VLAN Question

My parents have a Hikvision NVR at their place. I am looking to improve their network security while trying to keep it as simple as possible.

The goal is to allow my parents to view the cameras from their mobile devices, while ensuring the cameras aren't on the same network as other devices that access personal data.

Assuming the router is compatible, if I create a VLAN with internet access and assign it to the NVR, would this segregate the cameras from the rest of the home network?

Or am I missing something else?
 

tangent

If you do that, supporting it is likely to be a bit of a nightmare.

I would probably do this instead:
  • Set up a computer on their network to run a local NTP time server, point NVR to that.
  • Disable P2P / Easy 4 IP on NVR
  • Disable UPnP on router
  • Use parental controls on router to block NVR from connecting to the internet
  • Set up Tailscale or ZeroTier to provide remote access to the network using a computer that's usually on or a compatible router (uncommon, but possible; may require alternate firmware).
  • Use Tailscale / ZeroTier to remotely access NVR.
 

The Automation Guy

Creating a separate VLAN for the camera/NVR devices will segregate those devices from the rest of the network, but whether they can communicate with the rest of the network and/or outside of your local network depends on how you set up the firewall rules for that VLAN. But yes, you can put all your camera-related devices (NVR & cameras) on a new VLAN and prevent that VLAN from communicating with anything else (i.e. block all local and non-local communication). You could/should still allow devices on the "main" VLAN to initiate communication with the camera VLAN devices, so they would still be able to check the cameras using phones, tablets, computers, etc. connected to their regular network.

As far as remote access, a self-hosted VPN, Tailscale, ZeroTier, etc. are all good options. Which is best is highly debatable - they all have their pros and cons - but none of them is a bad choice.

None of this is going to create a "nightmare" support situation IMHO. VLANs don't "break" by themselves and as long as they are set up correctly (i.e. they work as expected), they will continue to work until there is a hardware failure (firewall, network switch, etc.) which would cause a network failure even if you weren't using VLANs.
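
The firewall policy described in the post above, written out as an added example that is not from any poster in this thread. It assumes a Linux-based router that uses nftables and no other VLANs; the interface names and table name are hypothetical and must be replaced with the router's own.

```nftables
# Added example, not from the thread. Assumes a Linux router running nftables.
# Interface names below are hypothetical placeholders.
define LAN_IF = "br-lan"    # main home network (assumed name)
define CAM_IF = "br-cam"    # camera/NVR VLAN (assumed name)
define WAN_IF = "eth0"      # internet uplink (assumed name)

table inet cam_isolation {
    chain forward {
        # Default-deny: anything routed between interfaces that is not
        # explicitly accepted below is dropped, including other VLANs.
        type filter hook forward priority filter; policy drop;

        # Replies belonging to connections accepted below. This is what lets
        # the NVR answer a phone on the main network without being allowed
        # to start connections itself.
        ct state established,related accept
        ct state invalid drop

        # Main network may initiate to the camera VLAN and to the internet.
        iifname $LAN_IF oifname $CAM_IF ct state new accept
        iifname $LAN_IF oifname $WAN_IF ct state new accept

        # Camera VLAN may not initiate to the main network or the internet.
        # The counter and log line show what the NVR/cameras try to reach.
        iifname $CAM_IF counter log prefix "cam-vlan-blocked: " drop
    }

    chain input {
        # Traffic addressed to the router itself (admin UI, DNS, etc.).
        type filter hook input priority filter; policy accept;

        # Camera VLAN gets DHCP from the router and nothing else.
        # Remove the DHCP rule if the NVR and cameras use static addresses.
        iifname $CAM_IF udp dport 67 accept
        iifname $CAM_IF ct state established,related accept
        iifname $CAM_IF counter drop
    }
}
```

After loading, `nft list table inet cam_isolation` shows the counters; a rising count on the camera drop rule while main-network devices can still open the NVR confirms the one-way policy is in effect.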
 

IAmATeaf

By router do you mean what the ISP gives? Here in the UK I don’t think I’ve ever had a router from an ISP that supports VLANs, and most only come with 4 ports, so that limits what you can do.

Assuming that this router does support it and you create a VLAN for that port and give it internet access, then how will the rest of the cams be connected?
 