Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

IP cam reverse NAT

Mon Jul 12, 2021 6:05 pm

Hello guys,

I'm struggling with something that should be easy but I can't find a solution:

I have a RB2011 which works as a captive portal / firewall router for a customer. I have to set up a new IP camera for surveillance, using the existing infrastructure. Actually I have the ISP router connected to a normal switch, providing free internet access for the administrative office PCs on the 192.168.5.0/24 LAN, the same where my network video recorder resides. Attached to this I have my RB2011 (on ETH1 as WAN). On ETH5 I have the network switches and AP (all Unifi) that provide wireless internet for guests through a customized Mikrotik captive portal (10.2.0.0/24 network), and I have to install a new IP camera behind this. I already have set the camera MAC address to be allowed passthrough the firewall (like the Unifi APs and switches so they can connect to my controller on the cloud), but I can't make the camera communicate with the QNAP NAS NVR that is connected "WAN" side.

Can you help me please?
 
anav
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: IP cam reverse NAT

Mon Jul 12, 2021 11:44 pm

Yes, draw a diagram. I got lost after the second sentence.
 
tangent
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: IP cam reverse NAT

Tue Jul 13, 2021 2:17 am

> I have to install a new IP camera behind this.

Because...?

Why can't you run a cable back to the RB2011 or the office switch?

> I already have set the camera MAC address to be allowed passthrough the firewall

MAC address filtering is amateur-hour security. MACs are trivially spoofed and easily discovered.

If you want an analogy, it'd be like a secure building's guards checking IDs at the outer gate, but the "IDs" they use are those paper "My Name Is..." stickers with six numbers written on them. Want to visit the C-suite level? Wait for the CEO to walk past, then write his number down on a blank name tag instead of the numbers you were issued. Walk right in.

If you want actual security, you use something like dot1x, TLS, VPN, VLAN...

Each of these can be subverted — there is no perfect security — but if you set each of them up right, it's a lot harder than spoofing a MAC address.

> I can't make the camera communicate with the QNAP NAS NVR that is connected "WAN" side.

Is the data flow actually that direction? Camera to NAS? In my experience, security camera systems go the other direction: you configure the recording device to connect out to the camera and pull the video in via RTSP or similar.

Setting up the router to permit your NAS on 192.168.5.0/24 to connect out to the camera on the public customer network should be a lot less difficult than providing a secure means for something on the public network to push data back into the private network.
 
Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

Re: IP cam reverse NAT

Tue Jul 13, 2021 10:07 am

Hello,

I have drawn a simple diagram of my situation. I cannot run another cable from the camera to the office switch, I have to rely on the "guest" branch of the network to reach the office. I'm probably missing something dumb, because based on testing in my lab I can reach a NAS that resides on a different VLAN than the one on which my work PC is.

Image
 
tangent
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: IP cam reverse NAT

Tue Jul 13, 2021 10:33 am

Give the camera a static IP in the 192.168.5.0/24 range, then put its wired port in the same bridge as the leg going back to the office switch. Then it doesn't matter which direction the traffic flows: it'll be a network peer to everything on the office network. Just because the camera is on the "right hand side" of that router doesn't mean it must have a 10.2.0.0/24 address.

If for some reason bridging won't work in your situation, add an explicit static route or IP filter rule to route traffic from the IP cam to the office network.

An IP filter rule might be a good idea anyway, depending on how physically secure that IP cam's cabling is. If the ports are exposed, you might want an intelligent rule that prevents one of your guest network users from hijacking this physical connection. Something like "IF is MAC this, and source IP this, and destination TCP port this and destination IP this, THEN allow" so that even if a guest-side device clones the MAC and IP, they still can't do anything but access the NAS. Then you configure the NAS so the cam connection isn't allowed to delete files, etc.
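
The "IF MAC, source IP, destination port and destination IP, THEN allow" rule described in the post above, written as RouterOS filter rules. This is an added example, not part of the original post; the MAC address, camera IP, NAS IP and TCP port are constructed placeholders, and ether1/ether5 follow the interface roles given in the thread.

```routeros
# Constructed values (assumptions, not from the thread):
#   camera MAC AA:BB:CC:DD:EE:FF, camera IP 10.2.0.50
#   NAS IP     192.168.5.10, recording service on tcp/554
/ip firewall filter
# Let replies for already-permitted connections through.
add chain=forward action=accept connection-state=established,related \
    comment="return traffic for permitted flows"
# The single allowed flow: this MAC + this source IP -> NAS on one TCP port.
add chain=forward action=accept in-interface=ether5 out-interface=ether1 \
    src-mac-address=AA:BB:CC:DD:EE:FF src-address=10.2.0.50 \
    dst-address=192.168.5.10 protocol=tcp dst-port=554 \
    comment="camera -> NAS only"
# Everything else from the guest side toward the office LAN is dropped,
# so a cloned MAC/IP still reaches nothing but that one NAS port.
add chain=forward action=drop in-interface=ether5 dst-address=192.168.5.0/24 \
    comment="guest side may not reach office LAN"
```

Filter rules are evaluated top to bottom, so these must sit above any broader accept rule that covers traffic entering on ether5.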
 
Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

Re: IP cam reverse NAT

Tue Jul 13, 2021 11:11 am

But my office network is connected on ETH1 of RB2011, and the guest network is on ETH5 (stand-alone, no bridge). On ETH5 I have all the switches and AP for the guest side of the network. I have one cable coming from the Unifi switch that serves some APs and this camera arriving on the RB2011 (coming from the main centralized unifi switch for all guest branches).

I guess I'll try with the static route.
 
Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

Re: IP cam reverse NAT

Tue Jul 13, 2021 11:31 am

Problem solved... I was acting really dumb. In the NAS I set up as the camera address the one on the guest network instead of the IP of ETH1 of the RB. Tangent was right, it was a simple matter of DST-NATting the required ports on the camera IP.

Sorry for wasting your time guys, thanks for the suggestions.
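
The DST-NAT arrangement described in the post above, narrowed so that only the NAS can use the forwarded port. This is an added example, not the poster's configuration; the RB2011 ether1 address, NAS IP, camera IP and the RTSP port are constructed placeholders.

```routeros
# Constructed values (assumptions, not from the thread):
#   RB2011 ether1 address 192.168.5.2, NAS 192.168.5.10
#   camera 10.2.0.50, RTSP on tcp/554
/ip firewall nat
# The NAS connects to the router's office-side address; the router
# rewrites the destination to the camera on the guest network.
add chain=dstnat action=dst-nat in-interface=ether1 \
    src-address=192.168.5.10 dst-address=192.168.5.2 \
    protocol=tcp dst-port=554 \
    to-addresses=10.2.0.50 to-ports=554 \
    comment="NAS -> camera RTSP"
/ip firewall filter
# Permit only the translated connection through the forward chain.
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface=ether1 src-address=192.168.5.10 \
    dst-address=10.2.0.50 protocol=tcp dst-port=554 \
    comment="allow dst-natted NAS -> camera"
```

Matching on src-address in the NAT rule keeps other hosts on 192.168.5.0/24 from reaching the camera through the same forwarded port.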
 
tangent
Forum Guru
Posts: 1390
Joined: Thu Jul 01, 2021 3:15 pm

Re: IP cam reverse NAT

Tue Jul 13, 2021 11:49 am

> I have one cable coming from the Unifi switch that serves some APs and this camera arriving on the RB2011

If there's only one cable from the office to the guest network, and the IP camera is on the guest network, your diagram isn't accurate. It shows the IP cam having its own connection to the RB2011. That's two cables.
 
Treart
just joined
Topic Author
Posts: 15
Joined: Mon Jul 12, 2021 5:52 pm
Location: Grosseto

Re: IP cam reverse NAT

Tue Jul 13, 2021 11:51 am

> > I have one cable coming from the Unifi switch that serves some APs and this camera arriving on the RB2011
>
> If there's only one cable from the office to the guest network, and the IP camera is on the guest network, your diagram isn't accurate. It shows the IP cam having its own connection to the RB2011. That's two cables.

You are right, I wrote the diagram down in a hurry. Sorry for that.
