I want to see if the following is possible using VLAN:
I have the following equipment:
Is it possible to set up VLANs in the following configuration with just the one switch:
Have the normal home network (i.e. all the home computers, mobiles etc.) on say VLAN 1.
Have the Home Server on VLAN 2.
Have the IP Cameras on VLAN 3.
Then have the ability for: VLAN 1 to communicate with VLAN 2. VLAN 3 to communicate with VLAN 2. Not allow connection for VLAN 3 back to VLAN 1 but allow connection from VLAN 1 to VLAN 3.
Basically to split the cameras from the normal home network so no one can attach to their ethernet ports and access the network but at the same time still be able to access the home server which is acting as the NVR both by the cameras and by the home network.
I will gloss over the VLAN configuration briefly. I'm using a TP-Link Smart Switch for reference - the Easy Smart Switch range is a bit different but this should be more or less doable in the same way. Refer to Chapters 6.3 and 6.4 in the manual.
In your case, VLAN 1 would be tagged on the router port and untagged on any port your computers connect to (with PVID 1 on those same ports). VLAN 2 would be tagged on the router port and untagged on the server port (with PVID 2 on that port). VLAN 3 would be tagged on the router port and untagged on the camera ports (with PVID 3 on those ports).
You will also need to configure EdgeOS:
192.168.3.1/24 for simplicity. This means the router is using the address
192.168.3.0/24 subnet on its VLAN 3 interface.)
Now, by default, EdgeOS will route packets between all its interfaces. You want to block this in specific scenarios, which can be done using the EdgeOS firewall.
The first thing you'll want to do is add a ruleset blocking VLANs (2 and 3?) from accessing the router's management interface. It should look something like:
local. Make sure the VLAN you want to manage the router from still has access!
Related states (advanced tab)
Create a new ruleset for one-way 1 => 3, default Accept. Make sure you edit it and apply it only to the VLAN 1 and 3 interfaces. Now you need to add your rules in order. I would suggest:
192.168.3.0/24. This allows 1 => 3 to initiate connections.
Related. This allows 3 => 1 responses (network is bidirectional!) for TCP and UDP.
192.168.1.0/24. This is the fallback which rejects anything not allowed by rule #2, meaning 3 => 1 cannot initiate new connections.
There is a bit of discussion here: https://community.ubnt.com/t5/EdgeRouter/One-way-firewall-rules/td-p/1505691
If you do not do anything to block it, 1 <=> 2 and 2 <=> 3 should have worked from the start. Keep in mind that this does open the possibility for an attacker to bypass your router firewall by going 3 => 2 => 1 if something is vulnerable on 2.
Also keep in mind that this example setup is actually allow-by-default with an explicit block from 3 => 1 -- but 3 can still access any future VLANs you set up. A safer (but slightly more complex) config is to block by default (block 192.168.0.0/16 as the last rule in a ruleset) and explicitly allow 1 <=> 2, 2 <=> 3 and 1 => 3. It follows the same general principles; you'll just need to add rules explicitly allowing 2 and blocking the rest.
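The two rulesets the answer describes (the "local" ruleset protecting the router and the allow-by-default one-way 1 => 3 ruleset), written out as EdgeOS configure-mode commands. This is an added example, not from the answer or from Ubiquiti; it assumes eth1 is the trunk to the switch with VLAN sub-interfaces eth1 vif 1/2/3, the router at 192.168.N.1/24 on each, and that VLAN 3 is the only VLAN being restricted.

```text
configure

# Assumed layout (not stated in the thread): eth1 is the trunk to the switch,
# with VLAN sub-interfaces eth1 vif 1/2/3 and the router at 192.168.N.1/24.

# 1) Keep VLAN 3 (cameras) off the router's own services ("local" direction).
set firewall name CAM_LOCAL default-action drop
set firewall name CAM_LOCAL rule 10 action accept
set firewall name CAM_LOCAL rule 10 state established enable
set firewall name CAM_LOCAL rule 10 state related enable
# Only needed if the router hands out DHCP/DNS to the cameras; otherwise omit.
set firewall name CAM_LOCAL rule 20 action accept
set firewall name CAM_LOCAL rule 20 protocol udp
set firewall name CAM_LOCAL rule 20 destination port 53,67
set interfaces ethernet eth1 vif 3 firewall local name CAM_LOCAL

# 2) One-way 1 => 3, allow-by-default, rules in the order the answer gives:
#    rule 10 lets VLAN 1 initiate, rule 20 lets replies flow back,
#    rule 30 drops everything else VLAN 3 sends towards VLAN 1.
set firewall name ONEWAY_1_3 default-action accept
set firewall name ONEWAY_1_3 rule 10 action accept
set firewall name ONEWAY_1_3 rule 10 source address 192.168.1.0/24
set firewall name ONEWAY_1_3 rule 10 destination address 192.168.3.0/24
set firewall name ONEWAY_1_3 rule 20 action accept
set firewall name ONEWAY_1_3 rule 20 state established enable
set firewall name ONEWAY_1_3 rule 20 state related enable
set firewall name ONEWAY_1_3 rule 30 action drop
set firewall name ONEWAY_1_3 rule 30 source address 192.168.3.0/24
set firewall name ONEWAY_1_3 rule 30 destination address 192.168.1.0/24
# Applied "in" on both interfaces so it sees traffic entering the router
# from VLAN 1 and from VLAN 3; 1 <=> 2 and 2 <=> 3 are untouched.
set interfaces ethernet eth1 vif 1 firewall in name ONEWAY_1_3
set interfaces ethernet eth1 vif 3 firewall in name ONEWAY_1_3

commit
save
exit
```

Rule order matters: if rule 30 were placed before rule 20, camera replies to connections VLAN 1 opened would be dropped and the NVR could never see a stream it requested, so check with `show firewall name ONEWAY_1_3 statistics` that rule 20 is the one accumulating hits.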