
Security Installer Community

Secure Routing


I want to set up a CCTV system on its own network.

I have a Draytek router at home and have set up 2 VLANs.

What I want to do is run my home network on 192.168.1.x and, on port 6, the DVR on 192.168.2.x etc.

I also want to route from 192.168.1.x to 192.168.2.x so I can access the CCTV on the LAN, but not the other way, so if the DVR is compromised it cannot be used to attack internal machines etc.

I think I want a proper DMZ but I'm unsure. Any IT gods got any pointers?

 

Ta

securitywarehouse Security Supplies from Security Warehouse

Trade Members please contact us for your TSI vetted trade discount.

You would not want to have connections between LANs as this would defeat the object of the VLAN.

http://www.draytek.co.uk/information/our-technology/vlans

You are thinking of the example for port 4 in the above? Port 4 will be able to communicate to VLAN0 and VLAN1 which you wouldn't want from an attack POV.

 

I have a VLAN tag purely for the CCTV, it's isolated and only accessible from external, it's a simple solution for my network setup.

 

Most domestic/low-end routers provide a DMZ host; this routes all traffic to one IP. If this host is compromised with no further protection, you are on the LAN.

Draytek have a DMZ Subnet (Port) option which if set correctly can be a Host or Subnet, as you suggest.

https://www.draytek.com/en/faq/faq-connectivity/connectivity.lan/whats-the-difference-between-dmz-host-and-dmz-subnet/

 

You would therefore not use VLANs and put the CCTV in the DMZ Port, with Inter-LAN enabled, and set the firewall rule to Block inbound as shown in the example.

Do note I believe DMZ subnet is bound to P1 if enabled, which could be an issue if your CCTV is on an unmanaged switch elsewhere.

To make sure you have set up the firewall rules correctly, you can patch into the DMZ and check access to the LAN is firewalled.
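
One way to run the check described in the last reply, as an added example that is not code from the thread: a Python script run from a laptop patched into the DMZ port, attempting TCP connections towards the LAN. The 192.168.1.x range follows the original post; the specific hosts and ports are constructed samples to replace with your own.

```python
import socket

# Assumed addressing from the original post: home LAN on 192.168.1.x,
# DVR/DMZ side on 192.168.2.x. Hosts and ports below are constructed samples.
LAN_TARGETS = ["192.168.1.1", "192.168.1.10"]
PORTS = [22, 80, 443, 445, 3389]

def probe(host, port, timeout=2.0):
    """Classify one TCP connection attempt made from the DMZ side."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # handshake completed: traffic crossed into the LAN
    except ConnectionRefusedError:
        return "refused"       # RST came back: from the LAN host (leak) or a 'reject' rule
    except socket.timeout:
        return "filtered"      # silently dropped: what a block rule normally looks like
    except OSError:
        return "unreachable"   # no route or ICMP unreachable
    finally:
        s.close()

def audit(targets, ports, timeout=2.0):
    """Return every (host, port, state) that was not cleanly blocked."""
    findings = []
    for host in targets:
        for port in ports:
            state = probe(host, port, timeout)
            if state in ("open", "refused"):
                findings.append((host, port, state))
    return findings

if __name__ == "__main__":
    leaks = audit(LAN_TARGETS, PORTS)
    for host, port, state in leaks:
        print(f"REVIEW {host}:{port} -> {state}")
    print("DMZ -> LAN isolation OK" if not leaks else f"{len(leaks)} path(s) need review")
```

Run the same script from the LAN side against the DVR's 192.168.2.x address to confirm the permitted direction still works.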

 
