Isolate cameras: DHCP server, 802.1q trunk port, and "eth0.vid" interface


Lorenz Redlefsen

Jun 12, 2020, 11:30:52 PM
to Camect User Forum
I would like my IP cameras to be in their own sandbox, with no access to the internet or rest of my home network. (There is story after story of security holes in IP camera software.) One could also say they want to protect the IP cameras from other devices on your home network.

It would be awesome if the Camect box could:

1. Run its physical Ethernet port in 802.1q tagged mode.

2. Run an "eth0.vlanID" interface on the physical Ethernet port, with a configurable VLAN ID. On the "normal" "eth0" interface, run a DHCP client (like today). On the "eth0.vlanID" interface, use a private IP address from a configurable pool. Disable routing between eth0 and eth0.vlanID, of course.

3. Become the DHCP server on the "eth0.vlanID" interface using a configurable pool of private addresses.

This would let me

1. Configure an "IP Camera" VLAN on a managed switch, and plug my IP cameras into ports in that VLAN.
2. Configure the switch port that the Camect plugs into as an 802.1q trunk, and add the port to the "IP Camera" VLAN.
3. Configure the native VLAN on that switch port to be the "regular" VLAN that my router/DHCP server sits on.

When the Camect comes up, it DHCPs its own IP address (an untagged packet on "eth0"), as it does today. If so configured, it also brings up "eth0.vlanID", and starts handing out IP addresses to IP cameras on that port.

This should be fairly straightforward to implement using off-the-shelf software -- it's "just" a bunch of config files, plus isc-dhcp-server. And a bunch of testing, of course. ;)
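As an added example (not Camect's code and not from this thread), here is roughly what the three items above amount to on a Linux box with `ip`, `sysctl`, isc-dhcp-server and nftables: a tagged `eth0.<VID>` subinterface beside the untagged `eth0` DHCP client, a `dhcpd.conf` that hands out addresses from a pool but deliberately no default gateway, and forwarding turned off so nothing crosses between the two interfaces. The VLAN ID 100, the 10.77.0.0/24 pool, the interface names and the Debian-style `/etc/default/isc-dhcp-server` binding are assumptions; by default the script only prints the plan.

```shell
#!/bin/sh
# Added example of the "eth0.vlanID" idea on a plain Linux host. Not Camect's
# code; VID, pool and interface names are assumptions, overridable via env.
VID="${VID:-100}"              # camera VLAN ID (assumed)
PARENT="${PARENT:-eth0}"       # physical port; keeps its untagged DHCP client
CAM_PREFIX="10.77.0"           # assumed private pool for the camera VLAN
CAM_GW="$CAM_PREFIX.1"         # address of eth0.<VID>, the DHCP server side
DRY_RUN="${DRY_RUN:-1}"        # 1 = only print the plan; 0 = apply (root)

# Commands that bring up the tagged subinterface and turn off IP forwarding,
# so nothing is routed between eth0 and eth0.<VID>.
vlan_iface_cmds() {
  cat <<EOF
ip link add link $PARENT name $PARENT.$VID type vlan id $VID
ip addr add $CAM_GW/24 dev $PARENT.$VID
ip link set dev $PARENT.$VID up
sysctl -w net.ipv4.ip_forward=0
EOF
}

# dhcpd.conf for the camera pool. No "option routers" and no DNS option on
# purpose: cameras get an address but no default gateway to anywhere.
dhcpd_conf() {
  cat <<EOF
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet $CAM_PREFIX.0 netmask 255.255.255.0 {
  range $CAM_PREFIX.100 $CAM_PREFIX.200;
  option subnet-mask 255.255.255.0;
}
EOF
}

# Belt and braces next to ip_forward=0: drop anything that would be forwarded,
# and let the camera VLAN reach this host only for DHCP and for replies to
# connections the host itself opened (e.g. RTSP pulls from the cameras).
nft_rules() {
  cat <<EOF
table inet camisolate {
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$PARENT.$VID" udp dport 67 accept
    iifname "$PARENT.$VID" ct state established,related accept
    iifname "$PARENT.$VID" counter drop
  }
}
EOF
}

apply_plan() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "# --- commands ---";               vlan_iface_cmds
    echo "# --- /etc/dhcp/dhcpd.conf ---";   dhcpd_conf
    echo "# --- nft ruleset ---";            nft_rules
  else
    vlan_iface_cmds | sh -e
    dhcpd_conf > /etc/dhcp/dhcpd.conf
    # Debian/Ubuntu: bind the DHCP server to the tagged interface only
    echo "INTERFACESv4=\"$PARENT.$VID\"" > /etc/default/isc-dhcp-server
    nft_rules | nft -f -
    systemctl restart isc-dhcp-server
  fi
}

apply_plan
```

Run it as-is to see the generated commands and config; `DRY_RUN=0 VID=200 sh script.sh` applies it for VLAN 200. The switch port the box plugs into must be an 802.1q trunk carrying that VLAN tagged with the "regular" LAN as the native VLAN, exactly as described above.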

Dolf Starreveld

Jun 13, 2020, 1:03:32 AM
to Lorenz Redlefsen, Camect User Forum
You can also consider:

1) Put all your cameras on an isolated VLAN (presumably attached to some switch)
2) Have your router run DHCP on that VLAN as typical (so cameras and Camect can get an IP)
3) Put Camect on that VLAN as well, and put a static reservation for its IP address
4) Configure your router to block all ingress/egress from the VLAN except to the Camect IP
5) Allow routing from your preferred computer VLAN to the Camect/Camera VLAN (conceivably allow ingress/egress to your cameras only from/to here for camera management)

The above would work, out of the box, if Camect currently ignores a VLAN tag, or if it simply adapts it because it appears on its interface (probably won't work without the changes 1 and 2 you propose)

--
You received this message because you are subscribed to the Google Groups "Camect User Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to forum+un...@camect.com.
To view this discussion on the web visit https://groups.google.com/a/camect.com/d/msgid/forum/94f466b3-6bc2-431a-b94b-a72ff4e5aeeco%40camect.com.

Lorenz Redlefsen

Jun 14, 2020, 12:20:58 AM
to Camect User Forum, lor...@redlefsen.com

Thanks for your suggestion.

My suggestion was to allow a Camect box to contain all the intelligence needed to isolate the IP cameras without having to do any major reconfiguration on the rest of the network, or to have any routers fancier than a Linksys/Apple Airport/etc. I just want to use a PoE switch that also handles VLANs, and an existing consumer-grade router. Those usually only allow you to "turn DHCP on or off", and they usually do not support multiple VLANs, .1Q trunks, etc.


Dolf Starreveld

Jun 14, 2020, 12:23:06 AM
to Lorenz Redlefsen, Camect User Forum
True, but if you have the knowledge to want VLANs etc. you might be better off with a non-consumer-grade router. I, for example, run a Ubiquiti EdgeRouter POE. It costs much less than many consumer routers, and does a much better job…

Just saying...


CamectArup

Jun 14, 2020, 1:24:02 AM
to Camect User Forum
I thought Dolf's suggestion was a pretty reasonable one, assuming you want something VLAN-based. I doubt we're going to have the incentive to do anything with VLANs soon, although perhaps I will be surprised.

It's actually also already possible to do what you want using consumer-grade hardware if you plug a USB ethernet adapter into Camect to get a second ethernet interface. You'd set up your cameras on a physically separate network, and connect one Camect interface to your main network and one to your camera network. Camect will not route packets between the two interfaces. 

Configuring a second ethernet interface requires hooking a keyboard and an HDMI monitor to Camect. We do not plan to make it possible to do this from the web UI, because if you mess up the network configuration you'll lose the web UI, and requiring the keyboard and monitor ensures that you have what it takes to recover from a mistake before you try changing it. Send email to sup...@camect.com if you want to know more details about this option.

Devesh Batra

Jun 24, 2020, 11:40:19 AM
to Camect User Forum, lor...@redlefsen.com
That's how I have set up our camera VLAN. Cameras can only go out to get NTP and DNS.

Camect has DHCP reservation and can go out to internet
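The router-side version of this layout, as an added example that is not from the thread and not Camect's or Ubiquiti's code: an nftables forward policy covering Dolf's steps 4 and 5 (camera VLAN blocked except for the Camect address, the computer VLAN allowed in for viewing/management) plus the exception Devesh describes (cameras may only go out for NTP and DNS, Camect with its reservation may reach the internet). Interface names `vlan10`/`vlan100`/`eth0`, the 10.77.0.0/24 subnet and the Camect address 10.77.0.5 are assumptions. The `decide` function mirrors the ruleset in plain shell so the intended access matrix can be checked without root before loading it.

```shell
#!/bin/sh
# Added example of a router-side isolation policy for a camera VLAN.
# Not from the thread; interface names, subnet and Camect IP are assumptions.
CAM_VLAN_IF="vlan100"          # cameras + Camect (assumed)
PC_VLAN_IF="vlan10"            # trusted computers (assumed)
WAN_IF="eth0"                  # uplink to the internet (assumed)
CAMECT_IP="10.77.0.5"          # Camect's static DHCP reservation (assumed)

# nftables ruleset: default drop between VLANs, with the few exceptions
# the thread describes. Load with: router_rules | nft -f -
router_rules() {
  cat <<EOF
table inet camvlan {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # step 5: viewing/management from the computer VLAN into the camera VLAN
    iifname "$PC_VLAN_IF" oifname "$CAM_VLAN_IF" accept
    # Camect itself (fixed by its reservation) may reach the internet
    iifname "$CAM_VLAN_IF" oifname "$WAN_IF" ip saddr $CAMECT_IP accept
    # cameras: only NTP and DNS outbound; everything else is logged and dropped
    iifname "$CAM_VLAN_IF" oifname "$WAN_IF" udp dport { 53, 123 } accept
    iifname "$CAM_VLAN_IF" oifname "$WAN_IF" tcp dport 53 accept
    iifname "$CAM_VLAN_IF" log prefix "camvlan-drop: " counter drop
  }
}
EOF
}

# Shell mirror of the same policy for a *new* flow:
#   decide IIF OIF SADDR PROTO DPORT  -> prints "accept" or "drop"
decide() {
  iif=$1; oif=$2; saddr=$3; proto=$4; dport=$5
  if [ "$iif" = "$PC_VLAN_IF" ] && [ "$oif" = "$CAM_VLAN_IF" ]; then
    echo accept; return
  fi
  if [ "$iif" = "$CAM_VLAN_IF" ] && [ "$oif" = "$WAN_IF" ]; then
    if [ "$saddr" = "$CAMECT_IP" ]; then echo accept; return; fi
    case "$proto:$dport" in
      udp:53|udp:123|tcp:53) echo accept; return ;;
    esac
  fi
  echo drop
}

# Print the ruleset and a few constructed flows through the matrix.
router_rules
for flow in \
  "vlan10 vlan100 10.0.10.20 tcp 554" \
  "vlan100 eth0 10.77.0.50 udp 123" \
  "vlan100 eth0 10.77.0.50 tcp 443" \
  "vlan100 eth0 $CAMECT_IP tcp 443" \
  "vlan100 vlan10 10.77.0.50 tcp 445"; do
  set -- $flow
  echo "$flow -> $(decide "$@")"
done
```

The `ct state established,related` line is what lets a PC open an RTSP or HTTP session to a camera and receive the replies while the camera still cannot open anything towards the PC VLAN on its own; the final `log` rule is where you would look for a camera that suddenly tries to phone home.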

Graham Bird

Jun 24, 2020, 11:49:58 AM
to Camect User Forum
As a complete novice, I'd love some pointers to best practice guides for setting up cameras on VLANs etc.

I am looking to run the cameras on a separate LAN, but to "bridge" (if that's the right term) only the viewing aspect to computers in the home.

That make sense?

Cheers

Damon Sisola

Jun 24, 2020, 3:06:43 PM
to Devesh Batra, Camect User Forum, lor...@redlefsen.com

IMO, I wouldn’t want the Camect to manage the network isolation – let the NVR do what it does and let network devices provide isolation and access controls.

I've achieved the described configuration using Ubiquiti Unifi USG, switches, and WiFi APs. Unifi is quite advanced for the simplicity of configuration it offers and at a reasonable price. I have separate VLANs/SSIDs for cameras, other IoT devices like Alexa, Smartthings, etc., and computers. This allows very granular control of traffic to and from your cameras and other risky devices while allowing your PCs access to whatever you want.
