network hardware
mejor-correo, 2017-09-04 16:16:17

How to properly configure the local network (which has video surveillance)?

Good day!
It so happened that I "inherited" a certain amount of equipment, despite the fact that the former owner could not be found.
I am not strong in networking or in configuring network equipment myself; my knowledge is rather superficial, at the level of setting up a home router, forwarding ports, etc. I'm more on the software side and video surveillance.
I would really appreciate any help/advice.
Here's what we have at the moment:
There is a local network - 192.168.1.0/24 + there is a "white" IP address.
At the moment there are 4 switches:
• SW1 - D-link DES-1210-28P (192.168.1.110)
• SW2 - D-link DES-1210-28P (192.168.1.112)
• SW3 - D-link DGS-1210-28P (192.168.1.113)
• SW4 – D-link DES-3200-26 (IP unknown, no access to the switch)
A Zyxel Keenetic II router is also installed, which is also the gateway for devices (192.168.1.1).
Two video surveillance servers:
• SRV-V1 - responsible for external video surveillance (192.168.1.199)
• SRV-V2 - responsible for internal video surveillance (192.168.1.200)
IP cameras, internal and external, which are connected to SW1 and SW2 (external) and SW3 (internal).
SW1 and SW2 are interconnected by fiber optic cable via SFP, SW2 and SW3 with SW4 by twisted pair.
At the moment there are a number of problems and questions:
1. At the time of installation of the SRV-V2 server, the SW2 and SW3 switches were connected with a patch cord, everything was fine, but it did not ping from the router, and was not visible from the Internet. After connecting SW3 and SW4, the server began to ping and became accessible from the Internet.
Why did this situation happen?
2. If you connect a laptop to SW3, then the SRV-V1 server, as well as cameras connected to SW2 and SW1, will not be pinged. No access to SW2 web interface.
3. Even if you connect a laptop directly to SW2, there is no ping to the cameras that are connected to SW1 and there is no access to the web interface of SW1, but I would like to have it, because SW1 is geographically distant from the place where SW2, SW3 and SW4 are located. Meanwhile, the SRV-V1 server connected to SW2 sees the cameras connected to SW1 perfectly.
4. I can't set up a VPN server on the Zyxel in any way, although the VPN server component has been installed and turned on, and I created a user. But it doesn't want to connect to it. Windows 10 - writes: "Cannot connect to the remote computer, so the connection port is closed." I enabled 40 bit key support for the MPPE protocol in my system.
I would also like to know your opinion on the following plans:
1. Divide the network into VLANs, thereby separating video surveillance and other devices on the local network (which are connected to SW4), in order to reduce the load within the network, as well as to improve security. Is it possible to forward ports on Keenetic from the outside to the VLAN that will be used for video surveillance?
Does it make sense to separate internal and external video surveillance into different VLANs?
2. Is it possible (and correct) to make such a division in the future, if not divided into VLANs?

  • 2 - 99 - DHCP - Clients incl. WiFi
  • 100 - 110 - switch
  • 111 - 149 - Static IP reserve
  • 150 – 250 – Video surveillance
  • 251 - 254 - Reserve

I'm attaching the diagram I was able to draw.
Thanks in advance for your replies!
[Attached image: network diagram]
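
An added example (not part of the original post) that checks the device addresses listed in the question against the proposed address ranges, and shows how many CIDR prefixes a firewall or ACL rule would need to cover the video surveillance range. The role assigned to each device and the function names are assumptions made for the example.

```python
import ipaddress

NET = ipaddress.ip_network("192.168.1.0/24")

# Address plan proposed in the question: inclusive last-octet ranges.
PLAN = [
    (2, 99, "DHCP clients"),
    (100, 110, "switches"),
    (111, 149, "static reserve"),
    (150, 250, "video surveillance"),
    (251, 254, "reserve"),
]

# Addresses as listed in the question; the expected role per device is an
# assumption made for this example.
DEVICES = {
    "SW1": ("192.168.1.110", "switches"),
    "SW2": ("192.168.1.112", "switches"),
    "SW3": ("192.168.1.113", "switches"),
    "SRV-V1": ("192.168.1.199", "video surveillance"),
    "SRV-V2": ("192.168.1.200", "video surveillance"),
}

def host(octet):
    """Address inside NET with the given last octet."""
    return NET.network_address + octet

def range_for(addr):
    """Name of the plan range containing addr, or None if outside the plan."""
    ip = ipaddress.ip_address(addr)
    for low, high, name in PLAN:
        if host(low) <= ip <= host(high):
            return name
    return None

def misplaced(devices):
    """Devices whose address is not in the range planned for their role."""
    found = {name: (addr, range_for(addr)) for name, (addr, _) in devices.items()}
    return {n: v for n, v in found.items() if v[1] != devices[n][1]}

def cidr_blocks(low, high):
    """Prefixes a firewall/ACL rule needs to cover exactly low..high."""
    first, last = host(low), host(high)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

if __name__ == "__main__":
    print("outside planned range:", misplaced(DEVICES))
    print("video range as prefixes:", cidr_blocks(150, 250))
```

With the addresses from the question, SW2 and SW3 fall in the static reserve rather than the switch range, and the 150-250 range needs eight prefixes, whereas an aligned block such as 128-255 is a single /25.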

3 answer(s)
d-stream, 2017-09-04
@mejor-correo

0. In order to avoid stepping on a rake, it is highly recommended to get away from the networks 192.168.0.0/24 and 192.168.1.0/24
, possibly limited by the L3 functional)
2. it is still better than item 1

Alexander Klepenkov, 2017-09-14
@kladus

Divide the network into VLANs, thereby separating video surveillance and other devices in the local network (which are connected to SW4), in order to reduce the load within the network

Specify how the division into VLANs reduces the load (probably on the equipment?), because the channel width does not change?

mejor-correo, 2017-09-14
@mejor-correo

Last night I dismantled the entire bundle of wires in that closet and it turned out that the circuit had changed slightly, but some of the questions disappeared.
I connected SW2 and SW3 to the router and everything immediately began to ping and work as I needed.
The issue with VPN was also partially resolved. Through the CLI on the Zyxel, I enabled 128-bit encryption and it began to connect, with one exception. From one location it does not want to establish a connection. Can the gateway somehow be configured so that it does not pass VPN through itself ...? Because through another gateway from the same place everything connects.
The most difficult question for me remains about the VLAN settings.
If I understand correctly, then I need to do the following?
And I connect these ports to the corresponding switches, and as a gateway on the switches I specify the IP that is assigned to the corresponding Keenetic port?
Those ports that connect the devices themselves should be Trunk, if I understand correctly. End Device Ports Untagged.
Is this done on Keenetic in the "Home network" - "Segments" section?
