Is there a guide for putting cameras on a VLAN?

I figure that there must be a guide somewhere, but I couldn't find it.

I have several wired IP cameras connected to a private switch with only cameras and a Blue Iris PC connected. The switch is directly connected to a dedicated Ethernet port on the Linksys WRT1200AC router running OpenWRT 23.05.

So I would like for all the cameras and the Blue Iris PC to be on a single VLAN together. The intent is for the cameras, which generate a lot of traffic, to be isolated so that the rest of my network is not disturbed or slowed, and also to prevent unauthorized chatter between the cameras and the internet.

The cameras should not be allowed to access the internet or have the internet access them. They should only be accessible from the VLAN or the local LAN.

The Blue Iris computer should be allowed to access the internet and be able to accept port forwards. Likewise, it should also be able to have full access to and from the LAN and VLAN.

Currently everything is wired, but in the future I would like the possibility to add Wifi cameras to the VLAN.

Does this sound overly complicated? Is there a guide somewhere that explains how to do this?


This all sounds fine. There isn't a really good guide on this because there are always some things that make it hard to make a universal solution. But, that's where the community comes in -- we'll help you get there.

I'd recommend that you start with the guest AP guide. You don't need to create any actual wifi interfaces, but you'll use this to create the camera's subnet, DHCP server, and firewall zone. Once that is done, we can move one of your ethernet ports over such that it is serviced by the new network.

Once that is done, post your config files and we'll double check everything and advise about moving that ethernet port. (also, please let us know which physical port you will be using for the camera-switch connection)

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

On this -- it is worth noting that the traffic will largely stay on the dedicated camera switch (even if you don't create a VLAN) because the majority of the traffic is going from the cameras to the NVR, which can be done directly via the switch (no routing required). Broadcast and multicast traffic would flow between all devices on the same network, but that's generally not a lot of traffic and not likely to impact performance. But, it is much easier to limit internet access and such if you create a VLAN, so that part is certainly useful.


If it doesn't need internet, I'd toss it on its own router. Even if it does, will double NAT matter for a camera setup?

I went to the guide as suggested and it does not look like the same web interface that my router is using. I thought I installed the latest version. Luci says "OpenWrt 23.05.0 r23497-6637af95aa / LuCI openwrt-23.05 branch git-23.236.53405-fc638c8".

Is that not the latest version? If not, then how do I get the latest?

I thought about a second router because I would also be able to use a separate Wifi network, but in reality, it's going over the same airspace, so I don't think it would be that big of an advantage. Double NATting would not hurt anything at the camera level because the cameras won't be allowed to connect to the WAN. However, Blue Iris does need internet access and double NATting would likely be an issue unless they have a workaround.

As it is right now, with no VLAN, there isn't a lot of traffic sent to the router. So really the main issue is to keep the cameras from sending data outside my house. I think a VLAN is best for that.

I think the biggest issue is that the Blue Iris server is on the same VLAN, but needs different rules.

23.05 is the latest (23.05.2 specifically -- so you could upgrade first). The GUI in the guide is old, but the concepts and general flow are the same. Try following the guide (other than the actual wifi radio configuration) and let me know if you get stuck.

It doesn't seem that they have built an .02 version for my router yet.

In the AP guide, the wifi and radio configuration are the first things shown and it looks like the remaining items are dependent on them.

I watched https://www.youtube.com/watch?v=qeuZqRqH-ug but feel that a PhD is required to set up the new VLANs.

There is... it's here

The guide interface creation isn't truly dependent on the wifi creation, but I can see why that is confusing. I'd actually like to rewrite that guide to make wifi the last thing, but I haven't had time to do that.

If you're using LuCI, just navigate to Network > Interfaces then click Add new interface -- from there, you should be able to follow the prompts through -- use a static address and leave the device unspecified. Use a subnet that is non-overlapping with your lan... so if your lan is 192.168.1.0/24, you can use the address 192.168.5.1 with a subnet mask of 255.255.255.0. In the DHCP server tab, click the button for Set up DHCP Server, and in the firewall tab, select --custom and enter a name for your new firewall zone (then hit return). Save that and then save and apply the changes.

Once you've done all that, post your configs and we'll take care of the rest.
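As an added example (not code from this thread, nor OpenWrt's own tooling), here is a small Python checker that parses UCI-format text like the output of `cat /etc/config/firewall` and verifies the property the thread is after: the camera zone can neither forward to `wan` nor be forwarded to from `wan`, and the only ACCEPT toward `wan` is for the Blue Iris host. The sample config embedded below is constructed to match the steps above; the zone name `cameras`, the subnet 192.168.5.0/24 and the NVR address 192.168.5.10 are assumptions. In OpenWrt, traffic between zones is only allowed by `forwarding` sections or explicit `rule`s, which is what the checker inspects.

```python
"""Added example: parse UCI config text and check that a camera zone is
isolated from wan, with one named host (the NVR) as the only exception."""
import ipaddress

# Constructed sample of the relevant /etc/config/firewall sections. The
# 'cameras' zone has no forwarding to/from wan; the lan is allowed to reach
# the cameras; two rules let only the NVR (assumed 192.168.5.10) out.
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wan6'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'cameras'
    list network 'cameras'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'cameras'

config rule
    option name 'Allow-NVR-to-wan'
    option src 'cameras'
    option src_ip '192.168.5.10'
    option dest 'wan'
    option target 'ACCEPT'

config rule
    option name 'Allow-NVR-to-lan'
    option src 'cameras'
    option src_ip '192.168.5.10'
    option dest 'lan'
    option target 'ACCEPT'
"""


def parse_uci(text):
    """Parse UCI text into a list of (section_type, options) tuples.
    'option' values are strings; 'list' values are collected into lists."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # keyword, name, [value]
        if parts[0] == "config" and len(parts) >= 2:
            current = (parts[1], {})
            sections.append(current)
        elif parts[0] == "option" and current is not None and len(parts) == 3:
            current[1][parts[1]] = parts[2].strip("'\"")
        elif parts[0] == "list" and current is not None and len(parts) == 3:
            current[1].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections


def check_camera_isolation(sections, cam_zone, nvr_ip, wan_zone="wan"):
    """Return findings on whether cam_zone is cut off from wan_zone except
    for a single-host ACCEPT rule matching nvr_ip."""
    zones = {s["name"]: s for t, s in sections if t == "zone" and "name" in s}
    fwd = [s for t, s in sections if t == "forwarding"]
    rules = [s for t, s in sections if t == "rule"]
    nvr = ipaddress.ip_address(nvr_ip)

    to_wan = [f for f in fwd if f.get("src") == cam_zone and f.get("dest") == wan_zone]
    from_wan = [f for f in fwd if f.get("src") == wan_zone and f.get("dest") == cam_zone]

    nvr_exception, other_accepts = False, []
    for r in rules:
        if r.get("src") != cam_zone or r.get("dest") != wan_zone:
            continue
        if r.get("target", "").upper() != "ACCEPT":
            continue
        src_ip = r.get("src_ip")
        net = ipaddress.ip_network(src_ip, strict=False) if src_ip else None
        if net is not None and net.num_addresses == 1 and nvr in net:
            nvr_exception = True
        else:  # any broader ACCEPT toward wan would leak camera traffic
            other_accepts.append(r.get("name", "<unnamed>"))

    return {
        "zone_present": cam_zone in zones,
        "forwardings_to_wan": len(to_wan),
        "forwardings_from_wan": len(from_wan),
        "nvr_exception": nvr_exception,
        "other_wan_accepts": other_accepts,
        "isolated": cam_zone in zones and not to_wan and not from_wan and not other_accepts,
    }


if __name__ == "__main__":
    print(check_camera_isolation(parse_uci(SAMPLE_FIREWALL), "cameras", "192.168.5.10"))
```

Run it against your own `cat /etc/config/firewall` output by reading the file into `parse_uci`; an `isolated` of `False` together with a non-empty `other_wan_accepts` or a non-zero forwarding count tells you which section punches the hole.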

I found the new firmware. Thanks. I will need to wait because I have been unexpectedly called away for the weekend starting tomorrow and anything I do will have to be remote access. I installed wireguard and set SSH to only accept access from the LAN. Hopefully that will be enough, but I don't want to do something as risky as an upgrade remotely.

I did do the interface changes you specified, but I won't be able to post them tonight. If you don't hear from me then I probably didn't get the remote stuff working properly. I have wireguard working on the cell phone, but I will also need to get it working on windows 10. There is no way to scan a QR code on that computer. And I'm not sure if I need a new set of keys or just use the same ones that the cell phone uses.

From a practical perspective, you'll want to be in front of your router so you can literally plug devices into the port with the new network (test and observe the results), so there's not a ton of value trying to do it remotely... but if you want, we can certainly continue on it if you have access and time.

Set up a second set of keys. If you're connecting locally, you can just copy/paste into the appropriate fields instead of worrying about QR codes (and how to read them on your computer).

A different subnet to reduce broadcast traffic, that part's easy enough. Airspace-wise, the wifi has multiple bands and frequencies you can utilize to avoid direct interference, and as for the VLAN, I agree they are a good thing, but they aren't your only option available.

I am at the remote location now. Wireguard is installed on win10 and half working. It will not let me access internal LAN devices. So I can't access the router. However, it is letting me access external sites like this openwrt forum, amazon and google. I also have wireguard working on the cell phone which has no problem accessing the router. The problem is that it just isn't practical to do router reconfigurations on a cell phone.

So I need to figure out why windows is being windows before I can proceed from the remote location.

If the VLAN proves to be too complicated, then I might do something like a subnet, but can a subnet block all internet traffic both directions while allowing access via LAN and VPN?

https://bensoftware.com/blog/segregating-ip-cameras-on-their-own-lan/


We didn't review your WireGuard config, so I can't say what is wrong... and it sounds like it won't be easy to get the configs to evaluate (we'd need the network and firewall files -- if you can grab them, we'll see what's going on). If not now, we can always work on this once you're home (maybe in a new thread).

As far as the VLAN itself... this can wait until you get home, IMO, since the magic is really about plugging a device into the new VLAN (via the physical ethernet port) and seeing it work on a new subnet. And, in theory, there isn't much work to be done at this point -- should be a few quick changes.

I don't think the wireguard issue with windows has anything to do with openwrt. I did do a web search and there are a lot of people with the same problem who are using other router firmwares including pfsense. The android cell phone with wireguard works fine with openwrt.

Although there are many people with the same problem, nobody seems to have a solution so far. I reported it as a bug to wireguard. If they disagree, maybe they will share a solution.

One odd thing about the windows wireguard is that the only way to configure it is with a conf file. Android uses a gui.

Unless I can get wireguard working with windows, the VLAN will have to wait until I can get back.

It's hard to say at this point... it could be windows, or your local WG config on windows, or it could be the router's config... I'd be happy to look at what you have from the Windows side (be sure to redact the keys).

I don't use MACs here. The Blue Iris computer is running Win11 which is a requirement of Blue Iris. However, I did consider using a second Ethernet port with one being exclusive to the cameras. However, when I saw a video about VLAN, it seemed like a more elegant solution. Since I don't have ANY solution working at this time, I'm not saying No to any method, but I want to give VLAN a fair chance first.

Fake keys added...

[Interface]
PrivateKey = 56e56hrthyuju7we5y=
Address = 192.168.10.3/32
DNS = 192.168.1.1

[Peer]
PublicKey = fgsd5546htujui,lhrtfgdsg=
PresharedKey = fj67j56jhdrtfgjh=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = server.com:64566

Based on what I see here, nothing jumps out as problematic in the Windows WG config itself.

I'd have to see the other side, but that doesn't seem to be possible right now, right?
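As an added example (not from the thread, and not WireGuard's own code), here is a Python check for the client side that can be run before suspecting the OS: it parses a `[Interface]`/`[Peer]` config in the form posted above and reports whether the tunnel address is a host address and whether the LAN subnet and the DNS server actually fall inside `AllowedIPs`, which is what decides if Windows routes them into the tunnel. The embedded sample is constructed to mirror the posted config with placeholder keys and endpoint; the LAN subnet 192.168.1.0/24 is an assumption. A second, split-tunnel variant shows the failure mode where only the tunnel subnet is routed and LAN hosts are unreachable.

```python
"""Added example: parse a WireGuard client config and check which addresses
its AllowedIPs would route through the tunnel."""
import ipaddress

# Constructed sample in the shape of the posted config; keys and endpoint
# are placeholders, not real values.
FULL_TUNNEL = """
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 192.168.10.3/32
DNS = 192.168.1.1

[Peer]
PublicKey = PLACEHOLDER_PEER_PUBLIC_KEY=
PresharedKey = PLACEHOLDER_PRESHARED_KEY=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.invalid:64566
"""

# Same client as a split tunnel: only the tunnel subnet is routed in, so the
# LAN (assumed 192.168.1.0/24) and the DNS server fall outside the tunnel.
SPLIT_TUNNEL = FULL_TUNNEL.replace("0.0.0.0/0, ::/0", "192.168.10.0/24")


def parse_wg(text):
    """Return (interface_options, [peer_options, ...]) from WireGuard INI text.
    Hand-rolled because a config may contain several [Peer] sections."""
    iface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if line[1:-1].strip().lower() == "interface":
                current = iface
            else:
                current = {}
                peers.append(current)
            continue
        key, _, value = line.partition("=")  # base64 keys keep their trailing '='
        if current is not None:
            current[key.strip()] = value.strip()
    return iface, peers


def allowed_networks(peers):
    """All AllowedIPs entries across peers as ip_network objects."""
    nets = []
    for peer in peers:
        for item in peer.get("AllowedIPs", "").split(","):
            item = item.strip()
            if item:
                nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def _covered(addr, nets):
    return any(addr.version == n.version and addr in n for n in nets)


def routed_via_tunnel(text, targets):
    """Map each target address to whether some AllowedIPs entry covers it."""
    _, peers = parse_wg(text)
    nets = allowed_networks(peers)
    return {t: _covered(ipaddress.ip_address(t), nets) for t in targets}


def tunnel_report(text, lan_cidr):
    """The checks to make before blaming the client OS."""
    iface, peers = parse_wg(text)
    nets = allowed_networks(peers)
    addr = ipaddress.ip_interface(iface["Address"])
    lan = ipaddress.ip_network(lan_cidr)
    dns = [d.strip() for d in iface.get("DNS", "").split(",") if d.strip()]
    return {
        "tunnel_address_is_host": addr.network.num_addresses == 1,
        "lan_covered": any(lan.version == n.version and lan.subnet_of(n) for n in nets),
        "dns_covered": bool(dns) and all(_covered(ipaddress.ip_address(d), nets) for d in dns),
        "full_tunnel": any(n.prefixlen == 0 for n in nets),
        "endpoint": peers[0].get("Endpoint") if peers else None,
    }


if __name__ == "__main__":
    print(tunnel_report(FULL_TUNNEL, "192.168.1.0/24"))
    print(tunnel_report(SPLIT_TUNNEL, "192.168.1.0/24"))
```

For the posted config the report comes back with the LAN and DNS covered, which matches the observation above that nothing in the Windows file itself looks wrong; the remaining candidates are then the server-side peer entry (its `AllowedIPs` for this client) and the router's firewall, which this client-only check cannot see.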