NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
GS108PEv3 how to seutp vlan for ip cameras connected to NAS but still be able to access remotely?
I need help in setting up a vlan for my ip cameras connected to the NETGEAR 8-Port Gigabit Ethernet Smart Managed Plus PoE Switch. My setup is I currently have a Netgear X8 router that connects to th...
rjruiz wrote:I understand the function of a VLAN as far as isolating the ip cameras. But then I thought, can I isolate the cameras a different way. I do have a DS1513+ NAS that has 4 LAN ports. If I plug the switch with the ip cameras directly into one of the LAN ports of the NAS...
That far that good - OK, that's the way to set-up a dedicated surveillance network, using a dedicaed switch, or a switch with a deciated VLAN for the surveillance cameras.
rjruiz wrote:...and then defined in the NAS a specific IP address but not a gateway, wouldn't this isolate the cameras from the internet but still be able to access Surveillance Station to view the cameras?
More a QNAP user here, but similar on Syno. You can allow the Surveillance Station App to be accessible on designte(d) networks, while the Surveillance Station is able to record from cameras on any configured (V)LAN. For live view on the LAN and remote, Syno does no longer allow live streams direct from the camera for a while (because cameras are often limited in the number of concurrent streams avaiable, what does lead to "black" playback views on single and multi-view. Syno does relaying the live video streams on the Surveillance Station, so you can get the streams either in unicast, or there is an opiton to configure a unique unicast address.
This approach is kind of standard for having dedicated, isolated LAN or VLAN for a long time - one does run a dedicatec LAN or VLAN, on a dedicated IP subnet, with a DHCP server for devices connected new to the surveillance network (e.g. for adding more cameras). This does prohibit other LAN users accessing cameras, camera streams, ... on the often very weak camera IoT OSes, and it does free-up the data interfaces or LAG used for other storage purposes from the possibly heavy video stream bandwidth.
rjruiz wrote:...and then defined in the NAS a specific IP address but not a gateway, wouldn't this isolate the cameras from the internet ...
If the plan is only prohibiting the cameras being able to reach the Internet (the ubiquitous scare of cameras calling home, looking for firmware updaes, and many other useful features) you can think about the idea of not configuring (or configuring a non-existent) default default gateway address. For this you don't need a dedicated LAN/VLAN. Depending on the customer expectations, we commonly run dedicated subnets, and do routing on the NAS, or deploy in-house routing, e.g. L2+/L3 switch based, or use SMB security appliances with strict firewall rules.
rjruiz wrote:but still be able to access Surveillance Station to view the cameras?
You need only the Syno reachaale from the Internet, not the camera LAN/VLAN/IP subnet subnet IMHO.
rjruiz wrote:So then I wouldn't have the need for a VLAN? Am I wrong in this assumption?
If the plan is to run on the same IP subnet, probably not....
Howevr, I strongly suggest to do it the right way.
I don't meat to be rude but that confused me a bit. I understand the function of a VLAN as far as isolating the ip cameras. But then I thought, can I isolate the cameras a different way. I do have a DS1513+ NAS that has 4 LAN ports. If I plug the switch with the ip cameras directly into one of the LAN ports of the NAS and then defined in the NAS a specific IP address but not a gateway, wouldn't this isolate the cameras from the internet but still be able to access Surveillance Station to view the cameras? So then I wouldn't have the need for a VLAN? Am I wrong in this assumption?
rjruiz wrote:I understand the function of a VLAN as far as isolating the ip cameras. But then I thought, can I isolate the cameras a different way. I do have a DS1513+ NAS that has 4 LAN ports. If I plug the switch with the ip cameras directly into one of the LAN ports of the NAS...
That far that good - OK, that's the way to set-up a dedicated surveillance network, using a dedicaed switch, or a switch with a deciated VLAN for the surveillance cameras.
rjruiz wrote:...and then defined in the NAS a specific IP address but not a gateway, wouldn't this isolate the cameras from the internet but still be able to access Surveillance Station to view the cameras?
More a QNAP user here, but similar on Syno. You can allow the Surveillance Station App to be accessible on designte(d) networks, while the Surveillance Station is able to record from cameras on any configured (V)LAN. For live view on the LAN and remote, Syno does no longer allow live streams direct from the camera for a while (because cameras are often limited in the number of concurrent streams avaiable, what does lead to "black" playback views on single and multi-view. Syno does relaying the live video streams on the Surveillance Station, so you can get the streams either in unicast, or there is an opiton to configure a unique unicast address.
This approach is kind of standard for having dedicated, isolated LAN or VLAN for a long time - one does run a dedicatec LAN or VLAN, on a dedicated IP subnet, with a DHCP server for devices connected new to the surveillance network (e.g. for adding more cameras). This does prohibit other LAN users accessing cameras, camera streams, ... on the often very weak camera IoT OSes, and it does free-up the data interfaces or LAG used for other storage purposes from the possibly heavy video stream bandwidth.
rjruiz wrote:...and then defined in the NAS a specific IP address but not a gateway, wouldn't this isolate the cameras from the internet ...
If the plan is only prohibiting the cameras being able to reach the Internet (the ubiquitous scare of cameras calling home, looking for firmware updaes, and many other useful features) you can think about the idea of not configuring (or configuring a non-existent) default default gateway address. For this you don't need a dedicated LAN/VLAN. Depending on the customer expectations, we commonly run dedicated subnets, and do routing on the NAS, or deploy in-house routing, e.g. L2+/L3 switch based, or use SMB security appliances with strict firewall rules.
rjruiz wrote:but still be able to access Surveillance Station to view the cameras?
You need only the Syno reachaale from the Internet, not the camera LAN/VLAN/IP subnet subnet IMHO.
rjruiz wrote:So then I wouldn't have the need for a VLAN? Am I wrong in this assumption?
If the plan is to run on the same IP subnet, probably not....
Howevr, I strongly suggest to do it the right way.
Excellent this does help me understand abit more of what I am trying to accomplish. I think we are on the same page. I am only planning on running 2-4 ip cameras on the dedicated switch which will then be connected to one of the Synology NAS ports. I only plan on remotely acessing the Synology NAS, not the ip cameras remotely. So if I set the NAS port that is connected to the switch with a dedicated ip and no gateway, this would in turn isolate the ip cameras for security reasons and the ip cameras wouldn't see the internet at all which I believe is what I am trying to accomplsih. In that case like you had mentioned a VLAN wouldn't be necessarily neccsary. Is my assumption correct?
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
