Cable modem → Ubiquiti UDM Pro → (1) hex providing DNS, DHCP, and Wireguard server; (2) Home Assistant server; (3) Proxmox server; (4) Ubiquiti POE switch; (5) Windows PC.
The Ubiquiti POE switch has a bunch of Ubiquiti access points connected to it.
LAN uses 192.168.0.0/24
But, the Windows PC has a second NIC configured at 192.168.5.0/24 and connected to a POE switch with over a dozen IP cameras, all in the 192.168.5.x space.
It’s been working like this for years.
If I wasn’t completely unable to handle VLANs, I would do it differently.
Now I have a need for another AP and 2 cameras, but I only have a single cat6 cable run (and it is a long, outdoor run).
So, I was thinking about putting a small switch at the remote end of the single cable and connecting the AP and 2 cameras to that switch.
But, the cameras will all be on 192.168.5.x and the AP on 192.168.0.x.
So, how should I do this?
Yes, I really, really, really have tried to work with VLANs, and I’ve gotten some very very basic stuff done, but it’s just too difficult for me.
A switch is L2.
IP addresses are L3.
For all it matters to the switch, you could connect a device with any IP address to one of its ports; it is a connection on another level.
The issue (or non-issue) is only that the two networks won’t be physically separated anymore, i.e. the two added cameras will be physically connected to the same network that has access to the internet.
And you will need to add something to allow the Windows PC to access the cameras from the “wrong” interface.
How many megabit/sec is each camera doing? 2 Mbps? 4 Mbps? 6 Mbps?
In theory you can “split” your CAT6 cable into 2 sets of connections, but limited to 100 Mbps!!
However, this might not be a problem if you have 4-6 Mbps per cam and 12 cams < 100 Mbps.
The other 100 Mbps “channel” can then be used to connect the AP, but again limited to 100 Mbps!!
There exist connectors to “split” your UTP into 2 UTPs.
I forgot to include that the Windows PC runs Blue Iris video management server.
Nonetheless, the plan/idea behind my initial config was indeed to keep the networks physically separated both for security and for performance purposes.
I would add the new computers to the 192.168.0.x network, but that would be sloppy. Or, get more complicated and, instead of a switch for the AP+2 cams, put a hEX there, connect the other side of that cable to the other hEX, and route directly between them?
You could have the two added cameras on a small, completely different, network, with only three devices in it, let’s say 10.0.0.0/29 (ok, six addresses).
Then you could use the Hex (or a hAP ax lite) placed near the Windows PC to route or netmap them to 192.168.5.x addresses, but of course this device needs to be connected to both of the Windows PC’s network cards.
Or maybe use two different addresses for the two cameras and use /32 links?
Or, if not possible, two /30.
The issue with the splitter is not so much for the two cameras, 2x15=30 is anyway much less than 100, it is the other half of the split that may become a bottleneck for the AP traffic.
I already have a hex near the Windows PC (serving Wireguard, DNS, and DHCP). I wonder if plugging the cable that goes to a switch (connected to the 2-cams+AP), and then connecting one of the hex’s interfaces to a port on the camera system’s POE switch would be the simplest solution?
Set up the switch and devices on a different network (10.1.1.0/24) and use the hex to route the cameras to the Windows PC and the AP to the UDM? (Clearly I’m not totally clear on this part of it.)
Yes, that way could work.
But the switch does NOT have any network; it is L2. The AP can have the “normal” network and be bridged to the rest of the network. If there is a connection from the Hex to the PoE switch to which the other cameras are connected, the two added cameras can have the same network as the other ones, and be also simply bridged on the Hex, no need for a different network or for routing (or netmapping).
Using one (or more) different network(s), with “saturated” IP addresses, is only an added (little) step to increase separation and security, but if this traffic goes through the Hex I think you can add firewall filter rules to the bridge, using them to allow only the desired traffic.
I totally agree with @jvanhambelgium concerning vlans. What you are proposing is much more complex than learning to use vlans.
It seems in your original diagrams (as it currently is), that the only MikroTik device is the hex that is being used for wireguard, DNS and DHCP, things that could also be done on a raspberry pi. Would you ask your Unifi question on a raspberry pi forum? The point is, you are asking help in the wrong forum if your question is about how to configure your Unifi equipment.
All the Ubiquiti Unifi stuff is vlan-aware, and there are many youtube videos describing how to set up vlans on Unifi, and it is much easier to configure (there are fewer knobs to turn) on Unifi compared to MikroTik ROS. It isn’t clear to me why the UDM pro isn’t being used for the services that the hex is currently doing.
Here’s how I would approach it. The new connection for vlan for 192.168.5.0/24 from the surveillance switch could go to a trunk port (or even an access port if the “surveillance switch” is not vlan-aware) on either the UDM or on the USW-16 (if you are out of ports on the UDM).
While it is possible to have multiple ip subnets sharing the same broadcast domain (LAN), doing so will prevent DHCP from working correctly if there is more than a single dhcp server connected to the LAN. VLANs create separated broadcast domains on the same trunk port; these are kept separate by the IEEE 802.1Q tags. Access ports on the switches allow non-vlan-aware devices to connect to a specific vlan (specified by the pvid), which defines the “native vlan” or “access vlan” (depending on whether it is a trunk port with native vlan (hybrid port in MikroTik dialect) or a pure access port where no frames with vlan tags exist).
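The trunk/access/pvid/hybrid-port concepts from the post above, and the “bridge the cameras on the Hex” idea from the earlier reply, written out for the hEX that already sits on the LAN. This is an added example, not configuration from anyone in the thread; the port roles (ether1 to the UDM, ether2 the long cat6, ether3 to the camera switch), VLAN ID 5 for the 192.168.5.0/24 cameras, and a vlan-aware switch at the remote end are all assumptions.

```routeros
# Added example (not from the thread). Assumed hEX ports:
#   ether1 - uplink to the UDM Pro, plain LAN 192.168.0.0/24 (untagged)
#   ether2 - the single long cat6 to a vlan-aware remote switch: hybrid/trunk,
#            native (untagged) LAN for the AP, VLAN 5 tagged for the 2 cameras
#   ether3 - to the existing camera PoE switch: access port in VLAN 5
# VLAN IDs 1 (LAN) and 5 (cameras) are assumptions, not values from the thread.
/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on last"

/interface bridge port
# untagged LAN port towards the UDM: untagged frames only, land in VLAN 1
add bridge=bridge1 interface=ether1 pvid=1 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# hybrid port (trunk with native vlan): untagged = VLAN 1 for the AP,
# tagged 5 = cameras; ingress-filtering drops tags not listed below
add bridge=bridge1 interface=ether2 pvid=1 frame-types=admit-all \
    ingress-filtering=yes
# pure access port for the camera switch: no tags ever enter or leave it
add bridge=bridge1 interface=ether3 pvid=5 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 5 (cameras): tagged on the trunk only, untagged on the access port.
# VLAN 1 needs no entry: pvid=1 on ether1, ether2 and on bridge1 itself
# makes them untagged members automatically, so the hEX keeps its
# management/DNS/DHCP address on the LAN and never sees 192.168.5.x frames.
add bridge=bridge1 vlan-ids=5 tagged=ether2 untagged=ether3

# Enable VLAN filtering only after the table above is complete; doing it
# earlier drops the management session that runs over the bridge.
/interface bridge set bridge1 vlan-filtering=yes
```

The remote switch must carry VLAN 5 tagged on its uplink and untagged on the two camera ports; a dumb, non-vlan-aware switch at the far end would put the cameras into the LAN instead.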
The only Unifi equipment I have is Unifi APs; I have never used any Unifi switches or UDM. But searching for “unifi vlans” found this, and although long (41 minutes), it seems to be a good “foundations” video, Unifi Vlans and it covers some of your equipment.
Only as a side-side note, I could never understand the (I believe general) love for DHCP on simple, small, “static” networks.
Of course it is a must have for wireless, and useful for cabled PC’s, but cameras?
I can imagine very few things as “static” as cameras: you have to go there, bring an ethernet connection near the spot, drill holes in the wall or ceiling, screw them tightly; they won’t likely change.
Unless you assign them a static address in the DHCP server AND allow at firewall/bridge level only those few addresses, anyone with physical access can connect a PC to the ethernet and already have a valid IP assigned. Not that it is in any way a “good” security measure, but on a static setup without any DHCP server at least the hypothetical intruder will have to scan the connection to find which network it is running on.
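The two measures the post names (reservation-only DHCP, plus a bridge-level allow list of just those addresses) as an added example on a hEX; it is not configuration from the thread. It assumes the camera network 192.168.5.0/24 is served from a VLAN interface called vlan5 on the hEX, that the camera switch hangs off bridge port ether3, and the MAC/IP pairs are constructed placeholders.

```routeros
# Added example (not from the thread). Assumptions: interface "vlan5" on the
# hEX carries 192.168.5.0/24, the camera switch is on bridge port ether3,
# and the MAC addresses below are constructed placeholders.
/ip address
add address=192.168.5.1/24 interface=vlan5

# DHCP server that only answers known MACs: address-pool=static-only means
# there is no dynamic pool at all, an unknown device simply gets no lease.
/ip dhcp-server network
add address=192.168.5.0/24 comment="no gateway: cameras only talk to the NVR"
/ip dhcp-server
add name=dhcp-cams interface=vlan5 address-pool=static-only disabled=no
/ip dhcp-server lease
add server=dhcp-cams mac-address=AA:BB:CC:00:00:11 address=192.168.5.11 comment=cam-front
add server=dhcp-cams mac-address=AA:BB:CC:00:00:12 address=192.168.5.12 comment=cam-back

# Bridge-level allow list on the camera port: only the reserved MAC/IP pairs
# may be forwarded (IP and ARP); any other device plugged into that switch is
# dropped. DHCP requests reach the hEX's own server via the input chain, so
# the forward drop does not interfere with handing out the reservations.
/interface bridge filter
add chain=forward in-interface=ether3 src-mac-address=AA:BB:CC:00:00:11 \
    mac-protocol=ip src-address=192.168.5.11/32 action=accept comment=cam-front
add chain=forward in-interface=ether3 src-mac-address=AA:BB:CC:00:00:11 \
    mac-protocol=arp action=accept
add chain=forward in-interface=ether3 src-mac-address=AA:BB:CC:00:00:12 \
    mac-protocol=ip src-address=192.168.5.12/32 action=accept comment=cam-back
add chain=forward in-interface=ether3 src-mac-address=AA:BB:CC:00:00:12 \
    mac-protocol=arp action=accept
add chain=forward in-interface=ether3 action=drop \
    comment="unknown device on camera port"
```

As the post says, this is not a strong control: a MAC and address can be copied from a camera label. It only stops the casual plug-in, and the drop rule's counters give you a cheap indicator that something unexpected was connected.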
I agree that it makes sense to use static addresses for cameras, but more for the ability to operate without a dhcp server available, especially if there isn’t a UPS protecting the cameras and dhcp server.
Given the current config, my guess is that the cameras and the extra NIC on the PC are probably using static addresses at this time, since it isn’t common for a PC to provide dhcp.
I have my networking equipment (switches, routers, printers) all configured with static ip addresses, but I still configure the dhcp server with the mac addresses and corresponding ip addresses as “static reservations”, but that is mostly for documentation purposes.