VLANs with multiple subnets

Hello!

I'm trying to get my head wrapped around how VLANs work and how I can use them to isolate my security IP cameras on my network.

I have two questions:
If I have a managed switch where I can create VLANs and tag/untag certain ports, does that information get passed along to the next device as well (assuming the port is "tagged")? I have a NanoPi with only two ethernet ports, eth0 (WAN) and eth1 (LAN). I would like to create two VLANs, one for my cameras (10.10.30.1/24) and one for my main network (10.10.10.1/24). If I create the VLANs on the switch and tag the port that connects to the NanoPi's LAN port, will that tag be seen by OpenWrt on the NanoPi assuming I have matching VLAN IDs? Same with other devices that have VLAN capabilities, can they also use the data? Is that what tagging is for?

Second question: What would be the best way to create two LANs that I can create rules on how they can communicate? Can I make two interfaces, one for each subnet, that are both using eth1 and then create firewall rules for each network? Or do I need to virtualize eth1 into eth1.0 and eth1.1?

I'm having a hard time finding information that has helped me get my head around all of this.

Here is my network:
NanoPi R4S (router) -> GS1900-8HP (managed switch) -> clients
Right now everything is on 10.10.10.1/24 and I have a wireguard server with clients using 10.10.20.1/24.

Any insight would be appreciated!

Your router (r4s) makes the policies, via subnet routing between the individual VLANs (different firewall zones!) and firewall traffic rules, your switch (gs1900-8hp) executes them by distributing the VLANs among its ports and filtering away the VLANs your clients aren't supposed to see (on each port).

You have to decide between two (configurable) types of switch ports here:

  • trunk ports, carrying multiple (up to all-) VLANs in tagged form
    • the connection between your router- and switch
    • further managed switches, daisy-chained to your first switch
    • selected (trusted and carefully configured) servers, which are supposed to have access to multiple VLANs
  • access ports, only providing access to a single VLAN in untagged form
    • your PCs, they only get to see the LAN subnet (VLAN) in untagged form, plug in and play
    • your cameras, likewise they also only get to see their own camera subnet (VLAN) in untagged form

Your switch gets the responsibility to decide which incoming (e.g. on a trunk port on its LAN1) VLANs from your router are connected to which of its remaining (access-) ports, e.g. LAN1 (trunk), LAN2-5 (access port for the untagged LAN network), LAN6-8 (access port for the untagged camera network).

You never want to expose 'stupid' or 'untrusted' devices to a trunk port carrying multiple tagged VLANs (from which they could choose at their own courtesy), they typically only get to see their own VLAN in untagged form from an access port of your switch. That's the primary task of your managed switch, filtering VLANs and distributing them among its ports, so your clients only get to see what they're allowed to access.

More complex scenarios can be configured as necessary.

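As an added illustration of the trunk/access distinction described above (example code, not from the original post and not from OpenWrt or Zyxel), here is a small Python model of how an 802.1Q switch classifies an incoming frame and decides which ports it may leave on, tagged or untagged. The port layout and VLAN IDs follow the setup used later in the thread; the attribute names (pvid, membership, ingress_filtering, tag_only) are the model's own, chosen to mirror the settings on the GS1900's "Port" and "VLAN port" tabs, and the "camera port left at PVID 1" and "ingress filtering off" cases are constructed misconfigurations.

```python
"""Toy model of 802.1Q VLAN handling on a managed switch.

Added example, not code from the original thread, OpenWrt or Zyxel. It
models what the GS1900 UI splits across its 'VLAN port' tab (per-VLAN
membership: tagged / untagged / excluded) and its 'Port' tab (PVID,
ingress filtering, tag-only acceptable frame type). Layout follows the
thread: port 1 = router trunk, ports 2-3 = LAN access, port 4 = camera
access, VLANs 1 and 30. Attribute names are the model's own.
"""
from dataclasses import dataclass
from typing import Dict, Optional

TAGGED, UNTAGGED, EXCLUDED = "tagged", "untagged", "excluded"


@dataclass
class Port:
    pvid: int                       # VLAN given to untagged frames on ingress
    membership: Dict[int, str]      # vid -> TAGGED / UNTAGGED / EXCLUDED
    ingress_filtering: bool = True  # drop frames for VLANs this port is not in
    tag_only: bool = False          # trunk: accept tagged frames only


@dataclass
class Frame:
    src_port: int
    vid: Optional[int]              # None = untagged on the wire


class Switch:
    def __init__(self, ports: Dict[int, Port]) -> None:
        self.ports = ports

    def classify(self, frame: Frame) -> Optional[int]:
        """VLAN the frame is classified into on ingress, or None if dropped."""
        p = self.ports[frame.src_port]
        if frame.vid is None:
            if p.tag_only:
                return None             # untagged frame on a tag-only trunk
            vid = p.pvid                # untagged frame takes the port's PVID
        else:
            vid = frame.vid             # tagged frame keeps its own VID
        if p.ingress_filtering and p.membership.get(vid, EXCLUDED) == EXCLUDED:
            return None                 # port is not a member of that VLAN
        return vid

    def flood(self, frame: Frame) -> Dict[int, Optional[int]]:
        """Flood to every other member port (unknown destination MAC).
        Returns egress port -> VID on the wire, None meaning untagged."""
        vid = self.classify(frame)
        if vid is None:
            return {}
        out: Dict[int, Optional[int]] = {}
        for num, p in self.ports.items():
            if num == frame.src_port:
                continue
            mode = p.membership.get(vid, EXCLUDED)
            if mode == TAGGED:
                out[num] = vid
            elif mode == UNTAGGED:
                out[num] = None
        return out


def build_thread_switch(camera_pvid: int = 30,
                        ingress_filtering: bool = True) -> Switch:
    """The switch as it should be set for the thread's layout. camera_pvid
    and ingress_filtering are parameters so misconfigurations can be shown."""
    lan_access = {1: UNTAGGED, 30: EXCLUDED}
    cam_access = {1: EXCLUDED, 30: UNTAGGED}
    trunk = {1: TAGGED, 30: TAGGED}
    f = ingress_filtering
    return Switch({
        1: Port(pvid=1, membership=trunk, ingress_filtering=f, tag_only=True),
        2: Port(pvid=1, membership=lan_access, ingress_filtering=f),
        3: Port(pvid=1, membership=lan_access, ingress_filtering=f),
        4: Port(pvid=camera_pvid, membership=cam_access, ingress_filtering=f),
    })


if __name__ == "__main__":
    sw = build_thread_switch()
    print("camera  ->", sw.flood(Frame(4, None)))   # only the trunk, tagged 30
    print("PC      ->", sw.flood(Frame(3, None)))   # trunk tagged 1, port 2 untagged
    print("hop     ->", sw.flood(Frame(4, 1)))      # camera crafts tag 1: dropped
    bad = build_thread_switch(camera_pvid=1)
    print("PVID 1  ->", bad.flood(Frame(4, None)))  # lands in VLAN 1, not a member: dropped
    loose = build_thread_switch(camera_pvid=1, ingress_filtering=False)
    print("no filt ->", loose.flood(Frame(4, None)))  # camera traffic leaks onto the LAN ports
```

Run it and compare the untrusted-device cases: a camera frame only ever leaves the trunk, tagged 30; a camera that crafts its own tag 1 is dropped by ingress filtering on an access port that is not a member of VLAN 1; and the same camera port with PVID left at 1 and ingress filtering switched off puts camera traffic onto the LAN access ports, which is the exposure the post above warns about. The model floods everything (no MAC learning) and ignores spanning tree and the switch's own management interface.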

This is a fantastic and informative reply, written very clearly, thanks!

I'm in a similar position to the OP, I'm new to OpenWrt and just got set up on a NanoPi R4S. Next step will be attempting to set up 2 VLANs (main & IoT) to segregate the network.

I've had a few reads about DSA and the differences between trunk & access ports. Your reply certainly helps to clarify things.

I'm still not quite clear on how to set up the VLANs on OpenWrt, it will have to be via the command line unfortunately as Luci doesn't have any GUI options for setting it up on the R4S. More reading required...

Please keep this thread updated OP with any successful attempts!


DSA only applies to devices with onboard switches running OpenWrt (and targets not using the legacy way with swconfig), your r4s does not fall into this category (no onboard switch at all, just two standalone full featured onboard ethernet 'cards'). There (and on other devices falling into this category, e.g. RPi, x86_64, etc.) you use eth0.1, eth0.7, eth0.42 or eth1.56 to indicate the network interface and the (tagged-) VLAN ID; respectively eth0/ eth1 for untagged traffic.

If your managed switch was running OpenWrt (the realtek target, e.g. rtl838x), DSA might play a role there.

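To make the eth0.1 / eth1.56 naming above concrete, here is an added example (not from the original post and not OpenWrt code) that builds and parses an 802.1Q tagged Ethernet frame in Python and maps its VID to the eth1.<vid> sub-device name used on a router without a switch chip. The frames are constructed byte strings; ingress_device() is this example's own helper, not a kernel or OpenWrt function.

```python
"""What an 802.1Q tag looks like on the wire, and how it maps to the
eth1.<vid> device names OpenWrt uses on a router without a switch chip.

Added example, not from the original thread or OpenWrt. Frames are
constructed byte strings; ingress_device() is this example's helper, not
a kernel or OpenWrt API.
"""
import struct
from typing import Optional

ETH_P_8021Q = 0x8100  # TPID: the EtherType slot that announces a VLAN tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; a 4-byte 802.1Q tag is inserted after the source
    MAC when vid is given. Layout: dst(6) src(6) [TPID(2) TCI(2)] type(2)."""
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    hdr = dst + src
    if vid is not None:
        if not 0 <= vid <= 4094:
            raise ValueError("VID must be 0..4094 (4095 is reserved)")
        tci = (pcp & 0x7) << 13 | vid     # PCP(3) | DEI(1)=0 | VID(12)
        hdr += struct.pack("!HH", ETH_P_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_vid(frame: bytes) -> Optional[int]:
    """VLAN ID carried by the frame. None for an untagged frame and for a
    priority-tagged frame (TPID present but VID 0), which Linux hands to the
    parent interface as if it were untagged."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != ETH_P_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack("!H", frame[14:16])
    return (tci & 0x0FFF) or None


def ingress_device(parent: str, frame: bytes) -> str:
    """Device that receives the frame on OpenWrt: the 8021q sub-device for a
    tagged frame (e.g. eth1.30), the parent itself otherwise."""
    vid = parse_vid(frame)
    return parent if vid is None else f"{parent}.{vid}"


if __name__ == "__main__":
    bcast, cam_mac = b"\xff" * 6, bytes.fromhex("020000000001")  # constructed MACs
    tagged = build_frame(bcast, cam_mac, 0x0806, b"arp", vid=30)
    plain = build_frame(bcast, cam_mac, 0x0806, b"arp")
    print(tagged.hex(), "->", ingress_device("eth1", tagged))  # eth1.30
    print(plain.hex(), "->", ingress_device("eth1", plain))    # eth1
```

The tag is the only difference between a frame the switch emits from a tagged trunk port and one it emits from an untagged access port, which is why a device on an access port never sees a VID at all, and why the router's eth1.1 and eth1.30 are simply the kernel demultiplexing one physical port by that 12-bit field.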

I've made a lot of progress because of your replies, I really appreciate it!

I created a new device, br-vlan, with VLAN filtering enabled, created VLAN1 and VLAN30 with eth1 being tagged for both 1 and 30 and left the "local" box checked for both.

I then tied my main LAN interface to br-vlan1. This locked me out so I knew it was working, but I needed to change my switch settings to account for my new VLAN settings. This is now where I am stuck. My switch has two "port" settings, "port" and "VLAN port". I took a screenshot below.
[Screenshots attached here: the "Port" tab, the "Port" tab after selecting a port and clicking edit, and the "VLAN port" tab.]

Port 1 is connected to the NanoPi, port 2 and 3 are my APs and port 4 is my security camera. I'm trying to keep everything on VLAN1 and the camera on VLAN30, and give access from VLAN1 to VLAN30 but not VLAN30 -> VLAN1.

I tried using the "VLAN port" tab first by tagging port 1 on VLAN1, untagging 2 and 3, and excluding 4. On VLAN30, I tagged port 1, excluded 2 and 3 and untagged 4. This did not work.

I then put everything back to untagged for both VLANs under "VLAN port" and then went to the "port" tab, selected port 1, and clicked edit. I enabled Ingress filtering, enabled VLAN Trunk and changed to tag only. This finally worked and gave me access to my router after confirming the new VLAN settings on my NanoPi but now I'm stuck on getting VLAN30 to work. I have created a new interface with br-vlan.30 and made firewall rules for the two, but no matter what I do I cannot access the camera unless I untag port 4 on VLAN30. If I exclude it, and untag port 4 on VLAN30, I thought it would then follow the firewall rules for br-vlan.30.

I'm mainly confused about the two different port tabs. I've only had experience with the options under the "VLAN port" tab and I'm not sure what the "Port" tab is for or why it worked.
The Zyxel documentation hasn't helped me understand it better either.

This video helped me out a ton!

Just to see what would happen, I changed the switch settings back to default and everything still worked. I then started over with the VLAN settings on the NanoPi and it's doing the same thing. It locks me out when I tag eth1 on VLAN1 and 30. I've tried everything on the switch like I listed above and I couldn't get it to connect before LuCI reverts back. So I have no idea what is going on now. I was told VLAN ID 1 should not be used, so I wanted to use ID 10 and 30 instead of 1 and 30.

When you're using eth1 as a trunk port with tagged VLANs on it, tag every VLAN that is to be on the port. In other words make sure you don't have eth1 without a VLAN number anywhere in your config.

You should be connected through eth0 (or serial or wifi if available) while doing this so you don't get locked out.

It is OK to use 1 as a VLAN here you just have to watch out with some switches it is hard to de-configure 1 being the default for all ports, so it may not be secure as a trusted network.

This is how I have it set up.
vlan1 - 10.10.10.1/16
vlan30 - 10.10.30.1/16
My PC IP = 10.10.10.49
camera = 10.10.30.2
My PC is connected to port 3 of the switch, camera is port 4. Router is connected on port 1.

[Screenshots attached here: Interfaces, Devices, Firewall and VLAN configuration on the router; switch VLAN1 config; switch VLAN30 config; switch PVID config.]
Leaving Ingress check and VLAN trunk disabled on port 1 still allows me to access the router, so I'm not sure what those settings are for.
[Screenshot of the relevant Zyxel documentation attached here.]

With this setup, I can still connect to the router and switch no problem, so it seems br-vlan.1 is working but I'm not able to communicate with br-lan.30. I was under the impression that I should be able to since I have configured the firewall to allow it while also stopping the camera from accessing vlan1 or the internet.

Do you see anything wrong with my configuration?

I appreciate the help!

Your subnets are invalid because they overlap. Why are you using /16 networks? Generally, using a /24 is sufficient in terms of a network size, but you could use larger if necessary. However, the /16 you've got defined means that this won't work.

If you want a proper review of your config, please show us the complete config in text form...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thanks for the reply.
I actually had them at /24 but changed them when I was fiddling with it and forgot to change it back.

Here you go (this device has no wireless, router only with two ports)

root@router:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:28af:8def::/48'

config device
        option name 'eth1'

config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option device 'br-vlan.1'
        option netmask '255.255.255.0'

config device
        option name 'eth0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config device
        option type 'bridge'
        option name 'br-vlan'
        list ports 'eth1'
        option ipv6 '0'

config bridge-vlan
        option device 'br-vlan'
        list ports 'eth1:t'
        option vlan '1'

config bridge-vlan
        option device 'br-vlan'
        option vlan '30'
        list ports 'eth1:t'

config interface 'CAMLAN'
        option proto 'static'
        option device 'br-vlan.30'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'

root@router:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'desktop'
        option dns '1'
        option ip '10.10.10.49'
        option leasetime '0'

config domain
        option name 'desktop'
        option ip '10.10.10.49'

config domain
        option name 'pve'
        option ip '10.10.10.5'

config domain
        option name 'AP1'
        option ip '10.10.10.3'

config domain
        option name 'AP2'
        option ip '10.10.10.4'

config host
        option name 'AP1'
        option dns '1'
        option ip '10.10.10.3'
        option leasetime '0'

config host
        option name 'AP2'
        option dns '1'
        option ip '10.10.10.4'
        option leasetime '0'

config host
        option name 'switch1'
        option dns '1'
        option ip '10.10.10.2'
        option leasetime '0'

config domain
        option name 'switch1'
        option ip '10.10.10.2'

config dhcp 'CAMLAN'
        option interface 'CAMLAN'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'
        list ra_flags 'none'


root@router:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.6'
        option dest_port '51820'

config zone
        option name 'CAMLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'CAMLAN'

config forwarding
        option src 'lan'
        option dest 'CAMLAN'

Let me know if I should add anything else.

As @slh said earlier, your device does not use DSA so you should be using simple eth0.x or eth1.y notation.

And if you're not using Wifi on the device, you don't need any of these networks to be bridges.

So for example, all of the config device and config bridge-vlan stanzas should be removed.

Your lan will have option device eth1.1 and your camlan should simply be option device eth1.30


psherman is spot on; your config could be as simple as the following (I haven't checked the details, read: only /etc/config/network, and I really don't like upper case interface names (camlan), so I 'needlessly' converted that to lower case, which would need changing everywhere else as well (firewall/ dhcp)):

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:28af:8def::/48'

config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option device 'eth1.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'camlan'
        option proto 'static'
        option device 'eth1.30'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'

Your r4s (just as RPi4 or x86_64) doesn't have an onboard switch, that makes the router config easier.


So how would I do that in luci? Create a VLAN device under the device menu, and then tie that to the correct interface? This is the output after doing so. I also do not like uppercase, I was just copying a video and thought it was the right way lol. I have changed that as well.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:28af:8def::/48'

config device
        option name 'eth1'

config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option netmask '255.255.255.0'
        option device 'eth1.1'

config device
        option name 'eth0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '1'
        option name 'eth1.1'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '30'
        option name 'eth1.30'
        option ipv6 '0'

config interface 'camlan'
        option proto 'static'
        option device 'eth1.30'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'

I'm still not able to access the camera unless I untag port 4 on VLAN1 and exclude port 4 on VLAN30 on my switch and delete the camlan interface on the NanoPi.

remove these ... you don't need them.

Did you update your firewall file with the correct case for camlan?

Post your latest config files.


Ohhh, I didn't realize you could just enter in your own device at the bottom of the drop down in the "-- custom --" field.

I could just edit the config but I wanted to know how that interacts with luci as well.
Here are my updated configs:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:28af:8def::/48'

config device
        option name 'eth1'

config interface 'lan'
        option proto 'static'
        option ipaddr '10.10.10.1'
        option delegate '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option netmask '255.255.255.0'
        option device 'eth1.1'

config device
        option name 'eth0'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'camlan'
        option proto 'static'
        option ipaddr '10.10.30.1'
        option netmask '255.255.255.0'
        option device 'eth1.30'

root@router:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'desktop'
        option dns '1'
        option mac '70:85:C2:BE:B9:65'
        option ip '10.10.10.49'
        option leasetime '0'

config domain
        option name 'desktop'
        option ip '10.10.10.49'

config domain
        option name 'pve'
        option ip '10.10.10.5'

config domain
        option name 'AP1'
        option ip '10.10.10.3'

config domain
        option name 'AP2'
        option ip '10.10.10.4'

config host
        option name 'AP1'
        option dns '1'
        option ip '10.10.10.3'
        option leasetime '0'

config host
        option name 'AP2'
        option dns '1'
        option ip '10.10.10.4'
        option leasetime '0'

config host
        option name 'switch1'
        option dns '1'
        option ip '10.10.10.2'
        option leasetime '0'

config domain
        option name 'switch1'
        option ip '10.10.10.2'

root@router:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'wireguard'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_ip '10.10.10.6'
        option dest_port '51820'

config zone
        option name 'camlan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'camlan'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'camlan'

This generally looks fine now. You don't have a DHCP server configured for your camlan. Do you want one setup? If so, add this:

config dhcp 'camlan'
        option interface 'camlan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'none'
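Two of the checks done by eye in this thread, the overlapping /16 subnets pointed out earlier and whether camlan can forward into lan or wan in the firewall config just reviewed, can be scripted against the UCI files. The following is an added example (not from the thread, and not OpenWrt's own tooling); the embedded configs are trimmed copies of the ones posted above, with options that do not affect these two checks removed.

```python
"""Static checks on OpenWrt UCI network and firewall config.

Added example, not from the original thread and not OpenWrt's own tooling.
Checks two things raised above: whether static interface subnets overlap
(the /16 mistake) and which firewall zones may forward to which. The embedded
configs are trimmed from the ones posted; options irrelevant to the checks
are left out.
"""
import ipaddress
import shlex
from typing import Dict, List, Set, Tuple

NETWORK_CFG = """
config interface 'lan'
    option proto 'static'
    option device 'eth1.1'
    option ipaddr '10.10.10.1'
    option netmask '255.255.255.0'
config interface 'camlan'
    option proto 'static'
    option device 'eth1.30'
    option ipaddr '10.10.30.1'
    option netmask '255.255.255.0'
"""

FIREWALL_CFG = """
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    option forward 'ACCEPT'
    list network 'lan'
config zone
    option name 'wan'
    option forward 'REJECT'
    list network 'wan'
config zone
    option name 'camlan'
    option forward 'REJECT'
    list network 'camlan'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'camlan'
"""


def parse_uci(text: str) -> List[dict]:
    """Parse UCI 'config' / 'option' / 'list' lines into sections of the form
    {'type', 'name', 'options', 'lists'}; 'name' is None for anonymous
    sections such as 'config zone'."""
    sections: List[dict] = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        kw, args = parts[0], parts[1:]
        if kw == "config":
            sections.append({"type": args[0], "name": args[1] if len(args) > 1 else None,
                             "options": {}, "lists": {}})
        elif kw == "option" and sections:
            sections[-1]["options"][args[0]] = args[1] if len(args) > 1 else ""
        elif kw == "list" and sections:
            sections[-1]["lists"].setdefault(args[0], []).append(args[1])
    return sections


def interface_subnets(network_cfg: str) -> Dict[str, ipaddress.IPv4Network]:
    """Static interfaces -> the subnet their ipaddr/netmask places them in."""
    nets = {}
    for s in parse_uci(network_cfg):
        o = s["options"]
        if s["type"] == "interface" and o.get("proto") == "static" and "netmask" in o:
            nets[s["name"]] = ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
    return nets


def overlapping_subnets(nets: Dict[str, ipaddress.IPv4Network]) -> List[Tuple[str, str]]:
    """Interface pairs whose subnets overlap; routing between them cannot work."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def forwarding_matrix(firewall_cfg: str) -> Dict[str, Set[str]]:
    """zone -> zones it may forward into: itself when its own 'forward' policy
    is ACCEPT, other zones only via an explicit 'config forwarding'. Traffic
    rules ('config rule' with a dest) can still punch holes; not evaluated."""
    sections = parse_uci(firewall_cfg)
    allowed: Dict[str, Set[str]] = {}
    for s in sections:
        if s["type"] == "zone":
            name = s["options"]["name"]
            allowed[name] = {name} if s["options"].get("forward") == "ACCEPT" else set()
    for s in sections:
        if s["type"] == "forwarding":
            allowed.setdefault(s["options"]["src"], set()).add(s["options"]["dest"])
    return allowed
```

Against the posted configs, interface_subnets() gives 10.10.10.0/24 and 10.10.30.0/24 with no overlap, and forwarding_matrix() gives lan -> {lan, wan, camlan} and nothing at all for camlan or wan, which is the intended one-way policy; swapping the netmasks back to 255.255.0.0 makes overlapping_subnets() report the (camlan, lan) pair that broke the earlier attempt. The forwarding check only reads zone policies and config forwarding stanzas; a config rule with a dest (like the stock Allow-ICMPv6-Forward rule from wan to '*') can still permit specific traffic and is outside what it evaluates.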

I think I will keep it disabled since all of my IP cameras will have a static IP, unless you can think of a reason to have it enabled anyways?

I don't know why I'm not able to access the camlan from lan via http, I might have to post on Zyxel support forum to see if my switch configuration is wrong.

I appreciate your help!

It's not a requirement as long as your devices have static IPs. However, it could be useful in some situations (or, in some cases, it might be less desirable).

Have you tried using a regular computer (or something like a RPi) on the camlan to see if you can get a connection between the two networks? I'd recommend something that you can test more easily and that would nominally work across subnets. Specifically, some systems do not accept connections from other subnets -- Windows by default is like this, so you actually have to adjust the Windows firewall to allow inter-VLAN connections. Your camera system may have a similar firewall feature enabled.

Since you're not using DHCP, you'll want to set a computer with a static IP in the correct subnet, and then test the ability for the connection to happen between the LAN and the camlan.

That said, it is also a good idea to verify that all of the information on the cameras/camera system is correct -- it needs to have an IP, subnet mask, and gateway (and nominally DNS, but that is less critical if you are not using the internet on that network). If any of these are missing or incorrect, the camera may not be able to respond.

Your Zyxel switch configuration will not impact routing, but if the device isn't properly configured, your cameras may actually not be properly connected to the expected network.

I'd start with a test with a regular computer (as I described above). In fact, enabling a DHCP server on that subnet and allowing internet connectivity (camlan > wan forwarding) will help you verify if the network is operating properly... if you get an IP via DHCP, you know you've got your switch configured properly. If you can get to the internet, the router is also configured appropriately. Then it is just your cameras that need verification (settings, local firewall rules, etc.).

You can turn off the DHCP server and remove the camlan > wan forwarding after you've verified everything is functioning.

That is a great idea! I will try that and report back.