Home Business setup with vlans and security cams

Click here to view original web page at www.snbforums.com
Hi all I'm new to the forum and would appreciate some help with configuring my RT AC66U (merlin v380.70) and Cisco 3560 POE24 (IOS v12.2.55-SE12) to work together in a multi vlan topology. I have been spending literally weeks researching and trying to do it myself unsuccessfully and recently had to grab a bit life back and flatten my network out to one subnet whilst I get help. Consequently as it is (all on 192.168.1.0/24) it is slow and insecure. Hence why I am here. I realise my requirements are rather demanding but the folk here seem very helpful so...

A quick description so you can understand my requirements:

I need multi vlans because I want to isolate my security cams, ipdoorbell and associated android chimers (old phones dedicated to ipdoorbell video/audio/chiming only) on a vlan separate from the general house/nvr and studio business networks. I want to block the cams from accessing the internet and/or infecting the network. I'd like the NVR (Blue Iris and OpenHAB on a dedicated box which has overhead left for other server duties if needed) to be on its own vlan or on the management vlan but getting streams exclusively from the cams. Then I need to access Blue Iris via openvpn/BI android app globally from various non-secure locations hotels/cafes etc.

House and business also need to be isolated from each other due to the sensitive nature of my studio business. I need the studio network secure but quietened from busy cam and other house traffic so as to not disrupt my timing sensitive audio/midi networks. Occassionally my workstations (WS) need internet access for authorisations but think this should be thru a vpn (doesnt need to be fast). However the lan communication between WS on their own vlan needs to be ultrafast for audio/midi. In fact Dante and similar nets require you to setup a voice vlan type topology.

Ideally I would like to be able to access home and management vlans from my online machine in the studio either via vpn or the switch.

I should also mention there is only one ethernet cable from the ASUS/CISCO cabinet to the basement studio where there are pcs and devices that need to be on various vlans so my topology cant be solely physical port based. Also there is a global cache GC100 in the studio (essential for HDMI switching) that has old firmware allowing to ONLY be on one fixed and unchangeable ip 192.168.1.70.

And my ipdoorbell can only be given an ip from a server, you cant set a fixed ip internally.

Location is all Windows 10/android machines except one ipad and hackintosh in the studio.

Basic topology: TPLink ADSL2 modem (bridge mode) > wan port Asus RT AC66U, lan port > Cisco L3 switch where house and cams have their own ports > 1 port/cable goes to TPLink SG3216 L2 router in basement studio with studio net and more house devices and studio Wireless AP running off that. Please see attached diagram for more detail.

I have successfully setup these: (albeit on my current flattened network)

1. Asus as Entware based NTP server, all devices set to its ip where possible.
2. Asus as DHCP and OpenVPN server with fixed ips assigned for most devices. My vpn clients on NVR, online studio WS and phone are working using a non common subnet 192.168.254.0/24 to avoid clashes abroad.
3. Envisalink alarm communicator, opensprinkler and Blue Iris are all communicating to their corresponding apps on my Galaxy7 phone, on LAN in the house and WAN when away. Via my VPN (I think?)
4. Blocked the cams from internet by clicking on the client icon in Asus gui main page and enabling the Block from Internet switch (I read this may not be thorough enough now)

What I need help with:

So access and functioning of all my devices is all working BUT all in a non-isolated, busy/slow, non-secure topology. I have to separate and isolate using vlans. I cant stress enough how important it is to secure and quieten my studio network (its a contractual requirement), from the cams and IOT devices plus the home network. So even if I paid a consultant to configure the Cisco/Asus I would still need to know how it works so I can maintain it. I think I have got pretty close but the CLI/linux nature of the config on both the asus and cisco has beaten me so far. I am a fast learner, given the right path

When I have created separate vlans in Cisco as per diagram, the following issues are present:

I have made numerous attempts to configure the cisco with network assistant (I am better with a gui) and CLI to no avail. I cant get my NVR to see my cams nor can Blue Iris server machine access internet/vpn.

What I can deduce (perhaps Im wrong) is that I need the Asus to be able to see (dhcp serve and reserve ips to some) all devices on all vlans in order to be the openvpn server and to also route them (except cams) to the internet within and outside the vpn where required.

In other words I need help with the CLI commands to setup and serve ip on the asus router for multi vlans whilst keeping it as the openvpn and ntp server (as per the diagram). I guess these vlans are also defined in the cisco switch (and the studio TPlink L2 as well?) to correspond. I can go to the Routing forum to get help on the cisco part.

Maybe this could be achieved by making the cisco the dhcp/ip server instead of the asus? So that each vlan is properly served ips and given selected access to other machines and/or the internet?

I tried Private vlans in the cisco (via gui) but it crashed. It may not have the license for it.

Maybe I could have a policy based routing topology because my network is pretty fixed, I can make an entry for every machine as I add plus a dhcp pool in the house for phones. However it has to be fast and secure in the studio net and I thought vlans were better for that.

I would really appreciate what ever suggestions you have. I feel like its just some basic things the in complex world of CLI that hasn't clicked yet. See diagram below.

Note: I have edited my original image here and updated.

FilmSonicNetwork2.png
Last edited: 12 minutes ago
Leave a Reply

Your email address will not be published. Required fields are marked *