network where my BI machine is to the VLAN. (I wanted to try this option before I went down the 2nd NIC route) Now the cameras are all on a separate VLAN is there any need to block them from getting internet access? When they were all on my private network I did restrict internet access for them through the default Asus web interface and had to use the BI overlay to display date & time. I also have a new PC with an i7 - 8700 & 16GB DDR4 so it is not effected by having the overlays active on the 6 cameras.

I am just curious to see what you guys are doing