Can i access cameras from my private network?

1118 (segma1900) 2018-03-18 17:08:03 UTC #1

hi to all i newly get to know nethserver and i loved it when i try it in virtual box
i am planning to make this network

could i access it if i attach the cameras to my green private network or i have to connect them directly to the router which by the way have a static IP which can be accessed world wide??
i forget to mention that we need to be able to open check the cameras from home or any where in the world when traveling

mrmarkuz (Markus Neuberger) 2018-03-18 17:48:16 UTC #2

Hi @1118,

welcome to NethServer Community.

Both attachements are possible to access it from internal and external. You may use port forwarding on your router to put the cams to the 192.168.0.0 network. You have to do it on Nethserver too, when the cams are in green network. This way you can reach your cams by port, like https://public-ip-or-fqdn:22221 for the first cam, https://public-ip-or-fqdn:22222 for the second cam and so on…

http://docs.nethserver.org/en/v7/firewall.html#port-forward

Another way is reverse proxy, so you can reach it like https://public-ip-or-fqdn/cam1…

docs.nethserver.org/en/v7/proxy_pass.html

I’d put it in the green zone so it’s under control of Nethserver, you have to do it if you want reverse proxy.

Do you have WLAN on your router?

1118 (segma1900) 2018-03-18 18:16:38 UTC #3

yes i have WLAN on the router

mrmarkuz (Markus Neuberger) 2018-03-18 18:18:50 UTC #4

Do you use it or do you have separate WLAN for internal use behind Nethserver? Are the cams wireless or cabled?

1118 (segma1900) 2018-03-18 18:28:33 UTC #5

the cams are cabled and i for the wireless i am not sure about how to deal with it for now.
by the way i think i still need to do port forward for the router when use reverse proxy right?

another thing the current configuration is choatic the whole network is reachable from internet and all machine are assigned with 192.168 subnet do you think it is okey to put the 192 for internal green and 10.10 for the router ?

mrmarkuz (Markus Neuberger) 2018-03-18 18:36:17 UTC #6

Yes, you are right.

Yes, it is.

You should use Nethserver as DNS and DHCP server because of Active Directory, which works best with this configuration.

1118 (segma1900) 2018-03-18 18:46:42 UTC #7

thank you so much for your feedback. this is my first work my background previously was mostly theoretical

mrmarkuz (Markus Neuberger) 2018-03-18 18:52:19 UTC #8

You’re welcome. Feel free to ask if you have questions.

1118 (segma1900) 2018-03-18 22:34:32 UTC #9

another thing from my studying security comes with multiple layer of protection. i found many network maps that connect the clients of the LAN to the router directly which is in most case an ISP provided router with very limited firewall capabilities. in your opinion which one of those maps i put here does provide better security, management, and control? and what is the advantage of each one over the other?

the second
index

mrmarkuz (Markus Neuberger) 2018-03-18 23:11:31 UTC #10

I’d prefer the first one (and not only because I can see it much better ).
I don’t get second one but maybe if you have wlan on the adsl router and need to use it for internal network? What system is the firewall between internet and adsl router? A bridge firewall? Why do the WLAN/VPN clients have a separate firewall? Do you have some more examples/links of such configs?

My home setup as example:

Internet and VPN clients - Provider router (cable modem) - NethServer firewall/gateway/proxy/IPS/VPN (two interfaces) - NethServer DC/mail/webapps (only green)

I set my Nethserver gateway as DMZ host on my cable modem so any network traffic is forwarded from modem to my gateway This way I have full control on the Nethserver firewall and don’t have to reconfigure my modem for every port forward etc.

vhinzsanchez (Vhinz Sanchez) 2018-03-19 01:47:22 UTC #11

Hi,

If I just may. Since you’ll be the administrator, why not control the access? Have them view the cams/dvrs from a VPN connection? Much work for you for configuration of VPN but much more secure. I wouldn’t want my corporate/business/especially home CCTVs and DVRs to be open for public viewing.

Nothing is preventing you to open your port and forward it to the device, mine is just a suggestion.

EddieA (Eddie Atherton) 2018-03-19 06:10:50 UTC #12

The other thing I see from your original diagram is double NATting, firstly to the 192,168.0.024 network and then to 10.10.0.0/24 which could possibly cause even more issues.

Cheers.

1118 (segma1900) 2018-03-19 17:01:59 UTC #13

yes i am considering vpn connection for the cameras and remote desktop. can you give me some ideas about the best way to do that??

1118 (segma1900) 2018-03-19 17:03:18 UTC #14

what do you suggest then?? i want to seperate the interal LAN from the internet. and in futer if i need a web server i want to put it on the red zone

1118 (segma1900) 2018-03-19 17:17:26 UTC #15

i got some new info about the current implementation. the factory is 3 levels and each level has 2 routing switches and 1 POE for cameras. the overall number of cameras is 66 and the number of computers curently attached is 10 devices 3 in ground level and 4 in 1 level and 3 in the last level. most of the switches are used for the cameras. so any diffrent suggestion or you advice me to stick with my plan?. and for cameras if i want to make a vpn server for it what is the best way to do it in my suggested model??
thank you

mrmarkuz (Markus Neuberger) 2018-03-19 19:16:53 UTC #16

Create an openvpn server on your Nethserver.

http://docs.nethserver.org/en/v7/vpn.html#roadwarrior

If you have a router in front of Nethserver port forward the vpn port to NethServer.

Connect via openvpn client to the server. This way you should reach your cams easily.

1118 (segma1900) 2018-03-19 22:31:44 UTC #17

thank you for the feedback. another little thing i notice that the people who do the infrastructure place routers instead of switches. i dont think this was necessary and i think i should turn of routing and any other services from the routers except the main one , am i right?

mrmarkuz (Markus Neuberger) 2018-03-19 22:59:27 UTC #18

It’s enough to have one Nethserver with its firewall/routing functions.

vhinzsanchez (Vhinz Sanchez) 2018-03-20 00:40:49 UTC #19

You might want to review it. The infra people who put in the routers instead of servers might have the following agenda which may or may not have been implemented:

The network is or should have been segmented/VLANed, thus in need of routing.
They have routers but routing/dhcp server is disabled, effectively making it a switch. If this is the case, I’m thinking that there’s no switch/es available but there’s plenty of routers or these routers are consumer grade making it cheaper.

In anyways, it’s yours now, just do proper documentation.

1118 (segma1900) 2018-03-23 19:44:40 UTC #20

another question if i may. if i want to have 2 diffrent subnets in the private network one for the pcs and printers and one for cameras. is it possible to do that in nethserver?