Separating IP Cam traffic between two Mikrotik routers

I’ve got two Mikrotik routers, a CRS328 and a CRS326, connected to each other via a 10G optical link. The first router is connected to the Internet.
All ethernet ports on the first router, together with the optical port that carries the connection to the second router, are grouped into a bridge. The first router takes care of internet connectivity (masquerade etc.) on behalf of the entire network via another optical port. The second router is just a switch with no extra functionality. All ethernet ports of the second router, again together with the optical port carrying the connection to the first router, are bridged.

There are five IP cameras connected to the first router and two IP cameras plus an NVR connected to the second router. All works fine.

My NVR happens to have two network interfaces, so I’m thinking of separating the camera ports out from the bridge(s) and building completely separate network segment(s) for the cameras and NVR only. The NVR would be receiving traffic from the cameras via one interface and I would be accessing the NVR via the second interface from the default (non-camera) network segment.

How would you recommend connecting those isolated port groups in each router together? I.e. I can dedicate one more port in each router and connect them via a dedicated secondary ethernet cable, connecting the camera “islands” together. Or would you rather suggest encapsulating the traffic and shipping it over the already existing connection (more so since it has an abundance of capacity anyhow)? Is VLAN the correct approach or is there any other way? And if VLAN is used, can I somehow configure VLAN tagging only for the camera segment?

I’m not super skilled in routing, am struggling with VLAN configuration already, and seek advice on which direction to take, so as to focus me in the right direction and limit the number of attempts/amount of material to study. Thanks in advance!

What are you trying to achieve by isolating the cameras?

I don’t think you need to use the two interfaces of your NVR, unless your NVR will not act as gateway for your cameras and you want to physically isolate the two networks.

As you understood, you can create two VLANs, one for the computers and one for the cameras/NVR.
You need to define the VLANs on the two bridges you have on both CRS and then create two VLAN interfaces on the CRS328 so it can act as gateway for the two networks.
Then you need to assign the various tagged and untagged ports to carry the traffic:

  • all the ports where you have cameras and computers will be set up as untagged and assigned the correct PVID.
  • all the ports used to interconnect the CRS328 and CRS326 will be tagged
  • create two VLAN interfaces on the CRS328 and add them to the bridge to manage the traffic for the respective VLANs and allocate DHCP servers (I assume you use the CRS328 also as DHCP server of your network).

Then, if you want to isolate the access, you can create a firewall rule that will allow access from the computers VLAN only to the IP of the NVR but not to the IPs of the cameras, and eventually block internet access for the cameras.

Instead, if you really want to use the NVR as gateway for your cameras and build a fully isolated network, then you can:

  • define the VLANs in the bridge of the two CRS
  • have a trunk (tagged) link between the two CRS (==> if you can move all the cameras under one single switch you don’t even need the trunk)
  • assign the access (tagged) ports where you connect computers and cameras, assigning the appropriate PVID to the ports

After this, you can take one cable from an untagged port of VLAN1 and connect it to eth1 of the NVR, then another cable from an untagged port of VLAN2 (camera side) and connect it to eth2 of the NVR.
In this way there won’t be any traffic between the two VLANs unless the NVR can forward traffic and act as router for your cameras.
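The two-VLAN layout described in this answer, written out as RouterOS v7 configuration for the CRS328 (gateway) side. This is an added example, not configuration from the post or from MikroTik’s documentation; the port names, the VLAN IDs (1001 for the existing 192.168.1.0/24 LAN, 3 for a new 192.168.3.0/24 camera network), the NVR address 192.168.3.10 and the NVR service ports 80/554 are assumptions chosen for illustration.

```routeros
# CRS328 (gateway), RouterOS v7. Assumed port roles (adjust to your cabling):
#   sfp-sfpplus1    Internet uplink, already NAT'ed, stays OUT of the bridge
#   sfp-sfpplus2    10G link to the CRS326 -> becomes the tagged trunk
#   ether2,ether3   computers  -> untagged, VLAN 1001 (192.168.1.0/24)
#   ether20,ether21 cameras    -> untagged, VLAN 3    (192.168.3.0/24)
# The NVR (assumed 192.168.3.10) hangs off the CRS326 and is reached over the trunk.

/interface bridge
add name=bridge1 comment="one bridge per switch chip; vlan-filtering is enabled last"

# pvid = the VLAN an untagged frame arriving on that port is placed into
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2 comment="trunk: tagged only"
add bridge=bridge1 interface=ether2 pvid=1001
add bridge=bridge1 interface=ether3 pvid=1001
add bridge=bridge1 interface=ether20 pvid=3
add bridge=bridge1 interface=ether21 pvid=3

# VLAN table. "bridge1" itself is a tagged member so the CPU-side VLAN
# interfaces below receive the traffic; port-to-port forwarding stays on the switch chip.
/interface bridge vlan
add bridge=bridge1 vlan-ids=1001 tagged=bridge1,sfp-sfpplus2 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=3 tagged=bridge1,sfp-sfpplus2 untagged=ether20,ether21

# L3 interfaces: the only place the CRS328 routes between the two VLANs
/interface vlan
add name=vlan1001-lan interface=bridge1 vlan-id=1001
add name=vlan3-cam interface=bridge1 vlan-id=3
/ip address
add address=192.168.1.1/24 interface=vlan1001-lan
add address=192.168.3.1/24 interface=vlan3-cam

/ip pool
add name=pool-lan ranges=192.168.1.100-192.168.1.200
add name=pool-cam ranges=192.168.3.100-192.168.3.200
/ip dhcp-server
add name=dhcp-lan interface=vlan1001-lan address-pool=pool-lan
add name=dhcp-cam interface=vlan3-cam address-pool=pool-cam lease-time=1d
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.3.0/24 gateway=192.168.3.1 ntp-server=192.168.3.1 comment="cameras: no DNS, local NTP only"

/interface list
add name=WAN
/interface list member
add list=WAN interface=sfp-sfpplus1

# Forward-chain policy. Order matters: these go above any catch-all drop rule.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="allow replies"
add chain=forward in-interface=vlan3-cam out-interface-list=WAN action=drop comment="cameras: no Internet"
add chain=forward in-interface=vlan1001-lan out-interface=vlan3-cam dst-address=192.168.3.10 protocol=tcp dst-port=80,554 action=accept comment="LAN -> NVR web and RTSP only"
add chain=forward in-interface=vlan1001-lan out-interface=vlan3-cam action=drop comment="LAN never reaches cameras directly"
add chain=forward in-interface=vlan3-cam out-interface=vlan1001-lan action=drop comment="cameras never initiate into the LAN"

# Optional: if the cameras need time sync, serve it locally instead of giving them Internet
/system ntp server set enabled=yes

# Last step: from here on the VLAN table is enforced, so run it from a port in VLAN 1001
/interface bridge set bridge1 vlan-filtering=yes
```

Only the forward chain is shown. DHCP and NTP from the camera VLAN to the CRS328 itself go through the input chain, so if your input chain drops by default, add accepts for udp/67 and udp/123 from vlan3-cam before the drop. Enabling vlan-filtering before the bridge VLAN table is complete locks you out of the device, which is why it is the last line.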

The CRS series is CPU-limited compared to a proper “router.” They’re better thought of as uncommonly smart and adroit L3 switches.

It’s common wisdom that the most predictive entry on the official test results table for CPU-mediated traffic is the one for 512-byte packets with 25 filter rules, which in this case shows 428 Mbit/sec. That matches up pretty well with my own iperf3 results.

Now, don’t get yourself confused on this point. An iperf3 test with the client and server running across the CRS328 gives near line-speed results. The previously-linked test has iperf3 running on the CRS328’s CPU inside a container, though, forcing all traffic through the CPU, not the switch chip.

The trick is, “router” type functions often require use of the CPU. If the switch chip can’t do a given thing itself, that traffic ends up shunted down through the Linux kernel running on the CPU to accomplish the goals you gave RouterOS through the configuration. Different switches in MT’s lineup have widely differing features, but they give you line-speed results only as long as you stay within those limitations.

You may be wondering why I’m telling you about this even though you are not (yet) complaining of limited speed. It’s because you’ve selected a device with a 10G SFP+ port and are using that port for the Internet uplink and calling it a “router” even though it isn’t grouped with the routers on MikroTik’s product pages. You aren’t even going to get a single gigabit through a CRS328 if you make it do anything substantial that can’t be offloaded to the hardware. As soon as you start loading the CRS328 with significant CPU-mediated traffic, it’ll become the bottleneck in your network, somewhere in the 400 megabit range.

It’s better to split the roles into router and switch so that the only traffic that hits the router’s CPU is traffic that is crossing the router from one side to the other. That keeps all LAN-only traffic on the CRS switches, ideally fully hardware-offloaded, including all this internal IPcam traffic you speak of.


All ethernet ports on the first router together with optical port that is administering connection to the second router are groupped into a bridge.

That’s good. Either you have read and understood the warning in the docs, here, or you have stumbled into a correct configuration. I wouldn’t bring it up if it wasn’t for what you say next, though…


I can dedicate one more port in each router and connect via dedicated secondary ethernet cable connecting the camera “islands” together.

That sounds like you’d end up with 2+ bridges, which as I’ve pointed out will cause one set of ports to be handled by the CPU, not the switch chip. This is bad enough by itself, but this atop your current use of a lowly CRS328 as a fiber Internet router…? Madness.


Is VLAN the correct approach or is there any other way?

That’s pretty much the only sane approach here since it uses the CRS switches as they’re meant to be used.

The only other sensible option is full-blown port isolation, which is simpler to set up but doesn’t allow any exceptions to its absolute boundaries as VLANs do.
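A quick way to see whether a port is really on the switch chip or has fallen back to the CPU, as an added check that is not part of the post: the H flag in the bridge port listing means hardware offload is active for that port.

```routeros
# Run on the CRS328 or CRS326 after changing bridge membership.
# Flags in the output: X - disabled, I - inactive, D - dynamic, H - hw-offload.
# A port WITHOUT H is being bridged by the CPU, i.e. it sits on the ~400 Mbit/s
# path described above; ports of a second bridge on the same switch chip lose H.
/interface bridge port print

# Confirm there is exactly one bridge and that vlan-filtering=yes is set on it
/interface bridge print

# While an iperf3 run crosses the switch, see what the CPU is busy with:
# time spent in firewall/networking rather than idle means traffic is not offloaded
/tool profile duration=10
```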

Thank you @tangent and @Dario1982 for your insights.

Couple of more pieces of information:

  • the internet connectivity is approx. 120 Mbps only. It is a home setup and I’m living in a residential area, which comes last when it comes to fiberization of the country.

  • There were two major targets of my exercise: 1) offload unnecessary traffic from ports/bridge that don’t deal with video traffic from cameras; 2) security (namely to prevent the cameras from accessing both the internet and any part of the in-house infrastructure)

I knew that for hardware acceleration to be used a bridge was the right way. What I didn’t know was that only one bridge is supported by HW (dedicated chipset) while the second (and any other on top) goes through the CPU. This pretty much renders my intention useless since performance was one of the two key reasons to do it. However, the security concern stays, so…

I currently use VLANs for separating traffic coming from UniFi WiFi APs, but labeling is done by the APs themselves and I’m only filtering traffic in Mikrotik’s firewall (namely allowing traffic from the Guest SSID to go out to the internet only, not inside). I will have a look and try to learn how to set up VLANs (again) and will have a look at port separation too.

Just one more hint, if I could ask: all ports (except for the one which connects the entire network to the internet) are now grouped into a bridge, actually two bridges, one in each switch/router (including those ports which are used to interconnect the switches/routers), and it will stay that way to utilize the dedicated chipset. There is one default address space across the entire network (192.168.1.x) except for WiFi, specifically the Guest SSID, which is assigned 192.168.2.x, and routing from .2.x into .1.x is prohibited in the firewall; this way Guest WiFi-connected devices can go out to the Internet but can’t reach the intranet.

Now for the cameras: the ports will then likely stay assigned to the bridge. Do I assume right that the cameras may be assigned yet another subnet, e.g. 192.168.3.x, and would it help if the NVR is connected to the single switch/router with two ethernet cables, one interface living in the .3.x space (camera traffic would be collected through that one) and the other in .1.x, through which recorded content would be accessed from devices connected to the inner LAN, or do I still get the entire concept wrong?

No; the CRS3xx line supports bridge VLAN filtering, which allows a single bridge to support many VLANs. This will in turn keep your traffic separate as desired, when appropriately configured.


I will have a look and try to learn how to setup VLANs (again)

This guide is well-regarded.


actually two bridges, one in each switch/router

If you wish to be pedantic about it, say instead “one bridge per switch chip”. There’s no point confusing matters by reporting the number of RouterOS devices as equal to the number of bridges present.

There are nuances beyond that basic case, if you’re interested…


Do I assume right the cameras may be assigned with yet another subnet

Each VLAN gets its own subnet, yes.

A common convention that keeps things simple is to put the VLAN ID in the third octet, so that e.g., VLAN ID 3 might be 192.168.3.x/24. Nothing enforces this; it’s purely for the network admin’s benefit.

Beware, however, that VLAN 1 gets handled as “special” in a lot of situations, which are hard to predict without a lot of testing and reading. It’s best to avoid using it unless you absolutely must. Therefore, your 192.168.1.x subnet would either need to be renumbered to follow this convention or you’d break the convention by using, e.g. VLAN ID 1001 for that subnet.


one interface living in .3.x space (cammera traffic would be collected through that one) and the other in .1.x through which recorded content would be accessed from devices connected to inner lan or do I still get the entire concept wrong?

Without knowing your equipment intimately, it’s difficult to advise. However, I will observe that one of the key properties of VLANs is that a given port can be a member of any number of VLANs. It is one of the primary practical distinctions between VLANs and either port isolation or multiple bridges. These latter schemes are rigorously exclusive: a given port can be on only one bridge or in an isolation group or not.

Point being, you could instead assign one port on your NVR to both the IPcam and security monitoring VLANs.
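The point about one port belonging to several VLANs, as added example configuration for the CRS326 side (the switch the NVR and two cameras hang off). This is not configuration from the post; it follows the post’s conventions (VLAN ID 1001 for the existing 192.168.1.0/24, VLAN ID 3 for 192.168.3.0/24, VLAN 1 unused) and assumes the port names, that the trunk to the CRS328 is sfp-sfpplus1, that the CRS328 is the gateway at 192.168.1.1, and that the NVR’s NIC can send and receive 802.1Q-tagged frames.

```routeros
# CRS326 (pure switch), RouterOS v7. Assumed port roles:
#   sfp-sfpplus1   10G trunk to the CRS328 (tagged 1001 and 3)
#   ether1,ether2  the two cameras on this floor -> untagged, VLAN 3
#   ether3         the NVR on ONE NIC: untagged in VLAN 1001, tagged in VLAN 3
#   ether4         a computer                    -> untagged, VLAN 1001
# No VLAN interface for VLAN 3 exists here: the switch never sees camera traffic at L3.

/interface bridge
add name=bridge1 comment="single bridge: forwarding stays on the switch chip"

/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 comment="trunk"
add bridge=bridge1 interface=ether1 pvid=3
add bridge=bridge1 interface=ether2 pvid=3
add bridge=bridge1 interface=ether3 pvid=1001 comment="NVR: untagged=LAN, tagged=cameras"
add bridge=bridge1 interface=ether4 pvid=1001

# ether3 appears in BOTH entries: the "any number of VLANs" property of a port.
# A port-isolation group or a second bridge could not express this.
/interface bridge vlan
add bridge=bridge1 vlan-ids=1001 tagged=bridge1,sfp-sfpplus1 untagged=ether3,ether4
add bridge=bridge1 vlan-ids=3 tagged=sfp-sfpplus1,ether3 untagged=ether1,ether2

# Management address of the switch lives in the LAN VLAN only
/interface vlan
add name=vlan1001-mgmt interface=bridge1 vlan-id=1001
/ip address
add address=192.168.1.2/24 interface=vlan1001-mgmt
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1

# Last step, run from a port that ends up in VLAN 1001
/interface bridge set bridge1 vlan-filtering=yes

# Checks after enabling: the VLAN table lists each entry's members, and the host
# table shows which MAC was learned in which VID. A camera MAC showing up with
# VID 1001 means the pvid on its port is wrong.
/interface bridge vlan print
/interface bridge host print
```

On the NVR side the LAN address goes on the plain, untagged interface, while the camera VLAN needs a tagged sub-interface with ID 3 on the same NIC; on Windows that is a driver feature (typically a VLAN ID entry in the adapter’s advanced properties), and if the driver does not offer it, the two-cable plan with two untagged ports is the fallback.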

Thank you, @tangent!

The referenced guide was very helpful. So it seems I will extend the VLAN configuration not only to the ports where the WiFi APs are connected but to all ports involved.

Based on your performance references I will add a true router to my setup; it will be an RB5009. Two reasons besides routing performance are the fact that all CRS328 ports are used up anyway, hence an extension is needed in the given spot (the CRS326 is on a different floor), and that it will provide space and computing power to host the UniFi Cloud Key controller to manage my WiFi APs in a container (which will mean one physical device fewer in the setup, which I take as a benefit).

I’m considering going one step further and moving even the RB5009 to the switch position (still using its container support), introducing a Firewalla Gold SE as my network’s router and using the Mikrotiks as switches. The ability to monitor and manage the network “on the go” via a graphical interface on my mobile phone is appealing to me: on one hand I’ve already invested a lot of time learning at least the basics of configuring the Mikrotik environment, on the other hand it is a household setup and I seek to focus more on other things than configuring the home network.

But that is diverting from the original topic, let me get back to it: my NVR is actually a Windows workstation with BlueIris software. The PC has two network interfaces and, as I understand now thanks to your hints and further study, I should be able to use IP aliasing to set up two IP addresses on one network interface (one for each VLAN); however, it should also be possible to use both available interfaces on the PC and connect them to distinct ports on the switch too. It might be seen as a waste of resources (using one more port on the switch) but I rather see it as load balancing: pushing the camera traffic in via one interface and accessing the content via the other.

Unless there are further comments thank you again for valuable help!