Prevent single vlan internet access


#1

Hi,

I want to install some wireless CCTV cameras but I don't want them accessible to the internet but still want them to communicate on the wifi, is this possible if I block internet access via firewall rules in the way that is described here?

Thanks


#2

Yes it is. Let's assume you have a data LAN setup (untagged) as 192.168.50.1 that all the current PCs / laptops connect to.

Set up a VLAN for the CCTV cameras (eg VLAN 51 as 192.168.51.1/24).

Create a new SSID (eg CCTV-WIFI) in that VLAN 51. The WIFI cameras can connect to it.

If you have a dedicated PoE switch with cameras powered from it, either set the port the switch connects to on the Peplink/Pepwave as an access port for VID 51, or if it's a managed switch, set the ports the cameras connect to as access ports for VLAN 51.

Then set up the firewall rules that block that CCTV subnet (192.168.51.0/24) from accessing the WAN.

Devices on the data network will be able to access the internet and the cameras, the cameras won’t have internet access.


#3

Many thanks for this.

The camera I am looking at is https://www.amazon.co.uk/gp/product/B07CN1DZHH/ref=ask_ql_qh_dp_hza so I believe initially I need to connect the camera to an ethernet cable to the router for initial setup so it discovers the network details but it isn't PoE.

I will assign a port to this dedicated vlan and then will try to block the internet and connect the camera to this specific port.

In regard to blocking the subnet I notice you referenced this as (192.168.51.0/24) but you set the vlan as 192.168.51.1/24, why is this number different? It is probably a simple networking question but subnets and masks are very new to me so need to be sure how to configure the firewall rule and what is happening if possible.

Not sure what you mean by ‘Devices on the data network will be able to access the internet and the cameras, the cameras won’t have internet access.’?
By data network do you mean the 192.168.50.1 devices? My current VLANs have 10.xxx.xx.xx addresses in case that makes any difference, I don't think it does but as I said I am new to networks\router\vlans etc.

Thanks again.


#4

I might have this wrong but does it mean that I will just block the entire range on 192.168.51 from 0 -254, which obviously includes 1?

If my laptop is on 192.168.50.x how will they be able to see the camera on 192.168.51.x as aren't they on different network addresses\vlans?


#5

192.168.51.0/24 is a reference to the subnet ID - literally a way to describe this network from an IP addressing perspective. In this case a network that has a usable range of 192.168.51.1 to 51.254 or 254 possible connected devices…

The online subnet calculator is really useful for learning how IP addressing works.

You didn’t give me any addressing, so in my example I picked 192.168.50.0/24 as the ‘normal’ default network where all your computers and printers and stuff would be. This is your 10.x.x.x LAN(s). Ultimately the IP subnets can be anything you want them to be so long as they are different so that you can identify the subnet/network with the cameras on it in the firewall rule you need to create to block their internet access.

Since that firewall rule will only block traffic from your new VLAN with the cameras on, I was trying to say that everything else will be unaffected.


#6

The Peplink router can see both networks and will route traffic between them so your laptop can see the cameras and vice versa.
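An added example, not from this thread or from Peplink's own configuration: it uses Python's standard `ipaddress` module to show why 192.168.51.1/24 (the router's address) and 192.168.51.0/24 (the subnet ID) describe the same block, and models the rule set described above as a small first-match evaluator. The "WAN"/"ANY" destination labels, the catch-all default-allow rule and the sample host addresses are assumptions made for the example.

```python
"""Two-VLAN camera design from the thread, modelled with the ipaddress module."""
import ipaddress
from dataclasses import dataclass

# Addressing from the thread: data LAN on 192.168.50.1/24, camera VLAN 51 on 192.168.51.1/24.
# ip_interface keeps the router's own address (.1); .network gives the subnet ID (.0/24).
DATA_LAN = ipaddress.ip_interface("192.168.50.1/24")
CCTV_VLAN = ipaddress.ip_interface("192.168.51.1/24")
LOCAL_NETWORKS = [DATA_LAN.network, CCTV_VLAN.network]


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network  # traffic originating in this subnet
    destination: str               # "WAN" or "ANY" (assumed labels for this example)
    action: str                    # "allow" or "deny"


# Outbound policy as described: deny the camera subnet to the WAN, everything else allowed.
OUTBOUND_RULES = [
    Rule(CCTV_VLAN.network, "WAN", "deny"),
    Rule(ipaddress.ip_network("0.0.0.0/0"), "ANY", "allow"),  # assumed default rule
]


def is_wan(dst: ipaddress.IPv4Address) -> bool:
    """A destination is WAN-bound when it lies in none of the router's local networks."""
    return not any(dst in net for net in LOCAL_NETWORKS)


def evaluate(src: str, dst: str, rules=OUTBOUND_RULES) -> str:
    """Return the action of the first matching rule (first match wins, as on most firewalls)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    wan = is_wan(d)
    for rule in rules:
        dest_ok = rule.destination == "ANY" or (rule.destination == "WAN" and wan)
        if s in rule.source and dest_ok:
            return rule.action
    return "deny"  # not reached with the catch-all above; safe default otherwise


def subnet_facts(iface: ipaddress.IPv4Interface) -> dict:
    """Subnet ID, gateway and usable host range for an interface such as 192.168.51.1/24."""
    net = iface.network
    return {
        "subnet_id": str(net.network_address),   # 192.168.51.0, the ID used in the firewall rule
        "gateway": str(iface.ip),                # 192.168.51.1, the router's address in that block
        "first_host": str(net[1]),
        "last_host": str(net[-2]),               # .255 is the broadcast address
        "usable_hosts": net.num_addresses - 2,
        "gateway_in_block": iface.ip in net,     # the .1 address is inside the blocked range
    }
```

Running `evaluate("192.168.51.10", "8.8.8.8")` models a camera reaching for the internet and returns "deny", while `evaluate("192.168.50.20", "192.168.51.10")` models the laptop viewing the camera across VLANs and returns "allow".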


#7

I see, normally I prevent VLAN inter-routing so they can't see each other but it makes sense if I don't do this. Thank you so much for the other answers as it has cleared everything up brilliantly.


#8

This has worked perfectly and there is no internet access on this VLAN, I assume that even if somebody was able to hack into the camera via the internet they wouldn't be able to get any pictures from it due to it not being able to talk back to the internet?

For a belt and braces approach should an inbound rule be added, what would it look like, similar to the outbound but something to allow access from other devices on the same vlan?

Thanks