G+_J Miller Posted April 21, 2018

Hi everyone. I am about to install up to 16 IP cameras in and around my home. These cameras are going to be throwing a lot of data around my network. This got me thinking about how my network was set up and how I could improve it and keep it running fast. I am a gamer and use PLEX to stream video to the Rokus I have around the home, so I have high demands on my network.

Since I know just enough to be dangerous, I would like to get a conversation going from the talented people here on the best way to go about setting up secure high speed Ethernet networks, securely connecting them to your ISP, what equipment will do the job for the least amount of money and, of course, reliability. I would like this to be a learning post so everyone can take away something from it. If you were thinking of doing this also, maybe this will get you to get that project going.

A little background on my application: When I moved in, many moons ago, I saw the need for a high speed network, so I installed CAT5E to many Ethernet ports throughout the home, all going to one big box where a huge switch is located, so almost all of the equipment in my home is hard wired. Of course we use WIFI all over, so instead of having the router use WIFI, I have 2 WAPs (Wireless Access Points) located in different locations to spread the coverage out.

Please take a look at what I have noted below and don't be shy to give me your 2 cents or professional recommendations.

First I broke the single existing network into 3 separate networks for security and speed considerations.

1. Main Network

This network will have its own dedicated router for wired connections and WAPs for WIFI connections. This network will support all of our servers, work stations, tablets and entertainment devices like Roku, and voice controllers like Amazon's Alexa and Google Home products.

This Network Needs:
- Access to Internet.
- Wireless and wired connections.
- Access to all other devices on this network.
- Access to devices on the “Security Network”.
- Serve “Plex” to LAN.
- Serve “Plex” to WAN.
- Serve “Plex” to Guest Network if possible.
- Be fast for gaming.

2. Security Network

This network will have its own dedicated router for wired connections and use the WAP(s) for WIFI connections if possible. If not, then I will use the router's built-in WIFI or dedicated WAP(s) for the WIFI. This network will support all of the IP cameras, SVR (Security Video Recorder), home control systems and security system.

This Network Needs:
- Access to Internet. (If needed)
- Wireless and wired connections.
- Be secure.
- POE.
- Cameras will serve video to Main Network.
- Cameras will serve video to Security Network.
- Cameras will serve video to WAN. (Please advise on how to do this securely)
- SVR (Security Video Recorder) will record video from all IP cameras on Security Network.
- SVR will serve video to Main Network.
- SVR will serve video to Security Network.
- SVR will serve video to WAN. (Please advise on how to do this securely)

3. Guest Network

This network will use the "Guest" partition on the "Main" network's router or WAPs for WIFI connections. The guest network will provide internet access via WIFI to my guests that come over. I would prefer to not secure this network, as giving passwords to my guests so they can check their Facebook account seems useless to me.

This Network Needs:
- Access to Internet.
- Wireless connections only.
- Not have access to any other network.
- Access to PLEX? (Maybe a password to access?? Please advise on how to secure this to an open network)

Feel free to chime in here if I missed anything or if you would like to start a conversation on security or setup or equipment you used to make your ideal network infrastructure.

Here is a link to a document I am currently working on to document this. If you see anything I should add, please chime in. Thank you for your time.

G+_Travis Hershberger Posted April 21, 2018

First of all, what network equipment do you currently have? It doesn't make sense to spend money if you already have perfectly serviceable equipment.

As for actually hooking things up, I'd keep the IP cameras completely separate from your main/guest network if you can. They can use a lot of bandwidth, and the best way to make your router/switches perform horribly is to turn on QOS.

A quick example. The Ubiquiti ER-X can forward a full 1gb/sec until you turn on QOS, and then it drops to ~68mb/sec. This is simply because there is no way to have an ASIC handle QOS, it all has to go through the CPU. That does change, but we're talking $10,000 to start. The mid range Ubiquiti routers will do ~120mb/sec, and they just released a $200 model that should hit ~200mb/sec with QOS turned on. I have an ER-POE at home, so I know that 120mb/sec is about right.

If I had the option, I'd make the NVR be the only way to access the camera network. Possibly using it to be a router/gateway/firewall between the networks if you really want to access the individual cameras from the main network.

As for gear, I'd look at Ubiquiti and HPE if you need switches. No other company even touches Ubiquiti for routers and access points.

G+_Travis Hershberger Posted April 21, 2018

Almost forgot. Once you've dealt with the camera network, creating a guest network should be clicking an option box on a GUI, no matter what network gear you end up with.

G+_Geoff Galley Posted April 21, 2018

3 dumb routers would be a good solution.

G+_Neil Sondhi Posted April 21, 2018

I have something similar set up at my home, works like a charm. Details below:

1. Switch: D-Link DGS-1210.
2. Router: 2x Netgear R8000P.
3. CAT7 wired network.
4. 12 cameras (IP).

I have enabled the guest network for IOT devices and use them without any issues. I access them mostly via their app through the internet, like remote access, even when I am local.

The camera network is in a dedicated VLAN and only the NVR has access to the internet. This enables me to check the cameras not directly but only via the NVR.

VLANs made a huge difference: without VLANs the network did show some slowness, but after enabling VLANs I got the full bandwidth I was expecting. QoS did not make much difference so I left it switched off.

Looking at your setup, did you consider using pfSense as a VM to do routing for the different networks, or using an old desktop with 4-5 NICs to do the routing? It's not clear how you want to manage the routing/firewall etc. pfSense does a great job and is easy to configure.

G+_Paul Hutchinson Posted April 21, 2018

Any service that locally bridges between the networks is a point that can make the security fall apart and end up no better than a single network configuration. So if you want the best security, eliminate all the "serve to other local network" items in your lists. Then use a configuration like Neil Sondhi describes to exchange data between the local networks via the Internet.

Convenience generally reduces security.

G+_Ben Formesyn Posted April 21, 2018

From your description and requirements I'm going to make the assumption that you're fairly technically savvy.

From your list, if I assume you have cameras / Plex etc. already set up, you'd need a Switch, Firewall and WiFi AP: around £600 GBP (~850 USD) if you were buying new kit for this; second hand from eBay you could do a lot better.

I'd also agree with Neil Sondhi's comments above.

1. For cameras, definitely only use wired connections for your cameras. If you had that number on the wireless you're likely to find frequent drop outs, and other devices trying to use the network may struggle for any decent throughput.

2. Consider using pfSense to act as your main internet Firewall / Router with either dedicated NICs to interface for each VLAN, or use VLAN tagging if you have a Switch that supports this (most "managed" switches will do), as this allows you to control each network in terms of the access (if any) to any other local networks and the internet. Think of this as an 'upgrade' to a three dumb routers approach.

3. For Wireless AP, you could look at a Router (e.g. Netgear R7000 or newer) running DD-WRT (or alternatives) which supports running multiple Wireless APs at the same time from a single box. With VLAN tagging back to the switch and then Router, you can run a separate WiFi AP for each VLAN from a single box.

G+_Brent Vrieze Posted April 22, 2018

I agree with a couple of my distinguished KITAs that you should use pfSense. If you are going to the expense and trouble to add all this gear, you need the back end to support it.

I posted here a couple of weeks ago about the cost of building a pfSense firewall/router. I think you can do it for around $250. Let me look it up again (this is fun):

$60 - Motherboard. Make sure it does NOT have a 1x PCIe slot (most of them do). This one is Mini-ATX; for more flexibility use Micro-ATX, but they are larger and take more power. This has an embedded CPU with no fan. newegg.com - ASRock J3355B-ITX Intel Dual-Core Processor J3355 (up to 2.5 GHz) Mini ITX Motherboard/CPU Combo

$60 - 4GB of RAM

$30 - small SSD

$60 - 4 port NIC, something like https://www.newegg.com/Product/Product.aspx?Item=9SIA6CC5528650 Make sure it can do VLAN tagging if you want to do trunks off the router. If not, you don't need it. Also make sure you get a low profile card if your case only takes a low profile card. Some have both brackets.

$45 - case, something like this with the power supply in it. https://www.newegg.com/Product/Product.aspx?Item=N82E16811147131

If you would like to save a bit of money you could just buy some un-managed 1Gb switches, 1 for each subnet/VLAN.

As far as WiFi is concerned, you should get one that does multiple SSIDs so that you are using the same radios for all of them. This reduces the ambient radio noise from having so many APs in the area. I use an old Cisco 1142 in autonomous mode and trunk 3 networks to it. Cost was $50. For this to happen you need some way to trunk all the VLANs up to the AP though, which means at least 1 managed switch. I could not get pfSense to trunk to the AP properly and gave up.

I love my setup and can't wait to test the 1 Gb capacity when they pull the fiber to my house when the frost leaves the ground.

G+_K Branch jr Posted April 25, 2018

This is good info. Please keep posting updates.

G+_J Miller Posted April 26, 2018 (Author)

Hi all, sorry for the delay as I was pulled away and could not get back before now. Thanks for the great responses.

Travis Hershberger

"First of all, what network equipment do you currently have?"

I currently have this equipment on my main network:
- (1) TP-Link AC1200 (Router)
- (2) TP-Link TL-WA901ND (WAPs)
- (1) D-Link 24 port switch
- Various smaller gig switches at other locations throughout the network. Never more than one sub switch from the main.

I have this extra router laying around:
- (1) Linksys E3000 (Router)

I intend on using this router for the security network if it still works properly.

"If I had the option, I'd make the NVR be the only way to access the camera network. Possibly using it to be a router/gateway/firewall between the networks if you really want to access the individual cameras from the main network."

This sounds like a great idea. Can you tell us more on how to do this? I am calling the manufacturer of the NVR for another issue. I would love to throw this at them.

"creating a guest Network should be clicking an option box on a gui, no matter what network gear you end up with."

Yes, the guest network should be pretty easy, but I would love to get the WAPs to transmit the guest network, and the cheap ones I am using do not do this. I turn on the wireless and the guest wireless when guests arrive but this is tedious. I do not use the router wireless functions on a day to day basis as I have found that it extends the router's life. These cheap $25 WAPs do a great job and are easily and cheaply replaceable when they become flaky at about every 1.5 to 2 years.

G+_J Miller Posted April 26, 2018 (Author)

Neil Sondhi

"The camera network is in a dedicated VLAN and only the NVR has access to the internet. This enables me to check the camera not directly but only via the NVR."

So you have 2 independent routers but are using VLANs on one or both? I need to understand this better.

"Looking at your setup, did you consider using pfsense as a VM to do routing for different networks or use an old desktop with 4-5 NIC to do the routing."

If the routers cannot handle the cross network traffic securely then I guess I will have to figure out a way to cope without it, or forget security and keep it convenient. Extra hardware is really not an option for me. But it may be for others looking to do this.

G+_J Miller Posted April 26, 2018 (Author)

Paul Hutchinson, thank you for your endorsement of Neil Sondhi's networks. Sounds like this is the way to go. I will know more tomorrow when I talk to the NVR guys.

I have several tablets around the house with my home control system/security on them and would like to see each camera individually instead of all of the cameras blocked together, which is what the NVR will put out. I am not sure if my NVR will feed the cams individually. I will check.

G+_J Miller Posted April 26, 2018 (Author)

Ben Formesyn,

"For cameras, definitely only use wired connections for your cameras"

I agree, as I am a wire guy and am in the process of running C5 to all of the camera locations.

"Consider using pfSense to act as your main internet Firewall / Router"

I can't do that, but someone here might want to. I need to keep it dumb router only.

"For Wireless AP - you could look at a Router ( eg Netgear R7000 or newer ) running DD-WRT"

Yeah, I will probably be installing DD-WRT on my AC1200 to see if I can get it to do what I need it to.

G+_J Miller Posted April 26, 2018 (Author)

Brent Vrieze

"I agree with a couple of my distinguished KITAs that you should use PfSense."

Wow, you almost have me convinced, but I would hate to have to buy new equipment if I don't have to, and secondly, I hate network issues and I can see me having to fiddle with it all the time.

G+_J Miller Posted April 26, 2018 (Author)

OK, I just set up the Linksys router and connected it to the NVR. Most of the cams will go to the NVR and some will go to the router. I am assuming that will be OK? Can the security router's feed run into any switch (DHCP) of the main router? Or do I have to DMZ a special output on the main router for its feed? Soooo much to learn. Thanks.

G+_Neil Sondhi Posted April 26, 2018

J Miller, yes, I have 2x VLANs. pfSense takes care of the routing and maintains DHCP. I am using an ACL on the VLAN to allow the NVR to reach the internet. Otherwise all cameras are in their own “sandbagged” VLAN. IOTs are always on the guest network. So in total I have 2x VLANs and guest networks.

I think you should at least give pfSense a try on an old desktop; you will be surprised how easy it is to manage multiple networks. If you want to talk more then just catch me on hangout (my time zone +1 GMT). I will be glad to share and learn.

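The segmentation discussed in this thread (cameras reachable only through the NVR, only the NVR allowed out to the internet, guests limited to the internet) can be written as a first-match rule table and checked against a list of flows. This is an added example, not code from any poster and not pfSense's own rule format; the subnets, the NVR address and the rule layout are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed addressing plan (an assumption; the thread gives no subnets).
NETS = {"main": ip.ip_network("192.168.10.0/24"),
        "cameras": ip.ip_network("192.168.20.0/24"),
        "guest": ip.ip_network("192.168.30.0/24")}
NVR = ip.ip_address("192.168.20.10")  # hypothetical NVR address

# Rules per source network, read top-down; first match wins and anything
# unmatched is dropped. Only new connections are modelled: replies to an
# allowed connection are assumed to pass, as on a stateful firewall.
RULES = {
    "main": [("pass", "any", NVR),                # view video through the NVR
             ("block", "any", NETS["cameras"]),   # never the cameras directly
             ("pass", "any", "any")],
    "cameras": [("pass", NVR, "internet")],       # only the NVR goes out
    "guest": [("pass", "any", "internet")],       # internet and nothing else
}

def _match(spec, addr):
    if spec == "any":
        return True
    if spec == "internet":                        # outside every local network
        return not any(addr in net for net in NETS.values())
    if isinstance(spec, ip.IPv4Network):
        return addr in spec
    return addr == spec

def allowed(src, dst, rules=RULES):
    """True if a new connection from src to dst would be passed."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    zone = next((z for z, net in NETS.items() if src in net), None)
    for action, s, d in rules.get(zone, []):      # unknown source (WAN): no rules
        if _match(s, src) and _match(d, dst):
            return action == "pass"
    return False                                  # default deny

# Constructed flows with the outcome the thread's design calls for.
EXPECTED = [
    ("192.168.10.50", "192.168.20.10", True),   # main PC -> NVR
    ("192.168.10.50", "192.168.20.31", False),  # main PC -> camera
    ("192.168.20.31", "203.0.113.7", False),    # camera -> internet
    ("192.168.20.10", "203.0.113.7", True),     # NVR -> internet
    ("192.168.30.20", "203.0.113.7", True),     # guest -> internet
    ("192.168.30.20", "192.168.10.5", False),   # guest -> main network host
    ("203.0.113.7", "192.168.20.10", False),    # unsolicited WAN -> NVR
]

def audit(rules=RULES):
    """Return the flows whose outcome differs from the expected one."""
    return [(s, d) for s, d, want in EXPECTED if allowed(s, d, rules) != want]
```

`audit()` returns an empty list for the table above; passing it a table where the guest rule has been loosened to pass everything reports the guest-to-main flow as a violation.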