VLAN alternatives using Raspberry Pi

d5775927

Pulling my weight
Joined
Dec 11, 2019
Messages
288
Reaction score
223
Location
Israel
I have a Dahua NVR and a few Dahua cameras connected to the NVR.
I want to prevent internet access from the NVR, with minimum investment (there are too many devices connected to the same socket; I don't want to add more).
I thought about using a Raspberry Pi (which I already have running):
1. The NVR will be connected to the LAN port of a Raspberry Pi 3 (which supports both wired and wireless connections).
2. The Raspberry Pi will also be connected to the router using Wi-Fi.
3. Using iptables, define rules to drop packets from the LAN port to the internet (not sure yet how, but guessing this is possible).
Has anyone tried such an approach (or can you tell me if I should avoid it)?

Plan B:
I have an old router which is not in use and supports OpenWRT; I can use it and configure VLANs (but I would rather not, to avoid connecting another device to the same electrical socket, which has 7 devices connected to it).
 

biggen

Known around here
Joined
May 6, 2018
Messages
2,574
Reaction score
2,859
Why not just connect the NVR directly to the router? Then you block all outgoing access from the IP address associated with the NVR.
 

d5775927

Why not just connect the NVR directly to the router? Then you block all outgoing access from the IP address associated with the NVR.
My router doesn't support this feature (it supports this feature only for Wi-Fi clients).
It's a new Wi-Fi 6 router (so I don't plan to replace it soon).
 

biggen

You can't block incoming/outgoing traffic per IP address in your router for wired Ethernet?? That is... odd...

Anyway, to do what you want with the RPi you will have to have a different subnet on the Ethernet port than the subnet on the WiFi. So basically, your RPi will have two networks/subnets: one subnet for the wired Ethernet interface (where your NVR would connect) and then your LAN subnet on the WiFi interface. Then you can set up routing rules in the RPi via iptables to route/bridge between the two subnets.

If you have a switch that is VLAN capable and your router supports VLANs, it would be far easier to just forget about the RPi and just set up a VLAN just for the NVR. Then assign the switch port that the NVR plugs into to that VLAN ID. Then you set up the routing rules you want for that VLAN ID in your router.
 
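Added example (editor's, not config posted by anyone in this thread) of the iptables rule set the two-subnet Pi described above would need. It assumes eth0 faces the NVR on its own subnet 192.168.50.0/24 (Pi 192.168.50.1, NVR 192.168.50.108), wlan0 is the Pi's Wi-Fi client link to the home LAN 192.168.1.0/24, and the NVR's web UI and RTSP are exposed to the LAN on the Pi's ports 8080 and 554; interface names, addresses and ports are assumptions to be adjusted. Run it without arguments to print the rules for review, and as root with `apply` to install them:

```sh
#!/bin/sh
# Added example (not from the thread): iptables rules for a Raspberry Pi sitting
# between a Dahua NVR (eth0) and the home LAN / internet (wlan0).
# Assumed addressing - change these to match your network:
LAN_IF=wlan0                  # Pi's Wi-Fi client link to the home router
NVR_IF=eth0                   # Pi's wired port, the NVR plugs in here
HOME_NET=192.168.1.0/24       # home LAN behind the router
NVR_NET=192.168.50.0/24       # private subnet on eth0, Pi is 192.168.50.1
NVR_IP=192.168.50.108         # NVR's static address on that subnet
WEB_PORT=8080                 # LAN-facing port on the Pi forwarded to the NVR web UI (80)
RTSP_PORT=554                 # LAN-facing port on the Pi forwarded to NVR RTSP (554)

# Print the rules one per line so they can be reviewed before use. Custom chains
# keep them separate from anything else on the Pi (e.g. the VPN server's rules).
nvr_rules() {
  cat <<EOF
-N NVR_FWD
-A NVR_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A NVR_FWD -i $LAN_IF -o $NVR_IF -s $HOME_NET -d $NVR_NET -m conntrack --ctstate NEW -j ACCEPT
-A NVR_FWD -i $NVR_IF -j DROP
-I FORWARD 1 -j NVR_FWD
-N NVR_IN
-A NVR_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A NVR_IN -p udp --dport 67 -j ACCEPT
-A NVR_IN -j DROP
-I INPUT 1 -i $NVR_IF -j NVR_IN
-t nat -N NVR_PRE
-t nat -A NVR_PRE -p tcp --dport $WEB_PORT -j DNAT --to-destination $NVR_IP:80
-t nat -A NVR_PRE -p tcp --dport $RTSP_PORT -j DNAT --to-destination $NVR_IP:554
-t nat -I PREROUTING 1 -i $LAN_IF -j NVR_PRE
-t nat -N NVR_POST
-t nat -A NVR_POST -d $NVR_NET -j MASQUERADE
-t nat -I POSTROUTING 1 -o $NVR_IF -j NVR_POST
EOF
}

# Remove the chains from a previous run so the script can be re-applied safely.
nvr_cleanup() {
  iptables -D FORWARD -j NVR_FWD 2>/dev/null || :
  iptables -D INPUT -i "$NVR_IF" -j NVR_IN 2>/dev/null || :
  iptables -t nat -D PREROUTING -i "$LAN_IF" -j NVR_PRE 2>/dev/null || :
  iptables -t nat -D POSTROUTING -o "$NVR_IF" -j NVR_POST 2>/dev/null || :
  for c in NVR_FWD NVR_IN; do
    iptables -F "$c" 2>/dev/null || :; iptables -X "$c" 2>/dev/null || :
  done
  for c in NVR_PRE NVR_POST; do
    iptables -t nat -F "$c" 2>/dev/null || :; iptables -t nat -X "$c" 2>/dev/null || :
  done
}

nvr_apply() {
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  nvr_cleanup
  nvr_rules | while IFS= read -r rule; do
    iptables $rule        # word splitting of $rule is intended
  done
}

# "sh nvr-fw.sh" prints the rule set; "sudo sh nvr-fw.sh apply" installs it.
if [ "${1:-}" = apply ]; then nvr_apply; else nvr_rules; fi
```

The single `-A NVR_FWD -i eth0 -j DROP` is what enforces the policy: wlan0 is the Pi's only route out, so any connection the NVR tries to open, to the internet or to the LAN, is dropped regardless of what gateway or DNS the NVR has configured, while the ESTABLISHED rule above it still lets the NVR answer connections the LAN opened. The MASQUERADE on eth0 makes every LAN-originated packet appear to come from 192.168.50.1, so the NVR can be left with no gateway at all and still reply; the DNAT on wlan0 is needed because the home router cannot route to 192.168.50.0/24, so LAN clients reach the NVR at the Pi's Wi-Fi address on port 8080 (web) and 554 (RTSP). The udp/67 rule is only needed if the Pi also runs a DHCP server on eth0; otherwise the NVR cannot talk to the Pi itself at all. The rules are not persistent across reboots; re-run the script from a boot-time hook or save them with the distribution's iptables persistence package.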

d5775927

You can't block incoming/outgoing traffic per IP address in your router for wired Ethernet?? That is... odd...

Anyway, to do what you want with the RPi you will have to have a different subnet on the Ethernet port than the subnet on the WiFi. So basically, your RPi will have two networks/subnets: one subnet for the wired Ethernet interface (where your NVR would connect) and then your LAN subnet on the WiFi interface. Then you can set up routing rules in the RPi via iptables to route/bridge between the two subnets.

If you have a switch that is VLAN capable and your router supports VLANs, it would be far easier to just forget about the RPi and just set up a VLAN just for the NVR. Then assign the switch port that the NVR plugs into to that VLAN ID. Then you set up the routing rules you want for that VLAN ID in your router.
My current setup is as follows:
1) TP-LINK W9970 - used in bridge mode (to allow the ADSL connection)
2) Huawei WS7200 - used as the wireless router
3) Raspberry Pi connected via a LAN port to the router (used as a VPN server + dynamic IP client)

Other equipment I don't currently use:
1) TP-LINK 1043ND v1 (currently with stock OS, can flash OpenWRT easily)

I will try with the Raspberry Pi first (I don't think it's too complex; I just need to forward one port from the Wi-Fi to the wired card).
 

d5775927

Can you not set up an IP address with a blank gateway address and DNS for the NVR?
Not sure all devices honor the DNS config; some devices use preconfigured DNS servers if the connection fails (or even static IPs, which don't require DNS).
 

cctv-dave

Getting the hang of it
Joined
Mar 25, 2021
Messages
128
Reaction score
87
Location
yes
Not sure all devices honor the DNS config; some devices use preconfigured DNS servers if the connection fails (or even static IPs, which don't require DNS).
Yeah, so in your router you can point the IP for the DNS at the router itself through a static route and the DNS servers no longer work.
I do this to stop devices on my LAN using hard-coded DNS, like Google devices, which ignore the DHCP-assigned DNS. Added bonus: the internal name space works too.

But his main point was that if the NVR doesn't know the gateway address it isn't going to connect to the internet.
 

d5775927

Yeah, so in your router you can point the IP for the DNS at the router itself through a static route and the DNS servers no longer work.
I do this to stop devices on my LAN using hard-coded DNS, like Google devices, which ignore the DHCP-assigned DNS. Added bonus: the internal name space works too.

But his main point was that if the NVR doesn't know the gateway address it isn't going to connect to the internet.
I don't have an option for static routes in my router.
I will try to set the NVR DNS to blank and sniff its traffic to see if this really blocks everything.
 

cctv-dave

Shame you're using the TP-Link in bridge mode and not just as a normal router; then hang the WS7200 off the LAN for the extra Wi-Fi capability.
The TP-Link can potentially be flashed with OpenWRT to make it more secure and "featureable".

Thanks to OpenWRT and a consumer-grade router I've got a backup Wi-Fi link to my neighbours in case my broadband goes down.
Which is at least using the built-in Wi-Fi for something when running external (non-router-based) Wi-Fi APs.
 

d5775927

Shame you're using the TP-Link in bridge mode and not just as a normal router; then hang the WS7200 off the LAN for the extra Wi-Fi capability.
The TP-Link can potentially be flashed with OpenWRT to make it more secure and "featureable".

Thanks to OpenWRT and a consumer-grade router I've got a backup Wi-Fi link to my neighbours in case my broadband goes down.
Which is at least using the built-in Wi-Fi for something when running external (non-router-based) Wi-Fi APs.
If I use OpenWRT with the TP-LINK 1043ND v1 as the main router I will get decreased network performance (relative to the WS7200), see:

TP-LINK W9970 does not support OpenWRT.
 

iwanttosee

Pulling my weight
Joined
Dec 27, 2020
Messages
203
Reaction score
186
Location
US
TP-LINK 1043ND v1 as the main router
The only task the TP-LINK 1043ND v1 needs to do is DHCP server. You can turn the Wi-Fi off.

With OpenWRT installed, you can use the DHCP server to assign a "blank" gateway and a "blank" DNS address to specific devices so they can't go to the internet.

I'm not familiar enough with Raspberry Pis to know if the Pi's DHCP server offering can do the same.
 
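Added example (editor's, not posted by anyone in this thread) of the per-device "blank gateway, blank DNS" lease described above. Both OpenWRT and Raspberry Pi OS (after `apt install dnsmasq`) use dnsmasq as the DHCP server, and in dnsmasq a `dhcp-option` given with no value suppresses that option for the tagged host, so the same trick answers the Raspberry Pi question too. The MAC address and IP are assumptions; the `tag` option on an OpenWRT `host` section needs a recent OpenWRT release. Keep in mind that DHCP is advisory: a device that uses a static address, or hard-codes its own gateway or DNS, ignores all of this, which is why a firewall rule in the path is the only enforced version.

```sh
#!/bin/sh
# Added example (not from the thread): give one device (the NVR) a DHCP lease
# with no router option and no DNS option, so it gets an address but no way out.
# Assumed MAC address and IP - replace with the NVR's own values.
NVR_MAC=00:11:22:33:44:55
NVR_IP=192.168.1.108

# Plain dnsmasq configuration, e.g. /etc/dnsmasq.d/nvr.conf on a Raspberry Pi.
dnsmasq_nvr_conf() {   # dnsmasq_nvr_conf MAC IP
  cat <<EOF
# NVR: fixed address, tagged "nvr" so the options below apply only to it
dhcp-host=$1,set:nvr,$2,nvr
# options with no value are suppressed: no default route (3), no DNS servers (6)
dhcp-option=tag:nvr,option:router
dhcp-option=tag:nvr,option:dns-server
EOF
}

# The same lease as OpenWRT UCI commands (written to /etc/config/dhcp).
# A "tag" section carries the options; the "host" section binds the NVR to it.
uci_nvr_cmds() {   # uci_nvr_cmds MAC IP
  cat <<EOF
uci set dhcp.nvr=tag
uci add_list dhcp.nvr.dhcp_option='3'
uci add_list dhcp.nvr.dhcp_option='6'
uci set dhcp.nvr_host=host
uci set dhcp.nvr_host.name='nvr'
uci set dhcp.nvr_host.mac='$1'
uci set dhcp.nvr_host.ip='$2'
uci set dhcp.nvr_host.tag='nvr'
uci commit dhcp
/etc/init.d/dnsmasq restart
EOF
}

# Pi side: write the snippet and let dnsmasq parse it before reloading.
install_pi_conf() {   # install_pi_conf MAC IP [conf-file]
  f=${3:-/etc/dnsmasq.d/nvr.conf}
  dnsmasq_nvr_conf "$1" "$2" > "$f"
  dnsmasq --test -C "$f" && systemctl reload dnsmasq
}

# Usage: sh nvr-dhcp.sh        (print both forms)
#        sudo sh nvr-dhcp.sh pi (install on a Pi running dnsmasq)
if [ "${1:-}" = pi ]; then
  install_pi_conf "$NVR_MAC" "$NVR_IP"
else
  dnsmasq_nvr_conf "$NVR_MAC" "$NVR_IP"; echo; uci_nvr_cmds "$NVR_MAC" "$NVR_IP"
fi
```

After the NVR renews its lease (power-cycle it), confirm on the NVR's own network page that the gateway and DNS fields are empty, and check the lease file (`/tmp/dhcp.leases` on OpenWRT, `/var/lib/misc/dnsmasq.leases` on a Pi) shows the expected address; then sniff as described later in the thread to see whether the device respects it.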

d5775927

The only task the TP-LINK 1043ND v1 needs to do is DHCP server. You can turn the Wi-Fi off.

With OpenWRT installed, you can use the DHCP server to assign a "blank" gateway and a "blank" DNS address to specific devices so they can't go to the internet.

I'm not familiar enough with Raspberry Pis to know if the Pi's DHCP server offering can do the same.
I tried what you suggested previously: to configure the DNS server for the NVR as blank (or a wrong value).
The tested scenario:
1. Used two Dahua cameras connected to the NVR
2. NVR uplink connected to the computer's Ethernet port
3. Wireshark running on the computer, recording traffic from the wired network adapter
I rebooted the NVR and waited about 3 minutes, then analysed the Wireshark recording.
This is the result of the recording (I tried to filter by relevant protocols; I don't care about mDNS or ARP):

The IP of the NVR is: 192.168.1.108 or 10.1.1.1
I think this looks good; the only things I suspect are the UDP requests to:
  1. 255.255.255.255 port 5050
  2. 239.255.255.250 port 37810
What do you think? I'm guessing the UDP requests are not sent out of my network (they only work in the same subnet), so it should be safe (assuming no hidden requests will be sent at 1 AM when I'm not monitoring the traffic).
 
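Added example (editor's, not from the thread) that turns the check above into something repeatable: a small POSIX sh classifier that sorts each destination the NVR talks to into broadcast, multicast, local or external (only "external" needs a gateway and can leave the LAN), a report over a tshark export, and the matching tcpdump capture filter for leaving a sniffer running overnight on the NVR's uplink. The sample lines are constructed to mirror the capture described in the post, plus one made-up line to 203.0.113.10 (a documentation address) to show what a real outbound connection would look like; the NVR address 192.168.1.108 and the /24 are taken from the post.

```sh
#!/bin/sh
# Added example (not from the thread): which of an NVR's destinations could
# actually leave the LAN, and how to capture only those. POSIX sh only.

# Dotted quad -> 32-bit integer using shell arithmetic.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# classify_dst DST NETWORK PREFIXLEN -> broadcast | multicast | local | external
# Broadcast and multicast never cross the router; only "external" needs a gateway.
classify_dst() {
  dst=$(ip2int "$1"); net=$(ip2int "$2")
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  bcast=$(( (net & mask) | (~mask & 0xFFFFFFFF) ))
  if [ "$dst" -eq 4294967295 ] || [ "$dst" -eq "$bcast" ]; then echo broadcast
  elif [ $(( dst >> 28 )) -eq 14 ]; then echo multicast            # 224.0.0.0/4
  elif [ $(( dst & mask )) -eq $(( net & mask )) ]; then echo local
  else echo external; fi
}

# Read "src,dst,proto,udp.dstport,tcp.dstport" lines, as exported by
#   tshark -r nvr.pcap -T fields -E separator=, \
#          -e ip.src -e ip.dst -e ip.proto -e udp.dstport -e tcp.dstport
# and print only the NVR packets that would leave the LAN, then a count.
nvr_egress_report() {   # nvr_egress_report NVR_IP NETWORK PREFIXLEN < csv
  n=0
  while IFS=, read -r src dst proto uport tport; do
    [ "$src" = "$1" ] || continue                       # other hosts' chatter
    [ "$(classify_dst "$dst" "$2" "$3")" = external ] || continue
    case $proto in 6) p=tcp;; 17) p=udp;; *) p="proto$proto";; esac
    echo "EXTERNAL $src -> $dst $p/${uport:-$tport}"
    n=$((n + 1))
  done
  echo "external_count=$n"
}

# Capture filter asking the same question live, e.g. on the Pi's NVR-facing port:
#   tcpdump -i eth0 -n -w /var/log/nvr-egress.pcap "$(egress_bpf 192.168.1.108 192.168.1.0/24)"
# An empty file in the morning means nothing tried to leave overnight.
egress_bpf() {   # egress_bpf NVR_IP NETWORK/PREFIX
  echo "src host $1 and not dst net $2 and not dst net 224.0.0.0/4 and not dst host 255.255.255.255"
}

# Constructed sample modelled on the thread's capture, plus one made-up
# outbound connection (203.0.113.10 is a documentation address, not a real server).
SAMPLE='192.168.1.108,255.255.255.255,17,5050,
192.168.1.108,239.255.255.250,17,37810,
192.168.1.3,239.255.255.250,17,1900,
192.168.1.108,192.168.1.1,17,53,
192.168.1.108,203.0.113.10,6,,443'

printf '%s\n' "$SAMPLE" | nvr_egress_report 192.168.1.108 192.168.1.0 24
```

On the sample the two UDP destinations from the post are classified as broadcast and multicast and the DNS query to the router as local, so only the constructed 203.0.113.10:443 line is reported. The report is a one-off check on a saved capture; the BPF filter is the part to leave running, since it records only packets that need a gateway and so stays empty as long as the NVR behaves.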

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,832
Reaction score
6,389
Those are broadcasts within your network. Nothing to be much concerned with. I don't use Dahua NVRs, but you probably can turn off most of the broadcast traffic within the network settings. The latter is for UPnP. You should have that turned off at your router anyway, but you should also be able to turn off the requests from the NVR. You can from the cams at least. Some still may try to do it anyway, ignoring your settings. Also, on the cams you can't just deselect the first "enable" checkbox on that service page. You also have to deselect each service below. Again, I don't know the NVRs, but in case it's similar.
 

d5775927

Those are broadcasts within your network. Nothing to be much concerned with. I don't use Dahua NVRs, but you probably can turn off most of the broadcast traffic within the network settings. The latter is for UPnP. You should have that turned off at your router anyway, but you should also be able to turn off the requests from the NVR. You can from the cams at least. Some still may try to do it anyway, ignoring your settings. Also, on the cams you can't just deselect the first "enable" checkbox on that service page. You also have to deselect each service below. Again, I don't know the NVRs, but in case it's similar.
Thanks, the NVR and cameras are in storage (hopefully I will install them next week).
I will try to disable the broadcasts and sniff again.
BTW, 192.168.1.3 is my computer; it is running a DLNA server (to stream to a television on the internal network), so the traffic to 255.255.255.250 port 1900 can be ignored (it is not from the cameras/NVR).
 

Mike A.

Yeah, you'll see all kinds of broadcast traffic like that. You can drive yourself crazy with sniffers trying to figure out what everything is. Good that you're taking the time to look, though.
 