I want to install some wireless CCTV cameras but I don't want them accessible to the internet, but I still want them to communicate on the Wi-Fi. Is this possible if I block internet access via firewall rules in the way that is described here?
Yes it is. Let's assume you have a data LAN set up (untagged) as 192.168.50.1 that all the current PCs / laptops connect to.
Set up a VLAN for the CCTV cameras (e.g. VLAN 51 as 192.168.51.1/24).
Create a new SSID (e.g. CCTV-WIFI) in that VLAN 51. The Wi-Fi cameras can connect to it.
If you have a dedicated PoE switch with cameras powered from it, either set the port the switch connects to on the Peplink/Pepwave as an access port for VID 51, or if it's a managed switch, set the ports the cameras connect to as access ports for VLAN 51.
Then set up the firewall rules that block that CCTV subnet (192.168.51.0/24) from accessing the WAN.
Devices on the data network will be able to access the internet and the cameras, the cameras won’t have internet access.
I will assign a port to this dedicated VLAN and then will try to block the internet and connect the camera to this specific port.
In regard to blocking the subnet, I notice you referenced this as (192.168.51.0/24) but you set the VLAN as 192.168.51.1/24. Why is this number different? It is probably a simple networking question, but subnets and masks are very new to me, so I need to be sure how to configure the firewall rule and what is happening, if possible.
Not sure what you mean by ‘Devices on the data network will be able to access the internet and the cameras, the cameras won’t have internet access.’?
By data network do you mean the 192.168.50.1 devices? My current VLANs have 10.xxx.xx.xx addresses in case that makes any difference; I don't think it does, but as I said I am new to networks/routers/VLANs etc.
192.168.51.0/24 is a reference to the subnet ID - literally a way to describe this network from an IP addressing perspective. In this case, a network that has a usable range of 192.168.51.1 to 51.254, or 254 possible connected devices.
You didn’t give me any addressing, so in my example I picked 192.168.50.0/24 as the ‘normal’ default network where all your computers and printers and stuff would be. This is your 10.x.x.x LAN(s). Ultimately the IP subnets can be anything you want them to be so long as they are different so that you can identify the subnet/network with the cameras on it in the firewall rule you need to create to block their internet access.
Since that firewall rule will only block traffic from your new VLAN with the cameras on, I was trying to say that everything else will be unaffected.
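The subnet-ID versus gateway-address point above, and the effect of the single outbound rule, can be worked through in code. This is an added example, not part of the original thread or any Peplink software: it uses the thread's example addressing (192.168.50.0/24 data LAN, router at 192.168.51.1/24 on VLAN 51) and models only the one rule described, "CCTV subnet to WAN: deny, everything else: allow".

```python
import ipaddress

# Constructed example addressing, matching the thread's example (not a real site).
DATA_LAN = ipaddress.ip_network("192.168.50.0/24")       # untagged data LAN
CCTV_VLAN_GATEWAY = "192.168.51.1/24"                    # router's own address on VLAN 51
CCTV_SUBNET = ipaddress.ip_interface(CCTV_VLAN_GATEWAY).network  # the subnet ID: 192.168.51.0/24


def subnet_summary(gateway_cidr: str) -> dict:
    """Derive the subnet ID, usable host range and host count from a gateway/prefix string.

    This is the difference the thread asks about: 192.168.51.1/24 is one address
    (the router) inside the network whose ID is 192.168.51.0/24.
    """
    iface = ipaddress.ip_interface(gateway_cidr)
    net = iface.network
    hosts = list(net.hosts())          # excludes the network ID and broadcast address
    return {
        "gateway": str(iface.ip),
        "subnet_id": str(net),
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


def is_wan(dst: ipaddress.IPv4Address) -> bool:
    """Anything outside the router's own local subnets is treated as WAN-bound."""
    return not (dst in DATA_LAN or dst in CCTV_SUBNET)


def outbound_rule_allows(src_ip: str, dst_ip: str) -> bool:
    """Model of the one outbound rule: deny CCTV subnet -> WAN, allow everything else.

    Inter-VLAN traffic (data LAN <-> cameras) is assumed to remain routed, as the
    thread describes, so only camera -> internet flows are refused.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src in CCTV_SUBNET and is_wan(dst):
        return False
    return True


if __name__ == "__main__":
    print(subnet_summary(CCTV_VLAN_GATEWAY))
    # Constructed sample flows: camera to internet, PC to internet, PC to camera, camera reply to PC.
    for s, d in [("192.168.51.20", "8.8.8.8"), ("192.168.50.10", "1.1.1.1"),
                 ("192.168.50.10", "192.168.51.20"), ("192.168.51.20", "192.168.50.10")]:
        print(f"{s} -> {d}: {'allowed' if outbound_rule_allows(s, d) else 'blocked'}")
```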
I see; normally I prevent VLAN inter-routing so they can't see each other, but it makes sense if I don't do this. Thank you so much for the other answers, as it has cleared everything up brilliantly.
This has worked perfectly and there is no internet access on this VLAN. I assume that even if somebody was able to hack into the camera via the internet they wouldn't be able to get any pictures from it, due to it not being able to talk back to the internet?
For a belt-and-braces approach, should an inbound rule be added? What would it look like: similar to the outbound, but something to allow access from other devices on the same VLAN?