With some experience in VLANs from “Ciscoland” (Cisco switches) at work, when it came time to set up my own home with an isolated IoT VLAN for IP cameras I was utterly mystified, as I’m using HP gear (2910al series). For something that is an industry standard, the implementation of VLANs couldn’t be more different between the two (I’ve read the HP way is the better way). It didn’t click until I had read literally hundreds of articles, blog posts, forum threads and documentation pages, so I wanted to put it out there from my perspective. I won’t discuss how I configured pfSense except to note that I started by creating the VLAN, giving it a DHCP server, setting explicit firewall rules to keep its traffic away from the LAN and WAN networks, and having it run through the same cable as the default VLAN (normal traffic).
On HP I’ve learned that every port is, by default, a “trunk” port in the Cisco sense, i.e. it can carry several VLANs at once. I put it in quotes because “trunk” on an HP switch means link aggregation and has nothing to do with multiple VLANs running on a single port. With that in mind, note that there is always one VLAN active on the switch, the default VLAN, VLAN 1. For a port to pass normal (untagged) traffic there needs to be exactly one VLAN assigned to it as untagged.
I need to stop for a moment to explain the four different modes:
Untagged – A typical access port that an end device connects to. Devices on the port are not VLAN aware and just transmit plain frames; the switch adds the VLAN tag to frames entering the port and strips it from frames leaving it.
Tagged – Used to assign an additional VLAN to a port; this is what you use for uplinks (trunking, in Cisco terms) from switch to switch, or for a link to a VLAN-aware device such as a firewall.
No – The port is not part of the VLAN.
Forbid – The same as No; I don’t know the difference.
With that out of the way I can break down how I set things up. The links between the switches (uplinks) are Untagged on VLAN 1 so regular traffic (workstations, WAPs, etc.) can travel freely between the switches. These same ports are also Tagged on VLAN 10 (the IoT VLAN I made) so that IoT traffic can flow between the switches too.
For devices that I want to be part of VLAN 10 (IP cameras, Blue Iris server), I set their ports to Untagged on VLAN 10 and to No on VLAN 1. This way they can only communicate with devices on the same VLAN. For simplicity I set up a block of ports in this way on each switch, so I know those ports are physically part of VLAN 10.
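As an added example (not the original post’s configuration), here is what that layout looks like in the ProCurve CLI on one switch, assuming ports 1-4 are the IoT block, port 23 goes to pfSense and port 24 is the uplink to the other switch; lines beginning with `#` are my annotations, not CLI input. The `show vlans` commands at the end are the check I would run to confirm that no camera port is still Untagged on VLAN 1 before plugging anything in.

```text
# Assumed port roles: 1-4 IP cameras / Blue Iris IoT NIC, 23 pfSense, 24 uplink
configure

# Create the IoT VLAN and set port membership.
# pfSense and the uplink carry VLAN 10 tagged alongside untagged VLAN 1,
# which they already have by default.
vlan 10
   name "IoT"
   tagged 23-24
   untagged 1-4
   exit

# A port can only be untagged in one VLAN, so the switch normally moves
# ports 1-4 out of VLAN 1 on its own when they become untagged in VLAN 10.
# Making it explicit is the "No" setting from the table above.
vlan 1
   no untagged 1-4
   exit

# Verify: VLAN 10 should list 1-4 as Untagged and 23-24 as Tagged,
# and VLAN 1 should show 1-4 as No (absent) and 23-24 as Untagged.
show vlans
show vlans 10
show vlans ports 1-4 detail

write memory
```

The same block is repeated on the second switch with its own uplink port number; the uplink needs to be Tagged on VLAN 10 at both ends or IoT frames are silently dropped.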
I wanted my IP camera server (running Blue Iris) to be accessible from the internet. For this all I had to do was use two network interfaces on the server: one in the IoT VLAN and one on the regular network (technically VLAN 1). That dual-homed server is the one bridge between the two networks, which is why it is the one host that has to be kept patched and locked down.
Why go to all the trouble of isolating part of the network? It’s the surest way to secure these devices: stuck in their VLAN with no internet access they are out of reach of remote zero-day exploits, will never become part of a DDoS botnet, and I don’t need to worry about a backdoor that lets the cameras’ live feed be viewed remotely; the only thing I need to secure is the Blue Iris server. It also means that if someone cuts an ethernet cable and crimps a connector on the end, they won’t get very much, just the camera VLAN.
Why have a DHCP server just for IP cameras? I like to use DHCP reservations to set the devices’ IPs quickly; it’s a pain to open multiple cameras’ web interfaces and reconfigure them manually.